Daily Drop (597): Rust-Written Ransomware, China: Space, Sanctions: Conti & TrickBot, Scattered Spider, China's Military Reshuffle, China: iPhones, Huawei's Mate 60 Pro: 7nm Chip, Meduza: NSO
09-14-23
Thursday, Sep 14, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Rapid Satellite Deployment Enhances China's Military Reach in the Pacific
Analyst Comments: The rapid pace of China's space advancements poses a strategic challenge for the US and its allies in the Pacific region. While the US commercial space sector, led by companies like SpaceX, remains globally dominant, reliance on such entities raises concerns about the fulfillment of defense contracts and the broader implications for national security. The US's countermeasures, such as the Silent Barker mission to monitor Chinese and Russian space weapons, indicate a growing urgency to address potential threats. However, the US's cautious approach to weaponizing space, focusing instead on cyber capabilities, suggests a strategic preference to avoid long-term space debris challenges.
FROM THE MEDIA: China's advancements in space technology are rapidly bolstering its military capabilities, enabling a broader power projection into the Pacific and intensifying threats to Taiwan. Maj. Gen. Greg Gagnon, deputy chief of space operations for intelligence, emphasized at the Air & Space Forces Association’s annual conference that China's on-orbit capabilities have seen significant growth. This development allows the People's Liberation Army (PLA) to observe with enhanced precision at any time and under any weather conditions. In just the past year, China launched 200 satellites, with a majority dedicated to monitoring both its own and adversary forces. This surge in space capabilities has transitioned China from a regional defensive player to a global power, evident in its increasing intimidation tactics in the western Pacific and military operations around Taiwan.
READ THE STORY: Defense One
Cyberattacks Reshaping the Landscape of International Conflict
Analyst Comments: Russia's consistent cyber onslaught on Ukraine underscores the nation's strategic use of digital warfare to further its geopolitical aims. Ukraine, often described as a training ground for Russian cyber tactics, has had to rapidly evolve its cybersecurity defenses in response. China's rise as a cyber power poses significant challenges, especially for the US. The increase in Chinese cyberattacks, coupled with the US's assessment of China as a persistent cyber-espionage threat, indicates a brewing digital cold war between the two superpowers. North Korea's cyber heists, primarily targeting cryptocurrencies, reveal the nation's reliance on digital theft to fund its military ambitions, bypassing international sanctions. The broader impact of these cyber warfare tactics is profound. They not only influence international relations but also have cascading effects on global economies, infrastructures, and civilian lives.
FROM THE MEDIA: The digital realm has become the new frontline in international conflict, with cyberattacks emerging as a primary tool for nation-states to exert influence, gather intelligence, and disrupt adversaries. Beginning with the 2007 cyberattacks on Estonia, the world has seen a surge in cyber warfare incidents. Major players in this arena include nation-state-backed cybercriminal groups and organizations from Russia, North Korea, China, and some Middle Eastern countries.
READ THE STORY: THN
US and UK Authorities Target Key Players in Major Cybercrime Operations
Analyst Comments: The Conti and TrickBot cybercrime gangs have been linked to aiding Russian cyberespionage efforts, particularly targeting critical infrastructure in the U.S. The U.S. Treasury Department has accused the sanctioned individuals of assisting Russian intelligence services in achieving their objectives. The UK’s National Crime Agency (NCA) has reported that these cybercrime gangs have extorted a staggering $180 million globally, with £27 million ($33.7m) coming from 149 UK victims. Their targets have included hospitals, schools, local authorities, and businesses. The imposed sanctions prohibit US and UK entities from conducting transactions with the sanctioned individuals. Any foreign financial institutions that facilitate transactions with these individuals could face regulatory actions from both the US and UK governments. The sanctions also mandate the blocking and reporting of any property owned by or of interest to these individuals. Ransom negotiation firms and victims could face regulatory repercussions if they facilitate or pay ransoms to these gangs.
FROM THE MEDIA: The United States and the United Kingdom have imposed sanctions on eleven individuals associated with the Conti ransomware and TrickBot cybercrime gangs. These sanctions were initiated by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign Office, targeting those who materially supported the cybercrime groups in roles such as administrators, managers, and software developers. The U.S. Department of Justice is set to unseal indictments against nine of these individuals, seven of whom are among the sanctioned. These actions are part of a broader effort to combat cyber threats to U.S. businesses and government entities.
READ THE STORY: CPO
The PLA Rocket Force's Leadership Changes and the Broader Implications for China's Military Strategy
Analyst Comments: The reshuffle in the Rocket Force's leadership is seen by some as a sign of an anti-corruption campaign within the force. Critics argue that despite Xi's decade-long tenure, military malfeasance remains a significant issue. Speculation about the reasons for the changes ranges from alleged leaks of military secrets by family members of the previous leadership to the mysterious deaths of former Rocket Force commanders. Another theory suggests potential repercussions from a suspected Chinese reconnaissance balloon incident over the U.S., which could have strained Sino-US relations. However, the appointment of officers from different military branches to lead the Rocket Force isn't unprecedented in China's military history. The recent changes could be part of Xi's broader strategy to enhance joint operations across the PLA's various branches. Despite the ongoing purges, evidence suggests that the Rocket Force's combat effectiveness remains robust. The changes are likely more indicative of internal restructuring within the PLA than of any weakening of Xi's control over the military.
FROM THE MEDIA: Recent changes in the leadership of the People's Liberation Army's (PLA) Rocket Force, which controls China's nuclear and conventional missiles, have sparked widespread speculation. The reshuffle was confirmed during the 96th founding anniversary of the PLA, indicating another significant purge since President Xi Jinping assumed power in 2012. Earlier speculation suggested that the former PLA Rocket Force chief, General Li Yuchao, and other senior officials were under investigation. The new leadership comprises Wang Houbin, formerly with the PLA Navy, and Xu Xisheng, with a background in the PLA Air Force. These changes have raised questions about the combat readiness of China's strategic missile forces and its nuclear deterrent.
READ THE STORY: CNA
Beijing Condemns EU's Investigation into China's EV Industry
Analyst Comments: The EU's decision to investigate China's EV industry underscores the growing concerns within the bloc about China's increasing dominance in key sectors. By labeling the probe as a "protectionist act," China is signaling its displeasure and potentially setting the stage for retaliatory measures. The EU's actions reflect a broader global trend where nations are becoming wary of over-reliance on Chinese industries, especially in sectors deemed critical for future growth and sustainability. The reference to the solar panel market serves as a historical precedent, reminding the EU of the consequences of underestimating Chinese industrial capabilities. The strong reactions from both sides indicate that this issue could become a significant flashpoint in EU-China relations, with potential ramifications for trade and diplomatic ties.
FROM THE MEDIA: The European Union's recent anti-subsidies investigation into China's electric vehicle (EV) industry has drawn sharp criticism from Beijing, which labeled it a "naked protectionist act." China's commerce ministry has warned that this move will negatively impact China-EU relations. The investigation was announced by the European Commission president, Ursula von der Leyen, marking a significant escalation in the EU's efforts to distance itself from China. Although Chinese EVs currently hold a minor share in the EU market, their rapid growth has raised concerns, especially given past experiences where Chinese producers dominated the EU's solar panel market. China views its EV industry as a beacon of hope in its post-pandemic economic recovery, emphasizing its transition to advanced technology industries and green initiatives. The EU's actions have been perceived as a threat to this vision, leading to heightened tensions between the two economic giants.
READ THE STORY: FT
The Emergence of 3AM Ransomware: A New Threat in the Cyber Landscape
Analyst Comments: The 3AM ransomware was discovered after it was deployed in a single incident. The Symantec Threat Hunter Team, a part of Broadcom, shared insights about this new ransomware family with The Hacker News. The ransomware attempts to disrupt multiple services on the compromised computer before starting its encryption routine. Once the encryption process is completed, it tries to delete Volume Shadow Copy Service (VSS) snapshots to prevent data recovery. The ransomware's name, 3AM, is derived from its mention in the ransom note. Additionally, it appends the .threeamtime extension to encrypted files. Currently, there's no clarity on whether the malware's creators have ties with any known cybercrime groups. In the specific attack observed by Symantec, the attacker managed to deploy the ransomware on three machines within the target organization's network. However, it was successfully blocked on two of these machines.
FROM THE MEDIA: A new ransomware family named 3AM has been detected in a cyber incident where an unidentified affiliate attempted to deploy the strain after an unsuccessful effort to deliver LockBit. The 3AM ransomware is written in the Rust programming language and is believed to be a completely new malware family. This ransomware tries to halt multiple services on the infected computer before initiating its encryption process. After encryption, it seeks to delete Volume Shadow Copy Service (VSS) snapshots. The ransomware derives its name from its reference in the ransom note and appends the .threeamtime extension to encrypted files. The exact origins of this ransomware remain uncertain, but its use by a LockBit affiliate suggests it might gain traction among cyber attackers in the future.
READ THE STORY: THN
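The behaviour sequence described above (service stops, encryption with the .threeamtime extension, shadow-copy deletion) is what an endpoint detection rule would key on. The following is an added example, not code from the article or from Symantec: it runs a simple host-level triage over constructed process-creation and file-rename telemetry. The exact commands matched (net stop, vssadmin delete shadows, wmic shadowcopy delete) are assumed as typical ways these actions show up in logs, not details reported for 3AM.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article). One event per line:
#   timestamp|host|kind|detail
# kind "proc" carries a command line; kind "file" carries "old -> new" on rename.
SAMPLE_EVENTS = r"""
2023-09-13T03:01:02|ws-17|proc|net stop MSSQLSERVER
2023-09-13T03:01:03|ws-17|proc|net stop vss
2023-09-13T03:01:04|ws-17|proc|net stop SQLWriter
2023-09-13T03:01:05|ws-17|proc|net stop veeam
2023-09-13T03:01:10|ws-17|file|C:\Docs\q1.xlsx -> C:\Docs\q1.xlsx.threeamtime
2023-09-13T03:01:10|ws-17|file|C:\Docs\plan.docx -> C:\Docs\plan.docx.threeamtime
2023-09-13T03:01:11|ws-17|file|C:\Docs\notes.txt -> C:\Docs\notes.txt.threeamtime
2023-09-13T03:01:20|ws-17|proc|vssadmin delete shadows /all /quiet
2023-09-13T03:01:30|ws-04|proc|net stop spooler
2023-09-13T03:02:00|ws-04|file|C:\Docs\a.txt -> C:\Docs\a.bak
"""

# Assumed indicators of the two non-encryption stages the article describes.
SERVICE_STOP = re.compile(r"^(?:net1?|sc(?:\.exe)?)\s+stop\s+\S+", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
ENCRYPTED_EXT = ".threeamtime"          # extension reported for 3AM


def parse_events(text):
    """Split the pipe-delimited telemetry into dicts, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": ts, "host": host, "kind": kind, "detail": detail})
    return events


def summarize_host(events):
    """Count the three 3AM-like behaviours seen on one host."""
    s = {"service_stops": 0, "shadow_deletion": False, "threeamtime_renames": 0}
    for ev in events:
        if ev["kind"] == "proc":
            if SERVICE_STOP.search(ev["detail"]):
                s["service_stops"] += 1
            if SHADOW_DELETE.search(ev["detail"]):
                s["shadow_deletion"] = True
        elif ev["kind"] == "file" and " -> " in ev["detail"]:
            new_name = ev["detail"].split(" -> ", 1)[1]
            if new_name.lower().endswith(ENCRYPTED_EXT):
                s["threeamtime_renames"] += 1
    return s


def verdict(summary, min_stops=3, min_renames=3):
    """Renames to the 3AM extension are the strongest signal; a burst of
    service stops or a shadow-copy purge alone is an earlier-stage warning."""
    if summary["threeamtime_renames"] >= min_renames:
        return "3am-encryption"
    if summary["service_stops"] >= min_stops or summary["shadow_deletion"]:
        return "ransomware-precursor"
    return "none"


def triage(text):
    """Group events by host and return per-host counts plus a verdict."""
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev["host"]].append(ev)
    result = {}
    for host, evs in by_host.items():
        summary = summarize_host(evs)
        result[host] = dict(summary, verdict=verdict(summary))
    return result


if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        print(host, r)
```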
The Netherlands' Innovative Approach to Cybercrime and the Legacy of the Hansa Operation
Analyst Comments: The Hansa operation stands as a testament to the effectiveness of blending traditional policing with cyber expertise. The NHTCU's approach, which involves selecting individuals from diverse backgrounds who are willing to learn, has proven successful in tackling cybercrime. Van Amelsfort's position, straddling both the technical and tactical worlds, exemplifies the unit's integrated approach. The unit's Cyber Offender Prevention Squad (COPS) initiative, which aims to redirect young potential offenders towards more constructive paths, further underscores their innovative strategies. The program warns users about potential illegal online activities, such as searching for ways to launch DDoS attacks. The NHTCU's emphasis on international collaboration, recognizing the borderless nature of cybercrime, is another crucial aspect of their strategy.
FROM THE MEDIA: The Netherlands' National High Tech Crimes Unit (NHTCU) has set a precedent in the realm of cybercrime investigations by merging traditional policing methods with advanced cyber expertise. In 2017, the unit made headlines by not just shutting down Hansa, a prominent dark web market, but also covertly operating it for nearly a month. This operation showcased the power of combining old-school policing with modern cyber skills. Matthijs van Amelsfort, head of the NHTCU, in an interview with the Click Here podcast, shed light on the unit's unique structure, its "game-changing" ethos, and its proactive approach to cybercrime prevention.
READ THE STORY: The Record
China's Foreign Ministry Responds to Reports of iPhone Restrictions in Government Agencies
Analyst Comments: The clarification from China's Foreign Ministry is significant, especially considering the impact of the initial Wall Street Journal report on Apple's market capitalization. The statement not only addresses the specific issue of iPhone usage in government agencies but also touches upon broader themes of cyber and information security, fair trade, and international cooperation. The emphasis on treating foreign companies with openness and fairness can be seen as a strategic move by China, especially in the context of the ongoing tech and trade tensions with the US. The situation underscores the intricate interplay of technology, trade, and geopolitics in today's global landscape.
FROM THE MEDIA: China's Foreign Ministry has refuted claims suggesting that the government has imposed restrictions on the use of Apple's iPhone. In a recent press conference, Ministry spokesperson Mao Ning clarified that China has not issued any law, regulation, or policy document that prohibits the use of foreign-branded cellphones, including iPhones. This statement comes in response to a Wall Street Journal report that claimed that China had directed officials at central government agencies to refrain from using iPhones and other foreign-branded devices for work purposes. Mao Ning further emphasized China's commitment to cyber and information security, stating that both Chinese and foreign companies are treated equally under the law. The spokesperson also highlighted China's dedication to creating a market-oriented, law-based, and internationalized business environment. The comments can be interpreted as a subtle reference to the ongoing tensions between China and the US, especially considering the sanctions imposed on Chinese vendors like Huawei and ZTE by the US and other nations.
READ THE STORY: The Register
The Pegasus Threat: Exiled Russian Journalist Targeted
Analyst Comments: The Pegasus infection on Timchenko's device underscores the escalating threats journalists face, especially those critical of authoritarian regimes. The fact that such a high-profile journalist was targeted, even while in exile, highlights the lengths to which entities will go to suppress dissenting voices. The use of sophisticated spyware like Pegasus, which can infiltrate devices without user interaction, presents a significant challenge for cybersecurity. The incident serves as a stark reminder of the vulnerabilities even well-informed individuals face and emphasizes the need for robust digital protection measures. The broader implications of this attack, especially considering the geopolitical tensions surrounding Russia, cannot be ignored.
FROM THE MEDIA: Galina Timchenko, a prominent Russian journalist and owner of the independent media outlet Meduza, became the first documented Russian citizen to be targeted by the Pegasus spyware. The Israeli company NSO Group's infamous software was discovered on Timchenko's iPhone while she was attending a private conference in Berlin. This attack occurred shortly after the Russian government banned Meduza for its critical stance on Putin's regime and the ongoing conflict in Ukraine. Although Pegasus is exclusively sold to government agencies, the exact perpetrator behind this attack remains unidentified. However, potential suspects include countries with ties to Russia or nations where Meduza operates or where the infection took place.
READ THE STORY: The Record
The Battle of Semiconductors: China's Push for Technological Independence Amidst US Restrictions
Analyst Comments: The unveiling of Huawei's Mate 60 Pro and its domestically-produced 7nm chip is a significant development in the tech world, particularly against the backdrop of US-China tensions over technology and trade. While the device showcases China's advancements and potential to innovate despite US restrictions, it also raises questions about China's capacity to produce these chips on a large scale. The synchronized social media campaign celebrating Huawei's achievement indicates China's strategic use of propaganda to shape narratives and project its technological prowess.
FROM THE MEDIA: In the midst of ongoing US sanctions, Huawei, the Chinese telecommunications giant, has unveiled its latest smartphone, the Mate 60 Pro. This device boasts an advanced 7 nanometer (nm) Kirin 9000s chip, which is entirely produced in China, enabling the phone to operate with 5G capabilities. The chip's production by the partly state-owned Semiconductor Manufacturing International Corporation (SMIC) suggests China's progress in building a domestic chip ecosystem. However, the US is investigating the smartphone for potential violations of export controls imposed on Huawei and SMIC due to national security concerns. The Mate 60 Pro's release has caused a stir in Chinese social and state media, with many celebrating Huawei's supposed triumph over US sanctions. However, there are doubts about China's ability to mass-produce these advanced semiconductors. Douglas Fuller, an associate professor at Copenhagen Business School, highlighted the difference between producing a functional chip and mass-producing it efficiently and profitably. He questioned the commercial viability of the 7nm chip, noting the absence of evidence that SMIC can produce these chips in high volume and at profitable yields.
READ THE STORY: VOA
MGM Resorts and Caesars Entertainment Targeted by "Scattered Spider" Gang
Analyst Comments: The WebP flaw has been patched in multiple versions of Firefox and Thunderbird. Google has also confirmed the existence of an exploit for CVE-2023-4863 in the wild. Last week, Apple updated its software to address two actively exploited vulnerabilities, which were reportedly used in a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware on fully patched iPhones running iOS 16.6. The exact details of the exploitation of these vulnerabilities remain undisclosed, but it's believed that they are being used to target high-risk individuals, including activists, dissidents, and journalists.
FROM THE MEDIA: Mozilla has released security updates to address a critical zero-day vulnerability in its Firefox and Thunderbird applications. This vulnerability, which has been actively exploited in the wild, was fixed by Google in its Chrome browser just a day prior. The vulnerability, identified as CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format. If exploited, it can lead to arbitrary code execution when a maliciously crafted image is processed. Mozilla's advisory warns that opening such a malicious WebP image could lead to a heap buffer overflow. The National Vulnerability Database (NVD) further describes the flaw as allowing a remote attacker to perform an out-of-bounds memory write via a specially crafted HTML page. Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School reported this security issue.
READ THE STORY: Engadget // FT
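The vulnerability above is a heap buffer overflow reached while decoding a WebP image. The parser below is an added example, not code from the article, from Mozilla or from libwebp: it walks the RIFF/WebP container with explicit bounds checks and reports which bitstream a file carries (lossy VP8, lossless VP8L, or extended VP8X), so a defender can inventory or hold image attachments by type while patches roll out. The sample files are constructed in the block; build_webp is a helper written here for that purpose.

```python
import struct


def build_webp(chunks):
    """Assemble a RIFF/WebP container from (fourcc, payload) pairs.
    Used only to construct the sample files below."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"                 # chunk payloads are padded to even size
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _vp8l_header(p):
    # Lossless bitstream: 0x2F signature, then 14 bits width-1, 14 bits height-1,
    # 1 bit alpha, 3 bits version, packed little-endian.
    if len(p) < 5 or p[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = int.from_bytes(p[1:5], "little")
    if bits >> 29:
        raise ValueError("unsupported VP8L version")
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1, bool(bits >> 28 & 1)


def _vp8_header(p):
    # Lossy key frame: 3-byte frame tag, start code 9D 01 2A, 14-bit width/height.
    if len(p) < 10 or p[3:6] != b"\x9d\x01\x2a":
        raise ValueError("bad VP8 key-frame start code")
    w, h = struct.unpack_from("<HH", p, 6)
    return w & 0x3FFF, h & 0x3FFF, False


def _vp8x_header(p):
    # Extended header: 1 flag byte (0x10 = alpha), 3 reserved, 24-bit canvas w-1/h-1.
    if len(p) < 10:
        raise ValueError("short VP8X chunk")
    w = int.from_bytes(p[4:7], "little") + 1
    h = int.from_bytes(p[7:10], "little") + 1
    return w, h, bool(p[0] & 0x10)


KINDS = {b"VP8 ": ("lossy", _vp8_header), b"VP8L": ("lossless", _vp8l_header),
         b"VP8X": ("extended", _vp8x_header)}


def inspect_webp(data):
    """Describe a WebP file, rejecting any chunk whose size runs past the buffer."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WebP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size != len(data) - 8:
        raise ValueError(f"RIFF size {riff_size} does not match file length")
    info = {"format": None, "bitstream": None, "width": None, "height": None,
            "alpha": False, "animated": False, "chunks": []}
    pos = 12
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        end = pos + 8 + size
        if end > len(data):
            raise ValueError(f"chunk {fourcc!r} claims {size} bytes past end of file")
        payload = data[pos + 8:end]
        info["chunks"].append(fourcc.decode("ascii", "replace"))
        if info["format"] is None:              # the first chunk fixes the layout
            if fourcc not in KINDS:
                raise ValueError(f"unexpected first chunk {fourcc!r}")
            info["format"], parse = KINDS[fourcc]
            info["width"], info["height"], info["alpha"] = parse(payload)
            if fourcc == b"VP8X":
                info["animated"] = bool(payload[0] & 0x02)
            else:
                info["bitstream"] = info["format"]
        elif fourcc in (b"VP8 ", b"VP8L") and info["bitstream"] is None:
            info["bitstream"] = KINDS[fourcc][0]  # image data inside a VP8X container
        pos = end + (size & 1)                  # skip the padding byte
    return info


def is_well_formed(data):
    try:
        inspect_webp(data)
        return True
    except ValueError:
        return False


# Constructed samples: a 16x8 lossless header with alpha, the same bitstream inside
# a 64x32 extended canvas, and a truncated copy that must be rejected.
_VP8L = bytes([0x2F]) + (15 | 7 << 14 | 1 << 28).to_bytes(4, "little") + b"\x00" * 6
SAMPLE_LOSSLESS = build_webp([(b"VP8L", _VP8L)])
SAMPLE_EXTENDED = build_webp([
    (b"VP8X", bytes([0x10, 0, 0, 0]) + (63).to_bytes(3, "little") + (31).to_bytes(3, "little")),
    (b"ALPH", b"\x00" * 4), (b"VP8L", _VP8L)])
SAMPLE_TRUNCATED = SAMPLE_LOSSLESS[:-6]
```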
APT36 Targets Indian Government Servers with Customized Malware
Analyst Comments: The activities of APT36 highlight the evolving nature of cyber threats and the increasing sophistication of threat actors. The group's ability to target both Linux and Windows systems, combined with their use of custom-built tools, indicates a high level of technical expertise. The fact that they have been active for nearly a decade underscores the persistent nature of such threats. Organizations, especially those in sensitive sectors like government and defense, need to be vigilant and proactive in their cybersecurity measures. Regular monitoring, employee training, and the deployment of advanced security solutions are crucial to detect and mitigate such threats.
FROM THE MEDIA: APT36, an Advanced Persistent Threat (APT) group with strong ties to Pakistan, has been identified as the entity behind a series of cyber attacks targeting Indian government servers. This group, known for its espionage activities in South Asia, has been active since 2013 and is notorious for targeting sectors like government, defense, and education in India. Their modus operandi includes credential harvesting, malware distribution, and the use of custom-built remote administration tools specifically designed for Windows. They also employ lightweight Python-compiled espionage tools targeting both Windows and Linux systems. One of their notable malware families, dubbed 'ElizaRAT', is delivered as .NET binaries via password-protected Google Drive archives. This malware deploys as a Control Panel applet, initiating a series of malicious operations. APT36 has also been observed using Linux desktop entry files in some of their attacks, an unusual addition to their arsenal.
READ THE STORY: CyberSecurityNews
US-Canada Water Commission Targeted in Ransomware Attack
Analyst Comments: The cyberattack on the IJC underscores the escalating cybersecurity vulnerabilities faced by critical infrastructure sectors, particularly water management systems. With the NoEscape ransomware gang's increasing audacity, it's evident that such entities are lucrative targets for cybercriminals. The incident also highlights the broader geopolitical implications, as state and federal agencies scramble to bolster their defenses. The proactive move by the Cybersecurity and Infrastructure Security Agency (CISA) to offer free vulnerability scanning to water systems is a step in the right direction. However, the frequency and sophistication of these attacks suggest that a more comprehensive, multi-faceted approach to cybersecurity is urgently needed.
FROM THE MEDIA: The International Joint Commission (IJC), responsible for overseeing water systems along the US-Canada border, has confirmed a cyberattack on its systems. The NoEscape ransomware gang has taken credit for the attack, claiming to have stolen 80 GB of data, including contracts, geological files, and conflict of interest forms. The gang has given the IJC a 10-day window to meet their undisclosed ransom demand. The IJC, established under the 1909 Boundary Waters Treaty, plays a pivotal role in projects affecting water levels and flows across the US-Canada border. While the IJC has acknowledged the cybersecurity incident, it has not provided details on its engagement with law enforcement or any operational challenges faced as a result of the attack. NoEscape's cybercriminal activities have been on the rise since its emergence in May. The group has claimed responsibility for cyberattacks on various global entities, including Germany’s Bar Association, Hawaiʻi Community College, and companies in Australia, Belgium, the US, and the Netherlands.
READ THE STORY: The Record
Items of interest
Pyongyang's Alignment with Beijing and Moscow Amplifies Global Nuclear Concerns
Analyst Comments: Despite the economic challenges, North Korea continues to prioritize its military, allocating an estimated 20%-30% of its GDP to defense. The nation is rapidly advancing its weapons development, with some reports suggesting it now possesses over 100 nuclear warheads. This arsenal poses a direct threat to South Korea and the US forces stationed there. The Biden administration's approach, which has largely been to impose more sanctions, appears ineffective in curbing North Korea's nuclear ambitions. The recent military parade in Pyongyang, attended by Russia's Defense Minister and a member of China's Communist Party, underscores North Korea's strategy: to break free from isolation by forging stronger alliances. Kim Jong Un's vision of transitioning from a US-dominated unipolar world to a multipolar one is gaining momentum. The increasing nuclear capabilities of states opposed to the US and its allies present a pressing concern. The potential for a nuclear conflict in this context is more tangible than it has been in decades, making it a paramount geopolitical challenge for global policymakers.
FROM THE MEDIA: North Korea is capitalizing on the global divide over Ukraine and China, leveraging the formation of an emerging anti-US bloc to strengthen its ties with Beijing and Moscow. The recent meeting between North Korean leader Kim Jong Un and Russian President Vladimir Putin, symbolized by Kim's luxury armored train journey, is being termed a summit of the "anti-West." This renewed camaraderie is reminiscent of Cold War dynamics, but with a significant twist: China, while not overtly present, is a dominant force in this evolving geopolitical triangle. The meeting between the leaders of North Korea and Russia, while short on specifics, signifies the beginning of a deeper cooperation against a shared adversary: the US. The US's strategic alliance-building in the Asia-Pacific, exemplified by the trilateral US-Japan-South Korea Summit in August, has been perceived by North Korea as a threat, signaling an increased American military presence in the region. Russia sees this as an opportunity to support North Korea, offering essential resources like food and energy to help the nation circumvent the crippling sanctions, especially post-pandemic.
READ THE STORY: Bloomberg
Inside North Korea (Video)
FROM THE MEDIA: This is the story of the twists and turns, the great game, that drives the race to end 70 years of hostilities, and a historic summit with North Korea and a US president.
Russia and North Korea meet to discuss weapons and nuclear tech (Video)
FROM THE MEDIA: A meeting of two isolated leaders, usually too afraid of leaving home. North Korea's Kim Jong-Un left his country by armored train for the first time in four years to meet President Putin in Eastern Siberia.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.