Cybersecurity company Group-IB claims it was repeatedly targeted by a Chinese APT called Tonto Team, CactusPete, and Karma Panda.
The post Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT appeared first on SecurityWeek.
A newly identified threat actor has been targeting military organizations in Pakistan with sophisticated malware, BlackBerry reports.
Tracked as NewsPenguin, the adversary has been observed sending phishing emails that use the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as bait and which carry weaponized documents to deliver an advanced espionage tool.
Running February 10-12, PIMEC is an initiative of the Pakistani Navy that helps private and public organizations showcase products and develop relationships.
NewsPenguin’s malicious documents, which pose as an exhibitor manual that appears to target PIMEC visitors, carry embedded Visual Basic for Applications (VBA) macros to execute malware.
Once opened, the lure document uses a remote template injection technique to fetch the next stage from a remote server that only serves the payload to Pakistani IP addresses.
The victim is prompted to enable editing in the document and, once that happens, embedded VBA macro code is executed to save an RTF file on the machine. The script also checks the OS version, invokes the command prompt, and adds a registry key for persistence.
Multiple other files leading to the final payload are also downloaded on the victim’s machine. NewsPenguin’s agent, which is injected into explorer.exe, is a previously undocumented espionage tool that can bypass sandboxes and virtual machines (VMs).
NewsPenguin performs multiple checks to determine whether it runs in a sandbox environment, then connects to a hardcoded remote server to receive the IP of the command-and-control (C&C) server and start receiving commands, which are base64 encoded.
The researchers discovered that the malware waits five minutes between commands, likely another attempt to bypass sandboxes, which typically have a time limit of fewer than five minutes per sample.
Based on received commands, the malware collects and sends information about the machine, runs an additional thread, copies or moves files, deletes files, creates directories, sends the content of files to the server, executes files, and uploads or downloads files from the server.
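The five-minute pause between commands is also a detection opportunity for defenders. As an added example that is not part of the BlackBerry report or this article, the script below runs over constructed outbound-connection log lines (hypothetical hostnames and documentation IP ranges) and flags host/destination pairs whose connections recur at a near-constant interval of about 300 seconds with low jitter; legitimate software can poll at fixed intervals too, so this is a triage signal rather than a verdict.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the report): "<timestamp> <source host> <destination>".
# host-a beacons every ~300 s; host-b connects at irregular intervals.
SAMPLE_LOG = """\
2023-02-06T10:00:00Z host-a 203.0.113.10:443
2023-02-06T10:05:01Z host-a 203.0.113.10:443
2023-02-06T10:10:00Z host-a 203.0.113.10:443
2023-02-06T10:15:02Z host-a 203.0.113.10:443
2023-02-06T10:20:00Z host-a 203.0.113.10:443
2023-02-06T10:00:10Z host-b 198.51.100.5:443
2023-02-06T10:01:30Z host-b 198.51.100.5:443
2023-02-06T10:09:45Z host-b 198.51.100.5:443
2023-02-06T10:22:05Z host-b 198.51.100.5:443
2023-02-06T10:31:00Z host-b 198.51.100.5:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return {(host, dest): [datetime, ...]} from the simple log format above."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, host, dest = m.groups()
        conns[(host, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return conns


def intervals(times):
    """Seconds between consecutive connections, in chronological order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def find_beacons(conns, target=300.0, tolerance=10.0, max_jitter=5.0, min_conns=4):
    """Flag (host, dest) pairs whose connection gaps cluster tightly around `target` seconds.

    tolerance: how far the median gap may sit from `target`.
    max_jitter: maximum population standard deviation of the gaps.
    min_conns: minimum number of connections before a pair is judged at all.
    Returns a sorted list of (host, dest, median_gap, jitter) tuples.
    """
    hits = []
    for (host, dest), times in conns.items():
        if len(times) < min_conns:
            continue
        gaps = intervals(times)
        med = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(med - target) <= tolerance and jitter <= max_jitter:
            hits.append((host, dest, round(med, 1), round(jitter, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for host, dest, med, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {host} -> {dest} (median gap {med}s, jitter {jitter}s)")
```

Tune `target` and `tolerance` to the cadence being hunted; a broader sweep over several candidate intervals catches implants that use a different fixed delay.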
Domains associated with these attacks were registered in the second half of 2022, showing that NewsPenguin has been planning the operation for a while.
The threat actor’s targets include military technology companies, nation-states, and military organizations in Pakistan, including PIMEC organizers, exhibitors, and visitors.
“Given the highly focused nature of the targets (the Pakistan maritime industry), previously unseen tooling, and new network infrastructure, it is unlikely that the threat actor behind it is connected to casual cybercrime. Instead, we consider it highly likely that the attacker is a nation-state or an outsourced team working for a nation-state threat actor,” BlackBerry concludes.
Related: Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft
Related: After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal
Related: Sophisticated Cyberattack Targets Pakistani Military
The post Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool appeared first on SecurityWeek.
The United States and South Korea have issued a joint advisory on ransomware attacks on critical infrastructure that are funding North Korea’s malicious cyber activities.
North Korean government-backed threat actors have been using ransomware in attacks against critical infrastructure for years, with at least two ransomware families attributed to them, namely Maui and H0lyGh0st.
In July last year, the US government issued a warning on North Korea’s use of Maui ransomware in attacks targeting healthcare and public health sectors.
This week, the US and South Korea issued an updated advisory, warning that North Korea is relying on ransomware attacks against healthcare and other critical infrastructure organizations to fund various objectives, including malicious cyber operations.
Typically, after compromising an organization’s network, the threat actors deploy ransomware and use it to encrypt the victim’s files. The attackers then demand a ransom to be paid in cryptocurrency in exchange for a decryption key.
“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments,” the alert reads.
As part of the observed ransomware operations, the North Korean threat actors build infrastructure (domains, online personas and accounts) and rely on cryptocurrency services to receive ransom proceeds that are then used to procure infrastructure for other malicious activities.
The attackers attempt to hide their identity by operating with or under third-party foreign affiliate identities, use intermediaries to receive ransom payments, and use virtual private networks (VPNs) and virtual private servers (VPSs) to hide their real IP addresses.
The threat actors have been observed exploiting known vulnerabilities for initial access, including Apache Log4j and SonicWall security bugs, but also deploying malware via trojanized files in attacks targeting small and medium-size hospitals in South Korea.
Following initial access, the attackers perform reconnaissance and lateral movement, and then deploy either custom ransomware, such as Maui and H0lyGh0st, or publicly available tools, including BitLocker, Deadbolt, Hidden Tear, Jigsaw, LockBit, Ryuk, and others.
Typically, North Korean threat actors demand from their victims a ransom in Bitcoin and communicate with them via Proton Mail email accounts.
Organizations are advised to encrypt connections with all devices on the network, implement the principle of least privilege, turn off unused network protocols and services, secure the collection, transfer and storage of personally identifiable and protected health information (PII and PHI), implement multi-layer network segmentation, and monitor networks for suspicious behavior.
Furthermore, organizations should keep isolated data backups, implement a cyber incident response plan, keep all applications and operating systems updated, enforce strong passwords and multi-factor authentication, educate employees and users on phishing, and make sure that all remote desktop protocol (RDP) and similar connections are monitored and secured.
Related: US Disrupts North Korean Hackers That Targeted Hospitals
Related: US Healthcare Organizations Warned of ‘Daixin Team’ Ransomware Attacks
Related: US Says Chinese Military Behind Vast Aerial Spy Program
The post US, South Korea: Ransomware Attacks Fund North Korea’s Cyber Operations appeared first on SecurityWeek.
An alleged Chinese surveillance balloon over the United States last week sparked a diplomatic furore and renewed fears over how Beijing gathers intelligence on its largest strategic rival.
FBI Director Christopher Wray said in 2020 that Chinese spying poses “the greatest long-term threat to our nation’s information and intellectual property, and to our economic vitality”.
China’s foreign ministry said in a statement to AFP that it “resolutely opposed” spying operations and that American accusations are “based on false information and sinister political aims”.
The United States also has its own ways of spying on China, deploying surveillance and interception techniques as well as networks of informants.
Former US president Barack Obama said in 2015 that his Chinese counterpart Xi Jinping had promised not to conduct commercial cyber spying. Subsequent statements by Washington have indicated the practice has continued.
Here are some of the ways Beijing has worked to spy on the United States in recent years:
Cyber warfare
The United States warned in a major annual intelligence assessment in 2022 that the Asian giant represents “the broadest, most active, and persistent cyber espionage threat” to the government and private sector.
According to researchers and Western intelligence officials, China has become adept at hacking rival nations’ computer systems to make off with industrial and trade secrets. In 2021, the United States, NATO and other allies said China had employed “contract hackers” to exploit a breach in Microsoft email systems, giving state security agents access to emails, corporate data and other sensitive information.
Chinese cyber spies have also hacked the US energy department, utility companies, telecommunications firms and universities, according to US government statements and media reports.
Tech fears
Fears of the threat from Beijing have seeped into the technology sector, with concerns that state-linked firms would be obliged to share intel with the Chinese government.
In 2019, the US Department of Justice charged tech giant Huawei with conspiring to steal US trade secrets, evade sanctions on Iran, and other offenses.
Washington has banned the firm from supplying US government systems and strongly discouraged the use of its equipment in the private sector over fears that it could be compromised.
Huawei denies the charges.
Similar anxiety over TikTok animates Western political debate, with some lawmakers calling for an outright ban on the hugely popular app developed by China’s ByteDance over data security fears.
Industrial and military espionage
Beijing has leaned on Chinese citizens abroad to help gather intelligence and steal sensitive technology, according to experts, US lawmakers and media reports.
One of the most high-profile cases was that of Ji Chaoqun, who in January was sentenced to eight years in a US prison for passing information on possible recruitment targets to Chinese intelligence.
An engineer who arrived in the United States on a student visa in 2013 and later joined the army reserves, Ji was accused of supplying information about eight people to the Jiangsu province ministry of state security, an intelligence unit accused of engaging in the theft of US trade secrets.
Last year, a US court sentenced a Chinese intelligence officer to 20 years in prison for stealing technology from US and French aerospace firms.
The man, named Xu Yanjun, was found guilty of playing a leading role in a five-year Chinese state-backed scheme to steal commercial secrets from GE Aviation, one of the world’s leading aircraft engine manufacturers, and France’s Safran Group.
In 2020, a US court jailed Raytheon engineer Wei Sun — a Chinese national and naturalized US citizen — for bringing sensitive information about an American missile system into China on a company laptop.
Spying on politicians
With the goal of advancing Beijing’s interests, Chinese operatives have allegedly courted American political, social and business elites.
US news website Axios ran an investigation in 2020 claiming that a Chinese student enrolled at a university in California had developed ties with a range of US politicians under the auspices of Beijing’s main civilian spy agency.
The student, named Fang Fang, used campaign financing, developed friendships and even initiated sexual relationships to target rising politicians between 2011 and 2015, according to the report.
Police stations
Another technique used by Chinese operatives is to tout insider knowledge about the Communist Party’s opaque inner workings and dangle access to top leaders to lure high-profile Western targets, researchers say.
The aim has been to “mislead world leaders about (Beijing’s) ambitions” and make them believe “China would rise peacefully — maybe even democratically,” Chinese-Australian author Alex Joske wrote in his book, “Spies and Lies: How China’s Greatest Covert Operations Fooled the World”.
Beijing has also exerted pressure on overseas Chinese communities and media organizations to back its policies on Taiwan, and to muzzle criticism of the Hong Kong and Xinjiang crackdowns.
In September 2022, Spain-based NGO Safeguard Defenders said China had set up 54 overseas police stations around the world, allegedly to target Communist Party critics.
Beijing has denied the claims.
The Netherlands ordered China to close two “police stations” there in November.
A month later, the Czech Republic said China had closed two such centers in Prague.
The post Spies, Hackers, Informants: How China Snoops on the US appeared first on SecurityWeek.
President Joe Biden said on Saturday that he ordered U.S. officials to shoot down the suspected Chinese spy balloon earlier this week and that national security leaders decided the best time for the operation was when it got over water.
“They successfully took it down and I want to compliment our aviators who did it,” Biden said after getting off Air Force One en route to Camp David.
Fighter jets shot down the giant white balloon off the Carolina coast after it traversed sensitive military sites across North America and became the latest flashpoint in tensions between Washington and Beijing.
Defense Secretary Lloyd Austin said in a statement that Biden approved the shootdown on Wednesday, saying it should be done “as soon as the mission could be accomplished without undue risk to American lives under the balloon’s path.”
Austin said that due to the size and altitude of the balloon, which was moving at about 60,000 feet in the air, the military had determined that taking it down over land would pose an undue risk to people on the ground.
The balloon was spotted Saturday morning over the Carolinas as it approached the coast. In preparation for the operation, the FAA temporarily closed airspace over the Carolina coastline, including the airports in Charleston and Myrtle Beach, South Carolina, and Wilmington, North Carolina. The FAA rerouted air traffic from the area and warned of delays as a result of the flight restrictions.
An operation was underway in U.S. territorial waters in the Atlantic Ocean to recover debris from the balloon, which had been flying at about 60,000 feet and was estimated to be about the size of three school buses. The balloon was downed by Air Force fighter aircraft, according to two officials who were not authorized to publicly discuss the matter and spoke on condition of anonymity.
President Joe Biden had told reporters earlier Saturday that “we’re going to take care of it,” when asked about the balloon. The Federal Aviation Administration and Coast Guard worked to clear the airspace and water below the balloon as it reached the ocean.
Television footage showed a small explosion, followed by the balloon descending toward the water. U.S. military jets were seen flying in the vicinity and ships were deployed in the water to mount the recovery operation.
Officials were aiming to time the operation so they could recover as much of the debris as possible before it sinks into the ocean. The Pentagon had previously estimated that any debris field would be substantial.
The Coast Guard advised mariners to immediately leave the area because of U.S. military operations “that present a significant hazard.”
Biden had been inclined to down the balloon over land when he was first briefed on it on Tuesday, but Pentagon officials advised against it, warning that the potential risk to people on the ground outweighed the assessment of potential Chinese intelligence gains.
The public disclosure of the balloon this week prompted the cancellation of a visit by U.S. Secretary of State Antony Blinken to Beijing scheduled for Sunday for talks aimed at reducing U.S.-China tensions. The Chinese government on Saturday sought to play down the cancellation.
“In actuality, the U.S. and China have never announced any visit, the U.S. making any such announcement is their own business, and we respect that,” China’s Ministry of Foreign Affairs said in a statement Saturday morning.
China has continued to claim that the balloon was merely a weather research “airship” that had been blown off course. The Pentagon rejected that out of hand — as well as China’s contention that it was not being used for surveillance and had only limited navigational ability.
The balloon was spotted over Montana, which is home to one of America’s three nuclear missile silo fields at Malmstrom Air Force Base.
The Pentagon also acknowledged reports of a second balloon flying over Latin America. “We now assess it is another Chinese surveillance balloon,” Brig. Gen. Pat Ryder, Pentagon press secretary, said in a statement.
China’s Ministry of Foreign Affairs did not immediately respond to a question about the second balloon.
Blinken, who had been due to depart Washington for Beijing late Friday, said he had told senior Chinese diplomat Wang Yi in a phone call that sending the balloon over the U.S. was “an irresponsible act and that (China’s) decision to take this action on the eve of my visit is detrimental to the substantive discussions that we were prepared to have.”
Uncensored reactions on the Chinese internet mirrored the official government stance that the U.S. was hyping the situation. Some used it as a chance to poke fun at U.S. defenses, saying it couldn’t even defend against a balloon, and nationalist influencers leapt to use the news to mock the U.S.
China has denied any claims of spying and said it is a civilian-use balloon intended for meteorology research. The Ministry of Foreign Affairs emphasized that the balloon’s journey was out of its control and urged the U.S. not to “smear” it based on the balloon.
The post US Downs Chinese Balloon Off Carolina Coast appeared first on SecurityWeek.
The Pentagon said at midday Friday that a Chinese spy balloon had moved eastward and was over the central United States, and that the U.S. rejected China’s claims that it was not being used for surveillance.
Brig. Gen. Pat Ryder, Pentagon press secretary, refused to provide details on exactly where the balloon was or whether there was any new consideration of shooting it down. The military had ruled that option out, officials had said, due to potential risks to people on the ground.
Ryder said it was at an altitude of about 60,000 feet, was maneuverable and had changed course. He said it currently was posing no threat. He said there was only one balloon being tracked.
Earlier, the U.S. announced that Secretary of State Antony Blinken had postponed a planned high-stakes weekend diplomatic trip to China as the Biden administration weighed a broader response to the discovery of a high-altitude Chinese balloon flying over sensitive sites in the western United States.
That abrupt decision came despite China’s claim that the balloon was a weather research “airship” that had blown off course. The U.S. has described it as a surveillance vehicle.
The development came just before Blinken had been due to depart Washington for Beijing and marked a new blow to already strained U.S.-Chinese relations.
President Joe Biden declined to comment when questioned at an economic event. Two 2024 reelection challengers, former President Donald Trump, and Nikki Haley, the former South Carolina governor and U.N. ambassador, said the U.S. should immediately shoot down the balloon.
Discovery of the balloon was announced by Pentagon officials who said one of the places it was spotted was over the state of Montana, which is home to one of America’s three nuclear missile silo fields at Malmstrom Air Force Base.
A senior defense official said the U.S. prepared fighter jets, including F-22s, to shoot down the balloon if ordered. The Pentagon ultimately recommended against it, noting that even as the balloon was over a sparsely populated area of Montana, its size would create a debris field large enough that it could have put people at risk.
The official said the balloon was headed over the Montana missile fields, but the U.S. has assessed that it had only “limited” value in terms of providing intelligence China couldn’t obtain by other technologies, such as spy satellites.
The discovery alarmed many in Washington and across the country and, besides the U.S. protests lodged with Chinese officials, it attracted strong criticism of the administration from Republican members of Congress who have advocated taking a tougher stance with China.
China, which angrily denounces surveillance attempts by the U.S. and others over areas it considers to be its territory and once forced down an American spy plane, offered a generally muted reaction to the Pentagon announcement.
In a relatively conciliatory statement, the Chinese foreign ministry said late Friday that the balloon was a civilian airship used mainly for meteorological research. The ministry said the airship has limited “self-steering” capabilities and “deviated far from its planned course” because of winds.
“The Chinese side regrets the unintended entry of the airship into U.S. airspace due to force majeure,” the statement said, citing a legal term used to refer to events beyond one’s control.
Blinken had been prepared as late as Thursday to travel to Beijing this weekend but the administration had begun to reconsider the trip following the discovery of the balloon on Wednesday, even before its presence was made public, an official said.
The official, who spoke to reporters on condition of anonymity due to the sensitivity of the matter, said the administration had “noted” China’s expression of regret.
Blinken’s long-anticipated meetings with senior Chinese officials had been seen in both countries as a way to find some areas of common ground at a time of major disagreements over Taiwan, human rights, China’s claims in the South China Sea, North Korea, Russia’s war in Ukraine, trade policy and climate change.
Although the trip, which was agreed to in November by President Biden and Chinese President Xi Jinping at a summit in Indonesia, had not been formally announced, officials in both Beijing and Washington had been talking in recent days about Blinken’s imminent arrival.
The meetings were to begin on Sunday and go through Monday.
The post Big China Spy Balloon Moving East Over US, Pentagon Says appeared first on SecurityWeek.
China said Friday it is looking into reports that a Chinese spy balloon has been flying in U.S. airspace and urged calm, adding that it has “no intention of violating the territory and airspace of any sovereign country.”
Foreign Ministry spokesperson Mao Ning also said she had no information about whether a trip to China by U.S. Secretary of State Antony Blinken planned for next week will proceed as scheduled.
At a daily briefing, Mao said that politicians and the public should withhold judgment “before we have a clear understanding of the facts” about the spy balloon reports.
Blinken would be the highest-ranking member of President Joe Biden’s administration to visit China, arriving amid efforts to mitigate a sharp downturn in relations between Beijing and Washington over trade, Taiwan, human rights and China’s claims in the South China Sea.
“China is a responsible country and has always strictly abided by international laws, and China has no intention of violating the territory and airspace of any sovereign country. As for the balloon, as I’ve mentioned just now, we are looking into and verifying the situation and hope that both sides can handle this together calmly and carefully,” Mao said.
“As for Blinken’s visit to China, I have no information,” she said.
A senior defense official told Pentagon reporters that the U.S. has “very high confidence” that the object was a Chinese high-altitude balloon and was flying over sensitive sites to collect information.
One of the places the balloon was spotted was over the state of Montana, which is home to one of America’s three nuclear missile silo fields at Malmstrom Air Force Base. The official spoke on condition of anonymity to discuss sensitive information.
Pentagon press secretary Brig. Gen. Patrick Ryder said the balloon is “currently traveling at an altitude well above commercial air traffic and does not present a military or physical threat to people on the ground.”
Ryder said similar balloon activity has been seen in the past several years and the government has taken steps to ensure no sensitive information was stolen.
President Biden was briefed and asked the military to present options, according to a senior administration official, who was also not authorized to publicly discuss sensitive information.
Defense Secretary Lloyd Austin and Army Gen. Mark Milley, chairman of the Joint Chiefs of Staff, advised against taking “kinetic action” because of risks to the safety of people on the ground. Biden accepted that recommendation.
The defense official said the U.S. has “engaged” Chinese officials through multiple channels and communicated the seriousness of the matter.
Blinken’s visit was expected to start this Sunday in an effort to try to find common ground on issues from trade policy to climate change. Although the trip has not been formally announced, both Beijing and Washington have been talking about his imminent arrival.
The senior defense official said the U.S. prepared fighter jets, including F-22s, to shoot down the balloon if ordered. The Pentagon ultimately recommended against it, noting that even as the balloon was over a sparsely populated area of Montana, its size would create a debris field large enough that it could have put people at risk.
It was not clear what will happen with the balloon if it isn’t brought down.
The defense official said the spy balloon was trying to fly over the Montana missile fields, but the U.S. has assessed that it has “limited” value in terms of providing intelligence it couldn’t obtain by other technologies, such as spy satellites.
The official would not specify the size of the balloon but said commercial pilots could spot it from their cockpits. All air traffic was halted at Montana’s Billings Logan International Airport from 1:30 p.m. to 3:30 p.m. Wednesday, as the military provided options to the White House.
A photograph of a large white balloon lingering over the area was captured by The Billings Gazette. The balloon could be seen drifting in and out of clouds and had what appeared to be a solar array hanging from the bottom, said Gazette photographer Larry Mayer.
The balloon’s appearance adds to national security concerns among lawmakers over China’s influence in the U.S., ranging from the prevalence of the hugely popular smartphone app TikTok to purchases of American farmland.
“China’s brazen disregard for U.S. sovereignty is a destabilizing action that must be addressed,” Republican Party House Speaker Kevin McCarthy tweeted.
Tensions with China are particularly high on numerous issues, ranging from Taiwan and the South China Sea to human rights in China’s western Xinjiang region and the clampdown on democracy activists in Hong Kong. Not least on that list of irritants are China’s tacit support for Russia’s invasion of Ukraine, its refusal to rein in North Korea’s expanding ballistic missile program and ongoing disputes over trade and technology.
On Tuesday, Taiwan scrambled fighter jets, put its navy on alert and activated missile systems in response to nearby operations by 34 Chinese military aircraft and nine warships that are part of Beijing’s strategy to unsettle and intimidate the self-governing island democracy.
Twenty of those aircraft crossed the central line in the Taiwan Strait that has long been an unofficial buffer zone between the two sides, which separated during a civil war in 1949.
Beijing has also increased preparations for a potential blockade or military action against Taiwan, which has stirred increasing concern among military leaders, diplomats and elected officials in the U.S., Taiwan’s key ally.
The surveillance balloon was first reported by NBC News.
From an office window in Billings, Montana, Chase Doak said he saw a “big white circle in the sky” that he said was too small to be the moon.
“I thought maybe it was a legitimate UFO,” Doak said. “So I wanted to make sure I documented it and took as many photos as I could.”
The post China Says It’s Looking Into Report of Spy Balloon Over US appeared first on SecurityWeek.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

SecurityWeek Cyber Insights 2023 | The Geopolitical Effect – Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.
The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.
Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023.
“Russia may well resort to increased cyber offensive actions as it contends with on-the-ground setbacks in Ukraine,” comments Bob Ackerman, MD and founder of AllegisCyber. This has been considered likely throughout 2022, but as Russian military setbacks have increased toward the end of 2022, so the likelihood of increasingly aggressive Russian cyber activity will rise. Such offensive actions will not simply target Ukraine – they will be aimed at all countries seen to be supporting Ukraine.
“While we haven’t seen those feared attacks materialize yet,” says Christopher Budd, senior manager of threat research at Sophos, “it would be premature to say that those risks have passed. In 2023, so long as the uncertainty of war exists, everyone should plan for the real possibility of unexpected, large-scale cyberattacks.”
Indeed, the mirror between the kinetic and cyberworlds suggests it is inevitable in 2023. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, expects to see Russian cyber activity becoming more ‘feral’. “We’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes,” he says. “We expect the same to apply to cyberwarfare.”
He is concerned that Russia’s more feral activity will have the potential to spill over into other nations, “as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyberattacks.”
Malwarebytes believes that large-scale attacks will appear first in Ukraine, but be accompanied by attacks against European allies. “In recent weeks [Oct/Nov 2022] Russia has been launching a barrage of missiles to cripple Ukraine’s electricity infrastructure. We could expect that at some point availability of such weapons will run low and that the Kremlin will want to increase the cyber effort. We may see further successful malware attacks from the Sandworm group as we have seen previously with the blackouts caused by the BlackEnergy malware,” comments Jerome Segura, senior director of threat intelligence at Malwarebytes.
“While malware used to destroy or wipe systems is likely to be used against Ukraine,” he adds, “more stealthy malware such as backdoors are likely to hit European allies as attempts to compromise key leaders, gather intelligence and possibly expose or extort via ‘kompromat’.”
In one sense, the Russia/Ukraine conflict has taken the gloves off the lower-level cyberwarfare that has existed for years. You could say that 2023 may well prove to be a new era of bare-knuckle cyberwarfare. “Nation state cyber warfare will become more openly prevalent,” suggests Chris Gray, AVP of security strategy at Deepwatch. “The Russia/Ukraine conflict has taken away much of the ‘cloak and dagger’ aspects of this area and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase chaos due to service interruption will increasingly grow over former levels.”
While we concentrate on Russia as the primary current protagonist in offensive cyber, we should not forget that Russian ‘allies’ will take advantage of the situation. “China is likely to expand the full spectrum of its cyber initiatives targeting economic, political, and military objectives,” continues Ackerman. “Bit actors on the global stage may well exploit Great Power conflict and related global distractions to launch targeted regional cyberattacks,” he adds. One example would be Iran targeting Israel.
Increased nation-state cyber activity will become more obvious, but not necessarily legally attributable. The major powers will still seek to avoid direct retribution that could escalate into additional kinetic warfare. “The reality with nation-state attacks is you might never know you’ve been hit by one until another country’s intelligence agency actively identifies it,” warns Andrew Barratt, VP at Coalfire. “The attribution of attacks to specific parties is a highly contentious area with a lot of room for error and deniability. What we really need is crossover from friendly military intelligence partners to support a reasonable conclusion.”
SecurityWeek was told years ago by Luis Corrons, now security evangelist at Gen and co-chairman of the board at AMTSO, “The only people who really know what’s going on are the intelligence agencies, who have close knowledge drawn from signals intelligence and covert agents.” Historically, the intelligence agencies have been reluctant to make too many public accusations of attribution for fear that it might expose their sources.

Direct attribution from countries with mature intelligence agencies is likely to increase in 2023 – as will the strident denials coming from the perpetrators – but it will remain difficult. “The rapid expansion of non-state affiliated cyber actors including hobbyists, hacktivists, criminals, privateers, proxies, vigilantes, or cyber response reserve units, is unlike anything ever seen in traditional warfare,” explains Marcus Fowler, CEO of Darktrace Federal. “The surge in ‘vigilante’ approaches to cyber-crime will continue to alter the course of modern warfare in 2023, introducing unprecedented adversaries and allies for nation-states.”
What remains largely unknown is the potential capability of unfettered cyberwarfare – all major nations have been stockpiling zero-days for years. “I dare not speak of the unused kinetic powers available to the nation-states,” comments Brian Neuhaus, CTO of Americas at Vectra AI, “but will digress to one which has only, I believe, been partially used. Cyberwarfare is still a real threat from a broader use of known TTPs (tools, tactics, procedures) and an unknown equity of zero-days just waiting for the right strategic moment to deploy against one’s foes.”
Zero-days are not used lightly, especially by nation-states. Once used, they instantly lose their value. The problem is that we have no knowledge of our adversaries’ zero-day stockpiles, nor their ability to unleash widespread destructive capabilities against critical infrastructure. Their use is likely to be one of desperation – a cyber version of nuclear weapons with the potential to escalate into open kinetic conflict.
We must hope this day never comes, for it is worth remembering Putin’s warning on the use of nuclear weapons: “For the planet, it will be a catastrophe. But for me as a citizen of the Russian Federation and the head of the Russian State, I must ask myself the question. What is the point of a world without Russia?”
Our hope must therefore be that no nation-state feels so backed into a corner that it unleashes the full power of stockpiled zero-days against the opponent’s critical infrastructure. That doesn’t mean we can relax – the threat from what we could perhaps describe as conventional cyberweapons remains real and likely to increase through 2023. Wiperware is probably top of the list.

“Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure,” comments Fleming Shi, CTO at Barracuda. “The frequency has dramatically increased as we saw WhisperGate, CaddyWiper, HermeticWiper, and others hitting the news since the war broke out.”
Unlike the financial motivations and decryption potential of ransomware, wiperware is typically deployed by nation-state actors with the sole intent to damage and destroy an adversary’s systems beyond recovery. “In addition,” he adds, “in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue.”
Wiperware can easily be disguised as criminal ransomware with non-functioning decryption, adding deniability to destructive nation-state attacks. There are suspicions that WannaCry was a version of this. “Given the current political climate, Kaspersky experts foresee a record number of disruptive and destructive cyberattacks, affecting both the government sector and key industries,” says Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.
“It is likely that a portion of them will not be easily traceable to cyberattacks and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations to provide plausible deniability for their real authors,” he added. “High-profile cyberattacks against civilian infrastructure, such as energy grids or public broadcasting, may also become targets, as well as underwater cables and fiber distribution hubs, which are challenging to defend.”
A particular target area for such attacks will likely be ‘dual use’ technologies; that is, those that serve both military and commercial purposes. “Satellite technologies and other advanced communication platforms come under a higher level of focus. Both intellectual property theft and disruption of data delivery to governments and militaries around the world become a stronger focus,” says Kurt Baumgartner, principal security researcher at Kaspersky.
It is noticeable that the cyberattack against Viasat by Russia just prior to the Russian invasion of Ukraine, designed to disrupt Ukrainian military communications, spilled out of the region to also affect some 9,000 European users. Russia seems to have ‘got away with it’ on this occasion, but it effectively remains a nation-state cyberattack against civilians outside of the war zone. We are not aware of any clandestine response from the West, but must wonder if the response would have been different if the spillover had directly affected US users.
John Pescatore, director of emerging security trends at SANS Institute, endorses Baumgartner’s view. “The war in Ukraine will have broader impacts on the commercial sector as operatives on both sides attack dual-use technologies (that is, services used by both the military and civilians) to take down communication and critical infrastructures systems.” He expects to see more attacks in 2023 that will impact business internet connections, communication, and logistics systems.
“Increasing attacks on key dual-use technologies like cell towers, GPS, and commercial satellites – such as Starlink,” he adds, “will damage connectivity and business operations for private sector companies that depend on these technologies, even if they are not directly targeted themselves.”
While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war. China will likely continue concentrating on espionage rather than destruction – although this may change if the separate geopolitical tensions over Taiwan escalate into kinetic activity.
“China has high priority targets to meet in terms of economic and social development, made more pressing by continuing Covid outbreaks and a zero-tolerance stance on Covid,” warns Mike McLellan, director of intelligence at Secureworks. “Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas.”
This focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. “Organizations operating in or supplying any of those areas, particularly high-tech industries,” he continues, “are potential targets of Chinese cyberespionage.”
But he adds, “As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt and Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused, targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.”
Iran and North Korea are less concerned with maintaining any semblance of diplomacy with the US and EU. Iran may engage in more destructive cyberattacks, largely in the Middle East but potentially elsewhere. “Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly,” says McLellan.
The country will make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. This will probably extend beyond the Middle East with Iran merging state and criminal activity. Citing the IRGC-affiliated Cobalt Mirage threat group, McLellan warns, “Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a ‘cybercrime problem’.”
“We’re also seeing North Korea flexing its muscles by flying long range weapons over borders,” adds Venafi’s Bocek. If the mirror between kinetic and cyber activity holds true, we can expect North Korea to become more aggressive in cyber in 2023. Such cyber activity, adds Bocek, “will be replicated by North Korea as it looks to advance its economic and political goals.”
A particular concern for 2023 and beyond is that the diplomatic seal may now be permanently broken. The Russia/Ukraine war will eventually end – but tensions between the two countries and their allies will continue. Aggressive international cyber activity may never return to pre-war levels. “Nation-states will continue to cause each other digital problems amid the constant fight for power and status on the world stage,” comments Zac Warren, chief security advisor for EMEA at Tanium.
“Nations will come to the table to discuss norms; China, Russia and others will inhibit progress,” warns Mike Hamilton, founder and CISO at Critical Insight. He has two specific predictions for 2023 that might take cyber relations beyond the point of no return. Firstly, he suggests, “Russia will have its infrastructure disrupted as a demonstration of seriousness.” Secondly, he adds, “Operational technologies will be disrupted/wiped, likely in the US water sector.”
If either of these incidents occurs and can be reliably attributed to a foreign state, it will not be easily forgiven.
As it is in the kinetic world, so it is in the digital. “For everything in the real world, there is a shadow on the Internet,” says Sam Curry, CSO at Cybereason. “More-and-more, we are going to see the Internet as a primary forum for geopolitical activity. The classic diplomacy, information, military and economic (or ‘DIME’) options are seeing the rise of information options and a resurgence of military options from 2022. Going into 2023, it’s to be hoped that diplomacy and economics rise to the fore, but for that to happen, the world would need to see an amenable-to-all-parties resolution to the Russia-Ukraine War or at least motion in that direction with a meaningful ceasefire; and detente in the South China Sea, which although a secondary area is another potential area of rising concern and clash of superpowers.”
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Related: Wipers Are Widening: Here’s Why That Matters
Related: Economic Warfare: Attacks on CI Part of Geopolitical Conflict
Related: Security Pros Believe Cybersecurity Now Aligned With Cyberwar
Related: U.S. Issues Fresh Warning Over Russian Cyber Threats
The post Cyber Insights 2023: The Geopolitical Effect appeared first on SecurityWeek.
Russia-linked cyberespionage group APT29 has been observed staging new malware for attacks likely targeting embassy-related individuals, Recorded Future reports.
Also referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium, APT29 is a Russian advanced persistent threat (APT) group believed to be sponsored by the Russian Foreign Intelligence Service (SVR). It’s also believed to have orchestrated multiple high-profile attacks, including the 2020 SolarWinds attack.
In October 2022, Recorded Future identified new infrastructure and malware that the cyberespionage group likely set up for attacks targeting embassy staff or an ambassador.
A compromised site containing the text “Ambassador’s schedule November 2022” was used as a lure to infect visitors with new malware called GraphicalNeutrino.
The threat, which uses the US-based business automation service Notion for command and control (C&C), is a loader that packs numerous anti-analysis capabilities, including sandbox evasion, API unhooking, and string encryption.
According to Recorded Future, which tracks the activity as BlueBravo (PDF), the staging and deployment of the malware is similar to previously observed tactics, techniques, and procedures (TTPs) attributed to APT29.
The lure webpage embedded an obfuscated ZIP file within its HTML code, set to be automatically downloaded to the visitor’s system, which overlaps with previously observed deployments of the EnvyScout dropper.
The ZIP file contains two DLLs and a benign executable masquerading as a PDF, which was designed to load the libraries using DLL search order hijacking. One of the DLLs contains the GraphicalNeutrino malware, implemented in a thread spawned when the library is initialized.
When launched, GraphicalNeutrino attempts to remove API hooks from specific modules, checks whether persistence is required (which it achieves by creating a new registry key), and then establishes communication with the C&C.
The malware creates a unique identifier for the victim, based on username and computer name, adds the ItIEQ prefix to it, and then uses a Notion API database query filter to determine whether the victim has previously connected to the C&C.
A second, nearly identical GraphicalNeutrino sample that Recorded Future identified, compiled only two days after the first, contained only small changes: a different Notion database ID, a new identifier prefix, a new key for string decryption, a renamed DLL export function, and a modified wait time for C&C communication.
“While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures,” Recorded Future notes.
Related: Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability
Related: Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers
Related: Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies
The post Russia-Linked APT29 Uses New Malware in Embassy Attacks appeared first on SecurityWeek.
The Iran-linked advanced persistent threat (APT) actor known as Moses Staff is leaking data stolen from Saudi Arabia government ministries using a recently created online persona.
Also referred to as Cobalt Sapling, Moses Staff has likely been active since November 2020, but its existence was not revealed until September 2021.
A declared anti-Israeli and pro-Palestinian group, the APT had posted 16 activities on its leaks website as of December 2022, mainly consisting of data stolen from Israeli companies, or the personal information of individuals affiliated with an intelligence unit of the Israel Defense Forces.
The group was previously linked to the use of the PyDCrypt custom loader, the DCSrv cryptographic wiper that encrypts data and displays a bootloader message, the StrifeWater remote access trojan (RAT), and the DriveGuard auxiliary tool deployed to monitor the RAT’s execution.
In November 2022, a seemingly new hacktivist group claiming affiliation with Hezbollah Ummah, the Lebanese Shia Islamist political party and militant group, announced its existence under the name Abraham’s Ax, but Secureworks believes that this new persona is operated by Cobalt Sapling, the same APT that operates Moses Staff.
Connections between the two groups, the cybersecurity firm says, are plentiful, starting with the use of a similar logo, similarities between the leak sites (both of which have Tor versions), and the hosting of these sites on the same subnet, at nearly adjacent addresses.
Like Moses Staff, Abraham’s Ax uses a biblical figure for their persona, and their claimed affiliation to Hezbollah has yet to be proven, Secureworks says.
As part of their activities, both groups have released videos, often depicting “Hollywood-style hacking involving satellites, CCTV, 3D building models, and fast scrolling through documents allegedly stolen as part of their operations”.
The videos show repetition and evolution of visual themes, with Abraham’s Ax reusing stock video elements from Moses Staff, with additional visual embellishments on top.
To date, Abraham’s Ax has leaked data allegedly stolen from Saudi Arabia’s Ministry of the Interior and a video purportedly depicting an intercepted phone conversation between Saudi Arabian government ministers.
“Rather than attacking Israel directly, Abraham’s Ax attacks government ministries in Saudi Arabia. […] The group may be attacking Saudi Arabia in response to Saudi Arabia’s leadership role in improving relationships between Israel and Arab nations,” Secureworks notes.
The cybersecurity firm also notes that Abraham’s Ax does not appear to replace the Moses Staff persona, which has remained active, claiming in late November the hack of a CCTV system monitoring the site of a terrorist attack in Israel.
“Malware and technical indicators from Abraham’s Ax operations have not been identified. Assuming that both personas are operated by Cobalt Sapling, it is plausible that the threat actors use the same tools and techniques in their intrusions,” Secureworks notes.
Related: UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
Related: Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack
Related: Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware
The post Iranian APT Leaks Data From Saudi Arabia Government Under New Persona appeared first on SecurityWeek.