
Over the past five years, Japan has faced a series of sophisticated cyberattacks attributed to a Chinese-linked hacking group known as MirrorFace. This group, also referred to as Earth Kasha, has been identified as part of the broader APT10 collective, which is associated with China’s Ministry of State Security. The attacks have targeted critical sectors in Japan, including national security and advanced technology industries, raising alarms about the nation’s cybersecurity vulnerabilities.

The Scope and Objectives of the Attacks

The Japanese National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have confirmed that MirrorFace orchestrated over 200 cyberattacks between 2019 and 2024. These attacks were systematic and aimed at stealing sensitive data related to Japan’s national security and high-tech advancements. 

Key targets included Japan’s Foreign and Defense Ministries, the Japan Aerospace Exploration Agency (JAXA), private companies in the semiconductor and aerospace sectors, politicians, journalists, and think tanks.

MirrorFace’s activities were not limited to governmental entities. The group also infiltrated academic institutions and private organizations involved in cutting-edge research. Their objective was clear: to gain a strategic advantage by exfiltrating intellectual property and classified information critical to Japan’s geopolitical standing and technological innovation.

Techniques and Tools MirrorFace Used

MirrorFace employed a range of advanced techniques to carry out its cyberattacks, demonstrating a high level of sophistication:

Spear-Phishing Campaigns

The group relied heavily on spear-phishing emails to compromise targets. These emails often appeared to originate from trusted sources, such as Gmail or Microsoft Outlook accounts using stolen identities. They contained malicious attachments disguised as legitimate documents. Common subject lines included geopolitical themes like “Japan-U.S. alliance,” “Taiwan Strait,” or “Russia-Ukraine war,” designed to entice recipients into opening the files.
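A defender-side triage of the kind of attachment described above, added here as an example and not code from the original article or from any NPA/NISC guidance. It parses a message with Python's standard email module and flags attachments whose document-style extension hides executable (MZ) content, a deceptive double extension, or a right-to-left override character in the filename. The sender, recipient, subject and attachments are constructed sample data.

```python
"""Attachment triage for spear-phishing mail (added example, not the article's code).

Parses an .eml, then flags attachments that look like documents but carry
executable content, use a deceptive double extension, or hide the real
extension behind a right-to-left override character. All sample data is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of a few common formats (real signatures).
MAGIC = {
    b"MZ": "windows-executable",        # .exe/.dll/.scr
    b"PK\x03\x04": "zip-container",     # .zip, and OOXML .docx/.xlsx
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",        # legacy .doc/.xls
}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
EXEC_EXTS = {"exe", "scr", "dll", "lnk", "js", "vbs", "hta", "cmd", "bat", "ps1", "pif"}
RTLO = "\u202e"  # right-to-left override, used to visually reverse a filename tail


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the claimed extension."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].strip().lower() if "." in filename else ""


def deceptive_name(filename: str) -> bool:
    """True for names such as 'report.pdf.exe' or 'agenda.docx   .scr'."""
    parts = [p.strip().lower() for p in filename.split(".") if p.strip()]
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and any(p in DOC_EXTS for p in parts[1:-1])


def triage(raw: bytes) -> dict:
    """Return {filename: [reasons]} for every attachment that trips a rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext, kind, reasons = extension(name), sniff(data), []
        if ext in DOC_EXTS and kind == "windows-executable":
            reasons.append("pe-content-with-document-extension")
        if ext in EXEC_EXTS:
            reasons.append("executable-extension")
        if deceptive_name(name):
            reasons.append("deceptive-double-extension")
        if RTLO in name:
            reasons.append("rtlo-character-in-filename")
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample() -> bytes:
    """Constructed message: one benign PDF, one PE named as a PDF, one double-extension PE."""
    msg = EmailMessage()
    msg["From"] = "liaison@example.org"      # constructed sender
    msg["To"] = "analyst@example.jp"         # constructed recipient
    msg["Subject"] = "Japan-U.S. alliance: briefing draft"
    msg.set_content("Please review the attached draft before Friday.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60   # constructed PE header fragment, not a real binary
    msg.add_attachment(b"%PDF-1.7\n%constructed\n", maintype="application",
                       subtype="pdf", filename="briefing.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="Taiwan_Strait_memo.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="agenda.docx.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in triage(build_sample()).items():
        print(f"{name}: {', '.join(why)}")
```

The benign PDF passes; the two disguised PE stubs are reported with the rule that caught them. The check deliberately trusts the bytes over the declared MIME type and extension, since both are chosen by the sender; a real OOXML document sniffs as a zip container and is not flagged.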

Exploitation of Network Vulnerabilities

Between February and October 2023, MirrorFace exploited vulnerabilities in virtual private networks (VPNs) and other network devices. This allowed them to gain unauthorized access to networks in sectors like semiconductors, aerospace, and information technology.

Custom Malware Deployment

MirrorFace deployed custom malware tools such as LODEINFO, ANEL (also known as UPPERCUT), NOOPDOOR (HiddenFace), and LilimRAT. These tools enabled them to establish backdoors into compromised systems, steal credentials, execute commands remotely, and evade detection by antivirus software. For example:

  • LODEINFO was used for credential theft.
  • ANEL facilitated covert data exfiltration.
  • NOOPDOOR provided persistent backdoor access.

The malware often operated within Windows Sandbox environments—a virtualized space that prevents permanent infections—allowing it to run undetected while erasing traces upon system reboot.

Advanced Tunneling Techniques

The group leveraged Visual Studio Code’s development tunnels for covert remote control of compromised systems. This method bypassed traditional network defenses and enabled persistent access.
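Both techniques above (running payloads inside Windows Sandbox and remote control through Visual Studio Code dev tunnels) leave observable traces on the endpoint and at the network edge. The following is an added detection example, not code from the article: it runs three simple rules over constructed endpoint, DNS and proxy log lines, and summarises what a constructed Windows Sandbox configuration (.wsb) file would do. The one-event-per-line key=value log format is an assumption made for the example; the domain suffixes `.devtunnels.ms` and `.tunnels.api.visualstudio.com` are the ones Microsoft documents for dev tunnels, and the element names used in the .wsb file (Networking, MappedFolder, HostFolder, LogonCommand) are from the Windows Sandbox configuration format.

```python
"""Detection rules for Windows Sandbox launches and VS Code dev tunnel activity.

Added example, not the article's code. The log format (one event per line,
key=value fields) is an assumption made for this example; all lines are constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Domain suffixes Microsoft documents for Visual Studio Code dev tunnels.
TUNNEL_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed endpoint (process), DNS and proxy events from two hosts.
SAMPLE_LOGS = r"""
2025-01-08T09:12:03Z host=ws-17 type=process parent=explorer.exe image=C:\Windows\System32\WindowsSandbox.exe cmdline="WindowsSandbox.exe C:\Users\a\Downloads\memo.wsb"
2025-01-08T09:12:40Z host=ws-17 type=dns query=global.rel.tunnels.api.visualstudio.com
2025-01-08T09:12:41Z host=ws-17 type=proxy dest=abcd1234-8080.asse.devtunnels.ms:443 bytes_out=18342
2025-01-08T09:15:00Z host=ws-22 type=proxy dest=update.example.com:443 bytes_out=2210
2025-01-08T09:16:10Z host=ws-22 type=process parent=cmd.exe image="C:\Program Files\Microsoft VS Code\code.exe" cmdline="code.exe tunnel"
"""

# Constructed Windows Sandbox configuration; element names follow the .wsb format.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\a\Downloads\stage</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\stage\run.bat</Command>
  </LogonCommand>
</Configuration>"""


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; quoted values may contain spaces."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def detect(log_text: str) -> dict:
    """Return {host: [(ts, rule, detail), ...]} for events matching a rule."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        host, kind = ev.get("host", "?"), ev.get("type")
        if kind == "process":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("cmdline", "")
            # Rule 1: Windows Sandbox started, or a .wsb configuration passed on a command line.
            if image == "windowssandbox.exe" or ".wsb" in cmd.lower():
                hits[host].append((ev["ts"], "windows-sandbox-launch", cmd))
            # Rule 2: the VS Code CLI invoked in tunnel mode.
            if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.I):
                hits[host].append((ev["ts"], "vscode-tunnel-cli", cmd))
        elif kind in ("dns", "proxy"):
            # Rule 3: name resolution or egress to the dev tunnel service.
            fqdn = (ev.get("query") or ev.get("dest", "")).rsplit(":", 1)[0].lower()
            if fqdn.endswith(TUNNEL_SUFFIXES):
                hits[host].append((ev["ts"], "dev-tunnel-egress", fqdn))
    return dict(hits)


def inspect_wsb(xml_text: str) -> dict:
    """Summarise a .wsb file: host folders exposed, command run at logon, networking setting."""
    root = ET.fromstring(xml_text)
    networking = (root.findtext("Networking") or "Default").strip()
    folders = [e.text.strip() for e in root.findall("./MappedFolders/MappedFolder/HostFolder") if e.text]
    logon = root.findtext("./LogonCommand/Command")
    # A logon command with networking left on means code runs automatically with outbound access.
    return {
        "networking": networking,
        "mapped_folders": folders,
        "logon_command": logon.strip() if logon else None,
        "risky": logon is not None and networking.lower() != "disable",
    }


if __name__ == "__main__":
    for host, events in detect(SAMPLE_LOGS).items():
        for ts, rule, detail in events:
            print(f"{host} {ts} {rule}: {detail}")
    print(inspect_wsb(SAMPLE_WSB))
```

Developers and analysts use both Windows Sandbox and dev tunnels legitimately, so these are triage signals rather than verdicts: correlate a sandbox launch with whether the optional feature was recently enabled on that host and whether the user's role explains it, and treat dev tunnel egress from hosts that are not developer workstations, or from a `code.exe` started by a shell rather than a user session, as the higher-priority case. Where dev tunnels are not needed, blocking the documented domains at the proxy removes the channel entirely.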

Notable Incidents Linked to MirrorFace

Several high-profile incidents illustrate the scope and impact of MirrorFace’s activities:

Nagoya Port Ransomware Attack (July 2023)

In July 2023, MirrorFace launched a ransomware attack on Nagoya Port, Japan’s largest port, disrupting operations for three days. The attack paralyzed container handling systems, delaying shipments and causing significant economic losses. Authorities identified vulnerabilities in the port’s critical infrastructure as the entry point for the hackers. 

Japan Airlines Cyber Attack (December 25, 2024)

On Christmas Day 2024, MirrorFace targeted Japan Airlines, causing delays for over 20 domestic flights. While flight safety systems remained unaffected, the attack exposed vulnerabilities in operational systems during a peak travel period. Investigators linked the incident to phishing emails containing malware designed to infiltrate internal networks. 

Operation LiberalFace (June–July 2022)

MirrorFace conducted a campaign called “Operation LiberalFace,” targeting Japanese politicians ahead of the House of Councillors election in July 2022. The group sent spear-phishing emails disguised as official communications from political parties, deploying malware such as LODEINFO and MirrorStealer. These tools exfiltrated credentials and sensitive documents from political entities. 

EU Diplomatic Targeting (November 2024)

In November 2024, MirrorFace expanded its operations beyond East Asia by targeting a European Union diplomatic organization. This marked the first known instance of the group attacking an entity in Europe. The campaign used spear-phishing emails referencing Expo 2025 in Osaka, Japan, as a lure. These emails contained links to a malicious ZIP archive hosted on Microsoft OneDrive, which delivered the ANEL and NOOPDOOR malware.

Impact on Japan’s Strategic Sectors

The cyberattacks carried out by MirrorFace have had significant implications for Japan’s national security and technological sectors:

Government Agencies

The MirrorFace cyberattacks have raised concerns about the exposure of sensitive data from Japan’s Foreign Affairs and Defense Ministries. While no catastrophic breaches have been confirmed, the potential compromise of internal communications could undermine Japan’s diplomatic strategies and military planning, especially as it strengthens ties with the United States.

Aerospace Industry

The Japan Aerospace Exploration Agency (JAXA) has experienced multiple cyberattacks since 2023, leading to the compromise of accounts belonging to top officials. Although JAXA confirmed that no sensitive data related to rockets or satellites was leaked, attackers accessed personal data and files shared with international partners like NASA and Mitsubishi Heavy Industries.

Private Enterprises

Japanese companies in semiconductors, telecommunications, and other high-tech industries faced targeted breaches aimed at stealing intellectual property. The attacks exploited VPN vulnerabilities and sought advanced technology data. These incidents threaten Japan’s global competitiveness and highlight the need for stronger defenses in sectors integral to economic security.

Response from Japanese Authorities

In response to these attacks, Japanese authorities have intensified their efforts to strengthen cybersecurity:

  • The NPA has issued alerts detailing MirrorFace’s tactics and urging organizations to adopt preventive measures such as enhanced monitoring of communication records and employee training on recognizing phishing attempts. 
  • Collaboration with international partners like the United States has been prioritized to share intelligence and develop coordinated responses.
  • Plans are underway to introduce active cyber defense legislation aimed at protecting critical infrastructure from future cyberattacks. 

However, experts warn that more comprehensive measures are necessary to address systemic weaknesses effectively.

How TeraDact Can Strengthen Your Cybersecurity Posture

For organizations seeking robust protection against advanced threats like those MirrorFace poses, TeraDact offers comprehensive solutions tailored to modern cybersecurity challenges. Our innovative tools provide multi-layered defenses designed to safeguard sensitive information across various platforms.

TeraDact’s key features include data anonymization techniques that render sensitive information unreadable without proper authorization. We also customize security frameworks and adapt defenses based on specific organizational needs. 

Lessons from MirrorFace

The sustained campaign by MirrorFace against Japanese entities serves as a stark reminder of the growing sophistication of state-sponsored cyber espionage operations. For governments and businesses alike, investing in advanced cybersecurity measures is no longer optional—it is essential for safeguarding sensitive information and maintaining operational resilience.

To learn more about this issue or explore solutions for enhancing your organization’s cybersecurity posture against threats, visit TeraDact today for a demo and free trial!
