The world of cyber-espionage is evolving, and one of the most sophisticated threats has just broadened its horizon. The MirrorFace group, a China-backed advanced persistent threat (APT), is now targeting diplomatic organizations in the European Union (EU). This marks a significant shift from its previous operations, which were primarily focused on Japan. The group’s latest tactics, particularly its use of the SoftEther VPN, reveal how these APTs are adapting to avoid detection and carry out more sophisticated espionage campaigns. In this post, we’ll take a deep dive into the MirrorFace group’s latest activities, how they’re leveraging new tools, and how organizations can protect themselves against such attacks.
MirrorFace Shifts Focus to the EU Diplomatic Sector
MirrorFace first gained notoriety for its interference in Japan’s 2022 elections, where it used cyber-attacks to steal sensitive data. Since then, the group has maintained a persistent presence in Japan. However, researchers from ESET recently discovered that MirrorFace has expanded its operations to the EU, specifically targeting diplomatic entities for espionage. This shift highlights the growing reach of Chinese-backed APT groups, who are increasingly focusing on high-value targets in the diplomatic and governmental sectors across the globe.
According to Jean-Ian Boutin, director of threat research at ESET, “For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors.” These groups, including MirrorFace, have been increasingly focused on governmental and defense sectors due to the sensitive nature of the data they handle.
The Rise of SoftEther VPN in Cyber-Espionage
One of the most significant changes in the tactics of MirrorFace and other Chinese-backed APT groups is their increasing reliance on SoftEther VPN. SoftEther is an open-source, cross-platform VPN software that has become a favored tool among threat actors. It allows cybercriminals to blend malicious traffic with legitimate HTTPS traffic, making it more difficult for traditional security systems to detect unauthorized activity.
SoftEther VPN also enables attackers to masquerade as legitimate remote users, accessing compromised networks over the tunnel with the Remote Desktop Protocol (RDP). This helps them remain undetected for longer periods, making it a powerful tool for maintaining persistent access to a network.
The shift to SoftEther VPN isn’t unique to MirrorFace. Other Chinese-backed APT groups, including Flax Typhoon, Gallium, and Webworm, have also adopted this tool for their espionage campaigns. Even previously unknown groups, such as Hydrochasma, have utilized SoftEther VPN in cyber-espionage attacks targeting Asian shipping companies and government entities.
Why SoftEther VPN?
The growing use of SoftEther VPN among APT groups can be attributed to several key benefits:
1. Legitimacy: SoftEther is a legitimate, widely used tool, which helps attackers evade detection by blending their malicious activities with normal, trusted traffic.
2. Encrypted Traffic: By establishing an HTTPS VPN tunnel, attackers can mask their malicious traffic, making it appear like standard encrypted web traffic.
3. Persistent Access: The tool allows attackers to maintain long-term access to compromised networks without raising alarms.
As Mathieu Tartare, senior malware researcher at ESET, explains, “We would not be surprised to observe an increase in the use of SoftEther VPN and other legitimate VPN or remote access tools to bypass detections and blend into legitimate traffic.” This evolving tactic is making it harder for security professionals to identify and neutralize threats in real time.
Collaboration Across Borders: Chinese and Iranian Cyber Actors
Another alarming trend is the growing collaboration between Chinese-backed cybercriminals and adversaries from other nations. ESET researchers have revealed that Chinese threat actors are sharing their expertise with Iranian-backed hackers, helping them execute cyber-espionage campaigns against Iraq, Azerbaijan, and even French diplomats. This cross-border collaboration is part of a broader trend where cyber-espionage groups are increasingly working together, blending their resources and know-how to enhance their operations.
In addition to targeting diplomatic and governmental sectors, Chinese and North Korean-backed actors have also escalated attacks on educational institutions in regions like the US, South Korea, and Southeast Asia. These institutions often store vast amounts of sensitive research and intellectual property, making them prime targets for cyber-espionage.
How to Protect Against MirrorFace and Similar Threats
Given the increasing sophistication of MirrorFace and other APT groups, it’s crucial for organizations, especially those in the diplomatic, governmental, and defense sectors, to implement robust cybersecurity measures to defend against these evolving threats.
1. Enhance Endpoint Security
• Use Endpoint Detection and Response (EDR) tools to continuously monitor for unusual behaviors, such as unauthorized network connections or the use of remote access tools such as RDP.
• Set up alerts for suspicious activities and regularly update security software to detect the latest malware strains.
2. Monitor and Filter Network Traffic
• Implement network traffic analysis tools to detect and block unusual VPN or proxy traffic. Look for SoftEther VPN usage and other remote access tools that could indicate a breach.
• Consider using intrusion detection systems (IDS) to analyze network packets and identify suspicious encrypted traffic.
3. Educate Employees About Phishing Attacks
• As MirrorFace and other APT groups often use spear-phishing to gain access, educating employees on how to identify phishing emails and suspicious links is crucial.
• Implement strong email filtering systems to block malicious attachments and links before they reach end users.
4. Implement Strict Access Controls
• Use least-privilege access policies, ensuring that employees only have access to the data they need to perform their jobs.
• Segment your network to minimize the impact of a breach. If one part of your network is compromised, segmentation helps limit the scope of the attack.
5. Regularly Patch and Update Systems
• Keep all systems, particularly those running VPN software, up to date with the latest security patches to close vulnerabilities that APT groups could exploit.
6. Perform Threat Hunting and Red Team Exercises
• Regularly conduct threat-hunting activities to proactively look for indicators of compromise (IoCs) related to APT groups like MirrorFace.
• Engage in red team exercises to simulate cyber-attacks and test the effectiveness of your incident response plans.
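The detection ideas in recommendations 1 and 2 (watch for remote access tooling, flag SoftEther VPN usage, and correlate it with RDP use as described earlier in the post) can be turned into a concrete hunting rule. The script below is an added example written for this post; it is not code from the original article, from ESET, or from any EDR product. It runs over a constructed set of endpoint events modelled loosely on Sysmon process-creation and network-connection records (the field names are assumptions), and it uses SoftEther's publicly documented component names (vpnserver, vpnclient, vpnbridge, vpncmd) and default listener ports (443, 992, 5555) as its indicators. The trusted install directories and the four-hour correlation window are hypothetical tuning values, not indicators from the post.

```python
"""Hunt for SoftEther-style remote-access activity in endpoint telemetry.

Added example, not from the original post or from ESET. Event fields
(ts, host, type, image, dst_ip, dst_port) are assumptions modelled on
Sysmon process-creation and network-connection events.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# SoftEther component binary names and non-443 default listener ports, taken
# from SoftEther's public documentation. 443 is deliberately excluded from the
# port rule because flagging every HTTPS connection would be far too noisy.
SOFTETHER_IMAGES = {"vpnserver", "vpnclient", "vpnbridge", "vpncmd"}
SOFTETHER_ALT_PORTS = {992, 5555}
RDP_PORT = 3389
# Hypothetical tuning values: where a sanctioned install is expected to live,
# and how long after a VPN-like connection an RDP session is considered linked.
TRUSTED_DIRS = ("c:/program files/", "/usr/local/vpnserver/")
CORRELATION_WINDOW = timedelta(hours=4)

# Constructed sample events (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2024-09-10T08:01:00", "host": "WS-017", "type": "process",
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\svc\\vpnclient.exe"},
    {"ts": "2024-09-10T08:01:05", "host": "WS-017", "type": "network",
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\svc\\vpnclient.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"ts": "2024-09-10T09:30:00", "host": "WS-017", "type": "network",
     "image": "C:\\Windows\\System32\\mstsc.exe",
     "dst_ip": "10.0.5.20", "dst_port": 3389},
    {"ts": "2024-09-10T09:31:00", "host": "WS-022", "type": "network",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2024-09-10T10:00:00", "host": "SRV-DB1", "type": "network",
     "image": "C:\\Windows\\System32\\mstsc.exe",
     "dst_ip": "10.0.5.30", "dst_port": 3389},
    {"ts": "2024-09-10T11:15:00", "host": "WS-031", "type": "network",
     "image": "C:\\Windows\\Temp\\update.exe",
     "dst_ip": "203.0.113.45", "dst_port": 5555},
    {"ts": "2024-09-10T12:00:00", "host": "SRV-VPN1", "type": "process",
     "image": "C:\\Program Files\\SoftEther VPN Server\\vpnserver.exe"},
]


def image_basename(path: str) -> str:
    """Lower-cased file name without a trailing .exe, for Windows or POSIX paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def in_trusted_dir(path: str) -> bool:
    """True when the binary sits under one of the sanctioned install prefixes."""
    normalized = path.replace("\\", "/").lower()
    return normalized.startswith(TRUSTED_DIRS)


def detect(events: List[Dict]) -> List[Dict]:
    """Return de-duplicated findings; events are processed in timestamp order."""
    findings: List[Dict] = []
    seen = set()
    vpn_seen: Dict[str, datetime] = {}  # host -> first VPN-like network event

    def emit(host: str, rule: str, severity: str, detail: str) -> None:
        key = (host, rule, detail)
        if key not in seen:
            seen.add(key)
            findings.append({"host": host, "rule": rule,
                             "severity": severity, "detail": detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, image = ev["host"], ev.get("image", "")
        name = image_basename(image)

        # Rule 1: any SoftEther component at all. Outside a sanctioned install
        # directory (e.g. a user-writable Temp folder) it is rated high.
        if name in SOFTETHER_IMAGES:
            emit(host, "softether_binary",
                 "medium" if in_trusted_dir(image) else "high", image)
            if ev["type"] == "network":
                vpn_seen.setdefault(host, ts)

        if ev["type"] != "network":
            continue
        port = ev["dst_port"]

        # Rule 2: an unrelated binary talking to a SoftEther-specific default port.
        if port in SOFTETHER_ALT_PORTS and name not in SOFTETHER_IMAGES:
            emit(host, "softether_default_port", "medium",
                 f"{name} -> {ev['dst_ip']}:{port}")
            vpn_seen.setdefault(host, ts)

        # Rule 3: RDP from a host that recently established a VPN-like tunnel,
        # the "masquerade as a remote user" pattern described in the post.
        if (port == RDP_PORT and host in vpn_seen
                and ts - vpn_seen[host] <= CORRELATION_WINDOW):
            emit(host, "rdp_after_vpn", "high",
                 f"{name} -> {ev['dst_ip']}:{port} at {ev['ts']}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the constructed events the script produces four findings: the unsanctioned vpnclient.exe on WS-017 and the RDP session that follows it, the unknown binary on WS-031 reaching port 5555, and a medium-severity note for the sanctioned vpnserver.exe on SRV-VPN1 so that the sanctioned install is still inventoried. The ordinary HTTPS connection from Firefox and the RDP session on SRV-DB1 with no preceding tunnel are left alone, which is the point of correlating rather than alerting on every RDP connection.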