The China-aligned hacker group MirrorFace has apparently set its sights on a diplomatic organization in the European Union, which is kind of a big deal because it's the first time the group has been seen targeting an entity in that region. ESET, a cybersecurity firm, reported this in its APT Activity Report covering April to September 2024. During this campaign, MirrorFace used the upcoming World Expo in Osaka, Japan in 2025 as the lure. So, even though they're branching out geographically, they're still pretty fixated on Japan and anything connected to it.
MirrorFace is actually part of a bigger bad guy group called APT10, which has other members like Earth Tengshe and Bronze Starlight. These cyber troublemakers have been giving Japanese organizations headaches since at least 2019, but they've also started poking around in Taiwan and India recently. They've got a bunch of nifty tools in their toolkit, including backdoors named ANEL (also called UPPERCUT), LODEINFO, and NOOPDOOR (or HiddenFace), along with a handy dandy credential thief they like to call MirrorStealer.
ESET told The Hacker News that these guys are super picky about who they attack, usually going after only a handful of targets each year, and their goal is mostly cyber espionage and data theft. And this isn't the first time they've gone after diplomatic offices either.
For the latest shenanigans they pulled, they sent a spear-phishing email to their target with a link to a ZIP file titled "The EXPO Exhibition in Japan in 2025.zip" hosted on OneDrive. Inside that archive was a Windows shortcut disguised as a "document", named "The EXPO Exhibition in Japan in 2025.docx.lnk", that, when clicked, kicked off a multi-stage process that ended with ANEL and NOOPDOOR on the victim's system.
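Here's an added example (not code from ESET, The Hacker News, or the campaign itself) of the kind of defender-side check that catches this exact trick: scanning a ZIP attachment for a Windows shortcut dressed up as a document. The archive contents and the 20-byte shortcut header stub are constructed for the demo; the lure file name is the one reported above, and the suffix list and reason strings are my own choices.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed sample data for a stand-alone run: the lure file name reported in the
# article, with a 20-byte Windows Shell Link (.lnk) header (HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046) and zero padding instead of a
# real shortcut body.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
LURE_NAME = "The EXPO Exhibition in Japan in 2025.docx.lnk"

# Extensions an attacker would want a shortcut to look like (assumed list).
DOCUMENT_SUFFIXES = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def looks_like_shell_link(data: bytes) -> bool:
    """True if the bytes start with the fixed Shell Link header."""
    return data[:len(LNK_HEADER)] == LNK_HEADER


def scan_archive(zip_bytes: bytes) -> dict:
    """Return {entry_name: [reasons]} for entries that deserve analyst attention."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = []
            if suffixes and suffixes[-1] == ".lnk":
                reasons.append("Windows shortcut inside archive")
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES:
                    reasons.append(
                        "document-style double extension " + "".join(suffixes[-2:])
                    )
            # Check the leading bytes too, so a shortcut renamed to .pdf is still caught.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            if looks_like_shell_link(head) and (not suffixes or suffixes[-1] != ".lnk"):
                reasons.append("Shell Link header but extension is not .lnk")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: the lure, a renamed shortcut, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(LURE_NAME, LNK_HEADER + bytes(56))
        zf.writestr("Q3 report.pdf", LNK_HEADER + bytes(56))
        zf.writestr("readme.txt", b"Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The point of checking both the name and the leading bytes is that Explorer hides the `.lnk` extension for shortcuts, so the file name alone is what the victim sees, while the header is what the file actually is; a mail gateway or sandbox rule that flags either condition on archive attachments would have caught this lure before anyone clicked it.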
This isn't the only China-related cyber-mischief going on. There's also groups like Flax Typhoon, Granite Typhoon, and Webworm that are getting cozier with open-source stuff like SoftEther VPN to keep tabs on their victims' networks.
And speaking of keeping tabs, Bloomberg reported that the China-linked Volt Typhoon hacked into Singapore Telecommunications (Singtel) as a sort of dress rehearsal for a larger operation aimed at telecom companies and critical infrastructure. That intrusion was discovered back in June 2024.
But wait, there's more! The Wall Street Journal said earlier this week that some of these cyber ninjas managed to get into the cellphone lines of top U.S. national security and policy officials, along with some big-wig politicians. They're also said to have snooped around in the systems of another country that's a close intelligence-sharing ally of the U.S. These attacks were apparently part of a broader campaign by a Chinese collective known as Salt Typhoon (also tracked as FamousSparrow and GhostEmperor), which has also been busy messing with AT&T, Verizon, and Lumen Technologies in the U.S. So, it seems like everyone's playing spy games out there in cyber-land!