Japanese cybersecurity authorities have uncovered an extensive cyber espionage campaign targeting the nation's critical sectors since 2019. The National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) attribute these attacks to MirrorFace, a China-linked threat actor.
The attackers, believed to be a subgroup of APT10, have systematically targeted Japanese organizations to steal sensitive information related to national security and advanced technology. Their campaign deployed sophisticated malware including ANEL, LODEINFO, and NOOPDOOR.
The authorities identified three distinct attack waves:
From December 2019 to July 2023, MirrorFace targeted think tanks, government agencies, politicians, and media organizations through spear-phishing emails delivering various malware strains.
Between February and October 2023, the group shifted focus to semiconductor, manufacturing, communications, academic, and aerospace sectors. They exploited vulnerabilities in network devices from vendors like Array Networks, Citrix, and Fortinet.
The most recent campaign, beginning June 2024, returned to targeting academia, think tanks, politicians, and media organizations, primarily using ANEL malware through spear-phishing attacks.
The threat actor demonstrated advanced evasion techniques, including the use of Windows Sandbox to execute malicious code while avoiding detection by security tools. This method leaves minimal forensic evidence, as traces are erased when the host computer restarts.
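Windows Sandbox is launched from a .wsb configuration file, and mapped host folders plus a LogonCommand are what let code placed inside the sandbox touch the host. The following added example (not code from the NPA/NCSC report) reviews such a file for the settings an analyst would want flagged; the sample configuration and its paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample .wsb file: writable host folder mapped into the
# sandbox and a command run at logon. Paths are placeholders.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\share</HostFolder>
      <SandboxFolder>C:\\Users\\WDAGUtilityAccount\\Desktop\\share</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\share\\run.bat</Command>
  </LogonCommand>
</Configuration>"""


def review_wsb(xml_text):
    """Return a list of findings for sandbox settings that merit attention."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        return ["not a Windows Sandbox configuration"]
    findings = []
    # Networking defaults to enabled when the element is absent.
    net = (root.findtext("Networking") or "Enable").strip()
    if net.lower() != "disable":
        findings.append(f"networking not disabled ({net})")
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        # ReadOnly defaults to false, so an absent element means writable.
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower()
        kind = "read-only" if read_only == "true" else "writable"
        findings.append(f"{kind} host folder mapped: {host}")
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append(f"logon command: {cmd.strip()}")
    return findings


if __name__ == "__main__":
    for line in review_wsb(SAMPLE_WSB):
        print(line)
```

Pair this with host-side telemetry (sandbox feature enablement and file writes into mapped folders), since the sandbox's own filesystem does not survive a restart.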
The sustained nature of these attacks and the range of targeted sectors highlight the persistent cyber threats facing Japanese organizations. The revelations come as cybersecurity agencies worldwide grapple with increasingly sophisticated state-sponsored attacks targeting critical infrastructure and sensitive information.