A Chinese hacking group called MirrorFace has been caught targeting a diplomatic institute in Central Europe. This is the first known attack by MirrorFace in Europe, according to cybersecurity experts from ESET. Until now, the group has mainly focused on Japan, but this latest incident shows they are expanding their reach.
A Rising Cyber Threat in Europe
APT10, a well-known state-sponsored hacking group believed to be backed by the Chinese government, is linked to MirrorFace. The group has a long history of targeting important organizations in Japan, including government ministries, space agencies, and private companies. However, their recent activity in Europe shows they are widening their scope.
The hackers carried out a highly sophisticated attack using spear-phishing emails: fake but convincing messages designed to trick recipients into opening malicious files. Once the target opened the infected attachment, the hackers installed malware such as Anel and AsyncRAT to steal data and gain control of the system.
How the Attack Unfolded
The attack on the Central European diplomatic institute occurred between June and September 2024. It began with spear-phishing emails carrying carefully crafted messages about the upcoming World Expo 2025 in Osaka, Japan. The hackers used this event as bait, hoping that the recipients would be curious enough to open the attachments.
Once the malicious files were opened, the hackers deployed Anel, a type of backdoor malware. A backdoor is a sneaky program that allows attackers to secretly access and control a system without the user’s knowledge. APT10 specifically uses Anel, strongly suggesting that MirrorFace is a subgroup of this larger hacking organization.
The group also used AsyncRAT, a remote access tool that lets them control infected computers remotely. This tool was run inside Windows Sandbox, a virtual environment meant to isolate potentially unsafe programs. Because security software on the host cannot see what runs inside the sandbox, executing it this way helped the hackers avoid detection by antivirus software.
Later in the attack, the hackers deployed HiddenFace, their main backdoor tool. This helped them stay on the infected systems for longer periods, making it easier to steal more data and continue their operations.
The Tools and Techniques Used
During the attack, MirrorFace used a variety of advanced tools and techniques to avoid detection and increase their control over the targeted systems.
- Anel – This is a backdoor program used by APT10. It allows the attackers to remotely access and control infected systems.
- AsyncRAT – A remote access tool that provides hackers with the ability to execute commands, steal information, and manipulate the system.
- Anelldr – This is a program used to load Anel onto the infected system.
- HiddenFace – A more advanced backdoor used in later stages of the attack to strengthen their hold on the compromised system.
- FaceXInjector – A tool used to load the HiddenFace backdoor.
- Hidden Start – A tool that bypasses User Account Control (UAC), making it easier for the malware to run without triggering security warnings.
In some cases, the group used legitimate software like VS Code (a popular programming tool) to create hidden tunnels. These tunnels allowed the attackers to sneak in and out of the system without being noticed.
The hackers also stole sensitive data, including contact lists, stored passwords, autofill information, and even saved credit card details from Google Chrome. To gain deeper access, they installed additional tools on another system within the diplomatic institute’s network. This allowed them to move through the network more easily and potentially access more critical information.
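The techniques listed above leave traces in ordinary host telemetry even when the payload itself stays hidden: a Windows Sandbox session started from a configuration file, VS Code launched in tunnel mode on a machine where nobody develops software, and a UAC-bypass helper appearing in a temp directory. The following script is an added example written for this page, not code from ESET or from the article; it runs a few heuristic rules over constructed process-creation log lines (JSON, loosely modelled on Sysmon Event ID 1). The executable names and command-line shapes (WindowsSandbox.exe with a .wsb file, code.exe with a tunnel argument, hstart.exe / hstart64.exe for Hidden Start), the host name and the file paths are assumptions based on public documentation of those tools, not indicators published for this campaign.

```python
"""Heuristic detection of the MirrorFace-style living-off-the-land techniques
described in the article, run over constructed process-creation events."""
import json
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    host: str
    detail: str


def _basename(image: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule table: (name, predicate over one event dict, analyst-facing explanation).
# Executable names are assumptions taken from the tools' own documentation.
RULES: list[tuple[str, Callable[[dict], bool], str]] = [
    (
        "windows_sandbox_config_launch",
        lambda e: _basename(e["image"]) == "windowssandbox.exe"
        and ".wsb" in e["cmdline"].lower(),
        "Windows Sandbox started from a .wsb file; review its MappedFolders and "
        "LogonCommand, because host telemetry cannot see what runs inside the sandbox",
    ),
    (
        "vscode_tunnel",
        lambda e: _basename(e["image"]) == "code.exe"
        and re.search(r"\btunnel\b", e["cmdline"], re.IGNORECASE) is not None,
        "VS Code launched in tunnel mode; expected only on developer workstations",
    ),
    (
        "hidden_start_helper",
        lambda e: _basename(e["image"]) in ("hstart.exe", "hstart64.exe"),
        "Hidden Start helper executed; commonly used to launch a child process "
        "without a visible window or UAC prompt",
    ),
]


def analyze(log_lines: list[str]) -> list[Finding]:
    """Parse JSON process-creation lines and return one Finding per matching rule."""
    findings: list[Finding] = []
    for raw in log_lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole batch
        for name, predicate, detail in RULES:
            if predicate(event):
                findings.append(Finding(name, event["id"], event["host"], detail))
    return findings


# Constructed sample events (not real telemetry). Events 1-3 mirror the techniques in
# the article; 4-6 are benign look-alikes that the rules should ignore.
_SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-EXAMPLE-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\u1\Downloads\Expo2025_invite.wsb'},
    {"id": 2, "host": "WS-EXAMPLE-07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u1\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": r'"C:\Users\u1\AppData\Local\Programs\Microsoft VS Code\code.exe" tunnel'},
    {"id": 3, "host": "WS-EXAMPLE-07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u1\AppData\Local\Temp\hstart64.exe",
     "cmdline": r'hstart64.exe "C:\Users\u1\AppData\Local\Temp\update.exe"'},
    {"id": 4, "host": "WS-EXAMPLE-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u1\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": r'"...\code.exe" C:\Users\u1\Projects\report'},
    {"id": 5, "host": "WS-EXAMPLE-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r'"C:\Windows\System32\WindowsSandbox.exe"'},
    {"id": 6, "host": "WS-EXAMPLE-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS] + ["this line is not json"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG_LINES):
        print(f"[{f.rule}] event {f.event_id} on {f.host}: {f.detail}")
```

Run as-is it reports three findings (events 1, 2 and 3) and stays silent on the benign events, including a Sandbox session opened without a configuration file and a normal VS Code launch. The important caveat is in the first rule's detail text: processes created inside Windows Sandbox never appear in the host's event log, so the launch of the sandbox from an unexpected .wsb file is the signal to chase, together with the file's contents, not the payload itself.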
Expanding Beyond Japan
Although MirrorFace has been mainly active in Japan, their latest attack in Europe indicates a broader, more ambitious operation. The group continues to focus on Japan-related events, such as the World Expo 2025, even when targeting other countries.
This incident highlights how hacking groups linked to powerful nations are growing bolder and using more sophisticated techniques. By employing backdoors, remote access tools, and stealthy execution methods, MirrorFace is becoming increasingly dangerous and difficult to detect.
Cybersecurity experts warn that these types of attacks could become more frequent and widespread, making it essential for organizations worldwide to remain vigilant against evolving cyber threats.