On January 8, 2025, the Japanese National Police Agency (NPA) issued a critical warning regarding ongoing cyberattacks attributed to the MirrorFace group, also known as “Earth Kasha.” Active since 2019, the group has targeted key Japanese sectors, including government, academia, media, and advanced industries such as aerospace and semiconductors.
MirrorFace has orchestrated three major cyberattack campaigns:
- Campaign A (2019-2023): This campaign primarily targeted think tanks, government personnel, politicians, and media organizations through spear-phishing emails containing malware-laden attachments. The malware, known as LODEINFO, exploited vulnerabilities in Microsoft Office macros, initiating a chain of infections that included advanced tools like LilimRAT and NOOPDOOR.
- Campaign B (2023): This phase marked a shift towards exploiting vulnerabilities in network devices, including VPN systems and SQL injection flaws. Targets included Japan’s semiconductor, manufacturing, and IT sectors. Attackers deployed tools like Neo-reGeorg tunneling software and web shells, compromising Active Directory servers and virtualization platforms.
- Campaign C (2024): MirrorFace returned to email-based attacks, leveraging embedded links that led recipients to download malware disguised as legitimate files. A new strain of malware, ANEL, was employed alongside innovative methods such as abusing Windows Sandbox and Visual Studio Code’s dev tunnels to evade detection and execute remote commands.
MirrorFace group’s sophisticated techniques include:
- Exploiting vulnerabilities in widely used network devices, such as:
  - Array Networks Array AG (CVE-2023-28461)
  - Fortinet FortiOS and FortiProxy (CVE-2023-27997)
  - Citrix ADC and Gateway (CVE-2023-3519)
- Abusing Microsoft Windows Sandbox to execute malware in isolated environments, evading traditional antivirus and Endpoint Detection and Response (EDR) systems.
- Leveraging Visual Studio Code’s development tunnels for stealthy remote control of compromised systems.
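The two living-off-the-land techniques above leave distinctive process-creation traces: the VS Code dev-tunnel agent is started with `code tunnel`, and Windows Sandbox is launched as `WindowsSandbox.exe`, optionally with a `.wsb` configuration whose LogonCommand runs inside the sandbox. The following detection logic is an added example, not part of the NPA advisory or this article; the event format and sample events are constructed for illustration.

```python
import json
import re
from typing import Optional

# Constructed sample process-creation events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"alice","image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.exe","cmdline":"code tunnel --accept-server-license-terms --name ws01"}
{"host":"ws02","user":"bob","image":"C:\\Windows\\System32\\WindowsSandbox.exe","cmdline":"WindowsSandbox.exe C:\\Users\\bob\\Downloads\\invoice.wsb"}
{"host":"ws03","user":"carol","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}
{"host":"ws01","user":"alice","image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","cmdline":"Code.exe --folder-uri file:///C:/src"}
"""

# "code tunnel" / "code.exe tunnel" starts the VS Code dev-tunnel agent, the feature
# the advisory says MirrorFace used for remote control. Ordinary editor launches
# (e.g. "Code.exe --folder-uri ...") must not match.
DEV_TUNNEL_RE = re.compile(r"(?:^|[\s\\/\"'])code(?:\.exe)?[\"']?\s+tunnel\b", re.IGNORECASE)
# A .wsb file passed to WindowsSandbox.exe can carry a LogonCommand that runs
# automatically inside the sandbox, out of reach of host-side AV/EDR.
WSB_PATH_RE = re.compile(r"(\S+\.wsb)\b", re.IGNORECASE)


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if it looks benign."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    if DEV_TUNNEL_RE.search(cmdline):
        return {"rule": "vscode_dev_tunnel", "host": event["host"],
                "user": event["user"], "cmdline": cmdline}
    if image == "windowssandbox.exe":
        m = WSB_PATH_RE.search(cmdline)
        return {"rule": "windows_sandbox_launch", "host": event["host"],
                "user": event["user"], "config": m.group(1) if m else None}
    return None


def detect(lines: str) -> list:
    """Run both rules over newline-delimited JSON events and collect findings in order."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules are starting points: hosts where developers legitimately use dev tunnels or Windows Sandbox need an allow-list keyed on user and host, and a `.wsb` file arriving from a user's Downloads folder deserves a higher severity than one from a managed location.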
Investigations by the NPA and other agencies suggest that Earth Kasha’s operations are linked to Chinese state interests. The campaigns appear to focus on stealing sensitive information related to national security and cutting-edge technologies, posing significant risks to Japan’s strategic industries.