Recent State-Sponsored Activity Impacting the Cyber Threat Landscape

The current state of heightened geopolitical unrest has led to nation-state threat actors launching cyberattacks to advance their political and economic agendas, thereby influencing and endangering critical information, as well as public safety and services. Recently exposed actions by advanced persistent threat (APT) groups and state-aligned hacking groups indicate an evolution in the cyber threat landscape and a fundamental shift in the goals and techniques of state-sponsored cyber operations. The main objectives of state-sponsored APT activities often involve strategic and industrial espionage, with their primary efforts focused on infiltrating systems to steal valuable data. However, recent changes in tactics, intensity, and expected outcomes were observed.

China

Increased tensions in the Asia-Pacific region involving US allies like the Philippines and Taiwan have subsequently escalated cyber threat activity. The People’s Republic of China (PRC) typically aims to position itself in systems to disrupt capabilities, and its operations could involve sabotaging critical infrastructure and industrial capacities, causing disruption and potential panic. A recent analysis report revealed that threat actors in the PRC-aligned cyberespionage ecosystem are engaging in an alarming trend of using ransomware as a final stage in their operations for financial gain, disruption, distraction, misattribution, or removal of evidence. Two clusters of activity involve ransomware or data encryption tooling – one linked to a suspected Chinese cyberespionage threat group, ChamelGang, and the second cluster resembling previous intrusions involving artifacts linked to suspected PRC and North Korean (DPRK) APT groups. The affected organizations were primarily in the US, with manufacturing the most significantly impacted sector. Education, finance, healthcare, and legal sectors were also affected to a lesser degree. The use of ransomware by threat actors associated with the PRC and DPRK against government and critical infrastructure sectors denotes a shift in the intensity of cyber threats. Their dual objectives of financial gain and espionage underscore the need for heightened international cooperation and the implementation of robust defense strategies.

Another PRC State-sponsored cyber threat is the hacking group Volt Typhoon, which has engaged in cyberespionage campaigns and aims to maintain a covert presence in networks while avoiding detection. There are concerns that the group is developing capabilities to disrupt critical infrastructure during future crises, posing a risk to various sectors, including communications, transportation, water and wastewater, energy, military, defense, and maritime in the US and its territories, such as Guam.

A joint international cybersecurity advisory from agencies and law enforcement across eight countries, including the US, warns of the recently observed tactics used by the PRC State-sponsored threat group APT40, also known as Kryptonite Panda and GINGHAM TYPHOON. This group conducts malicious cyber operations for the PRC Ministry of State Security (MSS) and is based in Haikou, Hainan Province, PRC.

Russia

Recorded Future analysts identified that a likely Russian government-aligned influence network known as CopyCop has shifted its focus to the 2024 US elections. CopyCop creates and spreads political content using AI and inauthentic websites to disseminate targeted content through YouTube videos. In June, analysts discovered the network expanded its influential content sources to include mainstream news outlets in the US and UK, conservative-leaning US media, and Russian State-affiliated media. Within twenty-four hours of registering and posting the original articles, CopyCop scrapes, modifies, and disseminates content to US election-themed websites using over 1,000 fake journalist personas. Despite the content being generated rapidly, AI-generated content for this campaign was not observed being widely shared on social media platforms.

Earlier this year, Microsoft identified an ongoing cyberattack, cautioning that the Russian APT Midnight Blizzard (APT29, Cozy Bear) continues to attempt to exploit various shared secrets for further attacks via email. Recent Microsoft notifications on social media reveal that the hack had a broader impact on the company’s customer base. Additionally, the recent cyberattack that breached the remote access software company TeamViewer was attributed to Midnight Blizzard. The company noted that the incident occurred on June 26 after their security team detected an irregularity in TeamViewer’s internal corporate IT environment.

The US intends to prohibit antivirus software from Kaspersky Labs, a company headquartered in Moscow that serves 400 million users and 250,000 corporate customers globally, over national security concerns. The US Department of Commerce’s Bureau of Industry and Security (BIS) indicated that the ban will take effect on September 29. BIS reached this decision due to the potential influence of the Russian military and intelligence authorities on the company, which is subject to Russian Government jurisdiction. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties; however, any individual or business that continues to use Kaspersky products and services assumes all cybersecurity and associated risks, which could spell disaster with cyber insurance claims.

DPRK

Recently, American cybersecurity company KnowBe4 hired a Principal Software Engineer who was later discovered to be a DPRK State cyber threat actor who attempted to install information-stealing malware on the network. The threat actor passed background checks and interviews, having used a stolen identity and AI tools to deceive the hiring process. This type of impersonation and insider threat highlights the advanced tactics DPRK nation-state threat actors use in their attempts to infiltrate US companies.

A DPRK-linked cyberespionage group, now known as APT45, has expanded its operations to include financially motivated attacks involving ransomware. The group has used ransomware families known as SHATTEREDGLASS and Maui to target organizations in South Korea, Japan, and the US. This shift in focus emphasizes the importance of staying updated on threat intelligence to address current threats.

Kimsuky is a DPRK APT cyber threat group that conducts worldwide attacks to gather intelligence aligned with the DPRK government’s interests. Kimsuky’s primary focus is gathering intelligence on foreign policy, national security considerations regarding the Korean peninsula, and nuclear policy. A 2023 United Nations report revealed the involvement of DPRK State hackers in unprecedented levels of cryptocurrency theft in the previous year. The theft was estimated to be between $630 million and over $1 billion in 2022 alone, doubling Pyongyang’s illicit gains from cyber theft.

Iran

MuddyWater, an Iranian cyber threat group linked to the Ministry of Intelligence and Security (MOIS), has intensified cyberattacks on Israel and its allies during the Israeli-Hamas War. The group typically uses phishing campaigns and has recently introduced a new custom backdoor called BugSleep. They increasingly use English to target various sectors and regions using themes like webinars and online courses in phishing emails. Their malware can execute multiple commands and target a wide range of global entities, primarily focusing on Israeli and Saudi Arabian targets. MuddyWater targets various sectors, including telecommunications, government (IT services), and the oil industry. They have expanded their cyberespionage operations, focusing on governmental and defense institutions in Central and Southwest Asia and businesses in North America and Europe.

Recommendations:

Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats as detailed on the NJCCIC Guidance and Best Practices webpage, in addition to the following:
  • Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
  • Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
  • Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
  • Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
  • Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.