
The MirrorFace Advanced Persistent Threat (APT) group, also known as Earth Kasha, has been linked to a series of cyber-attacks targeting Japan. These attacks have been ongoing since 2019 and have primarily focused on stealing data related to Japan’s national security and advanced technologies.
Key Details:
- Targets: The attacks have targeted government agencies, defense organizations, space research centers, and private firms involved in advanced technologies. Notable targets include Japan’s Foreign and Defense ministries, the Japan Aerospace Exploration Agency (JAXA), and various politicians, journalists, and think tanks.
- Methods: MirrorFace has used sophisticated techniques such as spear-phishing emails with malware-laden attachments, exploiting VPN vulnerabilities, and executing malware within virtualized environments like the Windows Sandbox to avoid detection.
- Vulnerabilities Exploited: MirrorFace exploited vulnerabilities in devices including Fortinet FortiOS and FortiProxy (CVE-2023-28461), Citrix ADC (CVE-2023-27997), and Citrix Gateway (CVE-2023-3519).
- Malware Tools: The group has employed various malware tools, including ANEL, LODEINFO, and NOOPDOOR, to infiltrate and compromise systems.
Notable Incidents:
- JAXA Attack: The Japan Aerospace Exploration Agency acknowledged a series of cyber-attacks since 2023, with hackers exploiting VPN vulnerabilities to gain unauthorized access to information. Although sensitive data related to rockets, satellites, and defense was not affected, the breach highlighted the need for stronger cybersecurity measures.
- Port of Nagoya: In 2023, a ransomware attack paralyzed operations at a container terminal in the Port of Nagoya for three days, causing significant disruption.
- Japan Airlines: On Christmas 2024, Japan Airlines experienced a cyber-attack that led to delays and cancellations of more than 20 domestic flights. The carrier managed to restore its systems within hours, ensuring flight safety was not compromised.
Response and Mitigation:
Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have been actively investigating these attacks and urging organizations to reinforce their cybersecurity measures. The NPA has publicly disclosed the methods used by MirrorFace to raise awareness and encourage the implementation of appropriate security measures.
These incidents underscore the importance of robust cybersecurity practices and the need for continuous vigilance against evolving cyber threats.

