The United States on Friday blacklisted six Chinese entities it said were linked to Beijing’s aerospace programs as part of its retaliation over an alleged Chinese spy balloon that traversed U.S. airspace.
The economic restrictions followed the Biden administration’s pledge to consider broader efforts to address Chinese surveillance activities and will make it more difficult for the five companies and one research institute to obtain American technology exports.
The move is likely to further escalate the diplomatic row between the U.S. and China sparked by the balloon, which was shot down last weekend off the Carolina coast. The U.S. said the balloon was equipped to detect and collect intelligence signals, but Beijing insists it was a weather craft that had blown off course.
The incident prompted Secretary of State Antony Blinken to abruptly cancel a high-stakes trip to Beijing aimed at easing tensions.
The U.S. Bureau of Industry and Security said the six entities were being targeted for “their support to China’s military modernization efforts, specifically the People’s Liberation Army’s (PLA) aerospace programs including airships and balloons.”
“The PLA is utilizing High Altitude Balloons (HAB) for intelligence and reconnaissance activities,” it said.
Deputy Secretary of Commerce Don Graves said on Twitter his department “will not hesitate to continue to use” such restrictions and other regulatory and enforcement tools “to protect U.S. national security and sovereignty.”
The six entities are Beijing Nanjiang Aerospace Technology Co., China Electronics Technology Group Corporation 48th Research Institute, Dongguan Lingkong Remote Sensing Technology Co., Eagles Men Aviation Science and Technology Group Co., Guangzhou Tian-Hai-Xiang Aviation Technology Co., and Shanxi Eagles Men Aviation Science and Technology Group Co.
The research institute did not immediately respond to a request for comment. The other five entities could not be reached.
On Friday, a U.S. military fighter jet shot down an unknown object flying off the remote northern coast of Alaska on orders from President Joe Biden. The object was downed because it reportedly posed a threat to the safety of civilian flights, rather than because of any knowledge that it was engaged in surveillance.
But the twin incidents in such close succession reflect heightened concerns over China’s surveillance program and public pressure on Biden to take a tough stand against it.
An alleged Chinese surveillance balloon over the United States last week sparked a diplomatic furore and renewed fears over how Beijing gathers intelligence on its largest strategic rival.
FBI Director Christopher Wray said in 2020 that Chinese spying poses “the greatest long-term threat to our nation’s information and intellectual property, and to our economic vitality”.
China’s foreign ministry said in a statement to AFP that it “resolutely opposed” spying operations and that American accusations are “based on false information and sinister political aims”.
The United States also has its own ways of spying on China, deploying surveillance and interception techniques as well as networks of informants.
Former US president Barack Obama said in 2015 that his Chinese counterpart Xi Jinping had promised not to conduct commercial cyber spying. Subsequent statements by Washington have indicated the practice has continued.
Here are some of the ways Beijing has worked to spy on the United States in recent years:
Cyber warfare
The United States warned in a major annual intelligence assessment in 2022 that the Asian giant represents “the broadest, most active, and persistent cyber espionage threat” to the government and private sector.
According to researchers and Western intelligence officials, China has become adept at hacking rival nations’ computer systems to make off with industrial and trade secrets. In 2021, the United States, NATO and other allies said China had employed “contract hackers” to exploit a breach in Microsoft email systems, giving state security agents access to emails, corporate data and other sensitive information.
Chinese cyber spies have also hacked the US energy department, utility companies, telecommunications firms and universities, according to US government statements and media reports.
Tech fears
Fears of the threat from Beijing have seeped into the technology sector, with concerns that state-linked firms would be obliged to share intel with the Chinese government.
In 2019, the US Department of Justice charged tech giant Huawei with conspiring to steal US trade secrets, evade sanctions on Iran, and other offenses.
Washington has banned the firm from supplying US government systems and strongly discouraged the use of its equipment in the private sector over fears that it could be compromised.
Huawei denies the charges.
Similar anxiety over TikTok animates Western political debate, with some lawmakers calling for an outright ban on the hugely popular app developed by China’s ByteDance over data security fears.
Industrial and military espionage
Beijing has leaned on Chinese citizens abroad to help gather intelligence and steal sensitive technology, according to experts, US lawmakers and media reports.
One of the most high-profile cases was that of Ji Chaoqun, who in January was sentenced to eight years in a US prison for passing information on possible recruitment targets to Chinese intelligence.
An engineer who arrived in the United States on a student visa in 2013 and later joined the army reserves, Ji was accused of supplying information about eight people to the Jiangsu province ministry of state security, an intelligence unit accused of engaging in the theft of US trade secrets.
Last year, a US court sentenced a Chinese intelligence officer to 20 years in prison for stealing technology from US and French aerospace firms.
The man, named Xu Yanjun, was found guilty of playing a leading role in a five-year Chinese state-backed scheme to steal commercial secrets from GE Aviation, one of the world’s leading aircraft engine manufacturers, and France’s Safran Group.
In 2020, a US court jailed Raytheon engineer Wei Sun — a Chinese national and naturalized US citizen — for bringing sensitive information about an American missile system into China on a company laptop.
Spying on politicians
With the goal of advancing Beijing’s interests, Chinese operatives have allegedly courted American political, social and business elites.
US news website Axios ran an investigation in 2020 claiming that a Chinese student enrolled at a university in California had developed ties with a range of US politicians under the auspices of Beijing’s main civilian spy agency.
The student, named Fang Fang, used campaign financing, developed friendships and even initiated sexual relationships to target rising politicians between 2011 and 2015, according to the report.
Police stations
Another technique used by Chinese operatives is to tout insider knowledge about the Communist Party’s opaque inner workings and dangle access to top leaders to lure high-profile Western targets, researchers say.
The aim has been to “mislead world leaders about (Beijing’s) ambitions” and make them believe “China would rise peacefully — maybe even democratically,” Chinese-Australian author Alex Joske wrote in his book, “Spies and Lies: How China’s Greatest Covert Operations Fooled the World”.
Beijing has also exerted pressure on overseas Chinese communities and media organizations to back its policies on Taiwan, and to muzzle criticism of the Hong Kong and Xinjiang crackdowns.
In September 2022, Spain-based NGO Safeguard Defenders said China had set up 54 overseas police stations around the world, allegedly to target Communist Party critics.
Beijing has denied the claims.
The Netherlands ordered China to close two “police stations” there in November.
A month later, the Czech Republic said China had closed two such centers in Prague.
North Korean hackers working for the government stole record-breaking virtual assets last year estimated to be worth between $630 million and more than $1 billion, U.N. experts said in a new report.
The panel of experts said in the wide-ranging report seen Tuesday by The Associated Press that the hackers used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information that could be useful in North Korea’s nuclear and ballistic missile programs from governments, individuals and companies.
With growing tensions on the Korean Peninsula, the report said North Korea continued to violate U.N. sanctions, producing weapons-grade nuclear material, and improving its ballistic missile program, which “continued to accelerate dramatically.”
In 2022, the Democratic People’s Republic of Korea – the North’s official name – launched at least 73 ballistic missiles and missiles combining ballistic and guidance technologies including eight intercontinental ballistic missiles, the panel said. And 42 launches, including the test of a reportedly new type of ICBM and a new solid-fueled ICBM engine, were conducted in the last four months of the year.
North Korea’s leader Kim Jong Un ordered an “exponential increase of the country’s nuclear arsenal” in January, and the panel said “a new law discussed an increased focus on tactical nuclear capability, a new first-use doctrine, and the ‘irreversible nature’ of the DPRK’s nuclear status.”
“The ability to carry out an unexpected nuclear strike on any regional or international target, described in DPRK’s new law on nuclear doctrine and progressively in public statements since 2021, is consistent with the observed production, testing, and deployment of its tactical and strategic delivery systems,” the experts said in the report to the U.N. Security Council.
The panel said that South Korean authorities quoted in media reports “estimated that state sponsored DPRK cyber threat actors had stolen virtual assets worth around $1.2 billion globally since 2017, including about $630 million in 2022 alone.”
The experts monitoring sanctions against North Korea said an unnamed cybersecurity firm “assessed that in 2022, DPRK cybercrime yielded cyber currencies worth over $1 billion at the time of the threat, which is more than double the total proceeds in 2021.”
The variation in the U.S. dollar value of cryptocurrency in recent months is likely to have affected these estimates, the panel said, “but both show that 2022 was a record-breaking year for DPRK virtual asset theft.”
The panel said three groups that are part of the Reconnaissance General Bureau, North Korea’s primary foreign intelligence organization, “continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programs” – Kimsuky, Lazarus Group and Andariel.
Between February and July 2022, the panel said, the Lazarus Group “reportedly targeted energy providers in multiple member states using a vulnerability” to install malware and gain long-term access. It said this “aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies … to siphon off proprietary intellectual property.”
Lazarus Group’s primary focus is on specific types of industry, aerospace and defense and conventional finance and cryptocurrencies, with the objective of accessing the internal knowledge bases of the compromised companies, the experts said. They quoted the cybersecurity section of an internet technology company as saying Lazarus has been targeting engineers and technical support employees “using malicious versions of open source applications.”
In December 2022, the panel said, South Korea’s national police agency announced that Kimsuky had targeted 892 foreign policy related experts “in an effort to steal personal data and email lists.”
The police reported that the hackers didn’t manage to steal sensitive information, but they “laundered IP addresses of the victims and employed 326 detour servers and 26 member states to make tracing difficult,” the experts said. The police noted it was the first time they detected Kimsuky using ransomware, saying 19 servers and 13 businesses were affected, of which two paid 2.5 million South Korean won ($1,980) in Bitcoin to the hackers.
On military-related issues, the experts said they investigated the “apparent export” of military communications equipment from a North Korean company under U.N. sanctions to Ethiopia’s defense ministry in June 2022.
The panel said it has not yet received a reply from Ethiopia’s government about a photo published by the Ethiopian media in November allegedly showing a piece of equipment from the Global Communications Co., known as Glocom, being used by a top military official. Eritrea also hasn’t responded to questions about its alleged procurement of Glocom equipment, the experts said.
North Korea may also have illegally traded arms and related material with a number of countries, including sending artillery shells, infantry rockets and missiles to Russia – claims Pyongyang and Moscow have consistently denied, the panel said. And the experts said they are investigating the reported sale of weapons from a North Korean company on the U.N. sanctions list to the Myanmar military through a Myanmar company.
The German government announced the appointment Tuesday of the European Central Bank’s head of IT systems to lead the national cybersecurity agency, months after her predecessor was removed following reports of possible problematic ties to Russia.
Interior Minister Nancy Faeser said Claudia Plattner “brings the experience and expertise with her that we need for cybersecurity in these particularly challenging times.” She will take charge of the BSI agency on July 1, becoming the first woman in the role.
Faeser dismissed the BSI’s previous head, Arne Schoenbohm, in October. He had been in charge of the agency since 2016.
Schoenbohm co-founded a cybersecurity group a decade ago that brought together experts from public institutions and the private sector. German media reported that one of its members was a company founded by a former Russian intelligence agent. The group said last week that it had thrown out the company.
The Interior Ministry said in the fall that the allegations “damaged the necessary confidence of the public in the neutrality and impartiality” of Schoenbohm’s management.
Schoenbohm defended himself against the allegations. He has since taken up a new job as the head of another body overseen by the Interior Ministry, the Federal Academy of Public Administration.
Plattner worked for German railway operator Deutsche Bahn’s IT provider, DB Systel, before joining the ECB in July 2021. The Frankfurt-based central bank said it would announce a successor “in due course.”
After the French satirical magazine Charlie Hebdo launched a cartoon contest to mock Iran’s ruling cleric, a state-backed Iranian cyber unit struck back with a hack-and-leak campaign that was designed to provoke fear with the claimed pilfering of a big subscriber database, Microsoft security researchers say.
The FBI blames the same Iranian cyber operators, Emennet Pasargad, for an influence operation that sought to interfere in the 2020 U.S. presidential election, the tech giant said in a blog published Friday. Iran has in recent years stepped up false-flag cyber operations as a tool for discrediting foes.
Calling itself “Holy Souls” and posing as hacktivists, the group claimed in early January to have obtained personal information on 200,000 subscribers and Charlie Hebdo merchandise buyers, according to Microsoft’s Digital Threat Analysis Center.
As proof of the data theft, “Holy Souls” released a 200-record sample with names, phone numbers and home and email addresses of Charlie Hebdo subscribers that “could put the magazine’s subscribers at risk for online or physical targeting” by extremists. The group then advertised the supposed complete data cache on several dark web sites for $340,000.
Microsoft said it did not know whether anyone purchased the cache.
A representative for Charlie Hebdo said Friday that the newspaper would not comment on the Microsoft research. Iran’s mission to the United Nations did not immediately respond to a request for comment Friday.
The Jan. 4 sample release coincided with the publication of Charlie Hebdo’s cartoon contest issue. Entrants were asked to draw offensive caricatures of Iran’s supreme leader, Ayatollah Ali Khamenei.
The French newspaper Le Monde verified multiple victims of the leak from the sample, Microsoft said. The Iranian cyber operators sought to boost news of the hack-and-leak operation — and fuel outrage at the cartoon edition — through fake French “sock-puppet” accounts on social media platforms that included Twitter, Microsoft said.
The operation coincided with verbal attacks by Tehran condemning Charlie Hebdo’s “insult.”
The provocatively irreverent magazine has a long history of publishing vulgar cartoons which critics consider deeply insulting to Muslims. Two French-born al-Qaida extremists attacked the newspaper’s office in 2015, killing 12 cartoonists, and Charlie Hebdo has been the target of other attacks over the years.
The magazine billed the Khamenei caricature contest as a show of support for nationwide antigovernment protests that have convulsed Iran since the mid-September death of Mahsa Amini, a 22-year-old woman detained by Iran’s morality police for allegedly violating the country’s strict Islamic dress code.
After the cartoon issue was published, Iran shut down a decades-old French research institute. Last week, it announced sanctions targeting more than 30 European individuals and entities, including three senior Charlie Hebdo staffers. The sanctions are largely symbolic as they bar travel to Iran and allow its authorities to block bank accounts and confiscate property in Iran.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | The Geopolitical Effect – Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.
The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.
Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023.
Background
“Russia may well resort to increased cyber offensive actions as it contends with on-the-ground setbacks in Ukraine,” comments Bob Ackerman, MD and founder of AllegisCyber. This has been considered likely throughout 2022, but as Russian military setbacks have increased toward the end of 2022, so the likelihood of increasingly aggressive Russian cyber activity will rise. Such offensive actions will not simply target Ukraine – they will be aimed at all countries seen to be supporting Ukraine.
“While we haven’t seen those feared attacks materialize yet,” says Christopher Budd, senior manager of threat research at Sophos, “it would be premature to say that those risks have passed. In 2023, so long as the uncertainty of war exists, everyone should plan for the real possibility of unexpected, large-scale cyberattacks.”
Indeed, the mirror between the kinetic and cyberworlds suggests it is inevitable in 2023. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, expects to see Russian cyber activity becoming more ‘feral’. “We’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes,” he says. “We expect the same to apply to cyberwarfare.”
He is concerned that Russia’s more feral activity will have the potential to spill over into other nations, “as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyberattacks.”
Malwarebytes believes that large-scale attacks will appear first in Ukraine, but be accompanied by attacks against European allies. “In recent weeks [Oct/Nov 2022] Russia has been launching a barrage of missiles to cripple Ukraine’s electricity infrastructure. We could expect that at some point availability of such weapons will run low and that the Kremlin will want to increase the cyber effort. We may see further successful malware attacks from the Sandworm group as we have seen previously with the blackouts caused by the BlackEnergy malware,” comments Jerome Segura, senior director of threat intelligence at Malwarebytes.
“While malware used to destroy or wipe systems is likely to be used against Ukraine,” he adds, “more stealthy malware such as backdoors are likely to hit European allies as attempts to compromise key leaders, gather intelligence and possibly expose or extort via ‘kompromat’.”
In one sense, the Russia/Ukraine conflict has taken the gloves off the lower-level cyberwarfare that has existed for years. You could say that 2023 may well prove to be a new era of bare-knuckle cyberwarfare. “Nation state cyber warfare will become more openly prevalent,” suggests Chris Gray, AVP of security strategy at Deepwatch. “The Russia/Ukraine conflict has taken away much of the ‘cloak and dagger’ aspects of this area and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase chaos due to service interruption will increasingly grow over former levels.”
While we concentrate on Russia as the primary current protagonist in offensive cyber, we should not forget that Russian ‘allies’ will take advantage of the situation. “China is likely to expand the full spectrum of its cyber initiatives targeting economic, political, and military objectives,” continues Ackerman. “Bit actors on the global stage may well exploit Great Power conflict and related global distractions to launch targeted regional cyberattacks,” he added, such as Iran targeting Israel.
Difficulty in attribution will remain
Increased nation-state cyber activity will become more obvious, but not necessarily legally attributable. The major powers will still seek to avoid direct retribution that could escalate into additional kinetic warfare. “The reality with nation-state attacks is you might never know you’ve been hit by one until another country’s intelligence agency actively identifies it,” warns Andrew Barratt, VP at Coalfire. “The attribution of attacks to specific parties is a highly contentious area with a lot of room for error and deniability. What we really need is crossover from friendly military intelligence partners to support a reasonable conclusion.”
SecurityWeek was told years ago by Luis Corrons, now security evangelist at Gen and co-chairman of the board at AMTSO, “The only people who really know what’s going on are the intelligence agencies, who have close knowledge drawn from signals intelligence and covert agents.” Historically, the intelligence agencies have been reluctant to make too many public accusations of attribution for fear that it might expose their sources.
Direct attribution from countries with mature intelligence agencies is likely to increase in 2023 – as will the strident denials coming from the perpetrators – but it will remain difficult. “The rapid expansion of non-state affiliated cyber actors including hobbyists, hacktivists, criminals, privateers, proxies, vigilantes, or cyber response reserve units, is unlike anything ever seen in traditional warfare,” explains Marcus Fowler, CEO of Darktrace Federal. “The surge in ‘vigilante’ approaches to cyber-crime will continue to alter the course of modern warfare in 2023, introducing unprecedented adversaries and allies for nation-states.”
Zero-day stockpiles
What remains largely unknown is the potential capability of unfettered cyberwarfare – all major nations have been stockpiling zero-days for years. “I dare not speak of the unused kinetic powers available to the nation-states,” comments Brian NeuHaus, CTO of Americas at Vectra AI, “but will digress to one which has only, I believe, been partially used. Cyberwarfare is still a real threat from a broader use of known TTPs (tools, tactics, procedures) and an unknown equity of zero-days just waiting for the right strategic moment to deploy against one’s foes.”
Zero-days are not used lightly, especially by nation-states. Once used, they instantly lose their value. The problem is that we have no knowledge of our adversaries’ zero-day stockpiles, nor their ability to unleash widespread destructive capabilities against critical infrastructure. Their use is likely to be one of desperation – a cyber version of nuclear weapons with the potential to escalate into open kinetic conflict.
We must hope this day never comes, for it is worth remembering Putin’s warning on the use of nuclear weapons: “For the planet, it will be a catastrophe. But for me as a citizen of the Russian Federation and the head of the Russian State, I must ask myself the question. What is the point of a world without Russia?”
Wiperware and other destructive attacks
Our hope must therefore be that no nation-state feels so backed into a corner that it unleashes the full power of stockpiled zero-days against the opponent’s critical infrastructure. That doesn’t mean we can relax – the threat from what we could perhaps describe as conventional cyberweapons remains real and likely to increase through 2023. Wiperware is probably top of the list.
“Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure,” comments Fleming Shi, CTO at Barracuda. “The frequency has dramatically increased as we saw WhisperGate, CaddyWiper, HermeticWiper, and others hitting the news since the war broke out.”
Unlike the financial motivations and decryption potential of ransomware, wiperware is typically deployed by nation-state actors with the sole intent to damage and destroy an adversary’s systems beyond recovery. “In addition,” he added, “in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue.”
Wiperware can easily be disguised as criminal ransomware with non-functioning decryption, adding deniability to destructive nation-state attacks. There are suspicions that WannaCry was a version of this. “Given the current political climate, Kaspersky experts foresee a record number of disruptive and destructive cyberattacks, affecting both the government sector and key industries,” says Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.
“It is likely that a portion of them will not be easily traceable to cyberattacks and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations to provide plausible deniability for their real authors,” he added. “High-profile cyberattacks against civilian infrastructure, such as energy grids or public broadcasting, may also become targets, as well as underwater cables and fiber distribution hubs, which are challenging to defend.”
A particular target area for such attacks will likely be ‘dual use’ technologies; that is, those that serve both military and commercial purposes. “Satellite technologies and other advanced communication platforms come under a higher level of focus. Both intellectual property theft and disruption of data delivery to governments and militaries around the world become a stronger focus,” says Kurt Baumgartner, principal security researcher at Kaspersky.
It is noticeable that the cyberattack against Viasat by Russia just prior to the Russian invasion of Ukraine, designed to disrupt Ukrainian military communications, spilled out of the region to also affect some 9,000 European users. Russia seems to have ‘got away with it’ on this occasion, but it effectively remains a nation-state cyberattack against civilians outside of the war zone. We are not aware of any clandestine response from the West, but must wonder if the response would have been different if the spillover had directly affected US users.
John Pescatore, director of emerging security trends at SANS Institute, endorses Baumgartner’s view. “The war in Ukraine will have broader impacts on the commercial sector as operatives on both sides attack dual-use technologies (that is, services used by both the military and civilians) to take down communication and critical infrastructures systems.” He expects to see more attacks in 2023 that will impact business internet connections, communication, and logistics systems.
“Increasing attacks on key dual-use technologies like cell towers, GPS, and commercial satellites – such as Starlink,” he adds, “will damage connectivity and business operations for private sector companies that depend on these technologies, even if they are not directly targeted themselves.”
Beyond Russia
While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war. China will likely continue concentrating on espionage rather than destruction – although this may change if the separate geopolitical tensions over Taiwan escalate into kinetic activity.
“China has high priority targets to meet in terms of economic and social development, made more pressing by continuing Covid outbreaks and a zero-tolerance stance on Covid,” warns Mike McLellan, director of intelligence at Secureworks. “Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas.”
This focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. “Organizations operating in or supplying any of those areas, particularly high-tech industries,” he continues, “are potential targets of Chinese cyberespionage.”
But he adds, “As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.”
Iran and North Korea are less concerned with maintaining any semblance of diplomacy with the US and EU. Iran may engage in more destructive cyberattacks, largely in the Middle East but potentially elsewhere. “Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly,” says McLellan.
The country will make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. This will probably extend beyond the Middle East with Iran merging state and criminal activity. Citing the IRGC-affiliated Cobalt Mirage threat group, McLellan warns, “Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a ‘cybercrime problem’.”
“We’re also seeing North Korea flexing its muscles by flying long-range weapons over borders,” adds Venafi’s Bocek. If the mirror between kinetic and cyber activity holds true, we can expect North Korea to become more aggressive in cyber in 2023. Such cyber activity, adds Bocek, “will be replicated by North Korea as it looks to advance its economic and political goals.”
Summary
A particular concern for 2023 and beyond is that the diplomatic seal may now be permanently broken. The Russia/Ukraine war will eventually end – but tensions between the two countries and their allies will continue. Aggressive international cyber activity may never return to pre-war levels. “Nation-states will continue to cause each other digital problems amid the constant fight for power and status on the world stage,” comments Zac Warren, chief security advisor for EMEA at Tanium.
“Nations will come to the table to discuss norms; China, Russia and others will inhibit progress,” warns Mike Hamilton, founder and CISO at Critical Insight. He has two specific predictions for 2023 that might take cyber relations beyond the point of no return. Firstly, he suggests, “Russia will have its infrastructure disrupted as a demonstration of seriousness.” Secondly, he adds, “Operational technologies will be disrupted/wiped, likely in the US water sector.”
If either of these incidents occurs and can be reliably attributed to a foreign state, it will not be easily forgiven.
As it is in the kinetic world, so it is in the digital. “For everything in the real world, there is a shadow on the Internet,” says Sam Curry, CSO at Cybereason. “More-and-more, we are going to see the Internet as a primary forum for geopolitical activity. The classic diplomacy, information, military and economic (or ‘DIME’) options are seeing the rise of information options and a resurgence of military options from 2022. Going into 2023, it’s to be hoped that diplomacy and economics rise to the fore, but for that to happen, the world would need to see an amenable-to-all-parties resolution to the Russia-Ukraine War or at least motion in that direction with a meaningful ceasefire; and detente in the South China Sea, which although a secondary area is another potential area of rising concern and clash of superpowers.”
About SecurityWeek Cyber Insights: At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
The websites of German airports, public administration bodies and financial sector organizations have been hit by cyberattacks instigated by a Russian “hacker group”, authorities said Thursday.
The Federal Cyber Security Authority (BSI) had “knowledge of DDoS attacks against targets in Germany”, a spokesman told AFP.
A distributed denial-of-service (DDoS) attack is designed to overwhelm the target with a flood of internet traffic, preventing the system from functioning normally.
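As an added illustration of the definition above (not code from the BSI or from any organisation named in the article), the following Python parses constructed web-server access-log lines and shows why a per-source rate limit on its own misses a distributed flood: in the sample, eighty sources each send only three requests in a second, so no single address looks noisy, yet the aggregate rate and the number of distinct sources together give the attack away. The IP addresses are from documentation ranges and the thresholds are assumptions chosen to fit the sample.

```python
"""Rate-based flood detection over web-server access logs.

Added example for the DDoS description above; it is not code from the BSI
or from any organisation named in the article. The log lines below are
constructed, the IP addresses come from documentation ranges, and the
thresholds are assumptions chosen to fit the sample.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, ts: str, path: str = "/") -> str:
    """Build one combined-log-format line (constructed sample data)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# One second of ordinary traffic from a handful of visitors ...
BASELINE = [
    _line("203.0.113.5", "26/Jan/2023:09:00:00 +0100", "/index.html"),
    _line("203.0.113.7", "26/Jan/2023:09:00:00 +0100", "/flights"),
    _line("203.0.113.5", "26/Jan/2023:09:00:00 +0100", "/static/app.js"),
    _line("203.0.113.9", "26/Jan/2023:09:00:00 +0100", "/parking"),
]
# ... then one second in which 80 distinct sources each send three requests.
# No single source is noisy; only the aggregate is.
FLOOD = [
    _line(f"198.51.100.{i}", "26/Jan/2023:09:00:01 +0100")
    for i in range(1, 81)
    for _ in range(3)
]
LOG_LINES = BASELINE + FLOOD


def parse(line: str):
    """Return (source_ip, second as ISO string) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), TIME_FMT)
    return m.group(1), ts.isoformat()


def per_second(lines):
    """Bucket requests by second and source: {second: {ip: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, second = parsed
            buckets[second][ip] += 1
    return buckets


def classify(lines, per_source_limit=50, aggregate_limit=100, min_sources=20):
    """Label each second 'normal', 'single-source flood' or 'distributed flood'.

    A per-source threshold alone never fires on a distributed flood, which is
    the point of the 'D' in DDoS: the aggregate request rate and the number
    of distinct sources have to be examined together.
    """
    verdicts = {}
    for second, by_ip in sorted(per_second(lines).items()):
        total = sum(by_ip.values())
        noisiest = max(by_ip.values())
        if noisiest > per_source_limit:
            verdicts[second] = "single-source flood"
        elif total > aggregate_limit and len(by_ip) >= min_sources:
            verdicts[second] = "distributed flood"
        else:
            verdicts[second] = "normal"
    return verdicts


if __name__ == "__main__":
    for second, verdict in classify(LOG_LINES).items():
        print(second, verdict)
```

Running the block labels the first second normal and the second a distributed flood even though the noisiest source in it sent three requests, far below the per-source limit. In production the aggregate baseline would be learned from history rather than hard-coded, and the decision would feed a rate limiter or an upstream scrubbing service rather than a print statement.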
The attacks were aimed “in particular at the websites of airports”, as well as some “targets in the financial sector” and “the websites of federal and state administrations”, the spokesman said.
The attack had been “announced by the Russian hacker group Killnet”, the BSI spokesman said.
The group’s call to arms was in response to Chancellor Olaf Scholz’s announcement Wednesday that Germany would send Leopard 2 tanks to Ukraine to help repel the Russian invasion, according to financial daily Handelsblatt.
Attributing Thursday’s attacks directly to the hacker group, however, was “particularly hard”, the BSI spokesman said.
“They call for action and then a lot of people take part,” he said. The attacks made “some websites unavailable”, the BSI said, without there being “any indication of direct impacts on (the organisations’) services”.
Attacks on public administrations were “largely repelled with no serious impacts”, the BSI said.
The interior ministry for southwestern Baden-Wuerttemberg state acknowledged “nationwide” DDoS attacks since Wednesday evening against websites, including those of public administration and the regional police.
Germany is on high alert for cyberattacks in the wake of Russia’s war in Ukraine.
The Federal Office for Information Security said in October that the threat level for hacking attacks and other cybercrime activities was higher “than ever”.
The advanced persistent threat (APT) tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated (that is, has had its infrastructure abused by other hackers).
TA444 is a North Korean state-sponsored threat group tracked by Proofpoint as actively targeting cryptocurrencies since at least 2017. It has overlaps with other DPRK groups such as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and Copernicum – but not enough in Proofpoint’s telemetry to be specifically tied to any one of these.
For example, Mandiant has described activity known as CryptoCore and Dangerous Password as a “likely subgroup of APT38”. Proofpoint adds SnatchCrypto, and defines all three as campaigns operated by TA444. If both sets of researchers are correct, it may be that TA444 is a subgroup of APT38. Nevertheless, the overlapping nature of differently named DPRK groups makes it difficult to delineate them clearly, and many people still refer to the umbrella name of Lazarus.
In its first publicly available report on the TA444 group, Proofpoint notes that like other DPRK groups, it is likely tasked with stealing currency to offset sanctions against the state. Around 2017 it began to focus on stealing cryptocurrency. “TA444 had two main avenues of initial access,” notes the report: “an LNK-oriented delivery chain and a chain beginning with documents using remote templates.”
In 2022, however, while continuing to use these methods, it increased its usage of macros for malware delivery. Usually, when threat actors experiment with new delivery mechanisms, they continue to use their existing payloads. Not so with TA444 in 2022. “This suggests,” say the researchers, “that there is an embedded, or at least a devoted, malware development element alongside TA444 operators.”
In early December 2022, the researchers observed a new approach from TA444 – a relatively basic credential harvesting phishing campaign. A TA444 C2 domain began distributing OneDrive phishing emails “rife with typos” to targets in the US and Canada. The infrastructure used suggests it was TA444; the campaign suggests otherwise.
The researchers offer three possibilities: it could be TA444 simply expanding its repertoire; the group could be moonlighting from its primary purpose of sidestepping North Korea’s sanctions; or a different threat actor could have hijacked TA444’s infrastructure.
Whatever the reason, the phishing campaign in December nearly doubled the total volume of TA444 emails observed by Proofpoint for the whole of 2022. Emails were sent to the admin address at each target domain. The From entry was “admin[@]sharedrive[.]ink” and the subject was “linvoice” (that is, “Invoice” beginning with a lowercase L rather than an uppercase I).
The lure entices the target to click on a SendGrid URL, which redirects to the attackers’ credential harvesting page, which in turn uses common phishing tactics such as loading the victim’s iconography via the logo-rendering service ClearBit.
Proofpoint has ‘moderate to moderately high’ confidence that the campaign is operated by TA444, based on the exclusivity of TA444’s infrastructure. “The emails also had valid DMARC and SPF records, indicating that the sender has control of that domain,” add the researchers. Note that a passing SPF or DMARC check only shows the message genuinely originated from sharedrive[.]ink, a domain the attacker controls; it says nothing about whether that domain should be trusted, and such passes are routine for phishing sent from attacker-owned infrastructure.
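The following Python is an added example of how the traits described in the last few paragraphs can be triaged; it is not Proofpoint's code or tooling. It parses two constructed messages: a lure that mirrors the report (the sharedrive[.]ink sender, the “linvoice” subject, a SendGrid click-tracking redirect, and passing SPF/DMARC results) and a legitimate invoice from an assumed vendor. The recipient domain, the trusted-vendor list and all URLs are assumptions. The confusable check is written generally, so it also catches a substituted character (“lnvoice”, “1nvoice”) rather than only the inserted one the article mentions, while leaving “Invoice” and “Invoices” alone.

```python
"""Triage of a credential-phishing lure with the traits described above.

Added example, not Proofpoint's code or tooling. The two messages are
constructed for this demonstration; the From address, the "linvoice"
subject, the SendGrid click-tracking redirect and the passing SPF/DMARC
result mirror the report, everything else (recipient domain, trusted
vendor list, URLs) is assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the hypothetical recipient organisation actually receives
# invoices from (assumption for this example).
TRUSTED_SENDERS = {"billing.example-vendor.com"}

# Click-tracking hosts that forward to an arbitrary destination, so the
# visible link says nothing about where the click lands.
REDIRECT_HOSTS = ("sendgrid.net",)

# Words attackers imitate, and characters that pass for one another.
LURE_WORDS = ("invoice", "payment", "shared")
CONFUSABLES = set("lI1|0O")


def confusable_edit(token: str, keyword: str) -> bool:
    """True if token is keyword with one confusable swapped in or inserted.

    'lnvoice' (l for I) and 'linvoice' (l inserted) both match 'invoice';
    'Invoice' (exact, case aside) and 'Invoices' (extra non-confusable) do not.
    """
    k = keyword.casefold()
    if len(token) == len(k):
        diffs = [i for i, (a, b) in enumerate(zip(token, k)) if a.casefold() != b]
        return len(diffs) == 1 and token[diffs[0]] in CONFUSABLES
    if len(token) == len(k) + 1:
        for i, ch in enumerate(token):
            if (token[:i] + token[i + 1:]).casefold() == k:
                return ch in CONFUSABLES
    return False


def _under(host: str, suffix: str) -> bool:
    """True if host is suffix or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def triage(raw: str) -> dict:
    """Return sender domain, whether SPF/DMARC passed, and a list of findings.

    auth_pass is reported but deliberately not used as a trust signal:
    an attacker-registered domain authenticates perfectly well.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    auth_pass = "spf=pass" in auth and "dmarc=pass" in auth

    findings = []
    if domain not in TRUSTED_SENDERS:
        findings.append(f"sender domain {domain} is not a known vendor")
    for tok in re.findall(r"[A-Za-z0-9|]+", msg.get("Subject", "")):
        for kw in LURE_WORDS:
            if confusable_edit(tok, kw):
                findings.append(f"subject token {tok!r} imitates {kw!r}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if any(_under(host, s) for s in REDIRECT_HOSTS):
            findings.append(f"link goes through redirector {host}")
    return {"domain": domain, "auth_pass": auth_pass, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed samples. Both pass SPF and DMARC: the lure is sent from a
# domain the attacker registered and controls, so authentication succeeds.
LURE = """\
From: admin@sharedrive.ink
To: admin@target.example
Subject: linvoice
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=sharedrive.ink; dmarc=pass header.from=sharedrive.ink

A file has been shared with you.
https://u1234.ct.sendgrid.net/ls/click?upn=OPAQUE
"""

LEGIT = """\
From: billing@billing.example-vendor.com
To: ap@target.example
Subject: Invoice 4471 for January
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=billing.example-vendor.com; dmarc=pass header.from=billing.example-vendor.com

Your invoice is attached.
https://portal.billing.example-vendor.com/invoices/4471
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        print(name, triage(raw))
```

Both messages report auth_pass as true, which is the practical lesson of the researchers' DMARC/SPF remark: authentication results tell you who sent a message, not whether to trust them. The three findings on the lure (unknown sender domain, confusable subject, redirector link) are what separate it from the legitimate invoice.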
The FBI has officially attributed last year’s Horizon bridge hack and cryptocurrency heist to a threat group widely believed to be operating on behalf of the North Korean government.
The Horizon bridge is designed to enable cryptocurrency holders to move assets between Harmony’s network and the Ethereum network, Binance Chain and Bitcoin.
In June 2022, news broke that someone had managed to steal $100 million from the Horizon bridge — specifically the Ethereum side — after obtaining and decrypting private keys.
The agency noted that US authorities are identifying and disrupting North Korea’s cryptocurrency theft and laundering activities, which are used by the regime to fund its ballistic missile and weapons of mass destruction programs.
“On Friday, January 13, 2023, North Korean cyber actors used Railgun, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC),” the FBI said.
The agency said part of these funds were frozen with the help of virtual asset service providers, while the rest have been moved to nearly a dozen addresses, which have been made public.
North Korean state-sponsored hackers are believed to be behind several high-profile cryptocurrency heists and this is not the first time the US government has officially blamed them for an attack.
FBI Director Christopher Wray said Thursday that he was “deeply concerned” about the Chinese government’s artificial intelligence program, asserting that it was “not constrained by the rule of law.”
Speaking during a panel session at the World Economic Forum in Davos, Switzerland, Wray said Beijing’s AI ambitions were “built on top of massive troves of intellectual property and sensitive data that they’ve stolen over the years.”
He said that left unchecked, China could use artificial intelligence advancements to further its hacking operations, intellectual property theft and repression of dissidents inside the country and beyond.
“That’s something we’re deeply concerned about, and I think everyone here should be deeply concerned about,” he said.
More broadly, he said, “AI is a classic example of a technology where I have the same reaction every time. I think, ‘Wow, We can do that?’ And then I think, ‘Oh god, they can do that.’”
Such concerns have long been voiced by U.S. officials. In October 2021, for instance, U.S. counterintelligence officials issued warnings about China’s ambitions in AI as part of a renewed effort to inform business executives, academics and local and state government officials about the risks of accepting Chinese investment or expertise in key industries.
Earlier that year, an AI commission led by former Google CEO Eric Schmidt urged the U.S. to boost its AI skills to counter China, including by pursuing “AI-enabled” weapons.
A spokesperson for the Chinese Embassy in Washington did not immediately respond to a request seeking comment Thursday about Wray’s comments. Beijing has repeatedly accused Washington of fearmongering and attacked U.S. intelligence for its assessments of China.