Hackers employ a more subtle and insidious method: targeting family members through carefully crafted emails. These messages don’t contain malicious attachments or overt phishing attempts. Instead, they include harmless tracking links that, when clicked, reveal a treasure trove of information about the recipient.
Imagine a journalist covering sensitive political topics. Her elderly mother receives an email seemingly from a distant relative, sharing family photos. Innocent enough, right? But that seemingly harmless click reveals the journalist’s location, her device details, and even her browsing habits. Armed with this reconnaissance, the hackers can then launch more direct attacks on her devices, infiltrating her digital life.
While this kind of targeting isn’t entirely unheard of, it remains relatively rare. The Chinese government’s efforts to control speech abroad increasingly rely on manipulating family relationships in creative ways.
For instance, last year, the U.S. Department of Justice indicted over 40 individuals allegedly involved in a scheme by the Chinese Ministry of Public Security. This scheme used thousands of fictitious social media personas to attack and harass Chinese nationals living in the United States who had criticized the Chinese government.
Why target family members? Because they are the soft underbelly of security. They are less likely to be tech-savvy, less cautious about clicking links, and more trusting of familiar faces. Moreover, family members often share devices, networks, and even passwords. By compromising one family member, the hackers gain a foothold in the entire network.
Consider a diplomat stationed abroad. His teenage daughter receives an email claiming to be from her school. She clicks the link, unknowingly granting access to her father’s encrypted communications. Suddenly, the diplomat’s confidential negotiations are exposed. The hackers have bypassed firewalls, encryption, and secure channels—all through a teenager’s curiosity.
This tactic isn’t limited to diplomats and journalists. It extends to academics, foreign policy experts, and even democracy activists. The hackers cast a wide net, ensnaring anyone connected to their primary targets. And it’s not just about surveillance; it’s about control and coercion.
Imagine a human rights activist whose elderly parents receive threatening emails. The message is clear: “Stop your activism, or your family suffers.” Suddenly, the stakes are higher. The activist’s fight for justice becomes a delicate balancing act between principles and protecting loved ones.
The leak is likely from a frustrated employee of Chinese cybersecurity company I-soon (Anxun in China), which tells a denting story of China's cyberespionage operations. It provides us with a backstage glimpse of China's hacking ecosystem.
Since 2010, China has leveled up its cyberespionage and cybertheft game to such extremes that FBI Chief Christopher Wray said that China's state-sponsored hackers outnumber U.S. cyber intelligence personnel 50-to-1.
I-Soon works for Chinese government agencies and private players. It has ties to China's major government contractors such as the Ministry of Public Security (police) and the Ministry of State Security (intelligence). I-Soon is a shadowy figure that plans campaigns crossing borders. Its weapons include zero-day exploits, sophisticated tools, and a diverse team of skilled hackers.
The leaked documents disclose I-Soon's wide range of surveillance. Their spying targets include both Chinese citizens and foreigners. The main targets are:
1. Foreign Networks: I-Soon's reach goes beyond Chinese borders. They hack foreign networks, steal sensitive info, and leave no digital stone untouched. Whether military intelligence, personal data, or corporate secrets, I-soon is involved in everything.
2. Political Dissidents: Regions like Hong Kong and Xinjiang are constantly under I-Soon's surveillance radar. The aim is to keep an eye on any form of dissent and opposition and inform the Chinese government.
I-Soon has vast databases of hacked info. These databases have stolen credentials, surveillance footage, and hacked emails. But where does it end? The hacked data is sold on the dark web. Chinese police are always on the lookout for this information, they buy these digital assets to improve their surveillance operations.
Cyberespionage is a war fought on an unseen battlefield. Contrary to traditional conflicts, there are no casualties or damage that can be seen in the open. However, cyber espionage destroys firewalls, lines of code are disrupted, and digital footprints disappear. A lot is at stake, economic dominance, national security, and ideological superiority.
I-Soon's operations highlight the murky relationship between state-sponsored cyber operations and private contractors. While the Chinese government shows it has no involvement, contractors like I-soon do their dirty work. The blurred lines between private and public actors create an environment where accountability doesn't exist.
The leak serves as a reminder to individuals, corporations, and nations to strengthen their digital defenses. Cybersecurity is a basic need for digital survival, it's not a luxury. Threat intelligence, encryption, and partnership across borders can be the defense against unknown cyber terror.
The leak is only a glimpse into the dark world of cyberespionage, what we see is just the tip of the iceberg- the iceberg is hiding much more. I-Soon's leak is a wake-up call.
In the world of cybersecurity, it is not uncommon for attackers to use multiple tactics to evade detection and carry out their malicious activities. The SYS01 campaign is a prime example of this. This campaign is known for using multiple attack evasion tactics to stay under the radar and avoid detection. In this blog post, we will explore the various tactics used by the SYS01 campaign and how they contribute to the campaign's success.
Firstly, let's understand what the SYS01 campaign is. The SYS01 campaign is a cyber espionage campaign that has been active since at least 2013. The campaign primarily targets government and military organizations in Southeast Asia, specifically in the Philippines, Taiwan, and Vietnam. The attackers behind the campaign are believed to be a Chinese state-sponsored group known as APT10.
One of the primary attack evasion tactics used by the SYS01 campaign is the use of multiple malware families. Rather than relying on a single malware family to carry out their attacks, the attackers use a variety of different malware families. This makes it much more difficult for defenders to detect and block the attacks, as they need to be aware of and able to detect multiple different types of malware.
Another tactic used by the SYS01 campaign is the use of file-less malware. Fileless malware is a type of malware that does not rely on files or executables to carry out its activities. Instead, it operates entirely in memory, making it much more difficult to detect and remove. The attackers behind the SYS01 campaign use file-less malware to avoid leaving a trail of evidence on the victim's system.
The SYS01 campaign also uses steganography to conceal its activities. Steganography is the practice of hiding information within another file, such as an image or document. The attackers use steganography to hide their malware within benign files, making it more difficult for defenders to detect the malware.
In addition to these tactics, the SYS01 campaign also uses advanced obfuscation techniques to make their malware more difficult to analyze. For example, the attackers may use code obfuscation techniques to make it more difficult for analysts to understand the code and how it works. They may also use encryption to protect the malware from the analysis.
Another evasion tactic used by the SYS01 campaign is the use of spear-phishing attacks. Spear-phishing is a targeted phishing attack that is designed to trick a specific individual into providing sensitive information or installing malware. The attackers behind the SYS01 campaign use spear-phishing attacks to target specific individuals within their target organizations, making it more difficult for defenders to detect the attacks.
Finally, the attackers behind the SYS01 campaign use command-and-control (C2) servers that are difficult to detect and block. C2 servers are used by attackers to communicate with their malware and control it remotely. The SYS01 campaign uses C2 servers that are located in countries that have lax cybersecurity laws and regulations, making it more difficult for defenders to block the traffic to these servers.
In conclusion, the SYS01 campaign is a prime example of how attackers use multiple tactics to evade detection and carry out their malicious activities. The campaign uses multiple malware families, fileless malware, steganography, obfuscation techniques, spear-phishing attacks, and difficult-to-detect C2 servers to avoid detection and stay under the radar. Defenders need to be aware of these tactics and have the tools and knowledge to detect and block them to protect their organizations from these types of attacks.
Reportedly, the hackers targeted U.S. nuclear facilities, considered one of the most strictly regulated facilities in the U.S. Despite these protections, hackers are however driven to them due to the potential for espionage and other criminal activities.
A Chinese spy balloon over Montana, which is a site of multiple nuclear missile silos, is the most recent alleged spying threat. President Biden has been advised by military advisors to not shoot the balloon down. NBC News was the first to report on the incident.
Brig. Gen. Patrick Ryder, a Pentagon spokesperson says “the U.S. government acted immediately to prevent against the collection of sensitive information, once it spotted the balloon.”
According to Ryder, the U.S. government has seen a similar pattern of behavior for "several years." Similar balloons had previously been spotted over Hawaii and Guam, which are home to U.S. military facilities, says a U.S. intelligence official.
On Thursday, Leaders from two House committees requested the Energy Department to provide them with documents pertaining to cyberattacks by alleged Russian threat actors targeting U.S. national nuclear laboratories.
According to a Reuters article from last month, James Pearson and Chris Bing, Russian hackers known as Cold River targeted nuclear scientists at Brookhaven, Argonne, and Lawrence Livermore laboratories last summer.
“Although it is unclear whether the attempted intrusions were successful, it is alarming that a hostile foreign adversary targeted government labs working on scientific research critical to the national security and competitiveness of the United States,” Reps. James Comer (R-Ky.), chair of the Oversight and Accountability panel, and Frank D. Lucas (R-Okla.), chair of the Science, Space, and Technology Committee, wrote in a letter seeking communications between agencies, labs, and contractors[…] "Hackers who got into the U.S. nuclear command and control system could, theoretically, “trigger a false alarm, making us think that Russian nuclear weapons were on their way”
The report indicated the president to take a decision on whether to launch a strike in counter, says former White House cybersecurity adviser Richard Clarke in a video for the nonprofit Nuclear Threat Initiative last year.
The Biden administration has been attempting to impose minimal security requirements on other industries, but the nuclear industry is already among the most regulated, along with the financial services sector and defense contractors. In a recent interview, a White House representative who requested anonymity to speak more openly about the subject said that the NRC “has really strict rules.”
The NRC initially installed cybersecurity protocols in place in the early 2000s. Under the existing regulations, nuclear power plant operators were required to submit security plans to the agency for approval. This summer, more cybersecurity guidelines for fuel cycle facilities are anticipated from the NRC. Less regulation impacts the security of American nuclear weapons than the NSA's ability to safeguard them.
According to a 2019 study by the agency's inspector general, the NRC is required to change its approaches to cybersecurity inspections at nuclear plants in order to emphasize more on monitoring performance. The report also stated that “the inspection program faces future staffing challenges because demographic and resource constraints work against optimal staffing.”
The NNSA “and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment,” according to a report from the Government Accountability Office from last year. The nuclear weapons IT environments and NNSA's operational technology environments "have not fully implemented these practices,” it stated.
In the year 2022, we witnessed a number of state-sponsored cyber activities originating from different countries wherein the tactics employed by the threat actors varied. Apparently, this will continue into 2023, since government uses its cyber capabilities as a means of achieving its economic and political objectives.
It can be anticipated that more conflict-related cyber activities will eventually increase since there is no immediate prospect of an end to the conflict in Ukraine. These activities will be aimed at degrading Ukraine's vital infrastructure and government services and gathering foreign intelligence, useful to the Russian government, from entities involved in the war effort.
Additionally, organizations linked to the Russian intelligence services will keep focusing their disinformation campaigns, intelligence gathering, and potentially low-intensity disruptive attacks on their geographical neighbors.
Although Russia too will keep working toward its longer-term, more comprehensive intelligence goals. The traditional targets of espionage will still be a priority. For instance, in August 2022, Russian intelligence services used spear phishing emails to target employees of the US's Argonne and Brookhaven national laboratories, which conduct cutting-edge energy research.
It is further expected that new information regarding the large-scale covert intelligence gathering by Russian state-sponsored threat actors, enabled by their use of cloud environments, internet backbone technology, or pervasive identity management systems, will come to light.
It has also been anticipated that the economic and political objectives will continue to drive the operation of China’s intelligence-gathering activities.
The newly re-elected president Xi Jinping and his Chinese Communist Party will continue to employ its intelligence infrastructure to assist in achieving more general economic and social goals. It will also continue to target international NGOs in order to look over dissident organizations and individuals opposing the Chinese government in any way.
China-based threat actors will also be targeting high-tech company giants that operate in or supply industries like energy, manufacturing, housing, and natural resources as it looks forward to upgrading the industries internally.
The way in which the Iranian intelligence services outsource operations to security firms in Iran has resulted in the muddled difference between state-sponsored activity and cybercrime.
We have witnessed a recent incident regarding the same with the IRGC-affiliated COBALT MIRAGE threat group, which performs cyber espionage but also financially supports ransomware attacks. Because cybercrime is inherently opportunistic, it has affected and will continue to affect enterprises of all types and sizes around the world.
Moreover, low-intensity conflicts between Iran and its adversaries in the area, mainly Israel, will persist. Operations carried out under the guise of hacktivism and cybercrime will be designed to interfere with crucial infrastructure, disclose private data, and reveal agents of foreign intelligence.
The recent global cyber activities indicate that opportunistic cybercrime threats will continue to pose a challenge to organizational operations.
Organizations are also working on defending themselves from these activities by prioritizing security measures, since incidents as such generally occur due to a failure or lack of security controls.
We have listed below some of the security measures organizations may follow in order to combat opportunistic cybercrime against nations, states, and cybercrime groups :