Sophisticated Cyber Attacks Target Japanese Companies via VPN Vulnerabilities

In recent times, Japanese organizations have faced a series of advanced cyber espionage campaigns exploiting critical vulnerabilities in VPN devices, notably Ivanti Connect Secure and FortiGate. These attacks, observed throughout fiscal year 2024, have primarily targeted manufacturing companies and government-related entities.

Exploitation of VPN Vulnerabilities

Attackers have leveraged specific vulnerabilities, CVE-2025-22457 in Ivanti Connect Secure and CVE-2024-55591 in FortiGate devices, to gain unauthorized access to corporate networks. By exploiting these weaknesses, threat actors have infiltrated overseas manufacturing bases through compromised VPN endpoints, underscoring that internet-facing assets remain the preferred entry point.

Identified Threat Actors and Techniques

Security researchers have identified multiple threat groups orchestrating these attacks, including North Korean-affiliated actors and the MirrorFace group, known for deploying the ANEL backdoor. These attackers exhibit sophisticated reconnaissance capabilities, utilizing Living off the Land (LotL) techniques that leverage legitimate system tools to avoid detection.

Attack Methodology and Persistence

The attack methodology begins with the exploitation of unpatched VPN vulnerabilities, allowing threat actors to establish persistent access to corporate networks. Once inside, attackers deploy various malware families, including RokRAT, which enables data exfiltration to legitimate cloud storage services, and PlugX, utilized by the TELEBOYi attack group for command and control operations.

Infection Mechanism and Persistence Tactics

Technical analysis reveals that attackers exploit the Ivanti Connect Secure vulnerability (CVE-2025-22457) by bypassing authentication mechanisms through crafted HTTP requests. Post-exploitation, the malware establishes persistence by modifying system registry entries and creating scheduled tasks that survive system reboots, ensuring continuous access to compromised networks for sustained espionage operations.
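The two persistence artifacts named above (autorun registry values and scheduled tasks) both leave a record in standard Windows telemetry, which is what a defender should hunt for after a VPN compromise. The following is an added example, not code from the article or from any of the vendors mentioned: it scans a handful of constructed event records, written in a simplified JSON-lines schema rather than any real collector's format, for Security Event ID 4698 (scheduled task created) whose action runs from a user-writable path, and for Sysmon Event ID 13 (registry value set) writes under the CurrentVersion\Run or RunOnce keys. The field names, path heuristics and sample values are assumptions chosen for illustration.

```python
import json
import re

# Constructed sample events in a simplified JSON-lines schema (not real telemetry).
# JSON needs "\\" for one backslash; the raw string keeps the text as written.
SAMPLE_EVENTS = r"""
{"EventID": 4698, "Channel": "Security", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "Command": "%windir%\\system32\\defrag.exe", "Author": "SYSTEM"}
{"EventID": 4698, "Channel": "Security", "TaskName": "\\OneDriveUpdate", "Command": "C:\\Users\\Public\\update.exe", "Author": "CORP\\jdoe"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\ProgramData\\svc\\svc.exe", "Image": "C:\\Windows\\System32\\reg.exe"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache", "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp", "Image": "C:\\Windows\\explorer.exe"}
{"EventID": 4624, "Channel": "Security", "LogonType": 10, "TargetUserName": "jdoe"}
"""

# Autorun locations: anything written directly under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)

# Heuristic (assumption): scheduled tasks launching binaries from user-writable
# directories deserve review; system tasks normally live under %windir%.
SUSPICIOUS_PATH_RE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)


def scan_events(jsonl_text):
    """Return a list of findings for persistence artifacts in the given events."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")

        if eid == 4698 and ev.get("Channel") == "Security":
            # Scheduled task creation: inspect what the task actually executes.
            cmd = ev.get("Command", "")
            if SUSPICIOUS_PATH_RE.search(cmd):
                findings.append({
                    "technique": "scheduled_task",
                    "artifact": ev.get("TaskName", ""),
                    "command": cmd,
                    "reason": "task action runs from a user-writable path",
                })

        elif eid == 13 and ev.get("Channel", "").startswith("Microsoft-Windows-Sysmon"):
            # Registry value set: flag any write into an autorun key.
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                findings.append({
                    "technique": "registry_run_key",
                    "artifact": target,
                    "command": ev.get("Details", ""),
                    "reason": "autorun value written by %s" % ev.get("Image", "unknown"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("[%s] %s -> %s (%s)" % (f["technique"], f["artifact"], f["command"], f["reason"]))
```

On the sample data the benign Defrag task and the Explorer shell-folder write are ignored, while the task pointing at C:\Users\Public and the Run key value written via reg.exe are reported. In practice the path heuristic needs tuning per environment, and a real hunt would also baseline existing tasks and Run values so that only new entries surface.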

Broader Context of Cyber Threats in Japan

This campaign is part of a broader trend of increasing cyber threats targeting Japanese organizations. For instance, in early 2025, a Japanese cybersecurity firm identified distributed denial of service (DDoS) attacks targeting 46 companies and organizations in Japan, including major companies like Japan Airlines, MUFG Bank, and NTT Docomo. These attacks resulted in system glitches and disrupted access to their websites. Additionally, in January 2025, the Japanese government published an alert accusing a Chinese hacking group called MirrorFace of targeting and breaching dozens of government organizations, companies, and individuals in the country since 2019. The primary objective of these attacks was to steal information related to Japan’s national security and advanced technology.

Mitigation Strategies

To defend against such sophisticated attacks, organizations should:

– Patch Systems Promptly: Regularly update and patch VPN devices and other critical systems to remediate known vulnerabilities.

– Restrict Unauthorized Access: Implement strict access controls and monitor for unauthorized access attempts.

– Deploy Endpoint Detection and Response (EDR) Solutions: Utilize EDR tools to detect and respond to malicious activities promptly.

– Conduct Regular Security Audits: Perform periodic security assessments to identify and mitigate potential vulnerabilities.
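The second item above, monitoring for unauthorized access attempts, is the one most directly tied to the VPN entry point described in this article. The following is an added example, not code from the article or from any VPN vendor: it reads constructed authentication log lines in a generic syslog-like format (not any product's real schema) and raises three kinds of alert: a burst of failures from one source inside a sliding time window, a success from a source that has just produced repeated failures, and a success from a source address absent from a known-good baseline. The log format, field names, baseline set and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic format; not any vendor's real log schema.
# Source addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2025-04-10T02:14:03Z vpn-gw1 auth: result=FAIL user=alice src=203.0.113.7
2025-04-10T02:14:05Z vpn-gw1 auth: result=FAIL user=bob src=203.0.113.7
2025-04-10T02:14:08Z vpn-gw1 auth: result=FAIL user=carol src=203.0.113.7
2025-04-10T02:14:11Z vpn-gw1 auth: result=FAIL user=dave src=203.0.113.7
2025-04-10T02:14:15Z vpn-gw1 auth: result=FAIL user=erin src=203.0.113.7
2025-04-10T02:14:20Z vpn-gw1 auth: result=SUCCESS user=erin src=203.0.113.7
2025-04-10T08:01:44Z vpn-gw1 auth: result=SUCCESS user=alice src=198.51.100.23
2025-04-10T08:02:10Z vpn-gw1 auth: result=FAIL user=alice src=198.51.100.23
2025-04-10T09:30:00Z vpn-gw1 auth: result=SUCCESS user=bob src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed baseline of source addresses that are expected to reach the gateway.
KNOWN_SOURCES = {"198.51.100.23", "192.0.2.55"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(log_text, known_sources=KNOWN_SOURCES, fail_threshold=5,
            success_after=3, window=timedelta(minutes=5)):
    """Return a list of alert dicts derived from the authentication log."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> (timestamp, user) of failures in window
    burst_reported = set()                 # avoid re-alerting the same source every line

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts, user = ev["src"], ev["ts"], ev["user"]
        q = recent_failures[src]
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()

        if ev["result"] == "FAIL":
            q.append((ts, user))
            if len(q) >= fail_threshold and src not in burst_reported:
                burst_reported.add(src)
                alerts.append({
                    "type": "failure_burst", "src": src,
                    "failures": len(q),
                    # Many distinct users from one source is a spraying pattern.
                    "distinct_users": len({u for _, u in q}),
                })
        elif ev["result"] == "SUCCESS":
            if len(q) >= success_after:
                alerts.append({"type": "success_after_failures", "src": src,
                               "user": user, "prior_failures": len(q)})
            if src not in known_sources:
                alerts.append({"type": "unknown_source", "src": src, "user": user})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

On the sample log the source 203.0.113.7 produces all three alerts: five failures against five different accounts within 17 seconds, then a success for the last account tried, from an address not in the baseline. The single failure from alice at a known address stays silent. Thresholds and the baseline are deliberately parameters; a production version would feed these alerts into the EDR or SIEM pipeline mentioned in the next item rather than printing them.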

The discovery of these attacks underscores the growing trend of threat actors exploiting public-facing applications and infrastructure for initial access. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against evolving adversarial tactics.