
Chinese APT Group Is Ransacking Japan's Secrets

The Japanese flag overlaid with binary code
Source: Birgit Korber via Alamy Stock Photo

The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity warned Japanese organizations of a sophisticated Chinese state-backed cyber-espionage effort called "MirrorFace" to steal technology and national security secrets.

Japanese authorities said the advanced persistent threat group (APT) MirrorFace has been operating since 2019.

"By publicizing the modus operandi of 'MirrorFace' cyberattacks, the purpose of this alert is to make targeted organizations, business operators, and individuals aware of the threats they face in cyberspace and to encourage them to take appropriate security measures to prevent the damage caused by cyberattacks from spreading and to prevent damage from occurring in the first place," read a statement from Japanese police.

MirrorFace Cyberattacks Against Japan

Japanese law enforcement identified three types of MirrorFace attacks. The earliest and most enduring tactic MirrorFace used to steal Japanese secrets was an elaborate spear-phishing campaign between 2019 and 2023 aimed at delivering malware to the country's think tanks, government bodies, and politicians, according to the warning issued by Japan's National Police Agency and translated into English.

In 2023, MirrorFace pivoted to exploiting vulnerabilities in Internet-facing network devices across healthcare, manufacturing, information and communications, education, and aerospace, the police continued. The vulnerabilities exploited included CVE-2023-28461 in Array Networks AG Series appliances, CVE-2023-27997 in the SSL-VPN component of Fortinet FortiOS and FortiProxy, and CVE-2023-3519 in Citrix ADC and Citrix Gateway (NetScaler). All three are pre-authentication flaws in edge devices, so patching and checking for signs of prior compromise are both warranted.

Another phishing campaign began around June 2024 and used basic phishing tactics against the media, think tanks, and Japanese politicians, according to police. And from February 2023 to October 2023, the group was observed exploiting an SQL injection vulnerability in an externally exposed server to gain initial access to Japanese organizations.

The revelations about MirrorFace's activities come amid other headline-grabbing Chinese state-sponsored cyberattacks, including the intrusions into US and global telecom companies by a fellow APT group, "Salt Typhoon," and the recent breach of the US Department of the Treasury.

MirrorFace appears to be operating as a People's Liberation Army (PLA) cyber-warfare unit, according to Mark Bowling, former FBI special agent and current chief information security and risk officer at ExtraHop.

"Since 2019, the MirrorFace APT has consistently utilized well-crafted spear-phishing campaigns, and used weaponized code/logic such as LODEINFO and MirrorStealer to steal credentials, escalate privileges, and exfiltrate data which could be utilized to better position the PLA in the event of hostilities with Japan," Bowling says.

As geopolitical tensions continue to flare up around the world, Bowling expects a corresponding increase in APT activity, particularly by nation-state actors targeting the US.

"The consequences of those strained relations over Ukraine, Taiwan, and the ongoing Iran hostility against Israel through its proxies are now increasingly spilling over into aggressive and relentless digital campaigns," Bowling explains. "There is no doubt threats from nation-state groups will increase in volume and sophistication this year, targeting our critical infrastructure like utilities, telecommunications, and healthcare."
