Chinese APT Group MirrorFace Shifts Focus, Targeting EU Diplomatic Mission

China-Linked APT MirrorFace Expands Targeting to EU Diplomatic Entity

HIGH
April 27, 2026
4m read
Threat Actor, Threat Intelligence, Cyberattack

Related Entities

Threat Actors

MirrorFace

Organizations

ESET, European Union

Products & Tech

SoftEther VPN

Full Report

Executive Summary

In its April 2024 APT Activity Report, ESET researchers revealed a significant evolution in the targeting strategy of MirrorFace, a China-aligned advanced persistent threat (APT) group. The group, which has historically concentrated its espionage efforts on targets in Japan, was observed attacking a diplomatic organization in the European Union. This expansion of operations indicates a shift in the intelligence-gathering priorities of the group's sponsors. The attack highlights the persistent and evolving threat that nation-state actors pose to diplomatic and governmental bodies worldwide. ESET also noted a broader trend among Chinese APTs of leveraging the legitimate, open-source SoftEther VPN tool to maintain stealthy, persistent access to compromised networks.

Threat Overview

MirrorFace is a sophisticated threat actor focused on cyber-espionage. Its campaigns are characterized by the use of custom malware, spear-phishing for initial access, and a focus on long-term intelligence gathering. The shift to targeting an EU diplomatic entity suggests that the group's mission has expanded to include gathering political and economic intelligence related to European affairs. This development is a direct threat to EU member states and their diplomatic missions globally.

Technical Analysis

While the specific infection vector for the EU attack was not detailed, MirrorFace campaigns typically involve:

  1. Spear-phishing: Emails with malicious attachments or links tailored to the target's interests.
  2. Custom Malware: Use of unique backdoors and loaders to evade signature-based detection.
  3. Living Off the Land: The use of legitimate tools, like SoftEther VPN, for command and control (C2) and persistence. Using a legitimate VPN client for C2 makes the malicious traffic difficult to distinguish from normal network activity.

MITRE ATT&CK Mapping

Impact Assessment

The expansion of MirrorFace's targeting has significant geopolitical and security implications:

  • Espionage: The primary impact is the loss of sensitive diplomatic communications, negotiation strategies, and political intelligence, which can undermine the EU's foreign policy objectives.
  • Loss of Trust: A breach of a diplomatic mission can erode trust between nations and compromise ongoing diplomatic efforts.
  • Escalation of Cyber Conflict: The targeting of diplomatic missions is a serious escalation in cyberspace and can lead to retaliatory actions.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables — Hunting Hints

To hunt for MirrorFace and similar APT activity:

  • Process Name: sevpn.exe or sevpnclient.exe. The presence of the SoftEther VPN client on workstations or servers where it is not authorized is a major red flag.
  • Network Traffic Pattern: encrypted traffic to unknown VPN servers. Monitor for persistent VPN connections to non-corporate VPN endpoints.
  • File Name: LNK files in startup folders. APTs often use LNK files for persistence. Scrutinize any LNK files in user or system startup directories.
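The endpoint-side hunting hints above (unauthorized SoftEther process names and LNK files in Startup folders) applied to constructed process-creation and file-creation telemetry. This is an added example, not code from the report or from ESET; the host allowlist, the Startup folder path marker and the sample events are assumptions made for the example.

```python
import os
from dataclasses import dataclass

# Process names from the hunting hints above (matched on lowercase basename).
SOFTETHER_PROCESSES = {"sevpn.exe", "sevpnclient.exe"}
# Substring shared by the per-user and all-users Windows Startup folders (assumption).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Hosts where SoftEther is sanctioned; constructed allowlist for this example.
AUTHORIZED_SOFTETHER_HOSTS = {"vpn-gw01"}

@dataclass
class Finding:
    host: str
    rule: str
    evidence: str

def hunt_processes(events, authorized=AUTHORIZED_SOFTETHER_HOSTS):
    """events: process-creation records with 'host' and 'image' (full path)."""
    findings = []
    for e in events:
        name = os.path.basename(e["image"].replace("\\", "/")).lower()
        if name in SOFTETHER_PROCESSES and e["host"].lower() not in authorized:
            findings.append(Finding(e["host"], "unauthorized_softether_process", e["image"]))
    return findings

def hunt_startup_lnk(file_events):
    """file_events: file-creation records with 'host' and 'path'."""
    findings = []
    for f in file_events:
        p = f["path"].lower()
        if p.endswith(".lnk") and STARTUP_MARKER in p:
            findings.append(Finding(f["host"], "lnk_in_startup_folder", f["path"]))
    return findings

# Constructed sample telemetry, not indicators from the report.
PROCESS_EVENTS = [
    {"host": "WS-DIPLO-07", "image": r"C:\Users\alice\AppData\Local\Temp\sevpnclient.exe"},
    {"host": "vpn-gw01", "image": r"C:\Program Files\SoftEther VPN Client\sevpn.exe"},
    {"host": "WS-DIPLO-07", "image": r"C:\Windows\System32\svchost.exe"},
]
FILE_EVENTS = [
    {"host": "WS-DIPLO-07",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "WS-DIPLO-07", "path": r"C:\Users\alice\Desktop\report.docx"},
]

def run_hunt():
    return hunt_processes(PROCESS_EVENTS) + hunt_startup_lnk(FILE_EVENTS)

if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f.host}: {f.rule} -> {f.evidence}")
```

The sanctioned host running sevpn.exe produces no finding, which is the point of pairing the process-name match with an explicit allowlist rather than alerting on the binary alone.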

Detection & Response

  • Application Control: Use application allowlisting to prevent the execution of unauthorized software, including legitimate tools like SoftEther VPN that can be used maliciously.
  • Network Egress Filtering: Block outbound traffic to known malicious IPs and domains. Also, consider blocking outbound traffic for common VPN protocols on non-standard ports.
  • Email Security: Implement advanced email security solutions to detect and block spear-phishing emails with malicious attachments or links.

Mitigation

  1. User Training: Train employees, especially those in sensitive diplomatic roles, to identify and report spear-phishing attempts.
  2. Principle of Least Privilege: Ensure that user accounts do not have administrative privileges, limiting an attacker's ability to install software or make system changes.
  3. EDR and Network Monitoring: Deploy and actively monitor EDR solutions on endpoints and NDR solutions on the network to detect the behavioral indicators of an APT attack, such as the installation of new software or unusual network connections.

Timeline of Events

  1. April 27, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Using application allowlisting to prevent the execution of unauthorized tools like SoftEther VPN can block this persistence and C2 technique.
  • Implementing strict egress filtering to block outbound connections on common VPN ports to non-approved destinations can disrupt C2 channels.
  • Ongoing user training on how to spot and report spear-phishing emails is a critical defense against the initial access vector.

D3FEND Defensive Countermeasures

To counter the tactic of using legitimate tools like SoftEther VPN for malicious purposes, diplomatic and government organizations should implement strict application allowlisting. This approach shifts from a reactive blocklist model to a proactive one where only explicitly approved applications are allowed to run. For an organization targeted by MirrorFace, a policy would be created that does not include sevpnclient.exe or other components of SoftEther VPN. When the attacker attempts to install or run the tool post-compromise, the operating system will block the execution. This mitigation effectively neutralizes the attacker's ability to use this specific 'living off the land' technique for persistence and C2, forcing them to use other, potentially noisier methods that are easier to detect.

To disrupt the C2 tunneling used by MirrorFace, organizations must implement stringent outbound traffic filtering at the network perimeter. The default policy should be to deny all outbound traffic. Specific, narrowly-defined rules should then be created to allow only essential traffic. For example, allow outbound HTTPS only through an inspecting proxy and block direct connections. For VPNs, only allow connections to a small, explicitly defined list of corporate-sanctioned VPN provider IPs. Any attempt to establish a persistent, encrypted connection to an unknown IP, as would be the case with a malicious SoftEther VPN C2 server, would be blocked and should trigger a high-priority alert. This containment strategy is crucial for preventing an attacker from maintaining control over a compromised host.
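The default-deny egress policy described above, written as a small rule evaluator over constructed flow records: HTTPS passes only via the inspecting proxy, VPN passes only to sanctioned endpoints, and a blocked long-lived encrypted session to an unknown IP is escalated to a high-priority alert. This is an added example, not the report's or any vendor's configuration; the proxy address, sanctioned endpoint, persistence threshold and sample flows are assumptions.

```python
import ipaddress

# Constructed policy values for the example (not from the report).
INSPECTING_PROXY = ipaddress.ip_address("10.0.0.8")
SANCTIONED_VPN_ENDPOINTS = {ipaddress.ip_address("203.0.113.10")}
ENCRYPTED_APPS = {"vpn", "https", "tls"}
PERSISTENT_SECONDS = 600  # session length treated as "persistent" (assumption)

def evaluate_egress(flow):
    """Return (verdict, alert_severity) for an outbound flow record with keys
    src, dst, app (e.g. 'https', 'vpn', 'dns') and duration in seconds.
    Default deny: only the two narrowly defined allow rules pass traffic."""
    dst = ipaddress.ip_address(flow["dst"])
    app = flow["app"]
    if app == "https" and dst == INSPECTING_PROXY:
        return "allow", "none"
    if app == "vpn" and dst in SANCTIONED_VPN_ENDPOINTS:
        return "allow", "none"
    # Everything else is blocked. A persistent encrypted session to an unknown
    # IP is the SoftEther-style C2 pattern discussed above: raise it as high.
    if app in ENCRYPTED_APPS and flow.get("duration", 0) >= PERSISTENT_SECONDS:
        return "deny", "high"
    return "deny", "low"

# Constructed sample flows from one workstation (RFC 5737 documentation ranges).
FLOWS = [
    {"src": "10.1.2.3", "dst": "10.0.0.8", "app": "https", "duration": 5},        # via proxy
    {"src": "10.1.2.3", "dst": "203.0.113.10", "app": "vpn", "duration": 3600},   # sanctioned VPN
    {"src": "10.1.2.3", "dst": "198.51.100.77", "app": "vpn", "duration": 7200},  # unknown VPN server
    {"src": "10.1.2.3", "dst": "198.51.100.20", "app": "https", "duration": 2},   # proxy bypass
]

def summarize(flows=FLOWS):
    """List of (dst, verdict, severity) for each flow, in order."""
    return [(f["dst"], *evaluate_egress(f)) for f in flows]

if __name__ == "__main__":
    for dst, verdict, severity in summarize():
        print(f"{dst:>15}  {verdict:<5}  alert={severity}")
```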

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

APT, MirrorFace, China, cyber espionage, threat intelligence, ESET, diplomatic targeting
