China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait

China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait

November 7, 2024 at 06:21AM

The China-aligned hacking group MirrorFace has targeted a European Union diplomatic organization using a phishing lure related to the upcoming 2025 World Expo in Japan. This marks their first attack in the EU, continuing a trend of targeting Japan and expanding into Taiwan and India since 2023.

### Meeting Takeaways – Nov 07, 2024

1. **New Target for MirrorFace:**
– The China-aligned threat actor MirrorFace has targeted a European Union diplomatic organization for the first time, indicating an expansion of their geographical focus.

2. **Exploitation of Upcoming Event:**
– The attack utilized the lure of the 2025 World Expo in Osaka, Japan, reflecting the group’s continued interest in Japan-related events.

3. **Background on MirrorFace:**
– MirrorFace (also known as Earth Kasha) is part of APT10 and has been targeting Japanese organizations since 2019. Its campaigns have recently expanded to Taiwan and India.

4. **Evolution of Malware Arsenal:**
– The group’s malware tools include backdoors such as ANEL (UPPERCUT), LODEINFO, and NOOPDOOR (HiddenFace), plus a credential stealer named MirrorStealer.
– Notably, ANEL has resurfaced after several years of inactivity.

5. **Spear-Phishing Attack Details:**
– The recent attack involved a spear-phishing email containing a ZIP archive link that led to the deployment of malware upon opening a Windows shortcut file.

6. **Rising Threats from Chinese Actors:**
– Increased activity from other China-linked threat actors (Flax Typhoon, Granite Typhoon, Webworm) utilizing SoftEther VPN to access victims’ networks.
– Reports indicate Volt Typhoon’s breach of Singapore Telecommunications as a test run for broader campaigns targeting telecom and critical infrastructure.

7. **Recent U.S. Cybersecurity Risks:**
– U.S. telecom providers such as AT&T, Verizon, and Lumen Technologies have become targets for another adversarial group, Salt Typhoon, leading to compromises of critical communications.

### Conclusion
The meeting highlighted significant advancements in cyber espionage tactics, particularly from China-aligned groups, with a focus on geopolitical events and vulnerabilities in critical infrastructure. Increased vigilance and proactive defense strategies are essential in light of these emerging threats.

Full Article