
Netherlands Restricts Key Tech Exports in US-China Chip Battle

According to sources, the Dutch government will impose export limits on the country's most advanced microchip technology in order to safeguard national security.

Products manufactured by ASML, a key company in the global semiconductor supply chain, will be subject to the restrictions. China has filed a formal complaint in response.

As geopolitical tensions between the US and China increase, the administration of US President Joe Biden has restricted semiconductor exports to its chief superpower rival in an effort to halt the development of cutting-edge technology that might be employed in military modernization and human rights abuses. The US has also pressed its international allies to follow suit.

The Dutch trade minister, Ms. Schreinemacher, said that the Dutch government had taken the technological changes and the geopolitical environment into account, but did not specifically mention China or ASML. Enterprises will now need to apply for licenses to export the technology, including the most modern deep ultraviolet (DUV) immersion lithography and deposition equipment.

The firm stated that it "does not expect these steps to have a major impact on our financial projection that we have released for 2023 or for our longer-term scenarios as indicated during our Investor Day in November last year."

In October, Washington said that it would require licenses from businesses exporting chips to China that were made using US equipment or software, no matter where in the world the chips were produced.

South Korea's trade ministry also criticized the US position on semiconductors this week. The South Korean government said it would make clear that the terms of the Chips Act may increase economic uncertainty, undermine companies' management and intellectual property rights, and lessen the appeal of investing in the United States.

Cybersecurity in 2023: Russian Intelligence, Chinese Espionage, and Iranian Hacktivism

State-sponsored Activities 

In 2022, we witnessed a number of state-sponsored cyber activities originating from different countries, with the tactics employed by the threat actors varying. This is likely to continue into 2023, since governments use their cyber capabilities as a means of achieving economic and political objectives.

Russian Cyber Activity will be Split between Targeting Ukraine and Advancing its Broader Intelligence Goals 

Conflict-related cyber activity can be expected to increase, since there is no immediate prospect of an end to the conflict in Ukraine. These activities will be aimed at degrading Ukraine's vital infrastructure and government services and at gathering foreign intelligence useful to the Russian government from entities involved in the war effort.

Additionally, organizations linked to the Russian intelligence services will keep focusing their disinformation campaigns, intelligence gathering, and potentially low-intensity disruptive attacks on their geographical neighbors. 

Russia will also keep working toward its longer-term, more comprehensive intelligence goals, and the traditional targets of espionage will remain a priority. For instance, in August 2022, Russian intelligence services used spear-phishing emails to target employees of the US Argonne and Brookhaven national laboratories, which conduct cutting-edge energy research.

It is further expected that new information regarding the large-scale covert intelligence gathering by Russian state-sponsored threat actors, enabled by their use of cloud environments, internet backbone technology, or pervasive identity management systems, will come to light. 

China Will Continue to Prioritize Political and Economic Cyber Espionage 

China's intelligence-gathering activities are also expected to remain driven by economic and political objectives.

The newly re-elected president Xi Jinping and the Chinese Communist Party will continue to employ the country's intelligence infrastructure to assist in achieving broader economic and social goals. They will also continue to target international NGOs in order to monitor dissident organizations and individuals opposing the Chinese government in any way.

China-based threat actors will also target high-tech company giants that operate in or supply industries like energy, manufacturing, housing, and natural resources, as China seeks to upgrade these industries domestically.

Iranian Government-backed Conflicts and Cybercrimes will Overlap 

The way in which the Iranian intelligence services outsource operations to security firms in Iran has blurred the line between state-sponsored activity and cybercrime.

We have witnessed a recent incident regarding the same with the IRGC-affiliated COBALT MIRAGE threat group, which performs cyber espionage but also financially supports ransomware attacks. Because cybercrime is inherently opportunistic, it has affected and will continue to affect enterprises of all types and sizes around the world. 

Moreover, low-intensity conflicts between Iran and its adversaries in the area, mainly Israel, will persist. Operations carried out under the guise of hacktivism and cybercrime will be designed to interfere with crucial infrastructure, disclose private data, and reveal agents of foreign intelligence. 

How Can Organizations Protect Themselves from Opportunistic Cybercrime?

The recent global cyber activities indicate that opportunistic cybercrime threats will continue to pose a challenge to organizational operations. 

Organizations are working to defend themselves from these activities by prioritizing security measures, since such incidents generally occur due to a failure or lack of security controls.

Listed below are some of the security measures organizations may follow in order to combat opportunistic cybercrime, whether it originates from nation-states or from cybercrime groups:

  • Organizations can mitigate threats by investing in fundamental security controls like asset management, patching, multi-factor authentication, and network monitoring.
  • Maintain a strong understanding of the threat landscape and the tactics utilized by adversaries. Security teams must also identify and safeguard their key assets and prioritize vulnerability management.
  • Traditional methods and solutions, such as endpoint detection and response, are no longer effective in thwarting today's attacks, so it is crucial to thoroughly monitor the entire network, from endpoints to cloud assets. Organizations must also identify and effectively address their most significant business concerns and prioritize threats in order to combat them more efficiently.

ByteDance Employees Seized User Data Of Two Journalists

The Chinese company ByteDance, which owns TikTok, disclosed on Thursday that some of its workers had illegally collected the data of American TikTok users, including two journalists.

According to an email from ByteDance general counsel Erich Andersen, employees of the company accessed the data as part of a failed investigation into information leaks earlier this year. The employees accessed the IP addresses and other information of two reporters via their TikTok accounts, as well as the data of a limited number of individuals connected to the journalists. The company stated that the employees were searching for connections between the two journalists, a former BuzzFeed reporter and a Financial Times reporter, and ByteDance, but were unable to find any breaches.

The inquiry, which was initiated in response to a Forbes story, emphasizes the privacy and security dangers associated with TikTok that American lawmakers, state governors, and administrations have raised for more than two years, and supports some of the information in that story. More than a dozen states have prohibited TikTok from being used on government-issued devices, and the business has been in extensive discussions with the administration about security and privacy policies that would prevent ByteDance and the Chinese government from possibly gaining access to user data in the United States.

Two ByteDance employees in China and two in the US who were associated with the incident were sacked. Company representatives announced that they were taking extra precautions to safeguard user data. According to a Forbes investigation, ByteDance tracked several Forbes journalists, including some who had previously worked for BuzzFeed, in an effort to identify the source of the leaks.

In an effort to completely remove user data from China, TikTok has taken steps to distance itself from ByteDance and is currently in talks with the US government. The outcome of those talks is still up in the air.

A Cyberattack Sponsored by China Targeted Amnesty International Canada


It has come to light that Amnesty International's Canadian branch was the victim of a sophisticated cyber-security attack during the fall, one that forensic investigators believe originated in China with the blessing of the authorities in Beijing.

An announcement from the human rights group, published on Monday, said that the intrusion was first detected on October 5.

Based on the forensic investigation conducted by a cybersecurity firm, the attack appears to be the work of a group classified as an advanced persistent threat (APT) group.

According to a report prepared by U.K.-based cybersecurity firm Secureworks on behalf of Amnesty International Canada, the attack on Amnesty was very different from other hacker attacks, as it involved covertly spying on the operating system of Amnesty's network to create a false sense of security.

The hackers do not seem to have intended to steal data from Amnesty International but rather to gather its contacts and monitor its activities. 

According to the report, the revelation comes at a time when relations between Canada and China remain cold on many fronts. 

A spokesperson for Secureworks told CNN that the company is confident that Beijing - or a group affiliated with the Chinese government - was behind the breach. 

"The assessment in this report is based on the nature of the targeted information as well as the observable tools and behaviors, many of which are consistent with those associated with Chinese cyberespionage groups," the document stated. 

In an interview with BBC, Amnesty International Canada secretary general Ketty Nivyabandi stated that other human rights organizations and members of civil society, and the public must take note of the experience. Further, she stated that there is no question that this case of cyber espionage indicates the increasingly dangerous environment in which activists, journalists, as well as civil society have to strive to survive today. 

Earlier this month, Secureworks director of intelligence Mike McLellan commented on the targeting of human rights groups. He said that they are committed to raising awareness of human rights violations wherever they take place. He also added that they are committed to denouncing the use of digital surveillance by governments to stifle human rights, and will continue to shine a light on human rights violations wherever they locate them and speak out against governments that use digital surveillance against their citizens.

McLellan told CBC News that China uses its cyber capabilities to gather political and military intelligence, as well as to spy on its opponents. Organizations such as Amnesty International are intriguing to China because of the people they work with and the work they do. McLellan added, "As a result of China's interest in surveillance, we see organizations like this being targeted because of their activities." 

According to McLellan, there is a definite connection between the current tensions between Canada and China and the timing of the cyberattack. McLellan thinks that the issue is primarily about Amnesty Canada and less about China and Canada.

A report by another cybersecurity firm based in Massachusetts, Recorded Future, issued last summer, cited that hacking groups suspected to be working on behalf of the Chinese government have been conducting espionage against numerous governments, NGOs, think tanks, and news agencies for more than a decade. 

A report stated that since 2019, the campaign had targeted organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan, the Democratic Progressive Party (DPP) that governs Taiwan, and the National Informatics Centre of India. 

Citizen Lab, a Canadian group that investigates internet matters, published a paper in 2016 which revealed that it had been penetrated by cyberspies, including some linked to China, as had other civil society organizations.

The target of spies sponsored by states 

Tibet Action, with nine other civil society associations that worked together on the study, had conducted four years of research. A total of eight of the organizations were focused on China or Tibet; two were large international human rights groups. 

A Citizen Lab study examined over 800 suspicious emails for malware as part of the ground-breaking study. Located at the Munk School of Global Affairs and Public Policy at the University of Toronto, it is an interdisciplinary laboratory that focuses on global issues. 

The Canadian chapter of Amnesty International is aware that its work may put Amnesty International in the crosshairs, as Nivyabandi mentioned. "Several of our members are aware that our organization is vulnerable to state-sponsored attacks aiming to disrupt our work or to keep an eye on what we do as an organization advocating for human rights around the world," she said.

"Despite these threats, we will not be intimidated by them, and we will always put the security and privacy of our activists, staff, donors, and stakeholders as a top priority."

The official statement said that the relevant authorities, staff, donors, and stakeholders had been informed of the breach, and that there would be an ongoing effort to safeguard the organization against future threats by working with security experts.

Data of UK and EU Users is Accessible to TikTok Staff in China


An investigation by the BBC disclosed that some of TikTok's workers have access to data from accounts in the UK and the European Union, which the Chinese company has now made public.

Facebook said it had adopted the "privacy policy" as part of its "legal obligations," based on a demonstrated need for staff to do their work.

The company has come under scrutiny from authorities around the world in the past few years, including those from the UK and the US, over concerns over the possible transfer of data to Chinese officials. 

According to a report by the New York Times, the US government has called for the app to be banned in the country.

It has been stated that the policy applies to "the European Economic Area, the United Kingdom, and Switzerland" according to TikTok's website. 

As described in a statement on Wednesday by Elaine Fox, the platform's head of privacy and security for Europe, the platform's global team plays a key role in maintaining a "consistent, enjoyable, and safe" experience for users. 

While TikTok currently stores European user data in the US and Singapore, Ms. Fox explained that "we have allowed certain employees from our corporate group based in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States remote access to TikTok European user data."

She said the company's main focus is on controlling which employees can access European user data, in order to limit the number of employees with access, minimize data flows outside of the region, and store European user data locally.

Additionally, she said the approach was subject to a series of robust security controls and approval protocols, and it was conducted in compliance with the General Data Protection Regulations (GDPR) regarding personal data use. 

An official at the US communications watchdog, the country's leading regulator for communications, made the announcement in the same week that he recommended a ban on TikTok.

Brendan Carr, one of the commissioners at the Federal Communications Commission (FCC), told the Washington Post that there does not appear to be anything other than a ban as a solution to the problem.

He said there was no way to come up with adequate protection, because he did not believe there was a world in which such protection could be implemented so that the data would not fall into the hands of the Chinese communist regime.

In a series of interviews, ByteDance, the company behind TikTok, has denied that the organization is controlled by the Chinese government. 

Authorities in the UK, EU and the United States have systematically monitored the app for the past few years. 

The investigation is underway 

In August, after MPs publicly expressed concern regarding the risks of data being disclosed to the Chinese government, the UK Parliament closed its TikTok account.

Senior MPs and members of parliament said the account should be removed until TikTok can give "credible assurances" that it will not be used to leak data to Beijing.

The Irish Data Protection Commission, which acts as the app's lead regulator in the EU, has also investigated it over two privacy-related issues.

The watchdog has begun investigating TikTok's processing of the personal data of children as part of a monitoring program. It is also investigating whether the company's transfers of personal data overseas, for instance to China, have complied with EU law.

The same year, a US security panel ordered ByteDance to sell off its American operations because of concerns that users' data might be shared with Chinese authorities.

In June this year, TikTok said it had migrated US users' information to servers run by American software giant Oracle in Austin, Texas. 

As reported last month, TikTok denied the report that a Chinese team at ByteDance was planning on using the app to track the locations of American citizens while they use the app. 

According to the social media company, TikTok has never been used to target members of the American government, activists, public figures, or journalists.

Ms. Fox said on Wednesday that the app does not collect precise location data from its users in Europe, in line with European Union rules.

With almost 4 billion downloads, TikTok is the world's fastest-growing social media app and has become one of the most popular in the world. 

According to Sensor Tower, an analysis company that tracks trends related to mobile apps, the company has garnered more than $6.2 billion (£5.4 billion) in gross revenue from in-app purchases since its launch in 2017.

Hong Kong Will Legalize Retail Crypto Trading to Establish a Cryptocurrency Hub


Hong Kong has announced a plan to legalize retail cryptocurrency trading in order to create a friendlier regulatory regime for cryptocurrencies. This reverses the trend of the last few years, during which the city took a skeptical view and China banned the practice.

According to sources familiar with the matter, an upcoming mandatory licensing program for crypto platforms, scheduled to take effect in March next year, will allow retail traders access to crypto platforms. The sources asked not to be named since they are not authorized to release this information publicly.

Regulators are reportedly planning to allow the listing of higher-value tokens in the coming months but will not endorse specific coins such as Bitcoin or Ether, according to the people. They noted that the details and timeframe are yet to be finalized, since a public consultation is due first.

At a fintech conference that starts on Monday, the government is expected to provide more details regarding its recently announced goal of creating a top crypto hub in the region. The marketing campaign comes amid a larger effort to put Hong Kong back on the map and restore its reputation as a financial center after years of political turmoil and Covid curbs that sparked a talent exodus.

Gary Tiu, executive director at crypto firm BC Technology Group Ltd, said that, while mandatory licensing in Hong Kong is one of the most effective things regulators can do, they cannot forever satisfy the needs of retail investors who are investing in crypto assets. 

Criteria for listing 

According to people familiar with the matter, the upcoming regime for listing tokens on retail exchanges is likely to include criteria such as the token's market value, liquidity, and membership in third-party crypto indexes to determine eligibility for listing. Their approach resembles the one they used when it came to structured products such as warrants, they continued. 

Hong Kong's Securities and Futures Commission spokesperson did not respond to a request for comment regarding the details of the revised stance adopted by the agency. 

Several crypto-related Hong Kong companies listed on the stock exchange saw their share prices rise on Friday. BC Technology climbed 4.8% to its highest in three weeks, while Huobi Technology Holdings Ltd. rose slightly.

Regulators around the world are grappling with how to manage the volatile area of digital assets. The sector has gone through a $2 trillion rout since its peak in early November 2021 and is finding it difficult to regain its previous strength. Firms that dealt in cryptocurrency were crushed by the crash because their leverage grew without limit and their risk management methods were exposed.

Singapore, by contrast, is widely believed to have tightened its digital-asset rules to curb retail trading in digital assets in response to the implosion.

Earlier this week, Singapore proposed banning leveraged purchases of tokens by retail investors. China banned cryptocurrencies a year ago, making the practice largely illegal.

Michel Lee, executive president of digital-asset specialist HashKey Group, said that Hong Kong is trying to frame a crypto regime that extends beyond the retail token trading market to incorporate all types of digital assets, including cryptocurrencies. 

Bringing the ecosystem to the next level 

Among other things, Lee believes that tokenized versions of stocks and bonds could become a much more significant segment over time. "Just trading digital assets on its own is not the goal," Lee said. According to Lee, digital assets are not intended to be traded in isolation; rather, the ecosystem must grow as quickly as possible.

Big exchanges such as Binance and FTX were once based in Hong Kong, attracted by its reputation for a laissez-faire regime and its strong ties to China. A voluntary licensing regime introduced by the city in 2018 limited licensed crypto platforms to clients with portfolios exceeding HK$8 million ($1 million).

Only two firms have been approved to operate under the license, BC Group and HashKey. Reading this as the signal of a tough approach, FTX moved its more lucrative consumer-facing business to the Bahamas last year.

However, the plan to attract crypto entrepreneurs back to Hong Kong may fall short of what is needed to bring them back. Among other things, it remains to be seen whether mainland Chinese investors would be permitted to trade tokens through Hong Kong.

Leonhard Weese, co-founder of the Bitcoin Association of Hong Kong, expressed a fear that the future licensing regime might be very strict. "The conversations I have had indicate that people still fear it will be very stressful," he said. He added that a licensed platform would not be competitive on the same level as overseas platforms, and therefore would not be as attractive to customers as it would be if it dealt directly with retail users.

According to blockchain specialist Chainalysis Inc., the volume of digital-token transactions in Hong Kong in the 12 months through June declined less than 10% from a year earlier, the most modest change in the region outside of a slump in China. In crypto adoption, the city fell from a global ranking of 39 in 2021 to 46 in 2022.

The Securities and Futures Commission of Hong Kong's Fintech Department has also suggested that the city could take further steps in this area, including the establishment of a regime to authorize exchange-traded funds seeking exposure to mainstream virtual assets. 

The move shows that the "one country, two systems" principle is being put into action in financial markets, Wong said at an event last week. He said that the fact that the city can introduce a cryptocurrency framework distinct from China's indicates how far it has come.

Fake Tor Browser Containing Spyware Targets Chinese Residents


Kaspersky threat analysts have unearthed multiple infections via malicious Tor Browser installers propagated via a Chinese-language YouTube video regarding the dark web. 

Dubbed OnionPoison, the malicious campaign targeted users located in China, where the Tor Browser is banned. Hence, internet users in China often attempt to download the Tor browser from third-party websites. 

“Most of the affected users were from China,” Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said in findings published this week. “As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. And cybercriminals are keen on spreading their malicious activity via such resources.” 

The Chinese-language YouTube channel has more than 180,000 subscribers, and the video has been viewed more than 64,000 times. It is a damaging discovery for Tor Browser users, as it is an anonymity-focused browser employed as a gateway to the dark web.

The Chinese residents use the browser to bypass Beijing’s extensive surveillance and censorship technologies, which are linked with the country’s strict intolerance of political dissent. 

Tor, named for The Onion Router, was originally designed by the US Naval Research Laboratory as a way to securely communicate between government agencies. It includes a series of volunteer-run servers that route internet traffic through a series of encrypted tunnels. 

The researchers warn that the trojanized version of the browser acts differently from the normal version by storing browsing history and data entered into website forms. It also includes a library compromised with spyware that allows the hackers to scan “exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”

The best way to avoid OnionPoison is to download Tor from the official website or, if that is not viable, to verify the digital signature of an installer obtained from a third-party site.

“Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures,” the researchers added. 

Modified Tor versions have been employed previously by nation-state hackers. In 2019, security experts at the Slovakian-based cybersecurity firm ESET unearthed a version designed to siphon cryptocurrency from Russian residents.

Hacker Group in China Creates Linux Version of SideWalk Windows Backdoor

A state-supported hacker group in China has reportedly developed a Linux variant of SideWalk, a backdoor known for targeting Windows systems in the academic sector. The variant is believed to be part of a cyberespionage campaign by Earth Baku, an advanced persistent threat (APT) group with connections to APT41, also tracked as SparklingGoblin, that works against entities based in the Indo-Pacific region.

The SideWalk Linux backdoor was first detected by security researchers back in 2020. Initially tracked as StageClient, it was observed by cybersecurity company ESET in May 2020 targeting the servers of a university in Hong Kong. The group targeted the same university again in February 2021.

“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage students' schedules and course registrations,” ESET stated in reports shared with The Hacker News.

In an analysis carried out by ESET, it was observed that StageClient and the Spectre botnet (a subset of a security vulnerability) are both in fact Linux variants of SideWalk. ESET also compared the Linux and Windows variants of SideWalk and found that the two hold a great many similarities in their infrastructure and in the way both malwares function, deducing that StageClient is in fact a Linux variant of SideWalk as well.
One of the similarities connecting the two malwares to SideWalk was that they both used the same encryption key to transport data from the infected device to the C&C servers. Secondly, it was observed that both variants used the ChaCha20 encryption algorithm with "a counter with an initial value of 0x0B", something that is particular to SideWalk. Lastly, it was observed that on both Windows and Linux, the malware uses the exact same five threads given below, each programmed for a specific task:

[StageClient::ThreadNetworkReverse] – fetching proxy configurations for alternate connections to the command and control (C2) server.

[StageClient::ThreadHeartDetect] – closing the connection to the C2 server when commands are not received in the specified time.

[StageClient::ThreadPollingDriven] – sending heartbeat commands to the C2 server if there is no information to deliver.

[StageClient::ThreadBizMsgSend] – checking for data to be sent in the message queues of all other threads and processing it.

[StageClient::ThreadBizMsgHandler] – checking for pending messages from the C2 server.
Although SparklingGoblin actively targets the regions of East and Southeast Asia, it has now gone global, hitting organizations outside those regions.

Chinese APT Group Targets Government Officials in Europe, South America, and the Middle East


A Chinese cyberespionage group tracked as Bronze President has launched a new campaign targeting the computer systems of government officials in Europe, the Middle East, and South America with a modular malware called PlugX.

Threat analysts at Secureworks discovered the breach in June and July 2022, once again highlighting the group's persistent focus on espionage against governments across the globe.

The researchers have identified multiple pieces of evidence including the use of PlugX, naming schemes previously employed by the hacking group, and politically-themed lure documents that align with regions that are of strategic importance to China. 

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests,” Secureworks Counter Threat Unit (CTU) explained in a blogpost. 

Attack chains distribute RAR archives containing a Windows shortcut (.LNK) file masquerading as a PDF document. Opening the shortcut executes a legitimate executable stored in a nested hidden folder inside the archive. 

That legitimate executable is then abused, via DLL side-loading, to load the PlugX payload, which sets up persistence on the compromised device while a politically themed decoy document is displayed to the victim. "Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities," the researchers added. 

"Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies." 
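The shortcut trick above works because Explorer hides the .lnk extension and shows whatever icon the shortcut asks for, so triage has to look inside the file rather than at its name. The following is an added example, not Secureworks' code: a minimal parser for the Windows Shell Link format (MS-SHLLINK) that reads the header flags and StringData section, plus a few triage heuristics for a shortcut that poses as a PDF. The sample shortcut is constructed here for the demo, the heuristics are the editor's assumptions rather than Secureworks' detection logic, and the ID list and LinkInfo blocks are skipped rather than decoded.

```python
# Added example (not Secureworks' code): parse a Windows Shell Link (.LNK) per
# MS-SHLLINK and triage a shortcut that poses as a PDF. Only the header and the
# StringData section are decoded; the ID list and LinkInfo blocks are skipped.
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7   # window started minimised and inactive: nothing visible to the victim
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".dll")


def parse_lnk(data):
    """Return header flags, file attributes, ShowCommand and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attributes = struct.unpack_from("<II", data, 0x14)
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (u16) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "attributes": attributes, "show_command": show_command}
    for flag, name in STRING_FIELDS:             # StringData entries appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_shortcut(display_name, lnk):
    """Heuristics for a shortcut that pretends to be a document (assumed, not exhaustive)."""
    findings = []
    lowered = display_name.lower()
    stem = lowered[:-4] if lowered.endswith(".lnk") else lowered
    target = (lnk.get("relative_path") or "").lower().replace("/", "\\")
    looks_like_doc = stem.endswith(DOC_EXTENSIONS)
    if looks_like_doc:
        findings.append("document-looking name on a shortcut (extension hidden by Explorer)")
    if looks_like_doc and target.endswith(EXEC_EXTENSIONS):
        findings.append("document-looking shortcut launches an executable: %s" % target)
    if lnk.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("target window is started minimised and inactive")
    folders = [seg for seg in target.split("\\")[:-1] if seg not in (".", "..")]
    if any(seg.startswith((".", "$", "_")) for seg in folders):
        findings.append("target sits in a nested folder with an inconspicuous name")
    icon = lnk.get("icon_location", "").lower()
    if icon and not icon.endswith(target.split("\\")[-1]):
        findings.append("icon borrowed from another file: %s" % lnk["icon_location"])
    return findings


def build_lnk(relative_path, arguments="", show_command=1, icon_location=None):
    """Assemble a minimal shortcut (used here only to construct demo input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + bytes(24)   # three zero FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, show_command, 0, 0, 0, 0)        # size, icon, show, hotkey, reserved
    strings = [relative_path, arguments] + ([icon_location] if icon_location else [])
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


# Constructed sample: a "PDF" that actually runs an executable from a nested folder.
SAMPLE_NAME = "Invitation_2022.pdf.lnk"
SAMPLE_LNK = build_lnk(r".\_\legit_vendor_tool.exe", "", SW_SHOWMINNOACTIVE,
                       r"%SystemRoot%\System32\shell32.dll")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info)
    for finding in triage_shortcut(SAMPLE_NAME, info):
        print("-", finding)
```

A real sample would normally carry a LinkTargetIDList and LinkInfo block as well; the parser skips both by their declared sizes, so the StringData offsets stay correct.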

Bronze President, also known as RedDelta, Mustang Panda, or TA416, has been active since at least July 2018 and has a history of espionage campaigns that use custom and publicly available tools to gain access, maintain long-term persistence, and exfiltrate data from targets of interest. 

PlugX remains Bronze President's preferred espionage tool; the group has used multiple variants of it for several years, as have other China-based threat groups. 

Earlier this year in March, the hacking group targeted Russian government officials with an updated version of the PlugX backdoor called Hodur, alongside organizations located in Asia, the European Union, and the U.S. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help


Security experts have discovered another Chinese information operation that is attempting to improve the country's image overseas by utilising a large number of fake news sites and social media assets. 

The content, which is available in 11 languages, tries to win hearts and minds over to Beijing's way of thinking by undermining criticism of the Xinjiang genocide and the deterioration of democracy in Hong Kong. 

According to Mandiant, the Communist Party opponents targeted in the campaign include Chinese billionaire Guo Wengui and German anthropologist Adrian Zenz, who is known for his research on the oppression of the Uyghurs. The campaign's most striking feature is that it appears to leverage infrastructure owned by the local public relations business Shanghai Haixun Technology, a company that markets itself as promoting "positive energy." 

According to Mandiant in a blog post, the word "positive energy" is particularly loaded in China since it is frequently used by the Xi Jinping government to refer to communications that reflect Beijing positively. As a result, Mandiant dubbed the information operations effort "HaiEnergy." 

“While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content,” the firm explained. 

“In total, we identified 72 websites (59 domains and 14 subdomains) hosted by Haixun, which were used to target audiences in North America, Europe, the Middle East and Asia.” 

The campaign relied on Haixun's internet infrastructure to host its websites and distribute content. Those sites share significant commonalities, indicating a coordinated strategy, including: 
  • Nearly all the English language sites are built with a Chinese-language HTML template
  • Several of the sites that include a domain and subdomain are disguised to appear as different, independent sites
  • Many of the sites link directly to other sites in the network
  • The same articles are often published across multiple sites
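Each of the four signals above can be checked from the page HTML alone. The following is an added example, not Mandiant's tooling: it fingerprints a set of sites by their tag skeleton, the text of their <article> element, the lang attribute on <html>, and the hosts they link to, then reports which sites share a template, republish the same article, cross-link each other, or are merely subdomains of another site in the set. The site names and HTML are constructed for the demo, and the "registrable domain" logic is a naive assumption (a production tool would use the public suffix list).

```python
# Added example (not Mandiant's code): score a set of sites for the four
# coordination signals listed above using only the page HTML. Site names and
# HTML are constructed; the subdomain check is a naive assumption.
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageProbe(HTMLParser):
    """Collect tag skeleton, <html lang>, article text and outbound link hosts."""

    def __init__(self):
        super().__init__()
        self.tags, self.article, self.all_text, self.hosts = [], [], [], set()
        self.lang, self._in_article = None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.tags.append(tag)
        if tag == "html" and a.get("lang"):
            self.lang = a["lang"].lower()
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            if host:
                self.hosts.add(host)
        elif tag == "article":
            self._in_article = True

    def handle_endtag(self, tag):
        if tag == "article":
            self._in_article = False

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            self.all_text.append(text)
            if self._in_article:
                self.article.append(text)


def fingerprint(html):
    probe = _PageProbe()
    probe.feed(html)
    digest = lambda parts: hashlib.sha256(" ".join(parts).encode()).hexdigest()[:12]
    return {"template": digest(probe.tags), "article": digest(probe.article),
            "has_article": bool(probe.article), "lang": probe.lang, "hosts": probe.hosts,
            "ascii_only": all(ord(c) < 128 for c in "".join(probe.all_text))}


def coordination_report(pages):
    """pages: {host: html}. Returns which hosts exhibit each of the four signals."""
    fps = {host: fingerprint(html) for host, html in pages.items()}
    known = set(pages)
    by_template, by_article = defaultdict(set), defaultdict(set)
    for host, fp in fps.items():
        by_template[fp["template"]].add(host)
        if fp["has_article"]:
            by_article[fp["article"]].add(host)
    return {
        "zh_template_english_text": sorted(h for h, fp in fps.items()
                                           if (fp["lang"] or "").startswith("zh") and fp["ascii_only"]),
        "subdomain_of_another_site": sorted(h for h in known
                                            if any(h != o and h.endswith("." + o) for o in known)),
        "cross_links": {h: sorted((fp["hosts"] & known) - {h}) for h, fp in fps.items()
                        if (fp["hosts"] & known) - {h}},
        "shared_template": sorted(sorted(g) for g in by_template.values() if len(g) > 1),
        "shared_article": sorted(sorted(g) for g in by_article.values() if len(g) > 1),
    }


# Constructed demo network: three sites built from one Chinese-language template
# serving the same English article, plus one unrelated site.
_TEMPLATE = ('<html lang="zh-CN"><head><title>{title}</title></head><body>'
             '<div class="nav"><a href="http://{peer}/">{peer}</a></div>'
             '<article><h1>Regional Outlook</h1><p>{body}</p></article></body></html>')
_SAME_BODY = "Development and stability are bringing prosperity to the region."
SAMPLE_SITES = {
    "site-a.example.test": _TEMPLATE.format(title="Site A", peer="site-b.example.test", body=_SAME_BODY),
    "site-b.example.test": _TEMPLATE.format(title="Site B", peer="site-a.example.test", body=_SAME_BODY),
    "news.site-b.example.test": _TEMPLATE.format(title="Site B News", peer="site-a.example.test", body=_SAME_BODY),
    "unrelated.example.test": '<html lang="en"><head><title>U</title></head><body><p>Weather today.</p></body></html>',
}

if __name__ == "__main__":
    for signal, hosts in coordination_report(SAMPLE_SITES).items():
        print(signal, hosts)
```

Any one signal is weak on its own (plenty of legitimate sites share a CMS theme); the point is that the same small set of hosts keeps turning up under every heading.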
If Haixun is actively involved in this effort, it would continue a pattern in which threat actors turn to "info ops for hire" firms to do their dirty work, according to Mandiant. The one consolation is that the effort does not appear to have paid off on this occasion.

“We note that despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement,” the report concluded.

“Most notably, despite a significantly large number of followers, the political posts promoted by inauthentic accounts we attribute to this campaign failed to gain much traction outside of the campaign itself.”

Proofpoint Analysis : APT Groups Target Journalists

A Proofpoint report released on Thursday describes in detail APT groups allegedly affiliated with China, North Korea, Iran, and Turkey. According to the researchers, the attacks began in early 2021 and are still ongoing.

The targeted phishing attacks are linked to several threat actors that have independently focused on acquiring journalists' credentials and sensitive data and on tracking their locations. 

Targeting journalists

Proofpoint monitored the activities of the APT group TA412, also known as Zirconium, which attacked journalists based in the US. The nation-state hackers embedded web beacons (tracking pixels, also called web bugs) in their phishing emails: an invisible, hyperlinked image loaded from attacker-controlled infrastructure, so that merely opening the email confirms the address is live and reveals the recipient's IP address, user agent and the time the message was read.
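The beacon technique is simple enough that a mail gateway or an analyst can flag it from the HTML alone. The following is an added example, not Proofpoint's code: it parses an e-mail, walks every remote image in the HTML body, and records why each one looks like a beacon (tiny or hidden, wrapped in a link, or carrying a per-recipient query string). The message and the tracker and CDN host names are constructed placeholders.

```python
# Added example (not Proofpoint's code): find web-beacon candidates in the HTML
# part of an e-mail. The message below is constructed, and the tracker/CDN host
# names are placeholders.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.link_depth = 0    # > 0 while inside an <a> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            self.link_depth += 1
        if tag != "img":
            return
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()
        if not host:
            return             # cid:/data: images cannot phone home
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1"):
            reasons.append("1x1 or zero-size image")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if self.link_depth:
            reasons.append("image wrapped in a hyperlink")
        if "?" in src:
            reasons.append("per-recipient query string")
        if reasons:
            self.findings.append({"host": host, "src": src, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "a" and self.link_depth:
            self.link_depth -= 1


def find_web_beacons(raw_message):
    """Parse an RFC 5322 message and audit every remote image in its HTML body."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    audit = _ImageAudit()
    audit.feed(html_part.get_content())
    return audit.findings


# Constructed phishing message: a hidden tracking pixel next to a legitimate logo.
SAMPLE_EML = b"""\
From: editor@news.example.test
To: reporter@paper.example.test
Subject: Interview request
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear colleague, please find my questions below.</p>
<a href="https://tracker.example.test/open?id=4f2a"><img src="https://tracker.example.test/px.gif?id=4f2a" width="1" height="1" style="display: none"></a>
<img src="https://cdn.example.test/logo.png" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_web_beacons(SAMPLE_EML):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

The visible logo is loaded remotely too, but it is large and carries no per-recipient token, so it gets no findings; the decisive signals are the combination of size, CSS hiding, the wrapping link and the unique query string.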

The targeted US-based journalists were investigating domestic politics and national security and writing about subjects of interest to Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • In April 2022 Proofpoint discovered another Chinese APT group, known as TA459, targeting journalists with RTF files that, when opened, dropped a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not every actor, however, goes to the effort of breaching journalists' data; some impersonate them instead. This approach has mostly been used by Iranian actors such as TA453, also known as Charming Kitten, which sent emails to academics and Middle East policy experts while posing as reporters.

Finally, Proofpoint draws attention to the Iranian group TA457, which launched media-targeting campaigns every two to three weeks between September 2021 and March 2022.

It is also essential to understand the wide attack surface, all the various web channels used for sharing information and news, that an APT attacker can exploit. Finally, exercising caution and verifying an email's sender and origin can stop an APT campaign at an early stage.

Private Details of 1 Billion Chinese Citizens up for Sale on Dark Web


In what could be the biggest breach of personal information in history, a massive store of data on more than a billion people has been taken from a Chinese government agency and put up for sale on the dark web for 10 Bitcoins. 

More than 23TB of details apparently siphoned from a Shanghai police database stored in Alibaba’s cloud was put up for sale on the underground Breach Forums by someone with the handle ‘ChinaDan’. The leaked data included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records. 

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen," Changpeng Zhao, CEO of cryptocurrency exchange Binance, posted on Twitter. "Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details."

How did the data leak? 

The root cause of the leak remains unknown. One claim was that the database's credentials were inadvertently leaked as part of a technical blog post on a Chinese developer site in 2020 and later used to pull a billion records from the police database. Experts who examined the exposure, however, believe the database had simply been misconfigured through human error and left open since April 2021 before it was noticed, in which case no credentials would have been required at all. 

Bob Diachenko, a Ukrainian security researcher, agrees that the credential theory may not be correct. His monitoring records show that in late April the database was exposed via a Kibana dashboard, the web-based front end used to visualize and search large Elasticsearch databases. Because the dashboard did not require a password, anyone who knew its web address could have accessed the data. 

Security researchers routinely scan the internet for exposed databases and other sensitive data. Attackers run the same scans, often with the aim of copying the contents of an exposed database, deleting them, and offering to return the data for a ransom payment, a pattern that has become standard in recent years. 

Diachenko believes that is exactly what happened here: an attacker discovered, raided, and deleted the exposed database, and left behind a ransom note demanding 10 bitcoins for its return. 

“My hypothesis is that the ransom note did not work and the threat actor decided to get money elsewhere. Or, another malicious actor came across the data and decided to put it up for sale,” said Diachenko.
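The scans described above boil down to a couple of unauthenticated HTTP requests. The following is an added example, not Diachenko's tooling: it probes an Elasticsearch endpoint the way an exposure scanner would (root document without credentials, then the index listing) and checks a Kibana front end's status API, and it looks for index names that resemble the ransom notes left after a wipe. The HTTP fetch function is injectable so the demo runs offline against constructed responses; the ransom-note keyword list is an assumed heuristic, and the host names are placeholders.

```python
# Added example (not Diachenko's tooling): probe an Elasticsearch endpoint the
# way exposure scanners do, with the HTTP fetch injectable so it can be run
# offline. The ransom-note index keywords are an assumed heuristic.
import json
import urllib.request
from urllib.error import HTTPError, URLError

RANSOM_INDEX_HINTS = ("read_me", "readme", "recover", "ransom", "warning")


def http_fetch(url, timeout=5):
    """Real fetcher: (status, body). Returns (None, '') when the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except (URLError, OSError):
        return None, ""


def _json(body, default):
    try:
        return json.loads(body)
    except ValueError:
        return default


def probe_elasticsearch(base_url, fetch=http_fetch):
    base = base_url.rstrip("/")
    result = {"target": base, "reachable": False, "unauthenticated": False,
              "indices": [], "ransom_note_indices": [], "severity": "none"}
    status, body = fetch(base + "/")
    if status is None:
        return result
    result["reachable"] = True
    if status in (401, 403):
        result["severity"] = "auth-required"
        return result
    info = _json(body, {}) if status == 200 else {}
    if not isinstance(info, dict) or not ("cluster_name" in info or "tagline" in info):
        return result                                   # something other than ES answered
    result["unauthenticated"] = True
    status, body = fetch(base + "/_cat/indices?format=json")
    rows = _json(body, []) if status == 200 else []
    result["indices"] = [r.get("index", "") for r in rows if isinstance(r, dict)]
    result["ransom_note_indices"] = [i for i in result["indices"]
                                     if any(h in i.lower() for h in RANSOM_INDEX_HINTS)]
    result["severity"] = "critical" if result["indices"] else "high"
    return result


def probe_kibana(base_url, fetch=http_fetch):
    """An open Kibana front end exposes the cluster even when port 9200 is firewalled."""
    status, body = fetch(base_url.rstrip("/") + "/api/status")
    info = _json(body, {}) if status == 200 else {}
    return {"target": base_url, "unauthenticated": isinstance(info, dict) and "status" in info}


# Constructed responses standing in for live hosts (offline demo).
FAKE_RESPONSES = {
    "http://es.example.test:9200/": (200, '{"name": "node-1", "cluster_name": "records", '
                                          '"tagline": "You Know, for Search"}'),
    "http://es.example.test:9200/_cat/indices?format=json":
        (200, '[{"index": "citizen-records-2021"}, {"index": "read_me_to_recover_your_data"}]'),
    "http://locked.example.test:9200/": (401, ""),
    "http://kibana.example.test:5601/api/status":
        (200, '{"name": "kibana", "status": {"overall": {"state": "green"}}}'),
}


def fake_fetch(url, timeout=5):
    return FAKE_RESPONSES.get(url, (None, ""))


if __name__ == "__main__":
    print(probe_elasticsearch("http://es.example.test:9200", fake_fetch))
    print(probe_elasticsearch("http://locked.example.test:9200", fake_fetch))
    print(probe_kibana("http://kibana.example.test:5601", fake_fetch))
```

Run with the default `http_fetch` only against systems you are authorised to test; the point of the fake responses is that a cluster answering its root document without a 401 is already a finding, before a single record is read.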

China-linked APT Went Under Radar for Decade


Researchers have discovered a small but effective China-linked APT that has been operating in Southeast Asia and Australia for more than a decade, running campaigns against government, education, and telecommunications institutions. 

SentinelLabs researchers stated that the APT, dubbed Aoqin Dragon, has been active since at least 2013 and describe it as "a small Chinese-speaking team with potential association to [an APT called] UNC94." One of Aoqin Dragon's techniques is to use pornography-themed malicious documents as bait to lure victims into opening them. 

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” the researchers wrote. The group's evolving tradecraft is what allowed it to stay under the radar for so long. Its infection technique, for example, has progressed over time: in its early years Aoqin Dragon relied on exploiting old vulnerabilities, notably CVE-2012-0158 and CVE-2010-3333, that its targets might not yet have patched. 

Aoqin Dragon later moved to executables whose desktop icons resembled Windows folders or antivirus software. These were malicious droppers that planted backdoors and then connected to the attackers' command-and-control (C2) servers. Since 2018 the group has used a fake removable device as its infection vector. 

When a user clicks what appears to be a removable device folder, they actually start a chain that downloads a backdoor and establishes a C2 connection from their PC. The malware also copies itself to any genuine removable devices attached to the host in order to move beyond that host and, presumably, into the target's wider network. The group has used other methods to remain undetected as well. 

It has used DNS tunnelling to get past firewalls, hiding C2 traffic inside DNS queries and responses so that it passes through as ordinary name resolution (the technique does not alter the domain name system itself). Its Mongall backdoor encrypts communications between the host and the C2 server. Over time, the researchers said, the APT gradually shifted to the fake removable disk approach in order to "improve the malware's resistance to detection and removal by security tools." 
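DNS tunnelling leaves a recognisable footprint in resolver logs even when the payload is encrypted: many unique, long, high-entropy subdomains under one domain, often with record types that can carry data. The following is an added example, not SentinelLabs' detection logic: it parses a constructed query log, aggregates per registrable domain, and flags domains that cross all of those thresholds. The log format (client, query type, name) is an assumption modelled on dnsmasq-style logs, the domain names are placeholders, and the naive "last two labels" domain split would be replaced by the public suffix list in a real deployment.

```python
# Added example (not SentinelLabs' code): spot DNS-tunnelling candidates in a
# resolver query log. The log lines are constructed and their format (client,
# "query[TYPE]", name) is an assumption modelled on dnsmasq-style logs.
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<client>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+)$")
DATA_CARRYING_TYPES = {"TXT", "NULL", "CNAME", "MX"}   # types with room for a payload

# Constructed log: ordinary lookups of example.test mixed with six tunnel-style
# queries whose labels are hex permutations (so their entropy is exactly 4 bits).
SAMPLE_DNS_LOG = """\
10.0.0.5 query[A] www.example.test
10.0.0.5 query[TXT] 0123456789abcdef.fedcba9876543210.02468ace13579bdf.cdn-updates.test
10.0.0.7 query[A] mail.example.test
10.0.0.5 query[TXT] 13579bdf02468ace.0123456789abcdef.fedcba9876543210.cdn-updates.test
10.0.0.5 query[NULL] fedcba9876543210.02468ace13579bdf.13579bdf02468ace.cdn-updates.test
10.0.0.5 query[AAAA] www.example.test
10.0.0.5 query[TXT] 02468ace13579bdf.13579bdf02468ace.0123456789abcdef.cdn-updates.test
10.0.0.9 query[A] cdn.example.test
10.0.0.5 query[TXT] 0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.0123456789abcdef.cdn-updates.test
10.0.0.5 query[NULL] 8796a5b4c3d2e1f0.0f1e2d3c4b5a6978.fedcba9876543210.cdn-updates.test
10.0.0.7 query[A] api.example.test
"""


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def registrable_domain(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])   # naive: a real deployment would use the public suffix list


def tunnel_candidates(records, min_queries=5, min_entropy=3.5, min_length=40):
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0,
                                 "length": 0, "data_types": 0})
    for rec in records:
        domain = registrable_domain(rec["name"])
        sub = rec["name"][:-len(domain)].rstrip(".")
        s = stats[domain]
        s["queries"] += 1
        s["subs"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["length"] += len(rec["name"])
        s["data_types"] += rec["qtype"] in DATA_CARRYING_TYPES
    hits = []
    for domain, s in stats.items():
        n = s["queries"]
        avg_entropy, avg_length = s["entropy"] / n, s["length"] / n
        if (n >= min_queries and len(s["subs"]) >= min_queries
                and avg_entropy >= min_entropy and avg_length >= min_length):
            hits.append({"domain": domain, "queries": n, "unique_subdomains": len(s["subs"]),
                         "avg_entropy": round(avg_entropy, 2), "avg_len": round(avg_length, 1),
                         "data_type_ratio": round(s["data_types"] / n, 2)})
    return sorted(hits, key=lambda h: -h["queries"])


if __name__ == "__main__":
    for hit in tunnel_candidates(list(parse_dns_log(SAMPLE_DNS_LOG))):
        print(hit)
```

Thresholds need tuning per environment: CDNs and some anti-spam services also generate long, random-looking labels, so in practice the output is a hunting lead that gets checked against the domain's age and the volume per client.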

Nation-State Ties 

Targets have tended to fall into a few categories: government, education, and telecommunications, all in and around Southeast Asia. Researchers assert that “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.” 

A debug log discovered by the researchers that contains simplified Chinese characters provides further evidence of Chinese involvement. Most importantly, the researchers uncovered an overlapping attack on the website of Myanmar's president in 2014, and in another case were able to trace the group's command-and-control and mail servers back to Beijing. 

In addition, Aoqin Dragon's two primary backdoors share C2 infrastructure, and most of the C2 servers can be attributed to Chinese-speaking operators. Still, "correctly identifying and monitoring State and State-Sponsored threat actors can be challenging," said Mike Parkin, senior technical engineer at Vulcan Cyber. 

“SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be to be sure when you’re identifying a new threat actor.”

Chinese Hackers are Targeting Russian Aerospace Industry


Space Pirates, a Chinese cyberespionage group, is targeting businesses in the Russian aerospace industry with phishing emails that deploy a novel strain of malware. 

The APT group has been operating since 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Researchers at the Russian firm Positive Technologies named the group "Space Pirates" because its espionage operations focus on stealing confidential information from companies in the aerospace field. 

The actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia and Mongolia, although the majority of victims were in Russia. Several of those operated within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during an incident response engagement and soon confirmed that the actors had used the same malware and infrastructure against at least four other Russian organizations since 2019. 

According to the researchers, at least two attacks on Russian organizations were successful. In one, Space Pirates accessed at least 20 servers on the corporate network and remained there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network's domains. 

In the second, the attackers stayed in the compromised company's network for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates toolkit contains a wide range of malware, including unique loaders and several previously undocumented backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as the PlugX RAT, the ShadowPad backdoor, the Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The group also uses the dog-tunnel utility to tunnel traffic. 

The analysts attribute the overlaps between various Chinese APTs to tool sharing, which is common among groups in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

New IceApple Post-Exploitation Framework Deployed on Microsoft Exchange Servers


Security analysts have discovered a new post-exploitation framework being deployed on compromised Microsoft Exchange servers. The framework, known as IceApple, was built by threat actors who want to keep a low profile during long-running intrusions focused on reconnaissance and data exfiltration. 

"As of May 2022, IceApple is under active development, with 18 modules seen in operation across several enterprise contexts," CrowdStrike reported. The framework was first detected in late 2021 in multiple victim networks in geographically distinct regions. Victims come from a variety of sectors, including technology, academia, and government.

IceApple is notable for being an in-memory framework, which signals the threat actor's desire to keep a low forensic footprint and avoid detection. Its modules are .NET assemblies loaded reflectively into the IIS worker process, with names chosen to blend in with the temporary files that the IIS web server and ASP.NET legitimately generate, which suits a long-running intrusion. While most of the activity has been found on Microsoft Exchange servers, IceApple can run under any Internet Information Services (IIS) web application, which makes it a broader threat.

According to CrowdStrike researchers, IceApple activity is consistent with nation-state operations. Although the framework has not been attributed to a specific threat actor, many analysts believe it to be of Chinese origin. 

CrowdStrike has not determined the actual number of victims and does not rule out the possibility that the threat will spread in the coming weeks. The researchers recommend that public and commercial organizations keep their web applications fully patched to harden their systems against this framework. 

The framework's various modules allow the malware to locate and delete files and directories, write data, harvest credentials, query Active Directory, and exfiltrate sensitive data. Build timestamps on these modules date back to May 2021.

Chinese Hackers Targeted Indian State Power Grid


Chinese state-sponsored actors have launched "probing cyberattacks" on Indian electricity distribution centres near Ladakh three times since December 2021, a report published on Wednesday by the private intelligence firm Recorded Future confirmed. 

The hackers targeted seven Indian state centres responsible for electricity dispatch and grid control near a border area contested by the two nuclear-armed neighbours, the report added. The attacks came to light while a military standoff between the two countries in the region had already soured relations. Government sources maintained, however, that the attacks were not successful. 

''In recent months, we observed likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh," the group said. 

The hackers used the ShadowPad trojan, which the researchers say was developed by contractors for China's Ministry of State Security, a key factor in their conclusion that this was a state-sponsored operation. 

"In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.

Financier Diakonov Called Russia the Future Cryptocurrency Center of the World


Mr. Diakonov predicted the future of cryptocurrency and called it a possible alternative to traditional money. "Time will tell how it will be built into the system of international payments and trade," he said.
The financier also stated that Russia can become the world's cryptocurrency centre, since it has the necessary knowledge, capabilities and technologies to create such a product. However, it is difficult to guess when this scenario will come to life, since the cryptocurrency concepts proposed by the Ministry of Finance and the Central Bank do not reflect the current situation. 

"If the task is to transfer part of the international settlements into the "new currency," in case this instrument will acquire the scale, then sanctions measures from the West may affect it as well. And we may see the next prohibitive measures of an international nature," he explained. 

According to Mr. Diakonov, China, as Russia's largest business partner, is not yet ready to switch to cryptocurrency trading. However, he suggested that the country would start using the digital yuan. "Here we see great prospects for creating new synthetic products that will become a growth point for the economy," he concluded. 

Earlier, the founder and CEO of the world's largest cryptocurrency exchange Binance, Changpeng Zhao, said that next year there will be more transparency in the regulation of crypto-assets, and this is a positive signal for the market. In addition, there will be new options for their use. But the crypto market moves cyclically, and an upturn is followed by a downturn. Whether it happens next year or later is hard to predict. Asset volatility will continue regardless of who comes to the market. "Our personal goal for next year is to get as many licenses around the world as we can; we expect to get 10 to 20 more licenses next year." 


Earlier, the Ministry of Finance submitted to the government a bill on the legalization of cryptocurrencies. According to the document, Russians will have the right to legally invest up to 600 thousand rubles ($7,600) in cryptocurrency annually. However, this will require special testing.

A U.S. Group Hacked Top Research Institutes in India, Russia and China


According to a new report from a Beijing-based cybersecurity firm, hackers associated with the United States National Security Agency (NSA) inserted "covert backdoors" that could have given them access to sensitive information in dozens of countries, including India, Russia, China, and Japan. The report is gaining traction in China's media after the country was accused of cyber espionage by the US. 

Chinese cyber-attacks on sensitive data held by US institutions have become a thorn in the side of bilateral relations between the US and China. Indian organisations, for their part, believe that China hacks sensitive data from Indian government agencies and institutions. 

The National Security Agency (NSA) is a United States Department of Defense national-level intelligence agency that reports to the Director of National Intelligence (DNI). The NSA is in charge of worldwide information and data monitoring, gathering, and processing for foreign and domestic intelligence and counterintelligence purposes, specialised in a field known as signals intelligence (SIGINT). The NSA is also in charge of protecting the United States' communication networks and information systems. 

Among the allegedly compromised websites named in the report were those of one of India's leading microbial research labs, the Institute of Microbial Technology (IMTech) under the Council of Scientific and Industrial Research, and the Indian Academy of Sciences in Bengaluru. Websites associated with Banaras Hindu University were also reported to have been hacked.

Pangu Lab, a Beijing-based cybersecurity firm, published a technical report outlining how it discovered the backdoors and linked them to "unique IDs in the operating manuals of the NSA" found in the NSA documents leaked in 2013. 

According to the Chinese firm, the NSA files leaked in 2013 by former NSA contractor Edward Snowden were relevant because they reveal the NSA's unique identifiers. The company also obtained a key that unlocks the Bvp47 backdoor, a tool it attributes to the Equation Group, which the report links to the NSA. The same identifiers led it to a number of related cyberattacks that used the same unique IDs as the NSA platform. 

According to the report, which outlined how the backdoor operated, this was a backdoor communication technology that has never been seen before, indicating an organisation with considerable technological capabilities behind it. “As an advanced attack tool, Bvp47 has allowed the world to see its complexity,” it said. “What is shocking is that after analysis, it has been realised that it may have existed for more than 10 years.”

ShadowPad Malware Attacks have been Linked to Chinese Ministry and PLA


ShadowPad, a sophisticated modular backdoor adopted by a growing number of Chinese threat groups in recent years, has been analysed by cybersecurity researchers, who link it to the country's civilian and military intelligence services. The Chinese government-sponsored BRONZE ATLAS threat group has used the ShadowPad remote access trojan (RAT) since at least 2017. 

Since 2019 a rising number of other Chinese threat groups have used it in attacks against organizations in a variety of industry verticals throughout the world. Analysis of ShadowPad samples by the Secureworks Counter Threat Unit (CTU) found clusters of activity associated with groups affiliated with the Ministry of State Security (MSS), China's civilian intelligence agency, and with the People's Liberation Army (PLA). 

ShadowPad rose to prominence in 2017 through the software supply chain attacks on NetSarang and CCleaner, and later the ASUS Live Update utility, campaigns attributed to the BRONZE ATLAS threat group. A Microsoft complaint from 2017 and DOJ indictments unsealed in 2020 provide more detail on ShadowPad's relationship to BRONZE ATLAS. 

According to the Microsoft complaint, BRONZE ATLAS (also known as Barium) used ShadowPad in 2017 to steal intellectual property and personally identifiable information; at the time the malware was used only by BRONZE ATLAS. According to the DOJ indictments, Chinese nationals working for the Chengdu 404 network security firm used ShadowPad in a global campaign ascribed to BRONZE ATLAS. 

Traditionally the ShadowPad payload is delivered either encrypted inside a DLL loader or embedded in a separate file alongside a DLL loader; the loader decrypts the payload and executes it in memory using a decryption routine specific to the malware version. The loader DLL itself is side-loaded by a genuine executable that is vulnerable to DLL search order hijacking: Windows looks for a required DLL in the executable's own directory before the system directories, so placing a malicious DLL with the expected name next to the executable is enough to get it loaded. 

Secureworks found that certain infection chains involve a third file containing the encrypted ShadowPad payload: the genuine binary (e.g., BDReinit.exe or Oleview.exe) side-loads the DLL, which then loads and decrypts the third file. 

In one ShadowPad incident the intrusion paved the way for hands-on-keyboard activity, in which human operators log into the infected system and run commands manually rather than relying on automated scripts.

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan


For roughly 18 months, the Chinese state-backed advanced persistent threat (APT) actor tracked as 'Antlion' has been attacking financial institutions and manufacturing companies in Taiwan in a persistent campaign. Researchers at Symantec noted that the actor deployed a new custom backdoor named 'xPack' on compromised networks, which gave it wide access to victims' systems.

The backdoor can run WMI commands remotely, and the attackers were also seen using EternalBlue exploits. The attackers interact with SMB shares, and it is possible that they used shares mounted over SMB to transfer data to the command-and-control (C2) server. 

The attackers also browsed the web through the backdoor, probably using it as a proxy to hide their IP address. Researchers believe the malware was used in a campaign against Taiwan that allowed the adversaries to run stealthy cyber-espionage operations. 

In one such attack, the malicious actors spent 175 days on the compromised network; in two other incidents that Symantec's threat hunters are studying, the adversary stayed undetected for as long as 250 days. 

The researchers say the new custom malware helped the threat actors achieve this level of stealth; Symantec has also documented the following custom tools that support xPack in this operation: 

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.