Updated 16:43 IST, January 21st 2025
Japan Forced to Deal with 210+ Cyber Breaches Linked to China’s MirrorFace Hackers
The cyber-espionage campaign has targeted critical sectors, including government agencies and defence contractors.

New Delhi, India - Japan is facing an escalating cyber onslaught from Chinese state-sponsored hacker groups, with MirrorFace (Earth Kasha) emerging as a major threat to the country’s national security and technological infrastructure. Since 2019, the group has carried out over 210 cyberattacks on high-value targets, ranging from government agencies to defence contractors and cutting-edge research institutions. The goal? To steal sensitive intelligence related to national security, defence capabilities, and advanced technology—raising serious alarms in Tokyo and beyond.
Operating in the shadows, MirrorFace has gained notoriety for its precision-targeted phishing attacks that masquerade as legitimate communications from diplomats, researchers, and even former employees. These emails, often laced with malware like LODEINFO, LilimRAT, and NOOPDOOR, have successfully infiltrated institutions such as the Japanese Ministry of Defence and the Japan Aerospace Exploration Agency (JAXA).
If that wasn't enough, recent reports suggest the group has shifted gears, exploiting weaknesses in VPN systems and leveraging advanced macro-based malware to gain persistent access to government networks.
How They Did It: Three Waves of Cyberattacks
Let’s break down how MirrorFace has systematically targeted Japan:
The Phishing Frenzy (Dec 2019 – Jul 2023)
The first wave kicked off with classic yet effective spear-phishing attacks. Emails with subject lines referencing geopolitical flashpoints—think Japan-U.S. alliance, Taiwan, and Ukraine—were sent to key personnel within the government and private sectors. Once opened, these emails deployed malware, giving hackers a backdoor into Japan’s classified networks.

The targets? Ministries, media houses, and even academic institutions. The damage? A treasure trove of stolen intelligence.
VPN Vulnerability Exploits (Feb 2023 – Mid 2024)
In the second wave, MirrorFace moved beyond emails, exploiting vulnerabilities in FortiOS and Proself VPNs. These weaknesses allowed hackers to bypass security controls and establish deep, persistent access across government and corporate networks.
Once inside, they deployed sophisticated tools like Neo-reGeorg tunnelling malware and web shells, allowing them to exfiltrate data undetected. The semiconductor and aerospace industries bore the brunt of this assault, with critical research reportedly stolen.
The Macro Malware Game (June 2024 – Ongoing)
This time, MirrorFace has upped its game with macro-based phishing emails, which exploit vulnerabilities in Microsoft Office. Using malware like NOOPDOOR and ANEL, the hackers have learned to evade security measures by running their code in Windows Sandbox environments.
In plain terms, this means even after the system reboots, the malware remains operational—giving them a long-term presence inside Japanese networks.
China’s Denial: The Same Old Story
As expected, China has denied any involvement, calling the accusations “baseless” and “politically motivated.” Beijing’s well-practised response of outright denial isn’t surprising, especially given its long history of using cyber warfare as a tool for strategic advantage.
But cybersecurity experts and intelligence agencies aren’t buying it. With MirrorFace’s tactics mirroring those of APT10 (another Chinese cyber-espionage group), it’s becoming increasingly clear that these attacks are far from random—they’re part of a larger strategy to undermine Japan’s security and technological edge.
Why It Matters: What’s at Stake?
These relentless cyber intrusions aren’t just a nuisance—they pose a serious threat to Japan’s:
- National Security: Sensitive military data related to Japan's defence strategies could fall into the wrong hands.
- Technological Superiority: The theft of cutting-edge research in aerospace and semiconductors could set Japan back by years.
- Economic Stability: Attacks targeting critical infrastructure—such as energy grids and hospitals—could disrupt daily life and dent investor confidence.
Japan’s Response: Playing Catch-Up?
So, what’s Japan doing about it? Officials have acknowledged the cyber threat but have been playing a defensive game. Efforts to modernise digital infrastructure and invest in advanced threat detection systems are ongoing, but experts argue that it’s still not enough.

Japan is also considering introducing an Active Cyber Defence (ACD) bill, which could allow authorities to take a more proactive stance—intercepting potential threats before they wreak havoc. However, legal and constitutional challenges, particularly around privacy concerns, are slowing down its implementation.
Turning to Allies for Help
Recognizing the global nature of cyber threats, Japan has sought assistance from international partners such as the United States, Australia, and the UK. These partnerships aim to boost intelligence-sharing and enhance Japan’s defensive capabilities against persistent cyber intrusions.
MirrorFace’s activities underscore an uncomfortable truth—cyber warfare is no longer just a theoretical threat; it's an active and ongoing challenge. As Japan continues to face mounting pressure from state-sponsored hacking groups, cyber resilience needs to be at the forefront of its national security strategy.
If Japan wants to stay ahead of these threats, it must act swiftly, bolster cybersecurity infrastructure, and implement stricter countermeasures to prevent further breaches. The digital battlefield is evolving, and complacency is no longer an option.
Published 16:43 IST, January 21st 2025