Friday, Dec 13, 2024 // (IG): BB // GITHUB // SGM Jarrell
Decoding China’s Propaganda Infrastructure: A Focus on ICCs
Bottom Line Up Front (BLUF): China has dramatically increased its global propaganda reach by establishing over 100 International Communication Centers (ICCs) since 2018, with most emerging after 2023. These centers leverage sophisticated social media strategies, foreign influencers, and local partnerships to promote pro-China narratives and influence public opinion during geopolitical crises. Despite resource and credibility challenges, ICCs signify an evolution in China’s propaganda apparatus.
Analyst Comments: The rapid expansion of ICCs highlights the Chinese Communist Party's intent to centralize and modernize its influence strategies. ICCs underscore China’s commitment to reshaping global perceptions of its policies and culture by employing tailored messaging and exploiting digital platforms like TikTok and YouTube. However, the effectiveness of these centers is limited by inherent credibility issues and operational constraints. Moving forward, governments and social media platforms must prioritize transparency and monitor these operations to mitigate covert influence campaigns.
FROM THE MEDIA: China has scaled up its propaganda activities by establishing over 100 International Communication Centers (ICCs) since 2018, many since 2023. These hubs focus on “precise communication” strategies, tailoring content to resonate with specific demographics. Fujian’s ICC, for example, manages TikTok accounts targeting Taiwanese users, using cultural and critical political messaging. Additionally, ICCs collaborate with foreign media, influencers, and journalists to amplify China’s global narratives. Despite these efforts, challenges like lack of expertise, insufficient funding, and reliance on central media limit their effectiveness. ICCs aim to counter anti-China sentiment while promoting economic and geopolitical interests, especially during crises.
READ THE STORY: Recorded Future
Vodafone-Three Merger Signals Potential Revival for European Telecom Sector
Bottom Line Up Front (BLUF): The UK’s Competition and Markets Authority (CMA) approved the merger of Vodafone and Three UK, signaling a shift in regulatory attitudes towards consolidation in the telecom sector. This decision reflects a growing emphasis on investment in infrastructure, such as 5G rollout, rather than structural remedies like asset sales.
Analyst Comments: This merger’s approval could create a more favorable environment for telecom operators in Europe. By prioritizing investment commitments over strict de-consolidation requirements, regulators may address the sector's systemic challenges, including underinvestment and intense competition. However, challenges persist, particularly with competitive pressures from mobile virtual network operators (MVNOs) that benefit from low-cost network access. If this trend continues, it could return investor interest to a historically undervalued sector.
FROM THE MEDIA: The Vodafone-Three merger, valued at £16.5 billion, received approval from the UK’s CMA without major structural remedies. This decision allows Vodafone to achieve £700 million in cost and investment savings while committing £11 billion to network investment. Analysts suggest this could improve the combined group’s return on capital. The CMA's focus on investment aligns with broader recommendations from regulatory figures like Mario Draghi, who emphasized prioritizing infrastructure commitments over asset sales. The decision is a potential turning point for European telecom operators, who have long struggled with declining revenues and a challenging regulatory environment.
READ THE STORY: FT
Russian Turla Group Adopts Cybercriminal Tools to Target Ukrainian Military
Bottom Line Up Front (BLUF): The Russian Turla group has been leveraging cybercrime tools and infrastructure, including Amadey malware, to infiltrate Ukrainian military networks. Microsoft researchers have linked these campaigns to espionage efforts aimed at data exfiltration and long-term intelligence gathering, complicating attribution and expanding attack vectors.
Analyst Comments: Turla’s adoption of cybercriminal tools demonstrates a cost-effective and covert strategy to expand its operations. By repurposing third-party infrastructure and malware, the group obscures its activities and complicates attribution. This shift reflects broader trends in threat actor behavior, where state-sponsored groups increasingly blend criminal and espionage techniques. Organizations in geopolitical hotspots like Ukraine must enhance defenses against such hybrid operations, including robust threat detection and proactive intelligence sharing.
FROM THE MEDIA: Between March and April 2024, Turla used the Amadey bot malware—initially designed for cryptocurrency mining—to implant advanced backdoors such as Tavdig and KazuarV2 on devices associated with the Ukrainian military. These backdoors enabled long-term access while bypassing traditional security measures. Microsoft noted this tactic aligns with Turla’s recent trend of leveraging third-party tools and infrastructure. For instance, in January 2024, the group exploited a backdoor controlled by another Russian-aligned actor, Storm-1837, targeting Ukrainian drone operators. Turla’s broader activities extend to foreign ministries, embassies, and defense companies worldwide. In a separate campaign, Turla repurposed Pakistani APT infrastructure to conduct espionage targeting Afghanistan and India. These efforts are attributed to Russia’s Federal Security Service (FSB), highlighting the group’s alignment with state intelligence objectives.
READ THE STORY: Cyberscoop // The Record
CISA Director Warns of Chinese Cyber Threats to U.S. Infrastructure
Bottom Line Up Front (BLUF): Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), warned that recent Chinese cyber intrusions represent only the "tip of the iceberg" of potential attacks on U.S. critical infrastructure. These actions, linked to state-sponsored groups like the Volt Typhoon, aim to disrupt essential services and sow societal panic during a U.S.-China conflict, particularly over Taiwan.
Analyst Comments: China’s evolving strategy of embedding cyber actors into U.S. telecommunications and critical infrastructure underscores the severity of the threat. These intrusions not only highlight vulnerabilities in private sector-managed systems but also reflect a focus on preemptive disruption capabilities. Increased investment in resilience, secure-by-design technology, and cross-sector collaboration is essential. To mitigate potential national security impacts, businesses must treat cyber risk as a core governance priority.
FROM THE MEDIA: During the Cyber Initiatives Group Winter Summit, Easterly emphasized that Chinese state-backed actors like Volt Typhoon have been embedding themselves in U.S. critical infrastructure to prepare for potential conflict scenarios. The Salt Typhoon espionage breach, discovered six months ago, has exposed the challenges of eradicating embedded threats from telecommunications systems. Volt Typhoon, active in probing pipelines, water facilities, and communication networks, has been linked to efforts that could disrupt essential services during a crisis in the Taiwan Strait. Easterly noted that these attacks focus on creating societal chaos and deterring U.S. military mobilization. Easterly also highlighted the importance of public-private partnerships, improved cyber hygiene, and secure-by-design principles in mitigating these threats. CISA’s efforts to enhance resilience include outreach to CEOs, strengthening information-sharing frameworks, and advocating for encrypted communications to protect against adversarial exploitation.
READ THE STORY: The Cipher
Ivanti Patches Critical Authentication Bypass and SQL Injection Vulnerabilities
Bottom Line Up Front (BLUF): Ivanti has addressed critical vulnerabilities in its Cloud Services Appliance (CSA), including an authentication bypass (CVE-2024-11639) with a CVSS score of 10. Exploiting these flaws could allow remote attackers to gain administrative access or execute arbitrary SQL commands. The latest version, CSA 5.0.3, mitigates these risks, and Ivanti reports no evidence of active exploitation before disclosure.
Analyst Comments: These vulnerabilities highlight the critical importance of securing management interfaces for cloud infrastructure. With a CVSS score of 10, CVE-2024-11639 poses an exceptionally high risk to organizations using affected versions of Ivanti CSA. While no active exploitation has been reported, threat actors will likely probe unpatched systems. Organizations should prioritize applying updates and bolstering monitoring of these critical systems. The disclosure also underscores the value of proactive vulnerability management and responsible disclosure processes.
FROM THE MEDIA: Ivanti released CSA version 5.0.3 to address multiple vulnerabilities in its Cloud Services Appliance. The most critical flaw, CVE-2024-11639, allows remote unauthenticated attackers to bypass authentication and gain administrative access. Additionally, two critical SQL injection vulnerabilities (CVE-2024-11772 and CVE-2024-11773) permit remote authenticated attackers with admin privileges to execute arbitrary SQL statements. In a related security update from early October, Ivanti addressed three other CSA vulnerabilities (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) and a chained zero-day (CVE-2024-8963), which had been exploited in the wild. These earlier flaws were actively leveraged by attackers to perform SQL injection, command execution, and path traversal attacks on CSA gateways.
READ THE STORY: SA
U.S. Sanctions Chinese Firm Sichuan Silence for Role in Ragnarok Ransomware Attacks
Bottom Line Up Front (BLUF): The U.S. Treasury Department has sanctioned Sichuan Silence, a Chinese cybersecurity firm, for its role in exploiting a Sophos XG firewall zero-day vulnerability (CVE-2020-12271) to deploy Ragnarok ransomware in 2020. The attack targeted 81,000 firewalls globally, including critical U.S. infrastructure. The U.S. Department of Justice has also indicted Sichuan Silence researcher Guan Tianfeng (aka GbigMao), who developed the exploit.
Analyst Comments: This development highlights the increasingly aggressive nature of Chinese cyber operations targeting critical infrastructure. Sanctions on Sichuan Silence and Guan Tianfeng are significant steps toward curbing state-sponsored cyberattacks. Using a zero-day exploit underscores the importance of timely patching and robust threat intelligence. However, this incident also reveals the challenges in securing supply chains and infrastructure against sophisticated adversaries. Continued international collaboration and investment in proactive defenses are essential to mitigating these risks.
FROM THE MEDIA: In April 2020, Sichuan Silence and Guan Tianfeng exploited a zero-day vulnerability in Sophos XG firewalls (CVE-2020-12271) to compromise 81,000 devices worldwide. Victims included 23,000 U.S.-based systems, with 36 linked to critical infrastructure entities, such as a U.S. energy company. Guan reportedly attempted to deploy Ragnarok ransomware across the infected networks, though many attacks were thwarted before significant damage occurred. The Treasury Department sanctioned Sichuan Silence and Guan, prohibiting U.S. citizens and entities from conducting business with them. The State Department has also offered a $10 million bounty for information about their operations. Sophos, which patched the vulnerability in 2020, applauded the sanctions and emphasized their ongoing efforts to disrupt Chinese cyber campaigns.
READ THE STORY: SNG
Cybersecurity Must Be America’s Top Priority to Prevent Catastrophic Digital Attacks
Bottom Line Up Front (BLUF): As cyber threats from state-sponsored actors like Salt Typhoon and Volt Typhoon increase, the U.S. must strengthen its cyber defenses to protect critical infrastructure. Weaknesses such as outdated systems, poor cybersecurity practices, and insufficient training leave the nation vulnerable to large-scale disruptions that could affect utilities, communications, and financial systems. Preparing for these threats must become a cornerstone of the national agenda.
Analyst Comments: Rep. Morgan Luttrell’s comparison of the cyber threat landscape to the advent of nuclear technology aptly underscores digital connectivity's transformative and dual-use nature. The pervasive reliance on networks across industries demands a comprehensive cybersecurity approach beyond reactive measures. Proactive strategies, such as mandating cybersecurity training, securing supply chains, and integrating threat intelligence, will be key to mitigating risks from groups like Salt Typhoon. Federal leadership must drive change, but businesses and individuals also play critical roles in building national resilience.
FROM THE MEDIA: In a recent commentary, Rep. Morgan Luttrell emphasized the growing risks posed by state-sponsored hacking groups like China’s Salt Typhoon and Volt Typhoon. These adversaries exploit common vulnerabilities, including weak passwords, unencrypted data, and default software configurations, to target U.S. telecommunications and other critical infrastructure. Luttrell warned that future conflicts may begin with cyberattacks capable of crippling essential services such as water, power, and financial systems. His recommendations include integrating cybersecurity into business plans, mandating robust internal practices, and prioritizing national resilience in federal budgets. Luttrell also called on the incoming administration to make cybersecurity a central component of its governance strategy.
READ THE STORY: Cyberscoop // Industrial
Sen. Wyden Proposes Telecom Cybersecurity Legislation Amid Salt Typhoon Hacks
Bottom Line Up Front (BLUF): Senator Ron Wyden (D-OR) introduced the Secure American Communications Act, mandating telecom providers meet stringent cybersecurity standards to counter nation-state threats like China’s Salt Typhoon group. The legislation addresses systemic weaknesses in U.S. telecom networks exploited for espionage, including high-profile targets such as government officials.
Analyst Comments: Salt Typhoon’s success in breaching U.S. telecom infrastructure underscores the urgent need for comprehensive regulatory measures. While the proposed legislation addresses immediate security gaps, implementing generational upgrades to telecom hardware and ensuring compliance will require significant investment and coordination. The act reflects a growing recognition in Congress of the vulnerabilities of outdated infrastructure and insufficient oversight. Moving forward, collaboration between telecom providers, regulators, and security agencies will be critical to securing communications against advanced persistent threats.
FROM THE MEDIA: In response to widespread breaches by China’s Salt Typhoon hackers, Senator Ron Wyden proposed the Secure American Communications Act, requiring the Federal Communications Commission (FCC) to enforce cybersecurity rules for telecom systems. The legislation demands that carriers prevent unauthorized access, conduct annual compliance testing, and submit to independent audits. Wyden criticized the FCC for failing to implement security measures mandated under the Communications Assistance for Law Enforcement Act (CALEA) of 1994. Salt Typhoon hackers reportedly accessed sensitive communications of U.S. officials, including President-elect Donald Trump and Vice President-elect JD Vance, highlighting systemic weaknesses. The proposed act gives the FCC one year to draft security standards in collaboration with CISA and intelligence officials. While Wyden’s previous cybersecurity bills have faced hurdles, the urgency created by Salt Typhoon’s breaches may galvanize support for stricter telecom security laws.
READ THE STORY: The Register // The Washington Times
Mitigating the Russian Cyber Threat: Strategies for Businesses
Bottom Line Up Front (BLUF): Amid escalating geopolitical tensions, Russian cyber adversaries exploit unpatched vulnerabilities in critical infrastructure and supply chains. Groups like APT29 (Cozy Bear) deploy increasingly stealthy and sophisticated tactics. Businesses are urged to implement robust cybersecurity measures, including threat modeling, proactive detection, and rigorous patch management, to mitigate risks from these persistent threats.
Analyst Comments: Russian cyber operations represent a coordinated and well-resourced challenge to Western critical infrastructure and business systems. Integrating cyber activities into Moscow's geopolitical strategies emphasizes the need for businesses to align their cybersecurity practices with nation-state-level threats. Persistent campaigns such as supply chain infiltrations demand advanced anomaly detection, threat intelligence sharing, and collaborative responses across sectors. The difficulty of attribution further complicates the response, necessitating heightened vigilance and investment in proactive defenses.
FROM THE MEDIA: Organizations like the UK's National Cyber Security Centre and U.S. agencies have flagged unpatched vulnerabilities as primary entry points for Russian hackers. Supply chain attacks, such as the notorious SolarWinds incident, illustrate the sophistication and patience of these adversaries, who invest in stealthy operations and custom malware development. To counter these threats, businesses are advised to strengthen their cybersecurity frameworks, focusing on patch management, anomaly detection, and threat hunting. Advanced tools like honeypots and proactive defenses are crucial in detecting and mitigating threats before significant damage occurs. The call to adopt a "not if, but when" mindset reflects the inevitability of cyber incidents and the importance of resilience in the face of persistent threats.
READ THE STORY: ITPro
U.S. Indicts 14 North Korean IT Workers for Fraud and Cybercrime
Bottom Line Up Front (BLUF): The U.S. Department of Justice (DOJ) has indicted 14 North Korean IT workers accused of generating $88 million over six years through fraudulent employment schemes targeting U.S. companies. These individuals used stolen identities to secure remote IT jobs, funneling earnings to North Korea. The indictment also revealed cases of extortion involving the release of sensitive employer data.
Analyst Comments: North Korea’s use of IT workers in financial and cybercriminal schemes underscores the regime's resourceful approach to sanctions evasion and revenue generation. The indictment is a critical step in countering these tactics, but it highlights the need for organizations to improve hiring verification processes and cybersecurity defenses. The DOJ’s actions and international coordination could help disrupt these schemes, but Pyongyang’s capacity to adapt and escalate its operations remains a persistent challenge.
FROM THE MEDIA: The DOJ announced the indictment of 14 North Korean IT workers for fraudulently securing U.S. IT jobs and redirecting millions in wages to North Korea. These workers, operating through front companies in China and Russia, posed as U.S. citizens using false identities. Once employed, some gained access to sensitive business data, which they leveraged for extortion.
The scheme, linked to North Korean firms Yanbian Silverstar and Volasys Silverstar, operated for six years, exploiting remote work trends. The DOJ has seized $764,800 related to the conspirators and issued rewards of up to $5 million for information on the suspects.
According to experts, the group’s evolving tactics include escalating ransom demands and targeting cryptocurrency transactions. These developments reflect a broader trend in North Korea’s cyber strategy, which integrates espionage, financial fraud, and ransomware to support the regime.
READ THE STORY: Cyberscoop
Operation Digital Eye: China-Linked APT Targets Southern European IT Providers
Bottom Line Up Front (BLUF): A suspected China-linked APT group launched "Operation Digital Eye," targeting IT service providers in Southern Europe between late June and mid-July 2024. To evade detection, the campaign exploited trusted tools, such as Visual Studio Code Remote Tunnels and Microsoft Azure, for command-and-control (C2) operations. SentinelOne and Tinexta Cyber detected and disrupted the operation before a significant downstream impact occurred.
Analyst Comments: This operation underscores an evolving trend among China-linked APT groups toward leveraging legitimate tools and platforms to disguise malicious activities. By abusing trusted development technologies like Visual Studio Code, the attackers aimed to blend into everyday operations, challenging traditional detection systems. The strategic targeting of IT service providers reflects an effort to compromise the supply chain and access downstream organizations. Future campaigns will likely replicate these tactics, necessitating enhanced monitoring of both cloud infrastructure and widely trusted tools.
FROM THE MEDIA: Between late June and mid-July 2024, a China-linked threat actor conducted “Operation Digital Eye,” targeting IT service providers in Southern Europe. These companies, pivotal in managing data, infrastructure, and cybersecurity for various industries, presented high-value targets for cyberespionage. SentinelOne and Tinexta Cyber identified the campaign, which used Visual Studio Code Remote Tunnels for C2 operations, the first observed instance of this tactic by a Chinese APT group. Attackers exploited SQL injection and PHP-based web shells like PHPsert for initial access and persistence. They also employed advanced techniques such as pass-the-hash, custom Mimikatz modifications (mimCN), and SSH-enabled lateral movement. The threat actors relied on European infrastructure, including M247 and Microsoft Azure, to blend in with legitimate operations and avoid detection.
READ THE STORY: SA
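The tunnel-based C2 described above is a detection problem as much as a prevention one: a legitimate signed binary is doing the beaconing. The following hunt script is an added example written for this digest, not code from SentinelOne, Tinexta Cyber, or Microsoft. It runs over constructed, Sysmon-style JSON events and flags three things: a VS Code binary started with the `tunnel` subcommand, such a launch whose parent is a web server or PHP worker (the foothold a PHP web shell provides), and DNS lookups of the tunnel service endpoints. The endpoint suffixes and the parent-process list are assumptions to verify against Microsoft's documentation and your own environment.

```python
"""Hunt for Visual Studio Code Remote Tunnel abuse in endpoint telemetry.

Added example for this digest. The events below are constructed in a
simplified Sysmon-like JSON-lines shape; they are not real telemetry.
"""
import json
from dataclasses import dataclass

# Assumed service endpoints for VS Code Remote Tunnels; verify against
# Microsoft's current documentation before using this as a production rule.
TUNNEL_DOMAIN_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

# Binaries that can start a tunnel, and parents that should never start one
# (a web server or PHP worker launching a tunnel is the web-shell pattern).
VSCODE_BINARIES = {"code.exe", "code", "code.cmd"}
WEB_SHELL_PARENTS = {"w3wp.exe", "php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe"}

# Constructed sample telemetry: one benign VS Code launch, one tunnel spawned
# by php-cgi.exe, one tunnel DNS lookup, one benign update lookup, one tunnel
# started interactively by a user.
SAMPLE_EVENTS = r"""
{"type": "process_create", "host": "srv01", "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "cmdline": "Code.exe --version", "parent": "explorer.exe"}
{"type": "process_create", "host": "srv01", "image": "C:\\Users\\svc\\code.exe", "cmdline": "code.exe tunnel --accept-server-license-terms --name srv01", "parent": "php-cgi.exe"}
{"type": "dns_query", "host": "srv01", "query": "global.rel.tunnels.api.visualstudio.com", "process": "code.exe"}
{"type": "dns_query", "host": "ws07", "query": "update.code.visualstudio.com", "process": "Code.exe"}
{"type": "process_create", "host": "ws07", "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "cmdline": "Code.exe tunnel", "parent": "explorer.exe"}
""".strip().splitlines()


@dataclass
class Finding:
    host: str
    severity: str  # "high", "medium" or "low"
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_tunnel_launch(ev: dict) -> bool:
    """True when a VS Code binary is invoked with the 'tunnel' subcommand."""
    if _basename(ev.get("image", "")) not in VSCODE_BINARIES:
        return False
    return "tunnel" in ev.get("cmdline", "").lower().split()


def _is_tunnel_dns(ev: dict) -> bool:
    """True when the queried name belongs to the tunnel service."""
    query = ev.get("query", "").lower().rstrip(".")
    return any(query.endswith(suffix) for suffix in TUNNEL_DOMAIN_SUFFIXES)


def analyze(lines) -> list:
    """Return findings for every suspicious event, in input order."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry: skip it rather than abort the hunt
        if ev.get("type") == "process_create" and _is_tunnel_launch(ev):
            parent = _basename(ev.get("parent", ""))
            if parent in WEB_SHELL_PARENTS:
                findings.append(Finding(ev["host"], "high",
                                        f"tunnel launched by web process {parent}"))
            else:
                findings.append(Finding(ev["host"], "medium",
                                        f"VS Code tunnel started: {ev['cmdline']}"))
        elif ev.get("type") == "dns_query" and _is_tunnel_dns(ev):
            findings.append(Finding(ev["host"], "low",
                                    f"lookup of tunnel endpoint {ev['query']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.host}: {f.reason}")
```

In an environment where developers legitimately use Remote Tunnels, the medium-severity hits are the ones to baseline per user and host; the high-severity parent-process pattern should page someone regardless.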
Facebook Disrupts Chinese APT Campaign Targeting Uyghur Community
Bottom Line Up Front (BLUF): Facebook dismantled a sophisticated cyber-espionage campaign by Chinese APT groups Earth Empusa and Evil Eye targeting the Uyghur minority. Hackers used fake social media accounts and malicious Android apps to infect devices with spyware. The operation, part of Beijing's broader surveillance strategy, highlights ongoing risks to human rights activists and journalists globally.
Analyst Comments: This operation reflects China's systematic use of cyber tools to suppress dissent and monitor minority groups, both domestically and abroad. The discovery of third-party Android app stores spreading spyware underlines the APT's adaptability and reach. The attribution of attack tooling to specific Chinese companies points to a growing ecosystem of state-backed cyber vendors. These revelations emphasize the need for enhanced defenses for vulnerable communities and robust international responses to state-sponsored cyber campaigns.
FROM THE MEDIA: Facebook's security team, in collaboration with FireEye, disrupted a campaign targeting Uyghurs in China and abroad. Operatives used fake Facebook accounts to pose as journalists, students, and activists, luring victims to malicious websites or spyware-laden Android apps. Notable malware strains, including ActionSpy and PluginPhantom, were linked to Chinese companies Beijing Best United Technology Co. and Dalian 9Rush Technology Co., believed to be contractors for the Chinese government. The campaign employed watering hole attacks, zero-day exploits, and spyware to infiltrate the devices of Uyghur activists, journalists, and dissidents in countries such as Turkey, the U.S., and Canada. Facebook's investigation aligns with previous Google, Volexity, and Trend Micro reports, which documented similar operations targeting Uyghurs via iOS, Android, and Windows devices.
READ THE STORY: The Record
Items of interest
Cryptocurrency’s Role in Cybercrime: Russian Banks and Illicit Transactions
Bottom Line Up Front (BLUF): New research reveals that Russian-speaking cybercrime platforms use a Canadian-registered financial entity, Cryptomus, to process cryptocurrency payments. These payments often facilitate transactions with sanctioned Russian banks, enabling money laundering and funding cybercrime services. The investigation highlights systemic abuses in Canada’s money service business (MSB) registration process and the growing role of cryptocurrency in cybercrime.
Analyst Comments: Cryptocurrency continues to be a cornerstone of cybercrime operations, with services like Cryptomus operating in legal gray zones. These platforms highlight the international regulatory gaps criminals exploit by funneling illicit funds through sanctioned banks and anonymous exchanges. Addressing this issue will require tighter oversight of MSBs, stricter Know Your Customer (KYC) standards, and enhanced global collaboration between financial authorities and law enforcement. The connection to cyber operations supporting disinformation campaigns further underlines the intersection of cybercrime and geopolitical strategies.
FROM THE MEDIA: Investigative researcher Richard Sanders uncovered that 122 Russian cybercrime services, including platforms selling stolen financial accounts, proxies, and anonymous SMS services, are using Cryptomus for payment processing. Cryptomus is linked to Xeltox Enterprises Ltd., a Canadian-registered MSB with questionable ties to Russia. These services allow cryptocurrency-to-cash exchanges with central Russian banks under sanctions, suggesting that Cryptomus facilitates transactions supporting cybercrime and geopolitical disruptions. The platform's listed address in Vancouver connects it to a building housing dozens of MSBs without physical presence, raising concerns about systemic abuses in Canada’s MSB registration system. These services’ infrastructure relies heavily on Russian email providers, Russia-based hosting, and content delivery networks like Cloudflare. Despite multiple requests for comment, Cryptomus has not addressed the allegations, leaving its operations shrouded in opacity.
READ THE STORY: Krebs on Security
How Russian Hackers Stole $100M from US Banks (Video)
FROM THE MEDIA: Russian cybercrime is big business – and some say hackers get a pass when they work double duty for Putin and his geopolitical ambitions.
How Russian Hackers Stole Millions from U.S. Investors (Video)
FROM THE MEDIA: He was young, rich, and on the rise in Moscow. But when up-and-coming Russian oligarch Vladislav Klyushin boarded a private jet for a luxury ski vacation in the Swiss Alps, he had no idea it would all come crashing down. Klyushin was the owner of a cybersecurity company in Moscow called M-13, but the firm was secretly a front for a computer hacking and insider trading operation that plagued Wall Street for years and generated more than $90 million in illicit profits for Klyushin’s criminal gang.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.