MirrorFace APT
Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) have accused a China-linked threat actor known as MirrorFace of orchestrating a long-running cyberattack campaign. Since 2019, the group has allegedly targeted organizations, businesses, and individuals across Japan, aiming to steal information related to national security and advanced technology.
MirrorFace’s Links to APT10
MirrorFace, also referred to as Earth Kasha, is believed to be a subgroup within the well-known APT10 threat actor. The group has systematically attacked Japanese entities, employing sophisticated tools such as ANEL, LODEINFO, and NOOPDOOR (also known as HiddenFace) to achieve its objectives.
Spear-Phishing and Target Expansion
Researchers have uncovered details of a spear-phishing campaign in which MirrorFace targeted individuals and organizations in Japan to deploy ANEL and NOOPDOOR. Over the years, similar operations have been observed targeting entities in Taiwan and India, demonstrating the group's broader strategic interest.
Three Major Attack Campaigns Identified
According to NPA and NCSC, MirrorFace's activities have been classified into three major campaigns:
- Campaign A (December 2019 – July 2023): This phase focused on think tanks, government agencies, politicians, and media organizations. Attackers used spear-phishing emails to deliver LODEINFO, NOOPDOOR, and a customized version of Lilith RAT known as LilimRAT.
- Campaign B (February – October 2023): During this period, MirrorFace shifted its focus to the semiconductor, manufacturing, communications, academic and aerospace sectors. The group exploited known vulnerabilities in internet-facing devices from Array Networks, Citrix, and Fortinet to infiltrate networks and deploy Cobalt Strike Beacon, LODEINFO, and NOOPDOOR.
- Campaign C (From June 2024): The most recent attacks have primarily targeted academia, think tanks, politicians and media organizations. The attackers continue to use spear-phishing emails, this time to deliver ANEL (also known as UPPERCUT).
Evasion Techniques and Covert Communications
MirrorFace has employed advanced techniques to maintain persistence and avoid detection. A notable tactic involves using Visual Studio Code remote tunnels to establish covert connections, enabling threat actors to bypass network defenses and maintain remote control over compromised systems.
Windows Sandbox for Stealth Execution
Investigators also discovered that attackers have been executing malicious payloads within the Windows Sandbox environment. This approach allows the malware to operate without being detected by antivirus software or Endpoint Detection and Response (EDR) systems on the host. Moreover, once the host computer is shut down or restarted, all traces of the malware inside the sandbox are erased, leaving no forensic evidence behind.
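Both evasion techniques described above (VS Code remote tunnels and Windows Sandbox execution) leave a host-side trace in process-creation telemetry before the covert channel or sandbox is up. The following added example, which is not from the report or the NPA/NCSC advisory, runs two detection rules over constructed Sysmon-style events; the rule names are hypothetical, while the `code tunnel` subcommand, `WindowsSandbox.exe` and `.wsb` configuration files are the real artifacts these features use.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --folder-uri file:///C:/proj'},
    {"host": "ws01", "user": "alice",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code.exe" tunnel --accept-server-license-terms'},
    {"host": "ws02", "user": "bob",
     "cmdline": r"C:\Windows\System32\WindowsSandbox.exe C:\Users\bob\Downloads\invoice.wsb"},
    {"host": "ws03", "user": "carol", "cmdline": "notepad.exe"},
]

# Rule names are hypothetical. The patterns match the VS Code CLI "tunnel" subcommand
# (normal editor launches without it do not fire) and the Windows Sandbox host binary
# or a .wsb configuration file being opened.
RULES = {
    "vscode_remote_tunnel": re.compile(r'code(?:\.exe)?"?\s+tunnel\b', re.I),
    "windows_sandbox_launch": re.compile(r"WindowsSandbox\.exe|\.wsb\b", re.I),
}


def match_rules(event):
    """Return the names of all rules whose pattern hits the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def scan(events):
    """Produce one alert per (event, rule) hit, keeping host/user context for triage."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev):
            alerts.append({"rule": rule, "host": ev["host"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}/{a['user']}: {a['cmdline']}")
```

In an environment where developers legitimately use tunnels or Windows Sandbox, these rules should be scoped to users or hosts where such use is not expected rather than suppressed outright.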
Ongoing Threat to National Security
The persistent and evolving tactics used by MirrorFace highlight the ongoing cyber threats facing Japan. By targeting critical sectors and employing sophisticated evasion strategies, the group continues to pose a serious challenge to national security and technological advancements. Authorities urge organizations to remain vigilant against spear-phishing attempts and to strengthen their cybersecurity defenses against evolving threats.