Photo/Illustration: The building housing the National Police Agency (Asahi Shimbun file photo)

The National Police Agency on Jan. 8 announced that a Chinese hacker group known as “MirrorFace” has repeatedly conducted cyberattacks on Japanese government agencies and companies to steal information related to security and advanced technology.

As a result of investigations and other efforts, the NPA has determined that the cyberattacks were organized and suspects the involvement of the Chinese government.

According to the NPA, 210 companies, institutions, organizations and individuals have been attacked since 2019.

The NPA has not revealed the names of the specific entities affected.

However, sources said that they include the Japan Aerospace Exploration Agency (JAXA), lawmakers of the Liberal Democratic Party, Foreign Ministry, Defense Ministry and the Cabinet Secretariat.

More than 10,000 files may have been leaked in the attack on JAXA.

The NPA believes that MirrorFace may be related to “APT10,” a hacker group that U.S. authorities and others believe is affiliated with the Chinese Ministry of State Security.

The NPA said that it made the announcement with a priority on damage prevention, although this time it has not gone as far as a “public attribution,” which identifies and condemns the state behind an incident.

According to the NPA, the series of attacks began in 2019. 

The technique of "targeted email attacks" was used to infect terminals with malware through files attached to emails or links included in them.

The hacker group has also exploited vulnerabilities in VPN equipment to infiltrate networks, the NPA said. 

Targets of the attacks included mass media, politicians and government ministries and agencies. Companies, organizations and individuals in the fields of semiconductors, manufacturing, information and communications, aerospace, think tanks and academia were also targeted. 

In these ploys, the sender's name may appear to be that of an intellectual figure or a former employee of the victimized company or organization.

The subject line may include words such as “Japan-US Alliance,” “Taiwan Strait,” “Russia-Ukraine War” or “Free and Open Indo-Pacific” to attract the recipient's attention.

In some cases, legitimate email addresses of third parties are used.

These types of email-based attacks are ongoing, the NPA said.

PRE-ATTACK DEFENSE BILL

The NPA’s cyber special investigation department and prefectural and metropolitan police cooperated in the investigation.

Based on its analysis of the malware used in the attacks, the modus operandi, the attributes of the targets and the fact that the timing of the attacks was consistent with the situation in China, the NPA determined that Chinese involvement was suspected.

Cyberattacks by Chinese-backed groups have occurred in succession in recent years.

“Tick,” an affiliate of the People's Liberation Army, is suspected of having been involved in the attacks on JAXA and Japanese companies around 2016.

“BlackTech” is suspected of taking part in the 2020 attacks on Mitsubishi Electric Corp., in which data related to the Defense Ministry was reportedly leaked.

“APT40” is also believed to have attacked critical infrastructure in other countries.

The NPA and the National Center of Incident Readiness and Strategy for Cybersecurity called for taking measures such as paying attention to the addresses of emails, even if they appear to be from regular contacts.

In response to the growing threat of cyberattacks against government agencies and critical infrastructure, the central government plans to submit a bill related to “active cyberdefense” (ACD) to the ordinary Diet session that convenes this month. The intent is to prevent attacks before they occur.

ACD involves the government collecting and analyzing information on online communications. To realize this bill, lawmakers must solve the immediate issue of making ACD consistent with the Constitution's "protection of the secrecy of communications."