MirrorFace is a threat actor group known for its focus on Japan. The group has a history of malicious activity aimed at compromising systems and stealing valuable information. Over the summer, however, ESET researchers discovered that MirrorFace had expanded its operations beyond Japan, targeting a diplomatic organization within the European Union. This was the first time ESET detected the group directing its efforts at a European organization, signaling a significant shift in its operational strategy.
Among Chinese groups that use SoftEther VPN or a SoftEther VPN bridge, three are notable: Flax Typhoon (also known as RedJuliett), Gallium, and MirrorFace (also known as Earth Kasha). These groups have been implicated in various cyber espionage activities. For instance, Flax Typhoon was caught spying on Taiwanese firms, while Gallium unleashed stealthy LuaJIT-based malware. MirrorFace, on the other hand, zeroed in on Japan's manufacturing sector, causing significant disruptions and potentially leading to substantial financial losses.
Despite this new geographic targeting, MirrorFace remains primarily focused on Japan and events related to it, according to ESET. This suggests that while the group is diversifying its targets, its primary interest remains rooted in Japan. This continued focus underscores the need for organizations in the country, especially those in the manufacturing sector, to bolster their cybersecurity measures to mitigate potential threats from MirrorFace and similar threat actors.
Description last updated: 2024-11-08T00:03:05.986Z