Introduction

The Chinese hacking group MirrorFace [2], also known as Earth Kasha [1], has expanded its operations beyond its traditional focus on Japan, targeting a diplomatic organization in the European Union for the first time in the summer of 2024 [2]. This development signifies a notable shift in the group’s strategy and highlights the evolving nature of cyber threats.

Description

The Chinese hacking group MirrorFace [2], also known as Earth Kasha [1], has expanded its targeting beyond Asia, attacking a diplomatic organization in the European Union for the first time during the summer of 2024 [2]. This marks a significant shift from the group’s historical focus on Japan, as noted by the Slovak cybersecurity company ESET [2]. The group used the upcoming 2025 Osaka Expo as a lure in a spear-phishing campaign: emails pointed recipients to a ZIP file titled “The EXPO Exhibition in Japan in 2025.zip,” hosted on OneDrive [1]. Recipients were prompted to open a LNK file within the ZIP, which attempted to install the ANEL backdoor [1]. Although ANEL was believed to have been discontinued between late 2018 and early 2019, it has recently resurfaced in MirrorFace’s operations [1]. A day after this attack, another backdoor known as HiddenFace, or NOOPDOOR, was deployed; it serves as a primary tool in the group’s attack arsenal [1].
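The delivery chain described above depends on a Windows shortcut (LNK) file inside a ZIP archive, which a mail or download gateway can check for before the archive reaches a user. The following Python code is an added example, not code from ESET or the cited sources; it flags archive members by the Shell Link file header as well as by extension. The function names and the sample archive contents are constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) files begin with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (per MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def find_lnk_members(zip_bytes):
    """Return (member_name, reason) for each shortcut found in a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            named_lnk = info.filename.lower().endswith(".lnk")
            if info.flag_bits & 0x1:
                # Encrypted member: content is unreadable without the
                # password, so only the file name can be judged.
                if named_lnk:
                    findings.append((info.filename, ".lnk extension"))
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((info.filename, "shell-link header"))
            elif named_lnk:
                findings.append((info.filename, ".lnk extension"))
    return findings


def build_sample_zip():
    """Constructed sample archive; the 'shortcuts' are header bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("Exhibition details.docx.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("schedule.dat", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
        zf.writestr("notes.LNK", b"not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_lnk_members(build_sample_zip()):
        print(f"{name}: {reason}")
```

Checking the header catches shortcuts whose extension has been changed, while the extension check still covers members whose content cannot be read.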

Despite this new targeting in the EU, ESET emphasizes that MirrorFace remains primarily focused on Japan, where attacks on various sectors, including media, political organizations, think tanks, universities, manufacturers, and research institutions, have been increasing [2]. Earlier this year, Japan’s national cybersecurity agency (NISC) reported a hacking incident that potentially compromised sensitive data for nine months, with state-backed Chinese hackers suspected of involvement [2]. Furthermore, a report indicated that Chinese military hackers had previously compromised Japan’s defense networks in 2020 [2].

Conclusion

The expansion of MirrorFace’s activities into the European Union underscores the growing complexity and reach of cyber threats posed by state-backed hacking groups. This shift necessitates enhanced vigilance and collaboration among international cybersecurity agencies to mitigate potential impacts. As cyber threats continue to evolve, it is crucial for organizations to strengthen their defenses and remain informed about emerging tactics used by such groups.

References

[1] https://rocket-boys.co.jp/10515/
[2] https://www.cybersecurityintelligence.com/blog/chinese-hackers-target-japan-and-eu–8062.html