Full Report
Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) accused a China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. The primary objective of the attack campaign is to steal information related to Japan's national
Analysis Summary
# Threat Actor: MirrorFace
## Attribution & Identity
**Attribution:** China-linked threat actor.
**Known Aliases and Associated Groups:** Earth Kasha, assessed to be a sub-group within APT10.
## Activity Summary
MirrorFace has been orchestrating persistent attack campaigns targeting organizations, businesses, and individuals in Japan since 2019. Reporting from the preceding month detailed spear-phishing campaigns aimed at delivering the ANEL and NOOPDOOR backdoors to Japanese targets. Overall activity is characterized by three major campaigns:
* **Campaign A (Dec 2019 – Jul 2023):** Targeted think tanks, governments, politicians, and media organizations, delivering LODEINFO, NOOPDOOR, and a custom version of Lilith RAT (LilimRAT) via spear-phishing.
* **Campaign B (Feb – Oct 2023):** Targeted semiconductor, manufacturing, communications, academic, and aerospace sectors. Breaches were achieved by exploiting vulnerabilities in internet-facing Array Networks, Citrix, and Fortinet devices, leading to the deployment of Cobalt Strike Beacon, LODEINFO, and NOOPDOOR.
* **Campaign C (Jun 2024 – Present):** Targeted academia, think tanks, politicians, and media organizations using spear-phishing to deliver the ANEL backdoor.
## Tactics, Techniques & Procedures
- Spear-phishing (used in Campaigns A and C).
- External Remote Services Exploitation (used in Campaign B against Array Networks, Citrix, and Fortinet devices).
- Stealthy execution of malicious payloads within the Windows Sandbox environment.
- Malware deployment: ANEL, LODEINFO, NOOPDOOR (HiddenFace), LilimRAT (custom Lilith RAT).
- Post-exploitation tool usage: Cobalt Strike Beacon.
## Targeting
- **Sectors:** Think tanks, government entities, politicians, media organizations, semiconductor, manufacturing, communications, academic, and aerospace sectors.
- **Geography:** Primarily Japan, with recent campaigns also observed against Taiwan and India.
- **Victims:** Organizations, businesses, and individuals within the specified sectors/geographies. Specific organizations were not named in the summary provided.
## Tools & Infrastructure
- **Malware families used:** ANEL, NOOPDOOR (HiddenFace), LODEINFO, LilimRAT (custom Lilith RAT), Cobalt Strike Beacon.
- **Infrastructure (C2, domains, IPs):** No specific C2 URLs, domains, or IPs were included in the provided text.
## Implications
MirrorFace represents a persistent, state-sponsored threat focused on espionage against critical sectors and governmental bodies in Japan. The combination of spear-phishing, vulnerability exploitation, and the use of custom backdoors (ANEL, NOOPDOOR) suggests a highly resourced group capable of long-term network presence to steal information related to Japan's national security and advanced technology.
## Mitigations
- Increased monitoring and patching for known vulnerabilities in internet-facing devices, specifically Array Networks, Citrix, and Fortinet products (related to Campaign B).
- Enhanced email filtering and security awareness training to defend against spear-phishing campaigns delivering LODEINFO, NOOPDOOR, and ANEL.
- Behavioral analytics to detect fileless execution attempts, especially activity occurring within the Windows Sandbox environment.
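As an added example (not code from the report or from any agency cited in it), a small host-side triage script for the Windows Sandbox technique listed under TTPs and the last mitigation above: it flags sandbox launches in Sysmon-style process-creation telemetry and inspects the accompanying .wsb configuration for the two settings that carry content into the sandbox VM and run it. The telemetry format, paths and sample values are constructed; the process names and .wsb elements are Microsoft's documented ones.

```python
import json
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Host-side sandbox launcher processes; what runs inside the VM is invisible to host EDR.
SANDBOX_HOSTS = {"windowssandbox.exe", "windowssandboxclient.exe"}
WSB_ARG = re.compile(r'"([^"]+\.wsb)"|(\S+\.wsb)\b', re.I)

def sandbox_launches(events):
    """Return (image, wsb_path) for each Windows Sandbox launch among Sysmon-style
    process-creation events (JSON, EventID 1; format constructed for this example)."""
    hits = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if image in SANDBOX_HOSTS:
            m = WSB_ARG.search(ev.get("CommandLine", ""))
            hits.append((image, (m.group(1) or m.group(2)) if m else None))
    return hits

def wsb_risk_indicators(wsb_xml):
    """Parse a .wsb file (Microsoft's documented schema) and report the settings that let
    content enter and run inside the VM: LogonCommand and read-write MappedFolders."""
    root = ET.fromstring(wsb_xml)
    findings = [f"LogonCommand: {c.text.strip()}"
                for c in root.iterfind("./LogonCommand/Command") if c.text]
    for mf in root.iterfind("./MappedFolders/MappedFolder"):
        if (mf.findtext("ReadOnly") or "false").strip().lower() != "true":
            findings.append(f"writable host folder mapped: {(mf.findtext('HostFolder') or '').strip()}")
    return findings

# Constructed sample telemetry: a sandbox launch with a config file, a benign process,
# and a non-process event (EventID 3) that must be ignored.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "CommandLine": r'WindowsSandbox.exe "C:\Users\u\Downloads\Q3 report.wsb"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsSandbox.exe"},
)]

# Constructed .wsb: maps Downloads read-write into the VM and runs a script at sandbox logon.
SAMPLE_WSB = r"""<Configuration>
  <MappedFolders><MappedFolder><HostFolder>C:\Users\u\Downloads</HostFolder>
    <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\in</SandboxFolder><ReadOnly>false</ReadOnly>
  </MappedFolder></MappedFolders>
  <LogonCommand><Command>C:\Users\WDAGUtilityAccount\Desktop\in\stage.cmd</Command></LogonCommand>
</Configuration>"""
```

Running `sandbox_launches(SAMPLE_EVENTS)` yields the single sandbox launch with its config path, and `wsb_risk_indicators(SAMPLE_WSB)` lists the logon command and the writable mapped folder; a .wsb with neither setting produces an empty list.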