MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan
MirrorFace Cyberattacks on Japan: Latest Developments and Threat Analysis
Overview
The China-linked threat group tracked as MirrorFace (also known as Earth Kasha) has been identified as responsible for a large number of cyberattacks targeting Japan, focused in particular on national security and advanced technology. In January 2025, Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) issued a joint public warning attributing the activity to the group. The key points from recent reports:
Scope and Targets
Since 2019, MirrorFace has conducted over 200 cyberattacks on Japanese entities, including government ministries (such as Foreign Affairs and Defense), the Japan Aerospace Exploration Agency (JAXA), think tanks, private enterprises involved in advanced technology research, and individual politicians and journalists.
Tactics and Malware
MirrorFace employs sophisticated tactics, primarily using spear-phishing campaigns to infiltrate targets. Here are some of the methods and malware used:
- Spear-Phishing: The group sends malware-laden emails disguised as legitimate communications from trusted entities. These emails carry malicious attachments or links that deploy backdoors such as LODEINFO, ANEL, and NOOPDOOR.
- Campaign A (2019-2023): This phase targeted think tanks, government personnel, politicians, and media organizations through spear-phishing emails with malicious attachments. LODEINFO was delivered through malicious Microsoft Office macros (VBA) that the recipient had to enable, not through a software vulnerability, so macro-blocking policies and attachment filtering were effective controls.
- Campaign B (2023): This phase shifted to exploiting internet-facing infrastructure: vulnerabilities in network devices such as VPN appliances, and SQL injection flaws in web applications. Targets included Japan's semiconductor, manufacturing, and IT sectors. After initial access, the group deployed web shells and the Neo-reGeorg tunneling tool to pivot into internal networks and compromise Active Directory servers and virtualization platforms.
- Campaign C (2024): The group returned to email-based attacks, using embedded links that led recipients to download malware disguised as legitimate files. The ANEL backdoor, previously associated with APT10 and not publicly observed for several years, reappeared in this campaign, alongside new evasion methods: running malware inside Windows Sandbox and abusing Visual Studio Code's dev tunnels for remote command execution.
Links to China and State-Sponsored Operations
Investigations by the Japanese National Police Agency (NPA) and other authorities indicate that MirrorFace operates as part of a broader state-sponsored effort linked to China. The group's focus on acquiring information critical to Japan's national security and technological advancement aligns with the activities of other Chinese advanced persistent threat (APT) groups such as APT10 (Stone Panda).
Specific Vulnerabilities Exploited
During Campaign B, MirrorFace exploited known vulnerabilities in widely deployed edge devices, including:
- Array Networks Array AG (CVE-2023-28461): missing authentication on the SSL VPN gateway, allowing remote code execution.
- Fortinet FortiOS and FortiProxy (CVE-2023-27997): pre-authentication heap overflow in the SSL-VPN component.
- Citrix ADC and Gateway (CVE-2023-3519): unauthenticated remote code execution on NetScaler appliances.
All three were publicly exploited and are listed in CISA's Known Exploited Vulnerabilities catalog. Patching is necessary but not sufficient: because the group drops web shells and tunneling tools after initial access, devices that were exposed while vulnerable should be checked for persistence rather than only updated.
Evasion Techniques
The group has developed sophisticated evasion techniques, such as:
- Abusing Microsoft Windows Sandbox: Windows Sandbox is a disposable lightweight virtual machine built into Windows 10/11 Pro and Enterprise. Processes inside it are invisible to host-based antivirus and Endpoint Detection and Response (EDR) agents, and the sandbox's contents are discarded when it closes, leaving little forensic evidence. A .wsb configuration file can map host folders into the sandbox and run a command at logon, which is enough to stage and execute a payload from the host. The feature must first be enabled as an optional Windows component (Containers-DisposableClientVM), which requires administrative rights and a reboot, so feature enablement and launches of WindowsSandbox.exe on non-developer machines are useful detection points.
- Leveraging Visual Studio Code's dev tunnels: the `code tunnel` command registers a machine with Microsoft's tunnel service (devtunnels.ms), giving a remote operator a TLS-protected, Microsoft-signed channel to a shell on the host. Because the traffic terminates at legitimate Microsoft infrastructure, it blends with ordinary developer activity. Hunting for code.exe or code-tunnel launched with the tunnel argument, and for DNS or proxy requests to devtunnels.ms and tunnels.api.visualstudio.com, exposes it.
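The two evasion techniques above can be hunted with the same endpoint telemetry. The following is an added example, not code from the NPA advisory or from any vendor report: it triages Sysmon-style process-creation and DNS events for Windows Sandbox enablement and launch and for VS Code dev-tunnel activity. The events are constructed for this example and follow Sysmon field names (EventID 1 ProcessCreate, EventID 22 DnsQuery); the indicators are derived from how the two Windows features work, not from any specific incident.

```python
"""
Hunting logic for two MirrorFace evasion techniques, Windows Sandbox abuse
and Visual Studio Code dev tunnels, run over Sysmon-style endpoint events.
Added example; all sample events below are constructed, not real telemetry.
"""
import re
from typing import Dict, List

# Indicators follow from how the two Windows features work, not from any
# specific incident report:
#  - Windows Sandbox must be enabled as the optional feature
#    Containers-DisposableClientVM (admin + reboot), then started through
#    WindowsSandbox.exe, usually with a .wsb configuration file.
#  - A dev tunnel is opened with "code tunnel" (or the standalone
#    code-tunnel binary) and registers with Microsoft's tunnel service,
#    so the host resolves devtunnels.ms / tunnels.api.visualstudio.com.
SANDBOX_IMAGES = {"windowssandbox.exe"}
SANDBOX_FEATURE = "containers-disposableclientvm"
WSB_FILE = re.compile(r"\.wsb\b")
TUNNEL_IMAGES = {"code.exe", "code-tunnel.exe", "code-tunnel"}
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_event(ev: Dict) -> List[str]:
    """Return the findings for one event (empty list means nothing flagged)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon ProcessCreate
        image = _basename(ev.get("Image", ""))
        cmd_l = ev.get("CommandLine", "").lower()
        if SANDBOX_FEATURE in cmd_l:            # dism / Enable-WindowsOptionalFeature
            findings.append("sandbox_feature_enabled")
        if image in SANDBOX_IMAGES or WSB_FILE.search(cmd_l):
            findings.append("windows_sandbox_launch")
        if image in TUNNEL_IMAGES and "tunnel" in cmd_l.split():
            findings.append("vscode_dev_tunnel")
    elif eid == 22:  # Sysmon DnsQuery
        name = ev.get("QueryName", "").lower()
        if name.endswith(TUNNEL_DOMAINS):
            findings.append("tunnel_service_dns")
    return findings


def summarize(events: List[Dict]) -> Dict[str, List[str]]:
    """Group findings by host so the analyst sees the sequence per machine.
    Processes running inside the sandbox never appear in host telemetry, so
    the host-side launch and the outbound tunnel traffic are what remains."""
    per_host: Dict[str, List[str]] = {}
    for ev in events:
        for finding in triage_event(ev):
            per_host.setdefault(ev.get("Computer", "?"), []).append(finding)
    return per_host


VSCODE = "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"

# Constructed sample events (not from any real host).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Computer": "WS-BOB", "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Windows\\System32\\Dism.exe",
     "CommandLine": "dism.exe /online /enable-feature /featurename:Containers-DisposableClientVM"},
    {"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Windows\\System32\\WindowsSandbox.exe",
     "CommandLine": "WindowsSandbox.exe C:\\Users\\alice\\AppData\\Local\\Temp\\run.wsb"},
    {"EventID": 1, "Computer": "WS-ALICE", "Image": VSCODE,
     "CommandLine": f'"{VSCODE}" --new-window'},
    {"EventID": 1, "Computer": "WS-ALICE", "Image": VSCODE,
     "CommandLine": f'"{VSCODE}" tunnel --accept-server-license-terms --name build01'},
    {"EventID": 22, "Computer": "WS-ALICE", "QueryName": "update.code.visualstudio.com"},
    {"EventID": 22, "Computer": "WS-ALICE", "QueryName": "global.rel.tunnels.api.visualstudio.com"},
]

if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(findings))
```

Ordinary VS Code use (`--new-window`) and the update-check DNS query produce no findings; only the tunnel invocation and the tunnel-service lookup do. On machines where developers legitimately use Windows Sandbox or dev tunnels, tune on the host or user rather than dropping the rule.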
Impact and Concerns
These cyberattacks have raised significant concerns about Japan's cybersecurity readiness and its ability to protect sensitive information. The continuous targeting of national security and advanced technology sectors poses substantial risks to Japan's strategic industries.
Related Threat Actors
MirrorFace's activities share similarities with other Chinese APT groups, particularly APT10 (Stone Panda), which has a history of targeting Japanese entities and originally used the ANEL backdoor that MirrorFace revived in 2024. This overlap in tooling and targeting suggests a coordinated effort within China's cyber espionage landscape.
Conclusion
The MirrorFace group represents a significant cyber threat to Japan, with its sophisticated tactics, advanced malware, and clear links to Chinese state interests. The ongoing nature of these attacks underscores the need for enhanced cybersecurity measures and international cooperation to mitigate these threats.