Japan's National Police Agency (NPA) and the National center of Incident readiness and Strategy for Cybersecurity (NISC) have attributed an ongoing cyber espionage campaign to a China-linked advanced persistent threat (APT) group known as MirrorFace. The attacks, active since 2019, target Japanese organizations, businesses, and individuals with the aim of stealing sensitive data related to national security and advanced technology.
Who is MirrorFace?
MirrorFace, also tracked as Earth Kasha, is believed to be a sub-group within APT10, a notorious Chinese hacking collective. The group has a well-documented history of targeting Japanese entities, leveraging a sophisticated arsenal of malware, including ANEL, LODEINFO, and NOOPDOOR (aka HiddenFace).
Spear-Phishing & Vulnerability Exploitation: Attack Strategies
A recent investigation by Trend Micro uncovered a targeted spear-phishing campaign delivering ANEL and NOOPDOOR to Japanese organizations. Past campaigns have also been observed targeting Taiwan and India, indicating a broader geopolitical espionage effort.
According to the NPA and NISC, the attacks carried out by MirrorFace fall into three major campaigns:
Campaign A (December 2019 – July 2023): Targeting Think Tanks & Government Entities
Victims: Think tanks, government agencies, politicians, and media organizations
Attack Method: Spear-phishing emails
Payloads Delivered: LODEINFO, NOOPDOOR, LilimRAT (a modified Lilith RAT)
Campaign B (February – October 2023): Targeting Critical Infrastructure
Victims: Semiconductor, manufacturing, communications, academic, and aerospace sectors
Attack Method: Exploitation of vulnerabilities in Array Networks, Citrix, and Fortinet devices
Payloads Delivered: Cobalt Strike Beacon, LODEINFO, NOOPDOOR
Campaign C (Since June 2024): Expanding Targets in Academia & Politics
Victims: Academia, think tanks, politicians, and media organizations
Attack Method: Spear-phishing emails
Payload Delivered: ANEL (aka UPPERCUT)
Advanced Evasion Techniques: Remote Tunnels & Windows Sandbox Abuse
One of MirrorFace's key tactics is abusing Visual Studio Code remote tunnels for command and control. The VS Code CLI is run on the compromised host with the tunnel option, which opens an outbound connection to Microsoft's Dev Tunnels service; the operator then attaches to the machine through that service. Because the connection is outbound, goes to legitimate Microsoft infrastructure, and needs no inbound port, it blends in with ordinary developer traffic and slips past perimeter controls that only block unknown destinations.
Additionally, the attackers have been observed executing malicious payloads inside Windows Sandbox, a built-in Windows feature that launches a disposable, lightweight virtual machine. Host-side antivirus (AV) and endpoint detection and response (EDR) tools do not instrument the guest, and the default sandbox image carries no endpoint agent, so code run there is not scanned. In practice this means that:
Malware runs inside the guest without being observed by the host's AV or EDR.
Everything inside the sandbox is discarded when it is closed, so the payload and its in-guest artifacts disappear. Host-side traces do survive, however: the optional feature has to be enabled, launching the sandbox leaves process and event-log records, any .wsb configuration file used to map host folders into the sandbox or auto-run a command stays on disk, and the guest's network traffic passes through the host's virtual switch and can be monitored there.
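The following PowerShell script is an added hunting example for the two techniques described above; it is not part of the NPA/NISC advisory or any vendor report on MirrorFace. It checks a single Windows host for the artifacts that remain on the host side: whether the Windows Sandbox optional feature (Containers-DisposableClientVM) is enabled, any .wsb configuration files under user profiles and what they map or auto-run, running sandbox or VS Code CLI processes, and cached DNS lookups for the Dev Tunnels endpoints that VS Code remote tunnels use. The process names and tunnel domains are the documented ones; the decision to treat any hit as suspicious is this example's assumption and should be tuned for environments where developers legitimately use either feature.

```powershell
# Added hunting example (not from the advisory or the MirrorFace reports).
# Run in an elevated PowerShell 5.1+ session on the host being examined.

# 1. Windows Sandbox can only be launched if its optional feature is enabled.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
[PSCustomObject]@{ Check = 'WindowsSandboxFeature'; Detail = $feature.State }

# 2. Sandbox configuration files. A .wsb is XML: <MappedFolder> exposes a host
#    directory to the guest and <LogonCommand> runs a command when the guest
#    starts, which is how a payload gets staged and executed inside it.
Get-ChildItem -Path 'C:\Users' -Filter '*.wsb' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { [xml]$cfg = Get-Content -LiteralPath $_.FullName -Raw } catch { return }
        [PSCustomObject]@{
            Check         = 'SandboxConfigFile'
            Path          = $_.FullName
            LogonCommand  = $cfg.Configuration.LogonCommand.Command
            MappedFolders = ($cfg.Configuration.MappedFolders.MappedFolder.HostFolder -join ';')
            Networking    = $cfg.Configuration.Networking
        }
    }

# 3. Live processes: the sandbox launcher/client, and the VS Code CLI started
#    with the 'tunnel' subcommand (MirrorFace has been reported renaming the
#    binary, so the command line is matched as well as the image name).
$names = @('WindowsSandbox.exe', 'WindowsSandboxClient.exe', 'code.exe', 'code-tunnel.exe')
Get-CimInstance -ClassName Win32_Process |
    Where-Object { ($_.Name -in $names) -or ($_.CommandLine -match '\btunnel\b') } |
    ForEach-Object {
        [PSCustomObject]@{
            Check       = 'Process'
            ProcessId   = $_.ProcessId
            Name        = $_.Name
            CommandLine = $_.CommandLine
        }
    }

# 4. DNS cache entries for the Dev Tunnels service that VS Code remote tunnels
#    connect to. Absence here proves nothing (the cache is short-lived); a hit
#    on a machine with no developers is worth a closer look.
$tunnelDomains = @('devtunnels.ms', 'tunnels.api.visualstudio.com')
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $entry = $_.Entry; $tunnelDomains | Where-Object { $entry -like "*$_*" } } |
    ForEach-Object {
        [PSCustomObject]@{ Check = 'DevTunnelDnsCache'; Entry = $_.Entry; Data = $_.Data }
    }
```

Points 3 and 4 only catch what is active or recently resolved, so for investigations run them alongside Sysmon process-creation and DNS events, or EDR telemetry, which retain the history; point 2 is the durable artifact, since a .wsb used to auto-run a payload has to exist on the host before the sandbox starts.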
Ongoing Threat & National Security Implications
The persistence of MirrorFace's campaigns underscores the growing cyber threat to Japan. With national security and critical infrastructure at stake, the agencies urge organizations to harden their defenses, patch internet-facing devices such as the Array Networks, Citrix, and Fortinet products targeted in Campaign B promptly, monitor for abuse of legitimate tooling like VS Code tunnels and Windows Sandbox, and strengthen their threat intelligence programs.