By Ashwani Mishra, Editor-Technology, 63SATS Cybertech
When Japan’s National Police Agency (NPA) publicly attributed more than 200 cyberattacks to a China-linked hacking group earlier this year, it marked a new phase of cyber conflict—one no longer confined to shadowy reports and private advisories. The group in question, known as MirrorFace or Earth Kasha, has operated discreetly since at least 2019, targeting institutions at the heart of Japan’s national security and innovation ecosystem.
But what once appeared as a localized campaign is now revealing international ambitions.
MirrorFace, suspected to be a sub-cluster within China’s notorious APT10 umbrella, has evolved into a persistent threat actor with expanding targets and advanced capabilities. In recent months, security researchers from Trend Micro and ESET have tracked the group’s increasing reach, highlighting their operations not just in Japan, but in Taiwan and even Europe.
Cybersecurity firm Trend Micro detected a sophisticated spear-phishing campaign by MirrorFace aimed at Japanese and Taiwanese government agencies. The campaign deployed a familiar malware strain known as ANEL—also called UPPERCUT—alongside newer tools such as ROAMINGMOUSE and NOOPDOOR. This latest operation used phishing emails sent from compromised legitimate accounts, leading recipients to Microsoft OneDrive links that downloaded ZIP files embedded with malware.
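The delivery chain described above (a message from a legitimate-looking account carrying a OneDrive link that resolves to a ZIP download) is one a mail gateway can be made to surface. The following is an added defender-side example, not code from Trend Micro or from the article: it triages constructed mail-gateway URL events, flags cloud-share links that point at a direct archive download, and additionally marks a sender that fans such links out to several recipients, since a compromised legitimate account defeats sender-reputation checks but still shows up as an unusual burst. The event schema, the host list and the burst threshold are assumptions for illustration.

```python
"""Triage mail-gateway URL events for the cloud-share-link-to-archive pattern.

Added example (not the article's or any vendor's code). The event format,
share-host list and burst threshold are assumptions, not a product schema.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample events (not real data): one record per URL seen in an
# inbound message. "alice" plays a legitimate partner account that has been
# taken over and is fanning share links out to several recipients.
SAMPLE_EVENTS = [
    {"msg_id": "m1", "sender": "alice@partner.example", "recipient": "bob@agency.example.jp",
     "url": "https://1drv.ms/u/s!FAKESHAREID?e=abc"},
    {"msg_id": "m2", "sender": "alice@partner.example", "recipient": "carol@agency.example.jp",
     "url": "https://onedrive.live.com/download?resid=FAKE%21123&authkey=FAKE&filename=report.zip"},
    {"msg_id": "m3", "sender": "alice@partner.example", "recipient": "dave@agency.example.jp",
     "url": "https://contoso-my.sharepoint.com/:u:/g/personal/x/EFAKE?download=1"},
    {"msg_id": "m4", "sender": "news@vendor.example", "recipient": "bob@agency.example.jp",
     "url": "https://vendor.example/newsletter/2025-05"},
    {"msg_id": "m5", "sender": "erin@partner.example", "recipient": "bob@agency.example.jp",
     "url": "https://onedrive.live.com/?cid=FAKE&id=FAKE%21456"},
]

# Hosts treated as cloud-share links (assumed list; extend for your tenant).
SHARE_HOSTS = {"1drv.ms", "onedrive.live.com"}
# Archive extensions, matched anywhere in the URL because the filename often
# lives in the query string rather than the path.
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar|iso)\b", re.IGNORECASE)


def link_reasons(url: str) -> list[str]:
    """Return the indicators a single URL exhibits (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in SHARE_HOSTS and not host.endswith(".sharepoint.com"):
        return []
    reasons = ["cloud-share-link"]
    query = parse_qs(parsed.query)
    # A /download path or download=1 parameter bypasses the preview page.
    if "download" in parsed.path.lower() or query.get("download") == ["1"]:
        reasons.append("direct-download")
    if ARCHIVE_EXT.search(url):
        reasons.append("archive-download")
    return reasons


def triage(events: list[dict], burst_threshold: int = 3) -> dict[str, list[str]]:
    """Map msg_id -> indicators; add 'sender-burst' when one sender fans share
    links out to burst_threshold or more distinct recipients."""
    flagged: dict[str, list[str]] = {}
    recipients_by_sender: dict[str, set[str]] = defaultdict(set)
    sender_of: dict[str, str] = {}
    for ev in events:
        reasons = link_reasons(ev["url"])
        if not reasons:
            continue
        # Merge indicators when one message carries several URLs.
        merged = flagged.setdefault(ev["msg_id"], [])
        merged.extend(r for r in reasons if r not in merged)
        sender_of[ev["msg_id"]] = ev["sender"]
        recipients_by_sender[ev["sender"]].add(ev["recipient"])
    for msg_id, sender in sender_of.items():
        if len(recipients_by_sender[sender]) >= burst_threshold:
            flagged[msg_id].append("sender-burst")
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_EVENTS).items():
        print(msg_id, ", ".join(reasons))
```

In the sample, messages with a share link alone (m5) are kept as low-priority context, while the messages that combine a share link with a direct archive download and a sender burst (m2, m3) are the ones an analyst would pull first; the newsletter link (m4) is never flagged. Tuning the host list and threshold to the organisation's normal OneDrive traffic is what keeps this from drowning in legitimate file sharing.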
The campaign, according to Trend Micro researcher Hara Hiroaki, included a notable evolution in tactics. ANEL had been updated with the ability to execute Beacon Object Files (BOF) in memory—an indication that MirrorFace continues to refine its toolset for stealth and efficiency. The group also likely used a framework called SharpHide to facilitate the launch of secondary payloads, including the NOOPDOOR backdoor.
But the attacks go beyond malware innovation. In August 2024, ESET discovered that MirrorFace had targeted a Central European diplomatic organization connected to Expo 2025 in Osaka, Japan. Dubbed Operation AkaiRyū, the attack illustrates how geopolitical events increasingly serve as lures and leverage points in cyber campaigns.
While Japan remains the group’s primary focus, Taiwan’s public institutions have also come under attack, reflecting broader regional objectives likely aligned with Beijing’s geopolitical interests. Analysts view these campaigns as part of a long-term strategy to steal sensitive diplomatic, technological, and defense-related data.
MirrorFace’s targets are wide-ranging
Japan’s NPA reported that victims between 2019 and 2024 included the Ministries of Foreign Affairs and Defense, Japan’s space agency, and think tanks involved in cutting-edge technologies. Individual politicians and journalists were also on the radar, suggesting the campaign’s dual aim: intelligence gathering and influence operations.
Indeed, MirrorFace’s cyber campaigns mirror Beijing’s broader digital strategy, which seeks to expand global influence while maintaining plausible deniability. The group’s increased use of compromised infrastructure—legitimate email accounts, cloud services like OneDrive—makes attribution difficult and reduces detection rates.
In response to the escalating threat, Japan has urged its government agencies and private sector leaders to bolster cyber defenses. The January 2025 public disclosure by the NPA represents a shift in strategy: from quiet resilience to active deterrence. Officials are hoping that greater transparency will galvanize collective defense efforts across sectors.
Experts, however, warn that Japan and its allies must remain vigilant. As Expo 2025 in Osaka approaches, the international spotlight may only intensify MirrorFace’s activities.
In an interconnected world, cyberattacks are no longer limited by geography. MirrorFace’s evolution from a Japan-focused espionage group to a transnational actor underscores a sobering reality: Nation-state hacking is a global game, and the stakes are higher than ever.
As MirrorFace’s campaigns grow in scope and complexity, they reflect a new era in cyber conflict—one defined by stealth, subversion, and strategic calculus. For nations like Japan, the battle is no longer about preventing isolated breaches but defending the very pillars of national resilience: technology, diplomacy, and trust. The digital battlefield may be invisible, but its consequences are all too real.