Japanese organizations faced a significant escalation in cyber espionage campaigns during fiscal year 2024, with attackers exploiting critical vulnerabilities in Ivanti and FortiGate VPN devices to infiltrate corporate networks.
According to a comprehensive report released by Macnica’s Security Research Center, North Korean threat actors have dramatically increased their targeting of Japanese firms, with a particular focus on software developers and manufacturing companies.
North Korean Groups Intensify Cryptocurrency-Focused Attacks
The report reveals that North Korean attack groups have shifted their focus toward cryptocurrency-related targets, deploying sophisticated malware, including BeaverTail and InvisibleFerret, to compromise software developers.
These attacks represent an evolution from the groups’ previous focus on traditional financial institutions, particularly their notorious 2016 SWIFT banking system attacks that resulted in substantial fraudulent transfers.
Security researchers observed increased deployment of the RokRAT backdoor, which enables attackers to exfiltrate stolen data by uploading it to legitimate cloud storage services, making detection significantly more challenging.
The strategy appears designed to access cryptocurrency exchange wallets through compromised developer accounts, allowing threat actors to obtain digital assets illegally.
VPN Vulnerabilities Provide Entry Points
Critical vulnerabilities in widely used VPN solutions became primary attack vectors throughout 2024. The Ivanti Connect Secure zero-day vulnerability (CVE-2025-0282) was actively exploited, with attacks detected as early as January 2025.
Similarly, FortiGate devices were compromised through CVE-2024-55591, allowing attackers to gain direct access to corporate networks.
Manufacturing companies with overseas operations were particularly exposed, with several incidents detected while attackers were still in the reconnaissance phase of Living-off-the-Land (LotL) attacks.
These sophisticated intrusions utilized legitimate system tools to avoid detection while mapping network infrastructure and identifying valuable targets.
Multi-Vector Attack Campaign Emerges
Beyond VPN exploits, threat actors employed a diverse range of attack methodologies. The TELEBOY attack group utilized PlugX malware for persistent access, while Mustang Panda deployed USB-propagated variants of the same malware.
Notably, attackers began using WinDivert to disrupt endpoint security communications, effectively rendering security monitoring systems blind.
MirrorFace operations intensified in March 2025, with spear-phishing campaigns designed to deploy the ANEL backdoor.
Social engineering tactics expanded beyond traditional email to include LinkedIn messaging, demonstrating attackers’ adaptation to modern communication platforms.
The manufacturing sector bore the brunt of these attacks, representing the highest percentage of targeted industries according to Macnica’s analysis.
Organizations are advised to immediately patch VPN vulnerabilities, implement multi-factor authentication, and enhance monitoring for LotL attack indicators to defend against these evolving threats.
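As an added illustration that is not part of the Macnica report, the following Python triage helper runs over constructed Sysmon-style events and flags two of the behaviours described above: a load of the WinDivert driver, and a connection to a consumer cloud-storage service from a process that has no business uploading there. The event field names, the domain watchlist and the allowed-process set are assumptions chosen for the example.

```python
import re
from typing import List, Optional

# Assumed watchlist of consumer cloud-storage domains (not taken from the report).
CLOUD_STORAGE_HOSTS = (
    "dropbox.com", "dropboxapi.com", "pcloud.com", "disk.yandex.net", "mega.nz",
)
# Processes expected to talk to those hosts; any other process is worth a look.
ALLOWED_UPLOADERS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "onedrive.exe"}
# WinDivert is a legitimately signed packet-diversion driver, so signature checks
# will not catch it; its presence on a host where it is not expected is the signal.
WINDIVERT_RE = re.compile(r"windivert", re.IGNORECASE)


def is_cloud_storage(host: str) -> bool:
    """True if host is, or is a subdomain of, a watchlisted storage domain."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, or None if it looks benign."""
    kind = ev.get("type")
    if kind == "driver_load" and WINDIVERT_RE.search(ev.get("image", "")):
        return f"WinDivert driver loaded: {ev['image']} (possible tampering with endpoint-security traffic)"
    if kind == "net_connect" and is_cloud_storage(ev.get("dest_host", "")):
        if ev.get("process", "").lower() not in ALLOWED_UPLOADERS:
            return f"{ev['process']} connected to cloud storage {ev['dest_host']} (possible exfiltration)"
    return None


def scan(events: List[dict]) -> List[str]:
    """Run check_event over a batch of events and collect the alerts."""
    return [alert for alert in (check_event(e) for e in events) if alert]


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\WinDivert64.sys"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"type": "net_connect", "process": "chrome.exe", "dest_host": "www.dropbox.com", "dest_port": 443},
    {"type": "net_connect", "process": "svchost.exe", "dest_host": "api.pcloud.com", "dest_port": 443},
    {"type": "net_connect", "process": "outlook.exe", "dest_host": "outlook.office365.com", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block against the sample events yields two alerts: the WinDivert driver load and the svchost.exe connection to api.pcloud.com; the browser's Dropbox connection and the Office 365 traffic pass.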