Chinese APT Group MirrorFace Interferes in Japanese Elections

The Chinese APT group MirrorFace attempted to influence the elections for the Japanese House of Representatives this year, an investigation has revealed.

According to researchers at European IT security vendor ESET, the group used spear-phishing attacks on individual members of a political party. The research team, which calls the campaign Operation LiberalFace, found the fraudulent emails contained the well-known malware LodeInfo, a backdoor used to spread malware or steal credentials, documents, and emails from its victims.

MirrorFace is a Chinese-language threat actor that targets companies and organizations based in Japan. It launched the attack on June 29, 2022, before the Japanese elections in July.

Under the pretext of being the PR department of a Japanese political party, MirrorFace asked the recipients of the emails to share the attached videos on their own social media profiles. This was allegedly to further strengthen the party's perception and secure victory in the Chamber of Deputies.

The message also contains clear instructions on the publishing strategy for the videos and was supposedly sent in the name of a prominent politician.

Malicious Attachments

All spear-phishing messages contained a malicious attachment that, when executed, triggered the LodeInfo malware program on the compromised machine.

LodeInfo is a MirrorFace backdoor that is under continuous development. Its functions include taking screenshots, keylogging, terminating processes, exfiltrating data, executing additional malware, and encrypting certain files and folders.

The sophisticated and ever-evolving LodeInfo has earlier been deployed against media, diplomatic, government, public sector, and think-tank targets, according to researchers at Kaspersky, who have been tracking the malware family since 2019.

A previously undocumented credential stealer, named MirrorStealer by ESET Research, was also used in the attack. It's capable of stealing credentials from various applications such as browsers and email clients.

"During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims," wrote ESET researcher Dominik Breitenbacher. "Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes."

There is speculation that this hacker group may be connected to APT10, but ESET could not find clear evidence of this or of cooperation with other APT groups in its analysis and is therefore pursuing MirrorFace as a separate entity.

The group reportedly primarily targets media, defense contractors, think tanks, diplomatic organizations, and academic institutions, with the goal of spying on and exfiltrating files of interest.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres, according to a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI.

The state-sponsored group RedAlpha APT, for example, has for years been targeting organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses.