Are Chinese Cyber-Espionage Groups Expanding Their Operations Globally?

In a bold move marking a significant geographical expansion, the China-aligned hacking group MirrorFace, also known as Earth Kasha, has targeted a diplomatic organization within the European Union (EU) for the first time. Historically, this subset of the broader APT10 group has primarily focused on Japanese targets, but recent operations have extended to Taiwan and India. This latest attack utilized the upcoming World Expo 2025 in Osaka, Japan, as a lure, reflecting evolving tactics aimed at cyber espionage and data theft.

MirrorFace’s Tactics and Malware Arsenal

Spear-Phishing and Malware Deployment

The specific attack on the EU diplomatic organization involved a sophisticated spear-phishing email. This email contained a link to a ZIP archive named “The EXPO Exhibition in Japan in 2025.zip," hosted on Microsoft OneDrive. Upon opening the archive, victims encountered a Windows shortcut file designed to initiate the infection process. This led to the deployment of ANEL and NOOPDOOR malware, two of MirrorFace’s favored tools. ANEL, in particular, drew significant attention due to its sudden reappearance after nearly five years. Previously thought to be replaced by LODEINFO around 2019, ANEL’s return signals a possible shift or diversification in MirrorFace’s approach.

The modus operandi of MirrorFace relies on highly targeted operations, typically executing fewer than ten attacks annually. This precision indicates reconnaissance and a deep understanding of their targets. By using the World Expo 2025 as bait, MirrorFace capitalizes on the high-profile nature of international events to catch the interest of their victims. The deployment of multiple malware variants showcases the group’s capability to adapt and utilize a diverse toolkit, enhancing their chances of a successful breach.

Credential Theft with MirrorStealer

Alongside backdoors like ANEL and NOOPDOOR, MirrorFace also employs a credential stealer named MirrorStealer. This tool is designed to extract sensitive information, including passwords and other login credentials, which can then be used to infiltrate networks further. By compromising these credentials, MirrorFace can gain prolonged access to victim environments, allowing them to exfiltrate valuable data over extended periods. This method underscores the group’s primary objective: cyber espionage and data theft targeting entities with high-value information.

Credential theft serves as a critical component in MirrorFace’s strategy, facilitating deeper network penetration and enabling long-term surveillance. The use of MirrorStealer aligns with their broader goal of gathering intelligence and compromising sensitive communications. Considering the rise in cyber activities by Chinese-affiliated actors, MirrorFace’s sophistication in deploying various malware highlights the advanced stage of their operations.

Broader Cyber Espionage Activities

Increased Activity by Chinese Groups

MirrorFace’s operations form part of a broader context of heightened cyber activities by Chinese-affiliated threat actors. Groups like Flax Typhoon, Granite Typhoon, and Webworm have increasingly leveraged open-source tools like SoftEther VPN to maintain stealthy and resilient access to compromised networks. This trend signifies an evolution in tactics where open-source solutions are adapted to circumvent traditional security measures. The strategic use of such tools complicates detection efforts, illustrating a growing sophistication within these attack campaigns.

Recent reports suggest that Volt Typhoon, another Chinese group, used Singapore Telecommunications (Singtel) as a testbed in a campaign targeting telecom companies and critical infrastructure. This tactic of targeting major telecommunications providers indicates a shift towards compromising essential communication networks, which can have cascading effects on national security and infrastructure. Additionally, other U.S.-based telecom providers, like AT&T, Verizon, and Lumen Technologies, reportedly faced similar threats from Salt Typhoon, highlighting the expansive reach and persistent nature of these campaigns.

Impact on Communications and Infrastructure

In a daring move signifying notable geographical expansion, the China-aligned hacking group MirrorFace, also known as Earth Kasha, has struck a diplomatic organization within the European Union (EU) for the first time. Previously, this faction of the wider APT10 group mainly targeted Japanese entities. However, its operations have recently broadened to include Taiwan and India. The group’s latest attack employed the upcoming World Expo 2025 in Osaka, Japan, as bait, highlighting its evolving strategies in cyber espionage and data theft.

Historically known for their sophisticated cyber-attacks, MirrorFace’s focus on Japan has meant rigorous defenses in that region. By turning attention to the EU, they exploit potentially less fortified cyber landscapes. This shift signifies not just a change in tactics but a strategic repositioning aimed at capturing more diverse intelligence. Such maneuvers underscore the persistent global threat posed by state-sponsored hacking groups. Their growing activity and expanding target range highlight the critical need for robust cybersecurity measures worldwide.

Explore more

Leadership: The Key to Scaling Skilled Trades Businesses

Imagine a small plumbing firm with a backlog of projects, a team stretched thin, and an owner-operator buried under administrative tasks while still working on-site, struggling to keep up with demand. This scenario is all too common in the skilled trades industry, where technical expertise often overshadows the need for strategic oversight, leading to stagnation. The reality is stark: without

How Can Businesses Support Domestic Violence Victims?

Introduction Imagine a workplace where employees silently grapple with the trauma of domestic violence, fearing judgment or job loss if their struggles become known, while the company suffers from decreased productivity and rising costs due to this hidden crisis. This pervasive issue affects millions of individuals across the United States, with profound implications not only for personal lives but also

Why Do Talent Management Strategies Fail and How to Fix Them?

What happens when the systems meant to reward talent and dedication instead deepen unfairness in the workplace? Across industries, countless organizations invest heavily in talent management strategies, aiming to build a merit-based culture where the best rise to the top. Yet, far too often, these efforts falter, leaving employees disillusioned and companies grappling with inequity and inefficiency. This pervasive issue

Mastering Digital Marketing for NGOs in 2025: A Guide

In a world where over 5 billion people are online daily, NGOs face an unprecedented opportunity to amplify their missions through digital channels, yet the challenge of cutting through the noise has never been greater. Imagine an organization like Dianova International, working across 17 countries on critical issues like health, education, and gender equality, struggling to reach the right audience

How Can Leaders Prepare for the Cognitive Revolution?

Embracing the Intelligence Age: Why Leaders Must Act Now Imagine a world where machines not only perform tasks but also think, learn, and adapt alongside human workers, transforming every industry from manufacturing to healthcare in ways we are only beginning to comprehend. This is not a distant dream but the reality of the cognitive industrial revolution, often referred to as