In a bold move marking a significant geographical expansion, the China-aligned hacking group MirrorFace, also known as Earth Kasha, has targeted a diplomatic organization within the European Union (EU) for the first time. Historically, this subset of the broader APT10 group has primarily focused on Japanese targets, but recent operations have extended to Taiwan and India. This latest attack utilized the upcoming World Expo 2025 in Osaka, Japan, as a lure, reflecting evolving tactics aimed at cyber espionage and data theft.
MirrorFace’s Tactics and Malware Arsenal
Spear-Phishing and Malware Deployment
The specific attack on the EU diplomatic organization involved a sophisticated spear-phishing email. This email contained a link to a ZIP archive named “The EXPO Exhibition in Japan in 2025.zip," hosted on Microsoft OneDrive. Upon opening the archive, victims encountered a Windows shortcut file designed to initiate the infection process. This led to the deployment of ANEL and NOOPDOOR malware, two of MirrorFace’s favored tools. ANEL, in particular, drew significant attention due to its sudden reappearance after nearly five years. Previously thought to be replaced by LODEINFO around 2019, ANEL’s return signals a possible shift or diversification in MirrorFace’s approach.
The modus operandi of MirrorFace relies on highly targeted operations, typically executing fewer than ten attacks annually. This precision indicates reconnaissance and a deep understanding of their targets. By using the World Expo 2025 as bait, MirrorFace capitalizes on the high-profile nature of international events to catch the interest of their victims. The deployment of multiple malware variants showcases the group’s capability to adapt and utilize a diverse toolkit, enhancing their chances of a successful breach.
Credential Theft with MirrorStealer
Alongside backdoors like ANEL and NOOPDOOR, MirrorFace also employs a credential stealer named MirrorStealer. This tool is designed to extract sensitive information, including passwords and other login credentials, which can then be used to infiltrate networks further. By compromising these credentials, MirrorFace can gain prolonged access to victim environments, allowing them to exfiltrate valuable data over extended periods. This method underscores the group’s primary objective: cyber espionage and data theft targeting entities with high-value information.
Credential theft serves as a critical component in MirrorFace’s strategy, facilitating deeper network penetration and enabling long-term surveillance. The use of MirrorStealer aligns with their broader goal of gathering intelligence and compromising sensitive communications. Considering the rise in cyber activities by Chinese-affiliated actors, MirrorFace’s sophistication in deploying various malware highlights the advanced stage of their operations.
Broader Cyber Espionage Activities
Increased Activity by Chinese Groups
MirrorFace’s operations form part of a broader context of heightened cyber activities by Chinese-affiliated threat actors. Groups like Flax Typhoon, Granite Typhoon, and Webworm have increasingly leveraged open-source tools like SoftEther VPN to maintain stealthy and resilient access to compromised networks. This trend signifies an evolution in tactics where open-source solutions are adapted to circumvent traditional security measures. The strategic use of such tools complicates detection efforts, illustrating a growing sophistication within these attack campaigns.
Recent reports suggest that Volt Typhoon, another Chinese group, used Singapore Telecommunications (Singtel) as a testbed in a campaign targeting telecom companies and critical infrastructure. This tactic of targeting major telecommunications providers indicates a shift towards compromising essential communication networks, which can have cascading effects on national security and infrastructure. Additionally, other U.S.-based telecom providers, like AT&T, Verizon, and Lumen Technologies, reportedly faced similar threats from Salt Typhoon, highlighting the expansive reach and persistent nature of these campaigns.
Impact on Communications and Infrastructure
In a daring move signifying notable geographical expansion, the China-aligned hacking group MirrorFace, also known as Earth Kasha, has struck a diplomatic organization within the European Union (EU) for the first time. Previously, this faction of the wider APT10 group mainly targeted Japanese entities. However, its operations have recently broadened to include Taiwan and India. The group’s latest attack employed the upcoming World Expo 2025 in Osaka, Japan, as bait, highlighting its evolving strategies in cyber espionage and data theft.
Historically known for their sophisticated cyber-attacks, MirrorFace’s focus on Japan has meant rigorous defenses in that region. By turning attention to the EU, they exploit potentially less fortified cyber landscapes. This shift signifies not just a change in tactics but a strategic repositioning aimed at capturing more diverse intelligence. Such maneuvers underscore the persistent global threat posed by state-sponsored hacking groups. Their growing activity and expanding target range highlight the critical need for robust cybersecurity measures worldwide.