China-Backed MirrorFace Trains Sights on EU Diplomatic Corps

November 7, 2024 at 07:30PM

The Chinese APT group MirrorFace has expanded its espionage activities into the European Union, using the legitimate SoftEther VPN software for remote access. Previously known for interfering in Japanese elections, MirrorFace now targets diplomatic entities. Other China-backed groups are also adopting SoftEther VPN to evade detection, indicating that this tradecraft is spreading among groups conducting cyber espionage in Europe.

### Meeting Takeaways

1. **MirrorFace APT Group Expansion**: The Chinese advanced persistent threat group “MirrorFace” is expanding its operations into the European Union, focusing on diplomatic espionage, particularly targeting an unidentified diplomatic entity.

2. **Past Activities**: MirrorFace gained notoriety in 2022 for interfering in Japanese elections and has continued its activities in Japan.

3. **Use of SoftEther VPN**: The group is increasingly utilizing SoftEther VPN to maintain access and blend malicious traffic with legitimate traffic, a trend observed in other Beijing-backed APT groups such as Flax Typhoon, Gallium, and Webworm.

4. **Emerging Threats**: The emergence of another group, Hydrochasma, has been noted for abusing SoftEther VPN in cyber-espionage against Asia-based shipping companies. Similarly, ToddyCat has been using the VPN to target government and defense entities in the Asia-Pacific region.

5. **Challenges in Detection**: The use of legitimate software like SoftEther VPN complicates detection efforts for security analysts, because the tool's traffic and presence look like those of authorized users, allowing attackers to masquerade as legitimate remote-access activity.

6. **Collaboration Among Threat Actors**: Chinese-backed APTs are reportedly providing cybercrime expertise to Iranian-backed adversaries, facilitating cyber-espionage in Iraq, Azerbaijan, and against French diplomats.

7. **Targeting Educational Institutions**: Chinese and North Korean threat actors have heightened their focus on attacks against educational institutions in the US, South Korea, and Southeast Asia.

8. **Future Trends**: There is an expectation of increased usage of SoftEther VPN and other legitimate remote access tools by threat actors to avoid detection and blend malicious activities with normal traffic.

This information highlights the need for heightened vigilance and updated security measures to address the evolving landscape of cyber threats.