China Hackers Target Japan: Years of Cyberattacks Revealed

Japanese Government Identifies Chinese Hacking Group

The government of Japan issued a public warning on Wednesday, directly accusing a Chinese-based hacking group of infiltrating numerous organizations and individuals within the nation since 2019.

The National Police Agency of Japan, alongside the National Center of Incident Readiness and Strategy for Cybersecurity, has attributed a sustained cyber campaign to a group identified as MirrorFace.

Details of the MirrorFace Campaign

Authorities state that the MirrorFace operation is a sophisticated, organized cyberattack believed to originate from China. Its primary goal is the acquisition of sensitive information pertaining to Japan’s national security interests and cutting-edge technological advancements.

The alert details that targets have included critical government entities such as the Foreign and Defense ministries. Japan’s space agency, along with politicians, members of the press, private sector companies, and technology-focused research institutions, have also been affected.

Evolution of Targeting

Initial targets of the MirrorFace group, as noted in a July 2024 report by Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC), were primarily focused on media outlets, political organizations, academic institutions, and universities.

However, since 2023, the group’s focus has demonstrably shifted towards manufacturers and research facilities.

Spearphishing Tactics Employed

Cybersecurity firm ESET published research in 2022 outlining a spearphishing email campaign conducted by MirrorFace. This campaign specifically targeted Japanese political figures and entities in the lead-up to national elections.

ESET’s analysis indicated that MirrorFace operates independently and doesn’t appear to be directly affiliated with other known Chinese government-backed hacking groups.

The same spearphishing techniques have been consistently utilized throughout the multi-year campaign that was publicly disclosed this Wednesday.

Campaign Phases and Targets

MirrorFace has deployed malicious attachments via email in three distinct phases:

• 2019-2023: Targeting individuals connected to think tanks, current and former politicians, and journalists.
• Since 2023: Focusing on network devices within companies operating in the semiconductor, manufacturing, information technology, academic, and aerospace industries.
• June 2024 – Present: Targeting academics, think tanks, politicians, and media professionals in Japan.

Broader Context of Cybersecurity Concerns

Japan maintains a strong alliance with the United States. However, its constitutionally defined pacifist stance is argued by some experts to limit its defensive capabilities in the cyber domain.

Reports from The Washington Post in 2023 revealed that the U.S. National Security Agency discovered in 2020 that Chinese military hackers had successfully compromised highly classified defense networks belonging to Japan.

This latest incident underscores the ongoing and evolving cybersecurity challenges faced by Japan in the face of persistent cyber threats.