Japan's National Police Agency (NPA) and the Cabinet Cyber Security Center have attributed a persistent cyber-espionage campaign to "MirrorFace," a group they link to the Chinese state. The operation, ongoing since 2019, primarily aims to steal sensitive information about Japan's national security and advanced technology.
Continuous Espionage Efforts
The campaign falls into several distinct phases, each with its own targets and tradecraft, but the constant objective is access to victim networks for the theft of sensitive data.
Targets Identified: Japanese politicians, think tanks, government ministries and agencies, technology-sector companies, and media outlets.
Attack Tactics: spear-phishing emails, exploitation of vulnerabilities in internet-facing network appliances, and evasion techniques that keep the intrusion out of sight of host-based defenses.
Key Technical Details
MirrorFace, also tracked as "Earth Kasha," has used several techniques to get into targeted networks and stay there:
Known Exploits: CVE-2023-28461 (Array Networks AG/vxAG SSL VPN), CVE-2023-27997 (Fortinet FortiOS SSL-VPN), and CVE-2023-3519 (Citrix NetScaler ADC/Gateway). All three are pre-authentication flaws in internet-facing remote-access appliances, so patch status and exposure of edge devices matter more for this phase than endpoint controls.
Malware Deployment: the group uses the LODEINFO, ANEL, and NOOPDOOR backdoors to maintain long-term footholds and keep exfiltrating data.
Campaigns Over the Years
The NPA has outlined three major campaigns conducted by MirrorFace:
1. Campaign A (2019–2023): targeted political and governmental entities with phishing emails that delivered malware.
2. Campaign B (2023): targeted technology-sector organizations by exploiting vulnerabilities in internet-facing network devices (the Array Networks, Fortinet, and Citrix flaws listed above).
3. Campaign C (2024–present): uses emails carrying malicious links to reach academic and industrial targets.
Advanced Evasion Methods
To maintain prolonged access without detection, MirrorFace has adopted evasion techniques that hide malicious execution behind legitimate Windows and Microsoft components:
VSCode Tunnel Method: starting in June 2024, the attackers used the Visual Studio Code CLI's tunnel feature (`code tunnel`), which makes a host reachable through Microsoft's dev-tunnel service and gives the operator remote command execution over TLS traffic to Microsoft-owned domains. The same tactic has been linked to other Chinese state-backed groups such as Storm-0866.
Windows Sandbox Usage: since mid-2023, the attackers have run malware inside Windows Sandbox, the disposable lightweight VM built into Windows 10 and 11 Pro and Enterprise. Code executing inside the sandbox is not visible to the host's antivirus or EDR, can reach the network (and so the remote C2 servers) as long as sandbox networking is left enabled, and leaves nothing behind once the sandbox is closed.
Recommendations for Mitigation
The NPA advises system administrators to strengthen monitoring in two areas:
Watch for unusual PowerShell activity, in particular PowerShell launching the VS Code CLI with the `tunnel` command, and for outbound connections to Microsoft's dev-tunnel endpoints (*.devtunnels.ms, *.tunnels.api.visualstudio.com) from hosts that have no business running VS Code tunnels.
Audit for unexpected launches of Windows Sandbox (WindowsSandbox.exe and related processes) and for .wsb configuration files. Because the sandbox is a separate VM, commands executed inside it are not logged by the host, so the launch itself, the configuration file, and the host folders it maps are the only observable artifacts. Enabling the Windows Sandbox optional feature on a host where it was never used is a precursor worth alerting on as well.
By implementing these monitoring strategies, organizations can better detect and counter the ongoing threats posed by MirrorFace.
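The following is an added example, not part of the NPA alert or the original article, showing how the two monitoring recommendations above translate into detection logic. It runs over constructed process-creation records whose field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); on a real host the same records would come from Sysmon or from Security event 4688 with command-line auditing enabled. The sample events, the file paths, the renamed binary name `update.exe`, and the .wsb file are all constructed for illustration. The dev-tunnel domains, the `code tunnel` verb and its `--accept-server-license-terms` flag, the `Containers-DisposableClientVM` feature name, and the .wsb element names are real Microsoft identifiers.

```python
"""Host-side hunt for the two MirrorFace evasion techniques above: VS Code tunnel
abuse and Windows Sandbox launches. Records use Sysmon Event ID 1 field names.
Sample events and the .wsb file are constructed for this example (not from any
incident); on a real host feed it Sysmon or Security 4688 command-line data."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Endpoints the VS Code tunnel feature talks to (Microsoft dev-tunnel infrastructure).
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")
VSCODE_IMAGES = ("code.exe", "code-tunnel.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
SANDBOX_IMAGES = ("windowssandbox.exe", "windowssandboxclient.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_tunnel_destination(host: str) -> bool:
    """True for DNS/proxy-log hostnames under the dev-tunnel domains."""
    return host.lower().rstrip(".").endswith(TUNNEL_DOMAINS)


def classify_event(ev: dict) -> list[str]:
    """Return finding tags for one process-creation record (empty = nothing notable)."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd_l = ev.get("CommandLine", "").lower()
    findings: list[str] = []

    # VS Code tunnel: `code tunnel` exposes the host via Microsoft's dev-tunnel service.
    # A developer may do this legitimately; a script host spawning it, or a renamed CLI
    # binary (the `tunnel` verb and --accept-server-license-terms still betray it), is
    # what the abuse described above looks like on the host.
    if re.search(r"(^|\s)tunnel(\s|$)", cmd_l) and (
        image in VSCODE_IMAGES or "--accept-server-license-terms" in cmd_l
    ):
        findings.append("vscode_tunnel")
        if parent in SCRIPT_HOSTS:
            findings.append("vscode_tunnel_from_script_host")
        if image not in VSCODE_IMAGES:
            findings.append("vscode_tunnel_renamed_binary")

    # Windows Sandbox: the launch and the .wsb config are the only host-side artifacts,
    # since nothing executed inside the sandbox VM is logged by the host.
    if image in SANDBOX_IMAGES or ".wsb" in cmd_l:
        findings.append("windows_sandbox_launch")

    # Enabling the optional feature (Enable-WindowsOptionalFeature or DISM) is a precursor.
    if "containers-disposableclientvm" in cmd_l:
        findings.append("windows_sandbox_feature_enabled")
    return findings


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every record that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := classify_event(ev))}


def inspect_wsb(xml_text: str) -> dict:
    """Extract what matters from a .wsb config: the logon command (what runs inside
    the sandbox), mapped host folders and whether the sandbox may write back to them,
    and whether networking is left on (needed for C2 from inside the sandbox)."""
    root = ET.fromstring(xml_text)
    folders = [
        (mf.findtext("HostFolder", "").strip(),
         mf.findtext("ReadOnly", "false").strip().lower() == "true")
        for mf in root.iter("MappedFolder")
    ]
    return {
        "logon_command": (root.findtext("LogonCommand/Command") or "").strip(),
        "mapped_folders": folders,
        "networking": (root.findtext("Networking") or "Default").strip(),
    }


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" --folder-uri file:///C:/src'},
    {"Image": r"C:\Users\Public\Music\update.exe", "ParentImage": PS,  # hypothetical renamed VS Code CLI
     "CommandLine": r"update.exe tunnel --accept-server-license-terms --name WS01"},
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe", "ParentImage": PS,
     "CommandLine": r"WindowsSandbox.exe C:\Users\Public\cfg.wsb"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -NoRestart"},
]

SAMPLE_WSB = r"""<Configuration><Networking>Default</Networking>
  <MappedFolders><MappedFolder>
    <HostFolder>C:\Users\Public\Music</HostFolder>
    <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Music</SandboxFolder>
    <ReadOnly>false</ReadOnly>
  </MappedFolder></MappedFolders>
  <LogonCommand><Command>C:\Users\WDAGUtilityAccount\Desktop\Music\svc.exe</Command></LogonCommand>
</Configuration>"""
```

Running `hunt(SAMPLE_EVENTS)` leaves the ordinary editor launch alone and flags the other three records: a tunnel started from a renamed binary under PowerShell, a sandbox launch with a configuration file, and the feature being enabled. `inspect_wsb(SAMPLE_WSB)` then shows why the configuration file is the artifact to collect: it names the binary that runs at logon, a host folder mapped read-write (so the sandbox can write back to the host), and networking left at its default, enabled, state.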