China-Backed MirrorFace Trains Sights on EU Diplomatic Corps

Infamous Chinese advanced persistent threat (APT) group "MirrorFace" has made notable moves into diplomatic espionage in the European Union using SoftEther VPN, the emerging tool of choice among these threat groups.

MirrorFace gained wide notoriety with its 2022 efforts to interfere in Japanese elections, and it has maintained operations in the country ever since. But researchers at ESET noticed the group recently popped up in the EU with espionage attacks against an unidentified diplomatic entity.

"For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors," Jean-Ian Boutin, director of threat research at ESET, said in a statement about the findings. "Many of these groups are particularly focused on governmental entities and the defense sector."

SoftEther VPN Abuse Surges Among Beijing-Backed APT Groups

Beyond expanding operations to an entirely new continent, ESET said MirrorFace has started increasingly relying on SoftEther VPN to maintain access, but it is not the only group. Other China-backed APTs — Flax Typhoon, Gallium, and Webworm — have also shifted to the open source, cross-platform VPN software favored by many cybercriminals.

In February, a previously unknown adversary group called Hydrochasma was discovered abusing SoftEther VPN in a cyber-espionage campaign against Asia-based shipping companies. In April, Chinese language-speaking threat group ToddyCat was discovered using SoftEther VPN to steal data from government and defense targets in the Asia-Pacfic region on an "industrial scale."

Now, researchers warn, those tactics have landed in Europe.

"Some China-aligned APT groups have shifted to rely more on SoftEther VPN for various reasons. It’s a legitimate software, which helps avoid detection," says Mathiew Tartare senior malware researcher at ESET. "Setting an HTTPS VPN tunnel between the compromised network and the attacker’s infrastructure allows them to easily blend the malicious traffic in the legitimate HTTPS traffic."

Tartare adds SoftEther VPN also lets attackers appear to be an authorized remote user accessing the network using everyday remote desk protocol (RDP) tools.

"We would not be surprised to observe an increase in the use of SoftEther VPN and other legitimate VPN or remote access tools to bypass detections and blend into legitimate traffic," he says.

Notably, Chinese-backed APTs are also lending their cybercrime know-how to Iranian-backed adversaries for cyber-espionage against Iraq and Azerbaijan, as well as French diplomats, according to ESET. Additionally, Iran is putting its hackers to work gaining unauthorized access into financial services organizations across Africa.

Both Chinese and North Korean threat actors have upped the intensity of attacks on educational institutions in the US, South Korea, and Southeast Asia, the ESET report added.