Japan’s National Police Agency (NPA) and the National Cyber Security Strategy and Incident Preparedness Center (NCSC) have accused a China-linked threat actor named MirrorFace of orchestrating an ongoing campaign of attacks against organizations, businesses and individuals in the country since 2019.
The main goal of the attack campaign is to steal information related to Japan’s national security and advanced technology, the agency said.
MirrorFace, also tracked as Earth Kasha, is believed to be a subset of APT10. It has a track record of systematically attacking Japanese organizations, often using tools such as ANEL, LODEINFO, and NOOPDOOR (aka HiddenFace).
Last month, Trend Micro revealed details of a phishing campaign targeting individuals and organizations in Japan to deliver ANEL and NOOPDOOR. Other campaigns observed in recent years have also been directed against Taiwan and India.
According to the NPA and NCSC, the attacks orchestrated by MirrorFace broadly fall into three main campaigns:
- Campaign A (December 2019 to July 2023), targeting think tanks, governments, politicians and media organizations, using phishing emails to deliver LODEINFO, NOOPDOOR and LilimRAT (a customized version of the open-source Lilith RAT)
- Campaign B (February to October 2023), targeting the semiconductor, manufacturing, communications, academic and aerospace industries, exploiting known vulnerabilities in Internet-facing Array Networks, Citrix, and Fortinet devices to breach networks and deliver Cobalt Strike Beacon, LODEINFO, and NOOPDOOR
- Campaign C (from June 2024), targeting academia, think tanks, politicians and media organizations, using phishing emails to deliver ANEL.
The agencies also noted that they have seen instances, since at least June 2023, of attackers stealthily executing malicious payloads stored on the host computer inside a Windows Sandbox instance and communicating with a command-and-control server from there.
“This method allows malware to run unchecked by anti-virus software or EDR on the host computer, and when the host computer is shut down or restarted, the Windows Sandbox traces are erased, so no evidence remains,” the NPA and NCSC said.
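The advisory only says that payloads stored on the host were run inside Windows Sandbox. One documented way to achieve that is a .wsb configuration file that maps a host folder into the sandbox (MappedFolders) and launches a program at logon (LogonCommand), so a defender hunting for this technique can triage any .wsb files found on endpoints. The checker below is an added example, not code from the NPA/NCSC report; the sample .wsb content is constructed, and the element names follow Microsoft's published Windows Sandbox configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample .wsb file (not from the advisory): a host folder is
# mapped into the sandbox and a logon command runs a binary from it while
# networking stays enabled, which is exactly the pattern worth a closer look.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\stage</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\stage</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\stage\run.exe</Command>
  </LogonCommand>
</Configuration>"""


def analyze_wsb(xml_text: str) -> dict:
    """Parse a .wsb file and return its mapped folders, logon command,
    networking setting and a list of triage findings (empty if benign)."""
    root = ET.fromstring(xml_text)
    mapped = []
    for mf in root.iter("MappedFolder"):
        mapped.append({
            "host": (mf.findtext("HostFolder") or "").strip(),
            "sandbox": (mf.findtext("SandboxFolder") or "").strip(),
            "read_only": (mf.findtext("ReadOnly") or "false").strip().lower() == "true",
        })
    command = (root.findtext("LogonCommand/Command") or "").strip()
    networking = (root.findtext("Networking") or "Default").strip()

    findings = []
    if command:
        findings.append("logon command present")
        # A logon command whose path lies inside a mapped sandbox folder
        # means the executable actually lives on the host.
        for m in mapped:
            if m["sandbox"] and command.lower().startswith(m["sandbox"].lower()):
                findings.append(f"logon command runs from host folder {m['host']}")
        if networking.lower() != "disable":
            findings.append("network-enabled sandbox with logon command")
    return {"mapped_folders": mapped, "logon_command": command,
            "networking": networking, "findings": findings}
```

Point the function at every .wsb file collected from a host (and at any .wsb path seen in a WindowsSandbox.exe command line) and escalate those whose findings are non-empty.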