Source URL: https://www.theregister.com/2025/01/09/japan_mirrorface_china_attack/
Source: The Register
Title: Japanese Police claim China ran five-year cyberattack campaign
Feedly Summary: ‘MirrorFace’ group found ways to run malware in the Windows sandbox, which is worrying
Japan’s National Police Agency and Center of Incident Readiness and Strategy for Cybersecurity have confirmed third party reports of attacks on local orgs by publishing details of a years-long series of attacks attributed to a China-backed source.…
AI Summary and Description: Yes
Summary: The text details a series of cyberattacks attributed to a China-backed threat actor known as “MirrorFace”. Japanese authorities have documented three waves of attacks from 2019 to 2024, targeting various sectors including government and academia with methods like phishing, malware, and exploiting vulnerabilities in established software. The findings emphasize the need for enhanced cybersecurity measures.
Detailed Description: This report outlines a significant cyber threat landscape, focusing on documented attacks led by the “MirrorFace” group, which reflect serious implications for security across infrastructure, particularly regarding cybersecurity readiness in organizations. Here are the major points:
– **Attack Attribution**: Japan’s National Police Agency attributes the attacks to a China-backed group, indicating a persistent threat from nation-state actors.
– **Timeline**: The report covers a timeline from 2019 to 2024, highlighting the evolving nature of cyber threats. The three waves of attacks exhibit a strategic approach over an extended period.
– **Methodologies**:
  – **Phishing Campaigns**: Initial attacks involved sending sophisticated phishing emails to various organizations, including malware-laden attachments and misleading communications.
  – **Exploitation of Vulnerabilities**: The attackers utilized known vulnerabilities in TLS 1.0 and SQL injection, demonstrating an understanding of target weaknesses.
  – **Use of Advanced Tools**: The employment of tools like Cobalt Strike BEACON and Neo-reGeorg indicates a highly organized attack framework. The use of open-source WebShells is also a critical tactic, as it can facilitate unauthorized access and further attacks.
– **Targets**: The sectors affected include semiconductors, manufacturing, academia, and government, underscoring a broad range of vulnerabilities across crucial infrastructures.
– **Malware Deployment**: The document mentions several malware strains including LODEINFO, LilimRAT, and NOOPDOOR, indicating the varied toolkit of the attackers.
– **Sandbox Utilization**: The attackers’ ability to leverage Windows Sandbox environments to run code without establishing a permanent presence on the host shows advanced evasion tactics.
– **Recommendations for Defense**: Authorities recommend that organizations rigorously apply defensive measures based on documented attack vectors to prevent future breaches.
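The sandbox point above is the one most defenders will not already have coverage for: code launched inside Windows Sandbox leaves little trace on the host beyond the launch of `WindowsSandbox.exe` and, optionally, the `.wsb` configuration file passed to it. The following is an added detection example written for this summary, not code from the NPA report or from The Register. It works over constructed process-creation records (the `host`/`image`/`cmdline`/`user` fields are an assumed flattening of Sysmon Event ID 1 or Security Event ID 4688) and over a constructed `.wsb` file; the `SandboxLaunch` class and the function names are mine. The `.wsb` element names (`Networking`, `MappedFolders`, `MappedFolder`, `HostFolder`, `ReadOnly`, `LogonCommand`, `Command`) are the real Windows Sandbox configuration schema.

```python
"""Flag Windows Sandbox launches and review the .wsb config they were given.

Added example for the MirrorFace summary; sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records (assumed flattening of Sysmon EID 1 /
# Security EID 4688). Not telemetry from the report.
SAMPLE_EVENTS = [
    {"host": "ws-12", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r"WindowsSandbox.exe C:\Users\alice\Downloads\update.wsb"},
    {"host": "ws-12", "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE /n invoice.docx"},
    {"host": "ws-07", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r"WindowsSandbox.exe"},
]

# Constructed .wsb file: maps a writable host folder into the sandbox and runs
# a command at logon, which is how a staged payload gets executed inside it.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\alice\\Downloads\\stage</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\stage\\run.bat</Command>
  </LogonCommand>
</Configuration>"""


@dataclass
class SandboxLaunch:
    host: str
    user: str
    wsb_path: Optional[str]  # config file on the command line, if any


# A .wsb path is a single non-space token ending in .wsb (paths with spaces
# would be quoted in real telemetry; this sample has none).
WSB_RE = re.compile(r"(\S+\.wsb)\b", re.IGNORECASE)


def find_sandbox_launches(events) -> List[SandboxLaunch]:
    """Return every WindowsSandbox.exe start, with its .wsb argument if present."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\windowssandbox.exe"):
            continue
        m = WSB_RE.search(ev["cmdline"])
        hits.append(SandboxLaunch(ev["host"], ev["user"], m.group(1) if m else None))
    return hits


def assess_wsb(xml_text: str) -> List[str]:
    """List the settings in a .wsb file that matter for triage.

    Defaults follow the Windows Sandbox schema: networking is enabled and a
    mapped folder is writable unless the file says otherwise.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("Networking") or "Enable").strip().lower() != "disable":
        findings.append("networking enabled: sandbox can reach external hosts")
    for mf in root.iter("MappedFolder"):
        host_folder = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        if not read_only:
            findings.append(f"writable host folder mapped: {host_folder}")
    cmd = root.findtext("LogonCommand/Command")
    if cmd and cmd.strip():
        findings.append(f"logon command runs on start: {cmd.strip()}")
    return findings


if __name__ == "__main__":
    for launch in find_sandbox_launches(SAMPLE_EVENTS):
        print(f"{launch.host} {launch.user} sandbox start, config={launch.wsb_path}")
    for finding in assess_wsb(SAMPLE_WSB):
        print("  -", finding)
```

In practice the second function runs against the `.wsb` file recovered from the path the first one reports; a launch with no config file at all is worth a look too, since the sandbox can still be driven interactively, but the combination of a writable mapped folder and a logon command is the pattern that turns the sandbox into a disposable execution environment invisible to host EDR.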
This analysis serves as a cautionary note for cybersecurity professionals, emphasizing the need for continuous monitoring, robust incident response strategies, and educating employees about phishing and social engineering tactics. It highlights the importance of maintaining updated security protocols and adapting to evolving threats in the cyber landscape.