Daily Drop (585): RU: Infamous Chisel, Gamaredon, Lazarus Group, Earth Estries, SuperBear, Uyghur: China-linked spyware, Gabon's internet back online, FCC: US IoT, Iran blames Israel for sabotage
09-01-23
Friday, Sep 01, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Cyber Warfare in Sino-Indian Context: Lessons from Russia-Ukraine Conflict
Analyst Comments: India must exercise caution when extrapolating lessons from the Russia-Ukraine scenario. The dynamics of the Russia-Ukraine conflict, influenced by various external and internal factors, will differ considerably from potential Sino-Indian confrontations. China's sophisticated CW capabilities, when combined with its EW and SW assets, present a formidable challenge to India's defense mechanisms. It's imperative for India to bolster its cyber defenses, develop offensive capabilities, and seek international partnerships to effectively counter the multifaceted cyber threats emanating from China. The Russia-Ukraine conflict serves as a reminder of the evolving nature of warfare, emphasizing the need for India to adapt and prepare for multifaceted threats in the cyber realm.
FROM THE MEDIA: The recent Russia-Ukraine conflict and the ongoing Sino-Indian boundary standoff underscore the intertwined roles of cyber warfare (CW) and electronic warfare (EW) in contemporary military confrontations. China, with its Integrated Network Electronic Warfare (INEW), has been at the forefront of harnessing the combined potential of CW and EW. The People’s Liberation Army Strategic Support Force (PLASSF) exemplifies this integration, merging CW, EW, and space warfare (SW) capabilities. The Russia-Ukraine war has ignited debates about the efficacy of CW, with Russia's perceived cyber shortcomings being a focal point. However, these critiques often neglect the external aid Ukraine received, its pre-conflict cyber readiness, and the stark differences between Russia's and China's cyber capabilities. China's cyber strength, both in terms of technology and manpower, significantly outstrips Russia's, and its strategic approach to cyber operations is more cohesive.
READ THE STORY: ORF
Israel Accused of Sabotaging Iran's Missile Program
Analyst Comments: The allegations by Iran highlight the ongoing tensions and covert operations between Iran and Israel. If true, the sabotage could significantly cripple Iran's missile capabilities, given the importance of the connectors in missile functionality. The situation underscores the lengths to which nations might go in the realm of cyber warfare and covert operations to neutralize perceived threats. The lack of comment from Israeli and U.S. agencies adds a layer of mystery to the situation, and it remains to be seen how this will impact the already strained relations between the involved countries.
FROM THE MEDIA: Iran has accused Israel of attempting to sabotage its ballistic missile program by supplying defective foreign components that could cause the missiles to explode before they are launched. This claim comes amidst a longstanding effort by both Israel and the U.S. to target Iran's missile capabilities. The allegedly faulty components, described as low-cost "connectors," were reportedly supplied by Israeli Mossad agents. These connectors are crucial for attaching electronic components of a missile or drone, such as its guidance computer, and for transmitting both electricity and signals. State TV footage showcased these parts, some of which appeared to be affected by explosives.
READ THE STORY: VOA
The Chinese Threat to US IoT Infrastructure
Analyst Comments: The integration of Chinese-made cellular radio modules into IoT devices within the US carries significant security risks. Given the potential for these modules to be remotely controlled or exploited by foreign actors, there's an urgent need for the US to secure its IoT infrastructure. The FCC's proactive approach in addressing these concerns is commendable, but the challenge lies in managing the vast number of devices already deployed. The situation emphasizes the importance of national security in the age of interconnected devices and the need for stringent measures to safeguard critical infrastructures.
FROM THE MEDIA: The US has implemented bans on Chinese-manufactured telecommunications and video surveillance equipment to safeguard its network infrastructure and monitoring systems. These bans, rooted in acts like the US Secure and Trusted Communications Networks Act of 2019 and the Secure Equipment Act of 2021, have led to the "rip and replace" of telecom and networking equipment, with the US government providing subsidies to cover the costs. Now, the Federal Communications Commission (FCC) is focusing on the Internet of Things (IoT), a network that could affect millions of devices in the US, ranging from public utilities to smart city communication networks.
READ THE STORY: Forbes
SapphireStealer's Evolution: A Growing Cyber Threat
Analyst Comments: The rapid evolution and adaptation of open-source malware like SapphireStealer underscore the dynamic nature of cyber threats. With the barrier to entry in cybercrime becoming increasingly low due to the availability of such open-source tools, organizations must prioritize continuous monitoring and updating of their cybersecurity measures.
FROM THE MEDIA: The open-source malware SapphireStealer is undergoing active modification, making it an increasingly potent tool for data theft. Researchers from Cisco Talos have identified multiple variants of this malware, which are being utilized by several threat actors primarily to steal sensitive data, such as corporate credentials. These stolen credentials are then resold to other malicious entities for further illicit activities, including espionage or ransomware attacks. Since its public release in December 2022, hackers have been refining SapphireStealer's original code, leading to the creation of numerous variants. These modifications aim to enhance data exfiltration processes, notify hackers of new infections, and in some cases have inadvertently exposed the hackers themselves.
READ THE STORY: The Record
Malware, Alliances, Targets and Responses… Oh my
Analyst Comments: The release of the U.S.'s NIS and the revelation of the Infamous Chisel malware underscore the escalating importance of cyber warfare in global geopolitics. The U.S.'s strategy emphasizes collaboration, indicating a shift towards collective defense against shared threats, especially in cyberspace. However, this approach has ruffled feathers in Beijing, signaling potential tensions ahead. The targeted cyberattacks on Ukraine's military infrastructure by Russian-backed entities further highlight the increasing use of cyber tools in geopolitical confrontations. As nations continue to leverage cyber capabilities for strategic advantage, global alliances and partnerships will play a crucial role in determining the balance of power in the digital realm.
FROM THE MEDIA: Cybersecurity agencies from the Five Eyes alliance have unveiled details of a malware strain, "Infamous Chisel," targeting Android devices within the Ukrainian military. This malware is linked to the Russian state-sponsored group, Sandworm, which is associated with Russia's Main Intelligence Directorate (GRU). The malware is designed to infiltrate devices, scan files, monitor traffic, and periodically extract sensitive data. The Security Service of Ukraine (SBU) had previously identified some aspects of this malware, emphasizing the unsuccessful attempts by adversaries to breach Ukrainian military networks. Additionally, the National Cybersecurity Coordination Center of Ukraine (NCSCC) has spotlighted phishing attempts by another Kremlin-backed group, Gamaredon, aiming to siphon off classified information.
READ THE STORY: THN // VOA // The Record
China's Huawei and India's Manufacturing Surge
Analyst Comments: The tech advancements in China and India underscore the shifting dynamics in the global tech industry. China's potential breakthrough with a domestically produced 5G radio for Huawei could be a game-changer, reducing its reliance on foreign tech and potentially bypassing US sanctions. Meanwhile, India's strategy to attract global tech manufacturers aligns with its broader "Make In India" initiative. The interest shown by major tech companies suggests a growing confidence in India's manufacturing capabilities. Both countries' achievements highlight their ambitions to be self-reliant and dominant players in the tech world.
FROM THE MEDIA: Both India and China are celebrating significant advancements in their tech industries, emphasizing their growing independence and prowess in the global tech market. China is reveling in the launch of Huawei's Mate 60 Pro, a premium smartphone that was discreetly introduced without the typical pre-release fanfare. Notably, Huawei has faced challenges in releasing high-end devices in recent years due to US sanctions. The phone's spec sheet highlights its impressive features, but intriguingly omits details about its processor and its connectivity to wireless telecommunications networks. Speculations suggest the phone might be equipped with a domestically produced 5G radio, which would be a significant achievement for China. The phone, priced at around $960, was quickly sold out after its release.
READ THE STORY: The Register
SuperBear Trojan Targets South Korean Activists
Analyst Comments: The emergence of the SuperBear Trojan underscores the evolving nature of cyber threats, especially those with potential nation-state backing. The targeting of activists and civil society groups in South Korea is particularly concerning, as it indicates a strategic focus on individuals and organizations that may be seen as threats or of interest to adversarial governments. The potential involvement of North Korean actors, given their history of cyber-espionage and cyber-attacks, further emphasizes the need for robust cybersecurity measures and awareness, especially for high-risk individuals and groups.
FROM THE MEDIA: A new phishing campaign targeting civil society groups in South Korea has unveiled a previously unknown remote access trojan (RAT) named SuperBear. The attack, which occurred in late August 2023, focused on a specific activist who received a malicious LNK file from an email address impersonating a member of their organization. This LNK file, when executed, initiates a chain of events that ultimately leads to the deployment of the SuperBear RAT. This malware communicates with a remote server to exfiltrate data and execute additional commands. Preliminary analysis by Interlabs suggests potential links to the North Korean nation-state actor, Kimsuky, based on similarities in the attack vector and specific PowerShell commands used.
READ THE STORY: THN
Intel's Graph Analytics Revolution
Analyst Comments: Intel's venture into specialized graph analytics processing signifies a pivotal shift in addressing complex data interconnections, especially relevant in today's interconnected digital ecosystems. The potential applications in infrastructure monitoring and cybersecurity could be transformative, offering unprecedented speed and efficiency in data processing. However, the developmental challenges underscore the intricate nature of pioneering new semiconductor technologies. The chip's commercial success will hinge not only on its technical prowess but also on Intel's ability to secure necessary funding and navigate the complexities of large-scale production and integration.
FROM THE MEDIA: At the recent Hot Chips conference, Intel introduced a groundbreaking 528-thread processor with 1TB/s silicon photonics interconnects, specifically tailored for graph analytics. This chip, diverging from the conventional x86 architecture, was custom-designed under a RISC architecture for DARPA's Hierarchical Identify Verify Exploit (HIVE) initiative. The primary goal of this initiative is to accelerate the processing of streaming data in graph analytics by up to 100 times compared to traditional architectures, all while being more power-efficient. Intel's innovative approach involves a mesh-to-mesh photonic fabric, leveraging silicon photonic interconnects to seamlessly connect a vast number of chips. Despite its potential, the development journey wasn't without challenges, particularly in achieving the targeted bandwidth and ensuring the optimal functioning of the optics.
READ THE STORY: The Register
China-Linked Cyber Espionage Targets Uyghur Users
Analyst Comments: The discovery of these malicious apps underscores the escalating cyber threat landscape, especially with nation-state actors involved. The fact that these apps were available on official platforms like Google Play raises concerns about the vetting processes of such platforms. The targeting of the Uyghur ethnic group adds a layer of political complexity, suggesting that these cyberattacks might have deeper geopolitical motivations. Users are advised to be cautious when downloading apps and to ensure they are sourced from trusted developers.
FROM THE MEDIA: Suspected hackers with ties to China are launching cyber espionage campaigns targeting Android users. These hackers are embedding 'BadBazaar' malware in counterfeit versions of the popular messaging apps Signal and Telegram. Distributed through official app stores, including Google Play and the Samsung Galaxy Store, these malicious apps, named Signal Plus Messenger and FlyGram, are designed to pilfer user data, such as device details, installed apps, contact lists, and call records. Furthermore, the hackers can gain comprehensive access to Telegram backups if users activate a specific feature embedded by the attackers. ESET's research indicates that some victims are members of China's Uyghur ethnic group, and they were enticed to install the harmful FlyGram app via a Uyghur Telegram group. The campaigns have been active since at least July 2020 for Signal Plus Messenger and July 2022 for FlyGram.
READ THE STORY: The Record // GBhackers
DPRK Cyber Threats: A Deep Dive into Malicious Python Packages
Analyst Comments: The Lazarus Group's involvement in the VMConnect campaign underscores the increasing sophistication and persistence of state-sponsored cyber threats. The group's strategy of mimicking legitimate software packages highlights the challenges organizations face in distinguishing between genuine and malicious tools. The use of typosquatting further complicates the issue, as even minor typographical errors can lead to significant security breaches. As software supply-chain attacks become more prevalent, organizations must prioritize cybersecurity training and invest in tools that can detect and prevent such threats.
FROM THE MEDIA: North Korean threat actors, specifically the Lazarus Group, have been identified as the culprits behind a malicious campaign targeting macOS, Linux, and Windows systems. This revelation comes from cybersecurity researchers at ReversingLabs, who have been monitoring the VMConnect campaign. VMConnect consists of malicious Python packages on the PyPI software repository. The recent discovery includes three new packages: tableditor, request-plus, and requestspro. These packages are believed to be part of the VMConnect family, which has been linked to Labyrinth Chollima, a subgroup of the Lazarus Group. The campaign's tactics involve disguising malicious payloads to appear trustworthy, using techniques like typosquatting to mislead developers. The ongoing VMConnect campaign serves as a stark reminder of the need for organizations to bolster their defenses against software supply-chain attacks.
READ THE STORY: CyberNews // THN
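The two package names above, request-plus and requestspro, both lean on the well-known requests library. The following is an added example, not code from the original digest or from ReversingLabs, of the kind of lightweight check a build pipeline can run over a requirements file before installing anything: it normalizes each dependency name the way PyPI does and flags names that are not on an allow-list but closely resemble one. The allow-list, the similarity threshold and the sample requirements text are all constructed for the example.

```python
# Added example: flag dependency names that look like typosquats of
# well-known PyPI packages. Not from the digest or from ReversingLabs.
import re
from difflib import SequenceMatcher

# Constructed allow-list of legitimate, widely used package names.
# In practice this would be the organization's vetted dependency set.
KNOWN_PACKAGES = {"requests", "numpy", "pandas", "urllib3", "flask", "django"}

# Constructed requirements.txt content for the example; the three
# names from the VMConnect reporting are mixed in with legitimate ones.
SAMPLE_REQUIREMENTS = """
# pinned dependencies
requests==2.31.0
numpy>=1.24
Request_Plus==0.1.0   # note: normalizes to request-plus
requestspro
tableditor==1.0
"""


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of
    '-', '_' and '.' into a single '-'. PyPI treats such names as equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the bare project names from requirements-style text,
    dropping comments, blank lines and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def similarity(a, b):
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def suspicious_names(requested, known=KNOWN_PACKAGES, threshold=0.75):
    """Return (requested_name, closest_known, ratio) for each requested
    name that is NOT an allow-listed package but closely resembles one.
    Exact (normalized) matches are trusted and skipped."""
    known_norm = {normalize(k): k for k in known}
    findings = []
    for name in requested:
        n = normalize(name)
        if n in known_norm:
            continue
        closest = max(known_norm, key=lambda k: similarity(n, k))
        ratio = similarity(n, closest)
        if ratio >= threshold:
            findings.append((name, known_norm[closest], round(ratio, 2)))
    return findings


def audit_requirements(text):
    """Parse requirements text and return the suspicious entries."""
    return suspicious_names(parse_requirements(text))


if __name__ == "__main__":
    for name, closest, ratio in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"SUSPICIOUS: {name!r} resembles {closest!r} (similarity {ratio})")
```

The threshold is deliberately a heuristic: a name such as requests-oauthlib would also score high against requests, so the output is a review queue for a human or for a second check against the organization's allow-list, not an automatic block. Note that tableditor, which does not imitate any name on the constructed allow-list, is not flagged, which is exactly the limitation of name-similarity checks: they catch only the squatting variety of malicious package and nothing else.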
Cyber Espionage in the Ukrainian Front
Analyst Comments: Gamaredon's increased activity underscores the multifaceted nature of the conflict between Ukraine and Russia, extending beyond the physical battlefield into the digital realm. The group's alignment with critical military events and its evolving tactics indicate a strategic approach to cyber warfare, leveraging timely attacks to maximize impact. The Ukrainian government's consideration of restricting services like Telegram and Telegraph to detect such threat actors further highlights the severity of the cyber threat. As the geopolitical situation remains tense, it's evident that cyber warfare will continue to be a significant component of the broader conflict. The international community, especially Western allies, should remain vigilant and bolster their cyber defenses in anticipation of potential spillover effects.
FROM THE MEDIA: The Moscow-backed hacking group Gamaredon has intensified its cyberattacks on Ukrainian military and government agencies, coinciding with Ukraine's counteroffensive against Russian forces. This group, operating under directives from Russia's Federal Security Service (FSB) from the Crimean peninsula, primarily focuses on espionage and data theft. The Ukrainian National Coordination Center for Cybersecurity (NCCC) reported that Gamaredon has been particularly active against Ukrainian military organizations. The group has been known to use legitimate documents from compromised entities in its phishing campaigns, making its attacks more deceptive. Its malware toolkit is ever-evolving, with Pterodo being one of its most potent tools, designed for espionage and data exfiltration.
READ THE STORY: The Record
Earth Estries' Global Espionage Campaign
Analyst Comments: Earth Estries' campaign underscores the increasing sophistication of cyber threats. The group's ability to mimic legitimate software packages and use advanced techniques, such as PowerShell downgrade attacks, highlights the challenges organizations face in cybersecurity. The use of public services for malicious activities further complicates defense.
FROM THE MEDIA: A new cyber espionage campaign has been launched by a hacking group named Earth Estries, targeting government and technology sectors in countries including the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. Trend Micro researchers have highlighted the group's sophisticated cyber espionage tactics and illicit activities. Earth Estries, active since 2020, has shown tactical similarities with another nation-state group, FamousSparrow, which was exposed in 2021. The latter exploited ProxyLogon vulnerabilities in Microsoft Exchange Server. Earth Estries uses a range of backdoors and hacking tools, such as PlugX, Zingdoor, TrillClient, and HemiGate, to enhance data collection. The group also employs DLL side-loading and abuses public services like GitHub, Gmail, AnonFiles, and File.io for command exchange and data theft. The majority of its command-and-control servers are located in countries including the U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K.
READ THE STORY: THN // Security Boulevard
Gabon's Internet Restored Post-Coup
Analyst Comments: The restoration of internet access in Gabon post-coup highlights the intricate relationship between political power struggles and control over digital communication channels. While shutting down the internet is a common tactic used by governments to suppress opposition and control narratives, its restoration by the coup leaders in Gabon suggests a strategic move to gain public support or project a sense of normalcy. The international community will likely monitor the situation closely, given the increasing frequency of coups in Africa and the implications for regional stability.
FROM THE MEDIA: In the wake of an army-led coup against the government, internet access has been reinstated for Gabon's 2.3 million inhabitants. Prior to the recent elections, the administration of President Ali Bongo Ondimba had disabled internet access and restricted several foreign news agencies from reporting on the outcomes. Following the controversial announcement of Bongo's election victory, a coup was initiated, leading to the detention of Bongo and his family, the nullification of the election results, and the suspension of the government. The coup was orchestrated by a faction of army officers known as the "Committee for the Transition and Restoration of Institutions," with Gen. Brice Oligui Nguema, a relative of Bongo, at the forefront. Shortly after the coup's announcement, internet access was restored, marking a deviation from the typical strategy of coup orchestrators to limit internet access to hinder the incumbent power. This event marks Gabon as the seventh African nation to experience a government overthrow via a coup since 2020.
READ THE STORY: The Record
Items of interest
US Military Transfer to Taiwan: China Expresses Discontent
Analyst Comments: China's reaction to the US military transfer to Taiwan is consistent with its historical stance on the matter. Beijing has always maintained the "One China" policy, asserting its sovereignty over Taiwan and opposing any international moves that might bolster Taiwan's defense or its claims to statehood. The US, on the other hand, has been walking a diplomatic tightrope, supporting Taiwan's defense needs while not officially recognizing it as a separate country. This recent military transfer is likely to strain the already tense US-China relations further. It also underscores the delicate balance of power in the Asia-Pacific region, where both superpowers have significant strategic interests.
FROM THE MEDIA: In the latest development in the complex US-China-Taiwan relations, China has publicly expressed its strong disapproval of the US military transfer to Taiwan. Beijing, which views Taiwan as a breakaway province and not a separate sovereign state, has always been sensitive to any international actions that seem to support Taiwan's independence or strengthen its defense capabilities. The US, while not having formal diplomatic relations with Taiwan, has been a significant supplier of defense equipment to the island nation, often leading to tensions with mainland China.
READ THE STORY: The Hill
How does the China-US chip war affect India? (Video)
FROM THE MEDIA: In an escalating trade war with the West, particularly the U.S., China brought in export curbs on two metals used in the manufacture of semiconductors and solar panels: germanium and gallium.
Chip Imports From China Up 53% In 3 Years; Is India Too Dependent On China? (Video)
FROM THE MEDIA: According to data submitted by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar in the Rajya Sabha, India's semiconductor chip imports increased by 92% over the last three financial years.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.