Japanese police claim China ran five-year cyberattack campaign targeting local orgs

Japan’s National Police Agency and Center of Incident Readiness and Strategy for Cybersecurity have confirmed third-party reports of attacks on local orgs by publishing details of a years-long series of attacks attributed to a China-backed source.

The agencies have named the actor “MirrorFace”, aka “Earth Kasha”, and outlined a campaign they allege started in 2019 and saw at least three waves of attack that continued into 2024. The agencies’ report follows similar allegations raised last year by infosec vendors Trend Micro and Broadcom. The alleged attacker has also been linked to the APT 10 gang.

The first wave of attacks ran from December 2019 to July 2023 and saw phishing emails sent to targets at think tanks, government agencies, politicians, and media organizations. The messages sometimes included malware in attached files, while others initiated conversations in which the sender offered to send info pursuant to the topic at hand and instead sent malware named “LODEINFO”, “LilimRAT” and “NOOPDOOR”. All are known malware strains.

A second campaign ran from February 2023 into mid-2024 and saw attackers exploit known weaknesses in TLS 1.0, use client certificates that they somehow obtained to authenticate, and employ SQL injection attacks. The attackers also apparently installed the Neo-reGeorg tunneling tool and open source WebShells on VPNs.

After the attacks, Japanese authorities observed abuse of Active Directory servers and unauthorized access to Microsoft 365. Machine translation of National Police docs suggests “unauthorized access to virtualization servers, and acquisition of virtual machine images” was another outcome. So was deployment of Cobalt Strike BEACON, LODEINFO, and NOOPDOOR malware.

Japan’s semiconductor, manufacturing, information and communications, academic, and aerospace sectors were the target of the second attack wave.

The third campaign kicked off in June 2024 and again involved phishing, this time to send documents that enabled macros to run in Microsoft Office apps.

Again, the NOOPDOOR malware was dropped when possible, along with another strain called “ANEL” that’s thought to be a part of APT10’s armory. Academia, think tanks, politicians, and the media were among the targets.

Scarily, Japan’s investigators observed that this campaign sometimes involved malware running in the Windows sandbox, the not-quite-a-VM Microsoft offers to run code in isolation within some versions of Windows 10 and 11. A Japanese-language document [PDF] explains that the malware took advantage of the fact that the Windows sandbox can be configured to allow it to interact with the host machine, and that instructions from a command-and-control server drove sandboxed code to do so.

Anything in the Windows sandbox should disappear after system reboots, which hides attackers’ tracks nicely and means they can’t establish a persistent presence.
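The host-interaction settings the report describes are controlled by a Windows Sandbox configuration file (.wsb). The following is an added example, not taken from the NPA document or from the attackers’ tooling, showing a locked-down configuration with comments marking the weak values that would give sandboxed code a path to the host or to the network. The folder paths are hypothetical.

```xml
<!-- Hardened Windows Sandbox configuration (.wsb). Added example; folder paths are placeholders. -->
<Configuration>
  <!-- Disable network access: the default (Enable) lets sandboxed code reach a command-and-control server. -->
  <Networking>Disable</Networking>

  <!-- Disable clipboard sharing between host and sandbox (default is Enable). -->
  <ClipboardRedirection>Disable</ClipboardRedirection>

  <!-- Disable virtual GPU, printer and audio/video input: fewer host devices exposed to the sandbox. -->
  <VGpu>Disable</VGpu>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>

  <!-- Run the sandbox with extra isolation for its session (AppContainer-style restrictions). -->
  <ProtectedClient>Enable</ProtectedClient>

  <!-- A mapped folder is the only file-level bridge to the host. If one is needed, keep it read-only:
       ReadOnly=false (or omitting ReadOnly, which defaults to writable) lets sandboxed code write to the host. -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxDrop</HostFolder>   <!-- hypothetical host path -->
      <SandboxFolder>C:\Drop</SandboxFolder>     <!-- hypothetical path inside the sandbox -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>

  <!-- No <LogonCommand> element: a LogonCommand runs a command automatically when the sandbox starts,
       which is how a .wsb file delivered by phishing can launch a payload without further user action. -->
</Configuration>
```

For defenders, the elements worth auditing in any .wsb file that arrives by email or lands on an endpoint are `Networking`, `MappedFolders` (especially writable mappings of sensitive host directories) and `LogonCommand`; a sandbox with networking enabled and a writable mapped folder is exactly the configuration that lets short-lived, in-sandbox malware talk to a controller and still touch the host.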

These miscreants may not have needed that ongoing access, as it appears they used the access afforded by their various attacks and tools to exploit known vulnerabilities in Fortinet and Citrix products, enabling further forays.

Japanese authorities have urged local businesses to learn from the documentation they have provided about the attacks and harden their defenses.

That call may be too little, too late, as in 2018 – before this wave of attacks commenced – Google warned that APT 10 had launched a new phishing campaign at Japanese targets, and had conducted similar campaigns since 2009. ®