MirrorFace hacker group targets EU Diplomats | Update
ESET releases new report on August 2024 cyber-attack against EU diplomatic institute.
In November 2024, it was reported that MirrorFace (also known as Earth Kasha), a hacker group aligned with China, had targeted a Central European diplomatic institute in August 2024 during the so-called Operation AkaiRyū. The group is best known for its operations against Japanese organizations, and this is the first time, at least as far as the sources report, that a European institution has been the target of its actions. It must be noted, though, that the targets were still related to Japan.
ESET, a major Slovak cyber-security firm, today released a new report with more information on the attack. As was already known, it started with a malicious email that purported to be sent on behalf of a Japanese NGO and used Expo 2025, which will take place in Japan starting from this April, as its pretext.
As the report indicates, MirrorFace updated its techniques, which involved the use of a publicly available remote access trojan known as AsyncRAT and of the ANEL backdoor, which has been around since at least 2018 and was considered abandoned. For context, a backdoor is a method of bypassing regular authentication or encryption in a computer system. Additionally, it appears that the remote tunnels feature of Visual Studio Code, a popular Microsoft-distributed IDE, was exploited. This feature is a built-in capability of VS Code that allows users to connect to a remote machine. It was noted in December of the previous year that other groups had exploited similar vulnerabilities in the past.
This shows the real risks that cyber-security threats pose to governmental organisations, though not exclusively to them, which can be persistent targets of hyper-specialised and tailored attacks. And sophisticated as the operation was, it all started with a malicious email.
Further reading
- Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Breitenbacher, D. WeLiveSecurity.
- China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation. Lakshmanan, R. The Hacker News.
- Japan links Chinese hacker MirrorFace to dozens of cyberattacks targeting security and tech data. Yamaguchi, M. Associated Press.