Daily Drop (863): | RU: Undersea Cable | WWH Club | UA: SBU | Crimson Palace | POLADA | Dallas Humber | CosmicBeetle | Shadow Apps | Mustang Panda | PIXHELL | COLDRIVER | IN: Cyber Army | Cadet Blizz.
09-11-24
Wednesday, Sept 11 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
Chinese 'Crimson Palace' Cyberespionage Campaign Continues to Target Southeast Asia
Bottom Line Up Front (BLUF): Chinese state-backed hackers, identified as Cluster Alpha, Bravo, and Charlie, have renewed their cyberespionage efforts in Southeast Asia, targeting government and public organizations. Despite disruptions, the campaign, known as Crimson Palace, persists, focusing on exfiltrating sensitive data and regaining access to victim networks using advanced malware tools.
Analyst Comments: China’s cyber operations in Southeast Asia reflect broader geopolitical tensions, particularly disputes over the South China Sea. The ability of these groups to quickly adapt and maintain persistence, even after their tools are detected and blocked, shows the sophistication of Chinese cyber espionage capabilities. The focus on critical government infrastructure suggests a long-term strategic aim to collect intelligence that could influence regional power dynamics, especially given the growing diplomatic friction in the area.
FROM THE MEDIA: Sophos researchers have reported renewed activity from Chinese state-backed hackers in Southeast Asia, part of the ongoing Crimson Palace cyberespionage campaign. The campaign, driven by three hacker groups dubbed Cluster Alpha, Bravo, and Charlie, targets government and public organizations. The attackers have been persistent, using advanced malware like "Tattletale" to infiltrate systems and steal critical data. Despite disruptions, they continue to evolve their tactics, switching to open-source tools to evade detection and maintain long-term access. The espionage efforts, particularly targeting Southeast Asian governments, coincide with escalating regional disputes involving China.
READ THE STORY: The Record
India to Train 5,000 Cyber Commandos to Combat Rising Cybercrime
Bottom Line Up Front (BLUF): India's Ministry of Home Affairs has announced a plan to train 5,000 "Cyber Commandos" over the next five years to bolster the country's cyber defense capabilities. This initiative, led by Minister Amit Shah, is part of a broader strategy that includes the creation of a Cyber Fraud Mitigation Centre and a national registry of suspected cybercriminals. The measures are designed to address the growing threat of cybercrime, particularly as India leads the world in digital payments.
Analyst Comments: India’s move to establish a dedicated corps of cyber commandos reflects the nation's increasing reliance on digital infrastructure and the corresponding need for robust cybersecurity. The initiative comes at a time when cybercrime, particularly related to digital payments and online financial fraud, has surged in India. As cybercriminals often operate without regard to national borders, the creation of a centralized cybercrime coordination platform and a nationwide suspect registry is critical for an effective response. India's role as a global leader in digital payments makes it a key target for cyber threats, necessitating this comprehensive approach.
FROM THE MEDIA: India will train 5,000 specialized "Cyber Commandos" over the next five years to address rising cybercrime, as announced by the Ministry of Home Affairs. This initiative is part of a broader cybersecurity strategy that includes a Cyber Fraud Mitigation Centre and the Samanvay platform, which will facilitate data sharing and coordination across law enforcement agencies. Minister Amit Shah emphasized the importance of securing India's digital transactions, as the country now leads the world in digital payments. These efforts will be coordinated through the Indian Cyber Crime Coordination Centre (I4C), with public awareness campaigns and partnerships with financial institutions to further combat online threats.
READ THE STORY: The Register
Cyber Attack Disrupts TfL Operations, Impacting Services for Disabled Passengers
Bottom Line Up Front (BLUF): Transport for London (TfL) has been hit by a cyberattack, disrupting internal IT systems and services, including Dial-a-Ride for mobility-impaired passengers. While customer data remains unaffected, TfL has taken measures to mitigate further damage and is working with the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) to assess the situation. The attack highlights the increasing vulnerability of critical infrastructure to cyber threats, though no group has yet claimed responsibility.
Analyst Comments: The cyberattack on TfL underscores the growing threats facing critical national infrastructure, particularly from state-sponsored or financially motivated actors. The disruption to services like Dial-a-Ride demonstrates how such attacks can disproportionately affect vulnerable populations, while the potential for broader system failures could disrupt transportation for millions in London. This incident follows a series of cyberattacks on UK institutions, likely exacerbated by geopolitical tensions linked to the Ukraine conflict. The response from TfL, in coordination with national agencies, reflects a heightened focus on cybersecurity resilience.
FROM THE MEDIA: Transport for London (TfL) has been dealing with a cyberattack that has impacted critical IT systems, including Dial-a-Ride, which serves disabled passengers. The attack, which led to staff working from home and restricted access to key systems, did not compromise customer data, according to initial assessments. TfL is working with the NCA and NCSC to investigate the breach, which could potentially lead to broader disruptions if sensitive information is compromised. The cyberattack reflects ongoing risks to the UK's critical infrastructure, especially given the country's involvement in the Ukraine conflict and the rise of ransomware attacks targeting public services.
READ THE STORY: CPOMAG
Kremlin-Linked COLDRIVER Cyberattacks Target Pro-Democracy NGOs
Bottom Line Up Front (BLUF): The COLDRIVER group, linked to the Kremlin, has been identified as the likely culprit behind a cyberattack targeting pro-democracy NGOs in Russia and Belarus, including the Free Russia Foundation. Citizen Lab's investigation revealed that phishing campaigns compromised sensitive data, posing significant threats to those working for NGOs. The attacks could lead to government repression against activists, as their communications with Western organizations may be weaponized by Russian authorities.
Analyst Comments: This incident highlights Russia's continued use of cyberattacks as a tool of repression, especially targeting groups perceived as hostile to the Kremlin’s authoritarianism. The COLDRIVER group, active since 2019, has targeted a range of actors, from NGOs to critical infrastructure, illustrating the regime's broad approach to silencing opposition. The involvement of phishing attacks mimics prior tactics employed by Russian cyber units, underscoring the hybrid nature of modern warfare, where cybersecurity threats can directly lead to human rights abuses.
FROM THE MEDIA: The Free Russia Foundation confirmed that last month’s hack-and-leak operation, which exposed private files and correspondence, was likely conducted by COLDRIVER, a Kremlin-linked cybercrime group. The attack, detailed in a report by Citizen Lab, utilized spearphishing tactics to steal sensitive information from NGOs working in Russia and Belarus. The phishing emails, disguised as legitimate communication from known contacts, led victims to credential-harvesting sites, allowing attackers access to confidential data. The leaked material could serve as a pretext for further government crackdowns on pro-democracy activists. COLDRIVER, associated with the Russian FSB, has a history of targeting civil society groups and conducting cyber operations against Western interests.
READ THE STORY: The Register
CosmicBeetle Deploys Custom ScRansom Ransomware, Affiliates with RansomHub
Bottom Line Up Front (BLUF): CosmicBeetle, a notorious threat actor, has launched a custom ransomware strain called ScRansom, targeting small and medium-sized businesses across several continents. The group, known for its Spacecolon toolkit, is also partnering with the RansomHub gang, indicating increased ransomware collaboration. ScRansom uses advanced techniques, including partial encryption and a destructive "ERASE" mode, to compromise systems.
Analyst Comments: CosmicBeetle’s evolution from using pre-built ransomware to developing its own shows the increasing sophistication of ransomware groups targeting diverse sectors. Its partnership with RansomHub suggests a growing trend of threat actors leveraging collective expertise to enhance their tools and impact. The use of techniques like partial encryption and the "ERASE" mode shows a shift towards quicker, more destructive attacks, making them harder to recover from. As ransomware becomes more tailored and organized, businesses must bolster defenses against rapidly evolving threats.
FROM THE MEDIA: CosmicBeetle, formerly known for deploying Scarab ransomware, has introduced a new custom strain called ScRansom, targeting businesses across Europe, Asia, Africa, and South America. ESET researchers revealed that the group partners with RansomHub, linking their ransomware deployment. ScRansom features advanced capabilities, including partial file encryption and an "ERASE" mode that permanently overwrites data. The ransomware exploits known vulnerabilities to infiltrate networks and uses tools like Reaper and RealBlindingEDR to evade detection. Despite ScRansom's relatively new presence, CosmicBeetle continues to leverage older tactics, including mimicry of the LockBit gang.
READ THE STORY: THN
Kremlin-Linked COLDRIVER Cyberattacks Target Pro-Democracy NGOs
Bottom Line Up Front (BLUF): The COLDRIVER group, linked to the Kremlin, has been identified as the likely culprit behind a cyberattack targeting pro-democracy NGOs in Russia and Belarus, including the Free Russia Foundation. Citizen Lab's investigation revealed that phishing campaigns compromised sensitive data, posing significant threats to those working for NGOs. The attacks could lead to government repression against activists, as their communications with Western organizations may be weaponized by Russian authorities.
Analyst Comments: This incident highlights Russia's continued use of cyberattacks as a tool of repression, especially targeting groups perceived as hostile to the Kremlin’s authoritarianism. The COLDRIVER group, active since 2019, has targeted a range of actors, from NGOs to critical infrastructure, illustrating the regime's broad approach to silencing opposition. The involvement of phishing attacks mimics prior tactics employed by Russian cyber units, underscoring the hybrid nature of modern warfare, where cybersecurity threats can directly lead to human rights abuses.
FROM THE MEDIA: The Free Russia Foundation confirmed that last month’s hack-and-leak operation, which exposed private files and correspondence, was likely conducted by COLDRIVER, a Kremlin-linked cybercrime group. The attack, detailed in a report by Citizen Lab, utilized spearphishing tactics to steal sensitive information from NGOs working in Russia and Belarus. The phishing emails, disguised as legitimate communication from known contacts, led victims to credential-harvesting sites, allowing attackers access to confidential data. The leaked material could serve as a pretext for further government crackdowns on pro-democracy activists. COLDRIVER, associated with the Russian FSB, has a history of targeting civil society groups and conducting cyber operations against Western interests.
READ THE STORY: The Register
Poland Disrupts Russian-Belarusian Cyber Sabotage Operation Targeting Critical Infrastructure
Bottom Line Up Front (BLUF): Polish security forces dismantled a cyber sabotage group linked to Russia and Belarus, known as Beregini, following an attack on Poland's anti-doping agency. The group, which posed as a Ukrainian hacking collective, had attempted to compromise sensitive Polish institutions, part of a broader surge in cyberattacks targeting Poland due to its support for Ukraine.
Analyst Comments: The disruption of the Beregini operation highlights the persistent threat posed by state-linked cyber groups, especially amid the Ukraine conflict. Poland has become a prime target for Russian and Belarusian cyber operations as it plays a key role in supporting Ukraine. This operation's goal of destabilizing Poland’s political and military systems aligns with Russia’s broader strategy of cyber warfare aimed at undermining NATO’s Eastern flank. With cyberattacks doubling over the past year, Poland’s focus on bolstering cybersecurity measures is essential as digital sabotage becomes an increasingly common tool in geopolitical conflicts.
FROM THE MEDIA: Polish authorities revealed that the Beregini cyber group, linked to Russian and Belarusian intelligence, had been dismantled following an attack on the Polish Anti-Doping Agency (POLADA). The group claimed responsibility for leaking over 50,000 files, citing political motivations tied to the Olympic Games. Poland’s Minister of Digital Affairs, Krzysztof Gawkowski, noted that over 400,000 cyberattacks have targeted the country in 2024 alone, emphasizing the rising threat from pro-Russian groups. Authorities have taken additional steps to secure critical infrastructure against future threats, as Poland continues to face cyber pressure due to its stance on Ukraine.
READ THE STORY: Politico // SCMAG
Shadow Apps: A Growing Threat to SaaS Data Security
Bottom Line Up Front (BLUF): Shadow apps, which are SaaS applications adopted without the security team's knowledge, are becoming a major security risk. These apps, often unapproved and unmonitored, can expose organizations to data breaches, compliance violations, and increased attack surfaces, particularly when integrated with core systems.
Analyst Comments: The rise of shadow apps highlights the complexity of securing modern SaaS environments, where unsanctioned applications often operate in organizational blind spots. These apps, whether standalone or integrated into broader systems, can lead to serious vulnerabilities. Shadow apps bypass regular security protocols, making it essential for businesses to adopt robust SaaS Security Posture Management (SSPM) tools. These tools help detect unauthorized apps and mitigate risks, ensuring security compliance across all SaaS applications.
FROM THE MEDIA: Shadow apps—SaaS tools not sanctioned by IT—pose significant risks to data security and regulatory compliance. Often purchased without the knowledge of security teams, these apps lack governance and can expose sensitive corporate data. Two types of shadow apps are particularly dangerous: standalone apps, which operate in isolation, and integrated apps that connect with existing systems via APIs. Organizations must adopt SaaS Security Posture Management (SSPM) tools to detect and manage these applications, ensuring they do not introduce vulnerabilities or violate compliance standards.
READ THE STORY: THN
White Supremacist Group Leaders Indicted for Using Telegram to Incite Attacks
Bottom Line Up Front (BLUF): Two U.S. leaders of the Terrorgram Collective, a white supremacist group, have been charged with terrorism and hate crimes for using Telegram to promote violence. They allegedly encouraged attacks on minority groups and critical infrastructure, providing instructions for terrorism and assassination targets, with other individuals arrested for related crimes abroad.
Analyst Comments: The indictment of Dallas Humber and Matthew Allison underscores the persistent threat of extremist groups leveraging unmoderated platforms like Telegram to spread violent ideologies. The group’s transnational reach and use of encrypted communication highlight the challenges of regulating digital platforms where harmful content can thrive. This case illustrates the role of social media in amplifying hate-based movements, which have the potential to incite violence both domestically and internationally. Telegram's ongoing scrutiny for facilitating such activities raises broader questions about platform accountability in combating organized crime and extremism.
FROM THE MEDIA: Dallas Humber and Matthew Allison, alleged leaders of the white supremacist group Terrorgram Collective, were arrested after using Telegram to promote their ideology and plan attacks. The group targeted minorities and government officials, sharing detailed guidance on terrorist activities. The DOJ revealed that their network also influenced attacks abroad, including shootings and stabbings. Telegram, already under fire for its lack of content moderation, has faced increased scrutiny since the arrest of its founder Pavel Durov, who is being investigated for facilitating various forms of organized crime on the platform.
READ THE STORY: The Record
New PIXHELL Attack Uses Screen Noise to Steal Data from Air-Gapped Computers
Bottom Line Up Front (BLUF): Researchers have uncovered a novel side-channel attack named PIXHELL, which uses pixel patterns on LCD screens to emit acoustic signals, enabling data exfiltration from air-gapped systems. By manipulating pixel configurations, the attack generates specific sound frequencies that can be captured by nearby devices, bypassing traditional audio hardware.
Analyst Comments: The PIXHELL attack demonstrates the growing sophistication of side-channel exploits targeting air-gapped systems, which are typically considered highly secure. By leveraging seemingly harmless components like LCD screens, attackers can breach isolated environments without physical connectivity. While the method's visibility might limit its practical deployment, it underscores the need for advanced countermeasures in high-security environments. Defending against such attacks requires vigilance, including acoustic jamming and strict physical access controls.
FROM THE MEDIA: The PIXHELL attack, developed by researchers at Ben Gurion University, exploits the acoustic noise generated by pixel patterns on LCD screens to steal sensitive data from air-gapped computers. Unlike previous attacks, PIXHELL doesn't need traditional audio components like speakers. Instead, it manipulates power consumption within the screen, producing high-frequency sound waves. These signals can then be intercepted by nearby devices, enabling covert data transmission. Countermeasures include using acoustic jammers and monitoring for unusual screen patterns or sound emissions.
READ THE STORY: THN
Russian and Kazakhstani Men Indicted in Miami for Running Cybercrime Training Service
Bottom Line Up Front (BLUF): Two men, Alex Khodyrev and Pavel Kublitskii, have been indicted in the U.S. for running WWH Club, a major Russian-language cybercrime marketplace. The platform, described as a hub for cybercriminal activity, offers services like stolen credit card data and personal information training. Both suspects face up to 20 years in prison if convicted.
Analyst Comments: The indictment of WWH Club administrators highlights the U.S. government's increasing focus on dismantling cybercrime infrastructure that facilitates global financial fraud. With over 350,000 users, WWH Club is part of a broader ecosystem that enables both seasoned and inexperienced hackers to engage in illicit activities. The longevity of such platforms, even after administrator arrests, underscores the challenge of tackling decentralized cybercrime networks, which can persist by adapting and continuing under new leadership.
FROM THE MEDIA: Alex Khodyrev and Pavel Kublitskii, key administrators of the WWH Club cybercrime marketplace, were arrested in Miami after two years of residing in the U.S. under asylum claims. WWH Club, which has been operating since 2014, serves as a platform for cybercriminals to exchange stolen data and receive training on fraud tactics. The FBI obtained a server copy of the site in 2020, leading to ongoing investigations. Despite the arrests, the forum continues to operate, with some user accounts deleted to avoid law enforcement scrutiny.
READ THE STORY: CyberScoop
Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments
Bottom Line Up Front (BLUF): The cyber espionage group Mustang Panda, also known as Earth Preta, has advanced its malware arsenal, targeting government entities across the Asia-Pacific region. Utilizing new tools like PUBLOAD and DOWNBAIT, the group executes multi-stage attacks, facilitating data exfiltration and remote access, particularly in Myanmar, the Philippines, and Taiwan.
Analyst Comments: Mustang Panda’s evolving tactics, including the use of multi-stage malware and customized tools like PUBLOAD and PlugX, showcase their growing sophistication. The group’s focus on government targets in politically sensitive regions like Southeast Asia aligns with broader geopolitical espionage efforts likely backed by state actors. The use of spear-phishing to deploy these advanced tools highlights the continued reliance on social engineering in cyber espionage campaigns. The ability to refine malware and integrate cloud services for data exfiltration demonstrates their adaptability in evading detection and exploiting vulnerabilities in government networks.
FROM THE MEDIA: Mustang Panda has upgraded its malware capabilities, with Trend Micro tracking new tools like PUBLOAD and FDMTP used in espionage attacks on Asia-Pacific governments. The group targets entities through spear-phishing emails, deploying multi-stage malware like PlugX to steal sensitive files. Recent campaigns have focused on countries like Myanmar, Vietnam, and Taiwan, with Mustang Panda leveraging advanced techniques like remote shell execution and data exfiltration through cloud services. Researchers noted the group’s ability to propagate malware via removable drives and manipulate Microsoft services for further infiltration.
READ THE STORY: THN
Ukrainian Detained for Allegedly Assisting Russian Attacks via CCTV Surveillance
Bottom Line Up Front (BLUF): Ukrainian security services (SBU) arrested a Kharkiv resident accused of installing surveillance cameras to aid Russian intelligence in targeting critical infrastructure. The suspect allegedly used remote-access CCTV cameras to monitor Ukrainian defense systems and relay information to Russia, contributing to the planning of airstrikes.
Analyst Comments: This incident highlights the tactical use of surveillance technology in modern warfare, where even everyday devices like CCTV cameras can be weaponized for espionage. Russia’s ability to recruit local assets via platforms like Telegram shows the increasing intersection of cyber and physical espionage. Ukraine’s swift action to neutralize such threats underscores the critical need to secure even civilian infrastructure from exploitation in hybrid warfare scenarios.
FROM THE MEDIA: A Ukrainian citizen was arrested in Kyiv after allegedly setting up remote-controlled CCTV cameras to aid Russian military intelligence. The SBU claims the suspect was recruited by Russia’s GRU and used the surveillance equipment to monitor critical infrastructure, particularly targeting defense systems. He reportedly installed the cameras in high-rise apartments to provide real-time footage of Russian airstrikes. The suspect faces life imprisonment for espionage and sabotage activities. Both Russia and Ukraine have increasingly leveraged civilian surveillance systems in their ongoing conflict, turning ordinary security devices into tools for warfare.
READ THE STORY: The Record
U.S. Offers $10 Million for Information on Russian Cadet Blizzard Hackers
Bottom Line Up Front (BLUF): The U.S. government, along with international partners, has identified the Cadet Blizzard hacking group as being linked to Russia's GRU Unit 29155. Active since 2020, the group is responsible for cyberattacks against critical infrastructure across NATO and allied countries. The U.S. Department of Justice has indicted five GRU officers involved in these operations and is offering up to $10 million for information on their whereabouts. The group’s activities have intensified since the invasion of Ukraine, focusing on disrupting aid efforts to the country.
Analyst Comments: The exposure of Cadet Blizzard, tied to the notorious GRU Unit 29155, marks another chapter in Russia's long-running cyber warfare campaign. This unit, previously linked to destabilization efforts in Europe, has broadened its scope to include cyber espionage and sabotage. Its attack on Ukrainian infrastructure using WhisperGate malware exemplifies the hybrid nature of modern conflicts, where digital warfare supports broader geopolitical goals. The $10 million bounty signifies the U.S.’s commitment to countering these persistent threats, which target not only national security but also civilian infrastructure.
FROM THE MEDIA: The Cadet Blizzard hacking group, linked to the Russian GRU’s Unit 29155, has been implicated in global cyber espionage and sabotage efforts, with a particular focus on disrupting aid to Ukraine. In an international operation dubbed Toy Soldier, the U.S. and its allies have issued indictments against five Russian officers for their roles in these operations. Since 2020, Cadet Blizzard has targeted critical sectors such as finance, healthcare, and energy, using tools like WhisperGate malware to wreak havoc on NATO-aligned nations. The U.S. is offering $10 million for information on the hackers' activities and whereabouts.
READ THE STORY: THN
Items of interest
Russia's Naval Activity Raises US Concerns of Undersea Cable Sabotage
Bottom Line Up Front (BLUF): US officials are increasingly alarmed by heightened Russian naval activity near global undersea infrastructure, particularly deep-sea cables, which could be at risk of sabotage. The secretive Russian unit GUGI, specializing in deep-sea operations, is suspected of preparing for potential disruptions to critical communication links, raising fears of destabilization in international networks.
Analyst Comments: Russia's focus on undersea cables, essential for global communications, points to a strategy of asymmetric warfare. These cables carry over 95% of the world’s internet data, making them a prime target for any nation looking to destabilize adversaries without overt military engagement. Historically, both Russia and other powers have used cyber and physical sabotage as strategic tools. If successful, such actions could cause significant disruptions to global economies and military communications, escalating tensions further amid ongoing geopolitical conflicts, especially in light of NATO’s involvement in Ukraine.
FROM THE MEDIA: US intelligence has flagged increased Russian naval presence near deep-sea cables, with the GUGI unit suspected of plotting sabotage. GUGI, known for operating specialized submarines and naval drones, is part of Russia’s broader effort to develop undersea warfare capabilities. Damaging these cables could severely impact internet and communication traffic, vital for governments and businesses alike. Similar concerns arose in 2023 when Nordic broadcasters exposed Russian ships suspected of surveilling cables and wind farms. Amid rising cyberattacks, this issue exacerbates existing fears of potential escalations involving critical infrastructure.
READ THE STORY: The Register
The Mystery of the Vanishing Undersea Cable (Video)
FROM THE MEDIA: In 2021, a research cable off the coast of Norway was severed. It may have been accidentally snagged by a fishing vessel, but analysts allege it may be part of a wider pattern of Russian sabotage.ems.
US and allies warn of increased Russian activities near undersea cables (Video)
FROM THE MEDIA: Undersea cables, crucial to global communications, have recently become focal points of geopolitical tensions between Russia and the U.S. These cables, which sprawl across ocean floors, are vital for international data and power transfer, facilitating approximately $10 trillion in daily transactions.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.