Japanese cybersecurity authorities have identified a sophisticated Chinese threat actor, MirrorFace (also known as Earth Kasha), conducting extensive cyber espionage operations against Japanese entities since 2019. The group, believed to be a subset of APT10, has primarily focused on stealing national security and advanced technology information.
Three Major Campaign Phases:
1. Campaign A (2019-2023):
– Targeted think tanks, government agencies, politicians, and media
– Deployed LODEINFO, NOOPDOOR, and customized LilimRAT malware
– Utilized spear-phishing tactics
2. Campaign B (February-October 2023):
– Focused on semiconductor, manufacturing, communications, academic, and aerospace sectors
– Exploited vulnerabilities in Array Networks, Citrix, and Fortinet devices
– Deployed Cobalt Strike Beacon and other malware
3. Campaign C (June 2024):
– Targeted academia, think tanks, politicians, and media organizations
– Delivered ANEL (UPPERCUT) malware through spear-phishing
Technical Sophistication:
– Employed Visual Studio Code remote tunnels for covert communications
– Utilized Windows Sandbox to evade detection
– Implemented advanced anti-forensic techniques to eliminate evidence
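The two tooling choices above, Visual Studio Code remote tunnels and Windows Sandbox, both leave process-creation traces that a defender can match on. The following is an added example, not code from the report or from any of the tools it names: a small rule-based scanner run over constructed process-creation log lines (timestamp, host, user, image path, command line). The `code tunnel` subcommand, the `WindowsSandbox.exe` image and `.wsb` configuration files are real features of those products; the sample events, the pipe-delimited log format, the rule names and the third rule (a generic check for Windows event-log clearing, included as an illustration of anti-forensic activity rather than anything the report attributes to this group) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample process-creation events (assumption; not taken from the report).
# Format: timestamp|host|user|image_path|command_line
SAMPLE_EVENTS = r"""
2024-06-03T09:12:44Z|WS-0141|alice|C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe|code.exe tunnel --accept-server-license-terms --name ws-0141
2024-06-03T09:13:02Z|WS-0141|alice|C:\Windows\System32\WindowsSandbox.exe|WindowsSandbox.exe C:\Users\alice\Downloads\update.wsb
2024-06-03T09:15:10Z|WS-0207|bob|C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe|Code.exe C:\Projects\app
2024-06-03T09:16:30Z|WS-0141|alice|C:\Windows\System32\cmd.exe|cmd.exe /c wevtutil cl Security
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


# Detection rules: (rule name, predicate over (lower-cased image basename, lower-cased command line)).
# Rule names are hypothetical labels chosen for this example.
RULES = [
    # VS Code started with the "tunnel" subcommand: an outbound remote-access channel,
    # unusual on most workstations and worth reviewing even when the user is a developer.
    ("vscode_remote_tunnel",
     lambda image, cmd: image in {"code.exe", "code"} and re.search(r"\btunnel\b", cmd) is not None),
    # Windows Sandbox launched directly or via a .wsb configuration file.
    ("windows_sandbox_launch",
     lambda image, cmd: image == "windowssandbox.exe" or re.search(r"\.wsb\b", cmd) is not None),
    # Generic evidence-removal indicator: clearing an event log with wevtutil or Clear-EventLog.
    ("event_log_clearing",
     lambda image, cmd: re.search(r"\bwevtutil(\.exe)?\s+cl\b", cmd) is not None
     or "clear-eventlog" in cmd),
]


def parse_event(line):
    """Split one pipe-delimited event; returns None for blank or malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    timestamp, host, user, image_path, command_line = parts
    # Normalise so rules can compare basenames and substrings case-insensitively.
    image = PureWindowsPath(image_path).name.lower()
    return timestamp, host, user, image, command_line.lower()


def detect(events_text):
    """Run every rule over every event and return the matches in log order."""
    findings = []
    for raw in events_text.splitlines():
        parsed = parse_event(raw.strip())
        if parsed is None:
            continue
        timestamp, host, user, image, cmd = parsed
        for name, predicate in RULES:
            if predicate(image, cmd):
                findings.append(Finding(timestamp, host, user, name, cmd))
    return findings


def hosts_by_rule_count(findings, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired; clustering cuts single-rule noise."""
    rules_per_host = {}
    for f in findings:
        rules_per_host.setdefault(f.host, set()).add(f.rule)
    return {host for host, rules in rules_per_host.items() if len(rules) >= minimum}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.timestamp} {h.host} {h.user} [{h.rule}] {h.command_line}")
    print("hosts with multiple indicators:", sorted(hosts_by_rule_count(hits)))
```

The plain VS Code launch on WS-0207 is deliberately left unflagged: the signal is the `tunnel` subcommand, not the editor itself. Combining per-host rule hits, as `hosts_by_rule_count` does, is the usual way to turn three individually explainable events into one worth an analyst's time.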
The group has also conducted operations against Taiwan and India, demonstrating its broader regional focus. Japanese authorities continue to monitor and investigate these cyber threats to protect national interests and critical infrastructure.