Daily Drop (528): DoJ's Cyber Unit, Zambia's Debt Relief, Micron: Applied Materials Invest, US Funds Ford's Battery Plants, Camaro Dragon Hackers Strike, Intelsat-SES Merger, Chinese Gunpowder: RU
06-23-23
Friday, Jun 23, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
US cyber ambassador says China knows how to steal its way to the dominance of cloud and AI
Analyst Comments: The remarks by Nathaniel C. Fick shed light on the concerns regarding China's IP theft and strategic approach to technology dominance. The call for a coalition of nations to counter China's tactics reflects the need for collective action to protect innovation and address the challenges posed by state-sponsored IP theft. The focus on AI regulation and the risks associated with disinformation and lethal applications of AI highlights the importance of responsible and ethical use of emerging technologies.
FROM THE MEDIA: According to Nathaniel C. Fick, the US ambassador-at-large for cyberspace and digital policy, China has a playbook to use intellectual property (IP) theft to seize leadership in strategic technology areas like cloud computing. Fick argues that democratic nations need to band together to prevent China from dominating these fields through IP theft and government subsidies. He warns that China's actions in the telecoms industry serve as a playbook that it will apply to other core strategic technology areas. Fick advocates for a coalition of like-minded nations to collaborate on technology and use their free markets to spur innovation as a response to China's tactics.
READ THE STORY: The Register
China was the ghost at the US-India feast
Analyst Comments: The visit of Prime Minister Modi to the US reflects the Biden administration's strategy of strengthening ties with India to counter China's influence. The shared concerns over China's rise and its challenge to the rules-based international order have positioned India as a promising partner for the US. Despite criticisms regarding democratic backsliding in India, the focus on countering China has taken priority. The strategic alignment between the US and India in the Indo-Pacific region is aimed at safeguarding their economic and security interests, especially in light of China's assertiveness.
FROM THE MEDIA: Indian Prime Minister Narendra Modi's recent state visit to the United States highlighted the complex relationship between the two countries, driven primarily by their shared concerns over China's rise. Despite criticism of Modi's government's erosion of democratic freedoms, President Joe Biden and Congress hosted him to demonstrate the importance of India in preserving the Western-led international order. The visit comes amid increasing US-China tensions, with Biden emphasizing the mutual respect and shared values between the US and India as democracies. The strategic weight of India is seen as valuable to counter the challenges posed by China.
READ THE STORY: CNN
Almost 770,000 Calpers members hit by cyber attack
Analyst Comments: The cyberattack on Calpers, affecting a significant number of its members, underscores the persistent challenges posed by cyber threats. The exploitation of a zero-day vulnerability in the MOVEit file transfer service demonstrates the sophistication of the attackers and their ability to target critical infrastructure. The incident raises concerns about the security practices and vulnerabilities of third-party providers, emphasizing the need for organizations to carefully vet and monitor their partners' cybersecurity protocols. Calpers' prompt response and implementation of enhanced security measures demonstrate a commitment to protecting its members' financial interests. However, the breach highlights the urgent need for organizations to bolster their cybersecurity defenses, including regular vulnerability assessments, patch management, and employee training to mitigate the risk of similar incidents in the future.
FROM THE MEDIA: The California Public Employees' Retirement System (Calpers), the largest public pension plan in the US, has announced that around 770,000 of its members were impacted by the recent MOVEit cyberattack. The breach occurred through a zero-day vulnerability in the MOVEit file transfer service, which was exploited by an unauthorized third party. Personal information, including dates of birth and social security numbers, was downloaded during the incident. Calpers has taken swift action to protect its members' financial interests and has implemented additional security measures.
READ THE STORY: FT
Chinese Firm Sent Large Shipments of Gunpowder to Russian Munitions Factory
Analyst Comments: The shipments, if deemed as lethal assistance, have implications for the ongoing conflict. The article also highlights the challenges of monitoring and regulating international trade, particularly in the context of geopolitical conflicts. The involvement of state-owned companies and the potential consequences for China's relationship with the United States and other countries add to the complexity of the situation. Further investigation and diplomatic efforts may be necessary to address these concerns and ensure compliance with international norms.
FROM THE MEDIA: Previously unreported shipments of smokeless powder from a state-owned Chinese company, Poly Technologies, to a Russian ammunition factory, Barnaul Cartridge Plant, raise questions about China's role in supporting Russia's war against Ukraine. The shipments, totaling nearly $2 million, are viewed by experts as constituting lethal assistance, although there is no direct link to the Ukrainian battlefield. While the United States has expressed concerns about China potentially providing lethal aid to Russia, Chinese officials have denied such allegations.
READ THE STORY: NYT
New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices
Analyst Comments: The targeting of internet-facing Linux systems and IoT devices for cryptocurrency mining reflects the ongoing trend of threat actors exploiting vulnerable infrastructure for financial gain. The campaign's focus on misconfigured Linux hosts and trojanized OpenSSH highlights the importance of properly securing and configuring internet-facing systems. It also emphasizes the need for strong SSH credentials and continuous monitoring to detect any unauthorized access. The use of backdoors, rootkits, and IRC bots demonstrates the sophistication of the attack and the attackers' intent to maintain persistence and evade detection. This campaign serves as a reminder of the evolving tactics employed by threat actors to exploit vulnerabilities in IoT devices and Linux systems. Organizations should regularly update their software and firmware, implement robust access controls, and employ security solutions capable of detecting and mitigating such attacks.
FROM THE MEDIA: A new campaign has emerged targeting internet-facing Linux systems and Internet of Things (IoT) devices for illicit cryptocurrency mining. The attack involves the use of a backdoor that deploys various tools and components, including rootkits and an IRC bot, to steal device resources for mining operations. The threat actors exploit misconfigured Linux hosts through brute-force attacks, disable shell history, and fetch a trojanized version of OpenSSH to install the backdoor. The backdoor allows the attackers to distribute additional payloads, conduct post-exploitation activities, and hijack SSH credentials. The campaign also aims to eliminate competing crypto mining processes already running on the infected system. The attacks leverage a Southeast Asian financial institution's subdomain for command-and-control communication to mask the malicious traffic.
READ THE STORY: THN
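The campaign summarized above gets in by brute-forcing SSH on exposed Linux hosts and then hides its tracks by disabling shell history. As an added illustration of the "continuous monitoring" the analyst comment calls for (this is example code, not from the article or the researchers who reported the campaign), the following detector runs over constructed sshd log lines and a constructed post-login command transcript; the sample data, the burst threshold and the fixed log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (assumes standard OpenSSH wording); not from the article.
SAMPLE_AUTH_LOG = """\
Jun 23 02:14:01 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 23 02:14:03 host1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun 23 02:14:05 host1 sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jun 23 02:14:06 host1 sshd[2217]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jun 23 02:14:08 host1 sshd[2219]: Failed password for root from 203.0.113.7 port 40163 ssh2
Jun 23 02:14:10 host1 sshd[2221]: Accepted password for root from 203.0.113.7 port 40170 ssh2
Jun 23 02:30:00 host1 sshd[2300]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Jun 23 02:31:00 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2
"""

# Constructed command transcript of the session that followed (e.g. from auditd or a session recorder).
SAMPLE_SESSION_CMDS = [
    "unset HISTFILE",
    "export HISTSIZE=0",
    "uname -a",
    "history -c",
]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Commands that stop the shell from recording, or that wipe, the interactive history.
HISTORY_TAMPER_RE = re.compile(
    r"(unset\s+HISTFILE|HISTFILE=\s*/dev/null|HISTSIZE=\s*0|HISTFILESIZE=\s*0|"
    r"history\s+-c|set\s+\+o\s+history)"
)


def parse_auth_log(text):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # syslog lines carry no year; assume a fixed one so timestamps compare within a day
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2023)
            yield ts, m["result"], m["method"], m["user"], m["ip"]


def _has_burst(times, threshold, window_s):
    """True if any `threshold` consecutive failures fall within `window_s` seconds."""
    times = sorted(times)
    return any(
        (times[i + threshold - 1] - times[i]).total_seconds() <= window_s
        for i in range(len(times) - threshold + 1)
    )


def detect_ssh_bruteforce(text, threshold=5, window_s=60):
    """Return {ip: finding} for sources whose failure burst meets the threshold."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for ts, result, method, user, ip in parse_auth_log(text):
        (failures if result == "Failed" else accepted)[ip].append((ts, method, user))
    findings = {}
    for ip, fails in failures.items():
        if not _has_burst([t for t, _, _ in fails], threshold, window_s):
            continue
        first_fail = min(t for t, _, _ in fails)
        # a password login from the same source after the burst means the guessing worked
        success = [(t, u) for t, m, u in accepted.get(ip, []) if m == "password" and t > first_fail]
        findings[ip] = {
            "failures": len(fails),
            "accepted_after": bool(success),
            "compromised_users": sorted({u for _, u in success}),
        }
    return findings


def flag_history_tampering(commands):
    """Return the commands that disable or wipe shell history."""
    return [c for c in commands if HISTORY_TAMPER_RE.search(c)]
```

A flagged source with `accepted_after` set, followed by history tampering in that session, is the point at which to check the host's OpenSSH binaries against the distribution's package checksums, since the campaign replaces them.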
CISA orders govt agencies to patch bugs exploited by Russian hackers
Analyst Comments: The addition of these security flaws to the KEV list underscores the ongoing cyber threats faced by government organizations. The targeted exploitation of vulnerabilities in Roundcube email servers highlights the strategic use of cyber espionage to gather intelligence in support of military operations. The directive for U.S. federal agencies to patch their systems by a specific deadline demonstrates the urgency and importance of addressing known vulnerabilities to enhance cybersecurity defenses. Private companies worldwide are also advised to prioritize addressing these vulnerabilities to mitigate the risk of exploitation.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six new security flaws, including three exploited by the Russian APT28 group, to its known exploited vulnerabilities (KEV) list. The APT28 group, also known as BlueDelta or Fancy Bear, targeted Roundcube email servers belonging to Ukrainian government organizations. The group exploited vulnerabilities in the Roundcube Webmail software to gain unauthorized access to unpatched servers and exfiltrate military intelligence, supporting Russia's invasion of Ukraine. The KEV catalog now contains over 950 entries, and U.S. federal agencies have been ordered to patch their systems by July 13 to secure against these vulnerabilities.
READ THE STORY: Bleeping Computer
Russia Challenges US Govt on Halting New Embassy Construction
Analyst Comments: The dispute between Russia and Australia over the embassy construction reflects the increasingly strained relationship between the two countries. Australia's concerns over security risks associated with the proposed location, combined with broader concerns about Russia's global actions, led to the cancellation of Russia's lease on the land. Russia's legal challenge highlights its commitment to defending its rights as a sovereign nation and its perception of Australia's actions as a violation of international law. The outcome of the High Court case will have repercussions for the bilateral relationship, potentially leading to further tensions or retaliation.
FROM THE MEDIA: Russia has launched a High Court challenge against the Australian government's decision to stop it from building a new embassy next to Parliament House. The dispute arose over concerns about intelligence and security risks associated with the location of the proposed embassy. The Australian parliament passed new laws to cancel Russia's lease on the land, prompting Russia to file a case in the High Court challenging the legality of the decision. The case, expected to be heard soon, could have significant implications for the relationship between the two countries, highlighting the growing tensions and differing perspectives on issues such as national security and sovereignty.
READ THE STORY: GVS
Intelsat and SES merger to create $10B satellite giant is off
Analyst Comments: The termination of merger talks between Intelsat and SES is a significant development in the satellite telecommunication industry. It highlights the challenges faced by established operators as they navigate competition from emerging players like Starlink and Project Kuiper. The potential merger could have provided the combined company with the scale and resources to better compete in this evolving market. The cost of satellite broadband remains a major obstacle, involving substantial investments in launching, maintaining, and replacing satellites. Mergers have been seen as an opportunity to achieve economies of scale and share the financial burden. The inability to reach an acceptable agreement indicates the complexities and divergent perspectives that may arise during such negotiations.
FROM THE MEDIA: Satellite telecommunication operators Intelsat and SES have ended discussions regarding a proposed merger between the two companies. The merger aimed to strengthen their position against new competitors like Starlink and Project Kuiper. The breakdown of talks is seen as a setback for both parties, as they face increasing competition and the high costs associated with satellite broadband. SES confirmed the talks in March, but no definitive transaction materialized. Intelsat highlighted its successful business turnaround after a Chapter 11 restructuring. Both companies have faced competition from Starlink and Project Kuiper. Another significant merger in the industry is between Eutelsat and OneWeb.
READ THE STORY: The Register
Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware
Analyst Comments: The usage of USB devices as an infection vector by Camaro Dragon underscores the persistent threat of cyber espionage and the evolving tactics of threat actors. Exploiting misconfigured USB drives allows the malware to propagate widely, making it a potent method for targeting multiple countries and organizations. The incident at the European hospital exemplifies how seemingly innocuous actions, such as connecting infected USB drives, can lead to significant security breaches. The Camaro Dragon group's use of self-propagating malware demonstrates their ability to develop sophisticated tools and adapt their tactics to evade detection. The combination of the HopperTick launcher and the WispRider payload allows for the seamless infection of devices and the exfiltration of sensitive data. Their utilization of DLL side-loading and evasion techniques against antivirus solutions showcases their expertise in bypassing security measures.
FROM THE MEDIA: The Chinese cyber espionage group, Camaro Dragon, has been observed using a new strain of self-propagating malware that spreads through compromised USB drives. Check Point researchers discovered evidence of USB malware infections in multiple countries, including Myanmar, South Korea, Great Britain, India, and Russia. The investigation began after an unnamed European hospital suffered a breach when an employee's infected USB drive was connected to a colleague's computer at an Asian conference. The malware, named WispRider, is deployed through a Delphi launcher called HopperTick and infects connected devices. It communicates with a remote server, compromises newly connected USB devices, executes commands, and conducts file operations. The Camaro Dragon group's use of USB devices highlights their adaptability and the role of USB drives in spreading malware.
READ THE STORY: THN // The Register
US to lend $9.2bn for Ford battery plants in clean energy push
Analyst Comments: The provision of the $9.2 billion loan by the US Department of Energy's Loan Programs Office marks a significant milestone in the effort to develop a robust domestic EV battery industry. By supporting the construction of battery factories, the loan contributes to reducing reliance on foreign suppliers, particularly China, and strengthens domestic supply chains. This aligns with the Biden administration's goal of promoting clean energy and revitalizing American manufacturing. The loan will enable Ford and SK On to expand their EV battery production capabilities and meet the growing demand for electric vehicles. The establishment of the battery plants in Kentucky and Tennessee not only stimulates economic activity in these regions but also contributes to the emergence of the "battery belt" in the southern United States.
FROM THE MEDIA: The US Department of Energy's Loan Programs Office (LPO) is set to provide a record-breaking loan of $9.2 billion for the construction of electric vehicle (EV) battery factories by Ford and South Korea's SK On. The loan, granted under the clean energy investment initiative, aims to bolster domestic supply chains and reduce reliance on China. Ford and SK On are establishing three battery plants in Kentucky and Tennessee to support the expansion of Ford's EV lineup. The loan, the largest in the LPO's history, aligns with President Biden's agenda for clean energy and domestic manufacturing. The combined capacity of the plants will exceed 120 gigawatt-hours of batteries per year, displacing around 455 million gallons of petrol annually.
READ THE STORY: FT
Micron, Applied Materials, make big investments in India
Analyst Comments: Micron's and Applied Materials' investments in India mark significant milestones in the country's efforts to become a leading semiconductor manufacturing destination. The move aligns with India's goals of reducing dependency on foreign chip imports and boosting its own semiconductor industry. These investments will contribute to the growth of India's technology ecosystem, create employment opportunities, and enhance the nation's capabilities in chip design and manufacturing.
FROM THE MEDIA: Micron Technology and Applied Materials have announced significant investments in India, bolstering the country's ambitions to become a major player in the semiconductor industry. Micron plans to build an assembly and test facility featuring 500,000 square feet of cleanroom space, with operations expected to begin in late 2024. Applied Materials will establish an engineering center, collaborating with global and domestic suppliers and research institutions to develop chipmaking technology. The announcements align with India's aim to attract chip manufacturers and position itself as a market of sufficient size and stability amid supply chain disruptions and geopolitical risks. The investments were made on the same day as Indian Prime Minister Narendra Modi's visit to the US, strengthening bilateral ties between the two countries.
READ THE STORY: The Register
Zambia agrees on debt relief with China and other creditors
Analyst Comments: The debt restructuring agreement between Zambia and its creditors, led by China, is a significant development that ends a long impasse following Zambia's default in 2020. The deal provides much-needed relief for Zambia, allowing it to resume access to IMF funding and restructure its private debts. It also signifies a diplomatic achievement for Macron, who showcased the agreement during the global finance and climate summit. The restructuring deal sets a positive precedent for other debt-ridden countries, such as Ghana and Ethiopia, that are seeking to restructure their debts dominated by loans from China. However, it is important to note that the agreement covers only the loans from bilateral lenders, and reaching a comprehensive restructuring of Zambia's external debt will require agreement among private creditors.
FROM THE MEDIA: China and other creditors have reached a deal to restructure Zambia's billions of dollars in loans, resolving the country's 2020 default. The agreement includes bilateral lenders led by China rearranging payments and extending loan maturities. This breakthrough allows Zambia to regain access to IMF funding and restructure its private debts. The deal was announced during the global finance and climate summit in Paris, with Zambian President Hakainde Hichilema, French President Emmanuel Macron, and China's Premier Li Qiang in attendance. The agreement is seen as a diplomatic win for Macron and raises hopes for other debt-burdened countries engaged in similar talks with China.
READ THE STORY: FT
Fortifying National Security: Inside the DoJ’s New Cybersecurity Unit Combatting State-Backed Hackers
Analyst Comments: The creation of a dedicated cybersecurity unit within the DoJ's National Security Division reflects the increasing recognition of the seriousness of cyber threats and the need for robust measures to address them. By focusing on nation-state and state-backed hackers, the unit demonstrates a targeted approach to combatting cyber threats. While the specific mention of China is absent from the announcement, it is evident that concerns over Chinese cyber activities have played a significant role in the establishment of this unit. The inclusion of Russia and North Korea as ongoing threats emphasizes the global nature of cyber threats. The unit's focus on early-stage cases and comprehensive investigations showcases the DoJ's commitment to disrupting cyber threats and holding threat actors accountable.
FROM THE MEDIA: The U.S. Department of Justice (DoJ) has announced the creation of a specialized unit within its National Security Division to combat cyber threats posed by nation-state and state-backed hackers. The unit will work in close collaboration with the existing national security team to expedite the prosecution of threat actors. While the announcement did not explicitly mention China, it is important to recognize the ongoing concerns regarding Chinese cyber activities. Additionally, Russian and North Korean cyber actors pose significant threats, albeit with different motives and tactics. Building cases against state-backed cyber threat actors can be challenging, but the new unit aims to invest time and resources in conducting detailed investigations to disrupt cyber threats and bring threat actors to justice. This development highlights the DoJ's proactive approach to cybersecurity and its commitment to protecting national security in the digital age.
READ THE STORY: Read Write
Items of interest
Why is it so rare to hear about Western cyber-attacks?
Analyst Comments: This write-up sheds light on the changing dynamics in the perception of cyber-attacks and hacking activities, with Russia and China increasingly calling out Western nations for their own cyber operations. It highlights the need for a more balanced and transparent view of cyber-attacks, emphasizing that cyber operations are conducted by governments worldwide and are not limited to specific regions. The shift in narrative underscores the importance of greater transparency, evidence-based reporting, and a more nuanced understanding of cyber capabilities and activities across different nations.
FROM THE MEDIA: The recent discovery of a sophisticated surveillance-hacking campaign targeting Kaspersky employees in Russia has led to the Russian government accusing the US of conducting the attack. The article suggests that China and Russia have adopted a more aggressive approach to exposing Western hacking activities, challenging the traditional narrative that portrays these countries as the primary perpetrators of cyber-attacks. The lack of reporting on Western cyber-attacks is attributed to factors such as a bias in the cyber-security industry, conscious decisions to withhold information, stealthier operations, and a lack of evidence provided by Western governments when pointing fingers at other nations.
READ THE STORY: BBC
Inside the Persistent Mind of a Chinese Nation-State Actor (Video)
FROM THE MEDIA: The motivation behind Chinese APT groups has always been deeply rooted in nationalistic pride. Former Chairman Deng Xiaoping once stated, “It doesn't matter if a cat is black or white as long as it catches mice.” These words ring true in the series of targeted attacks launched by the Chinese APT groups throughout the years to gather intellectual property and conduct cyber espionage. But what does it take to build a nation-state actor? Indoctrination in the early years? A hiring system built into the education system? In this talk, I will explore the tactics, techniques, and procedures utilized by Chinese APT groups to launch cyber-attacks, how hiring and recruitment work at a nation-state level, and use examples from recent incident response engagements we’ve worked on at Secureworks.
Nation-State Moneymule's Hunting Season – APT Attacks Targeting Financial Institutions (Video)
FROM THE MEDIA: In this talk, we will disclose four recent campaigns conducted by the groups. These campaigns targeted banks in South Korea and EMEA, an ATM company, and several Bitcoin exchange service providers. We will introduce the malware, vulnerabilities, IOC, and attack vectors discovered in these attacks.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.