Saturday, Feb 22, 2025 // (IG): BB // GITHUB // SN R&D
China’s Cyber Blame Game: Propaganda or Legitimate NSA Accusation
Bottom Line Up Front (BLUF): Chinese government agencies and state-backed cybersecurity firms are accusing the U.S. National Security Agency (NSA) of cyberattacks against Northwestern Polytechnical University, a military-linked research institution. Reports from China’s National Computer Virus Emergency Response Center (CVERC) and Qihoo 360 claim that the NSA’s Tailored Access Operations (TAO) unit deployed 41 malware strains for espionage. However, these allegations lack independent verification and appear to be part of a broader Chinese propaganda strategy to shift attention away from Beijing’s own extensive cyber activities.
Analyst Comments: China’s claims against the NSA follow a familiar pattern of disinformation tactics, using selective evidence—such as IP addresses, keyboard inputs, and attack timelines—that can easily be forged or manipulated. The accusations conveniently mirror previous narratives pushed by Chinese state media, which frequently fabricate cyber threats from Western nations to justify their own cyber warfare efforts. Moreover, linking the attack to the Shadow Brokers leak of NSA tools is a well-worn tactic, despite the fact that many of these tools have been repurposed by various actors, including China itself. Given Beijing’s documented history of state-sponsored hacking, these accusations serve as a strategic misdirection to downplay its own cyber intrusions against Western governments, corporations, and infrastructure.
FROM THE MEDIA: The attack allegedly used 54 jump servers and five proxy servers to obfuscate its origin. China’s forensic analysis also points to U.S. keyboard layouts and operational activity that paused on American holidays, suggesting NSA involvement. However, cybersecurity experts note that sophisticated state-sponsored actors—including China’s own APT groups—frequently use deceptive tactics to plant misleading forensic evidence and obscure the true origins of cyberattacks.
READ THE STORY: SecurityWeek
Analyst notes:
China's attribution of the cyberattacks on Northwestern Polytechnical University to the U.S. National Security Agency (NSA) follows a familiar pattern of state-controlled narratives designed to deflect from its own cyber activities while escalating tensions in the ongoing cyber rivalry with the U.S. The evidence presented—such as IP addresses, keyboard layouts, and operational timelines—relies on easily manipulated indicators that sophisticated threat actors can spoof or plant as false flags. The heavy reliance on the Shadow Brokers leak, which has been widely available since 2017, raises questions about whether the malware and tactics used were genuinely NSA-exclusive or simply repurposed by another actor. China’s cybersecurity agencies, including CVERC and Qihoo 360, are closely tied to the state and have a history of making unverified or exaggerated claims about Western cyber activity, often without providing verifiable forensic data. This report serves a broader geopolitical objective: portraying China as a victim of Western cyber aggression while justifying its own expansive cyber capabilities and surveillance programs. By framing the NSA as an aggressor, Beijing can rally domestic support, bolster national cybersecurity initiatives, and shift global focus away from its own documented cyber espionage campaigns against governments, businesses, and research institutions worldwide.
Russia Accused of Election Interference in Germany Through Disinformation Campaigns
Bottom Line Up Front (BLUF): German security services have warned of a Russian disinformation campaign aimed at influencing the country’s upcoming federal elections. Fake videos purporting to show ballot manipulation are being circulated online, with officials attributing the effort to Storm-1516, a group previously linked to election interference in the U.S. These activities appear to be targeted at supporters of the far-right Alternative für Deutschland (AfD) party.
Analyst Comments: Russia’s involvement in European elections is a recurring theme, with tactics ranging from social media manipulation to fabricated content aimed at eroding public trust in democratic processes. This latest campaign follows a broader trend of Moscow’s interference in Western elections, often by amplifying existing societal divisions. While Germany has actively worked to counter such threats, the effectiveness of these measures will be tested in the coming days. If these claims hold true, this would reinforce concerns about Russia’s continued use of cyber-enabled influence operations as a strategic tool.
FROM THE MEDIA: These videos falsely claim to show votes for the AfD being discarded or missing from ballots. The Interior Ministry has attributed the operation to Storm-1516, the same group Microsoft linked to Russian election meddling in the U.S. last year. The disinformation effort is part of a broader pattern of Russian influence in European politics, with German authorities closely monitoring the situation ahead of Sunday’s federal election. Officials have noted that these tactics mirror past interference efforts, including in the 2016 U.S. election.
READ THE STORY: The Record
Trump's Push for Ukraine's Minerals Sparks Geopolitical and Economic Debate
Bottom Line Up Front (BLUF): President Donald Trump is urging Ukraine to grant the U.S. access to its vast mineral resources, including lithium, titanium, and rare earth elements, as compensation for military aid. While Ukraine acknowledges the potential for a deal, President Volodymyr Zelensky has emphasized the need for security guarantees before moving forward. Many of these valuable resources are located in Russian-occupied territories, making extraction complex.
Analyst Comments: The discussion around Ukraine’s mineral wealth highlights the broader economic and geopolitical interests at play. The article frames Trump’s approach as a transactional exchange, suggesting that U.S. support comes with expectations of economic return. While Ukraine’s mineral reserves are significant, the challenges of extraction—such as infrastructure investment, legal barriers, and ongoing conflict—are not fully explored. The piece also suggests that Russia’s continued occupation of certain regions may be influenced by resource control, adding another layer of complexity to potential negotiations. Additionally, linking Trump’s push for access to these materials with U.S. efforts to reduce reliance on China aligns with broader trade and security policies.
FROM THE MEDIA: Ukraine is home to valuable deposits of lithium, titanium, and rare earth elements, essential for various industries, including defense and technology. However, much of these resources remain undeveloped and require major investment. Additionally, a significant portion of these deposits is located in Russian-occupied areas, raising concerns about feasibility. While Zelensky has expressed willingness to negotiate, he insists that any deal must include security assurances for Ukraine. Meanwhile, Russian officials have acknowledged the strategic value of these minerals, further complicating potential agreements.
READ THE STORY: WSJ
Leaked Data Reveals TopSec’s Role in China’s Censorship-as-a-Service Operations
Bottom Line Up Front (BLUF): A data leak from Chinese cybersecurity firm TopSec exposes its deep involvement in China’s state-backed censorship programs. The leaked documents include infrastructure details, work logs, and references to web content monitoring services designed to enforce online censorship. The findings reveal TopSec’s collaboration with government agencies and state-owned enterprises, providing tailored monitoring solutions to suppress politically sensitive information.
Analyst Comments: Advanced monitoring tools—such as keyword tracking and content filtering—highlight China’s systematic approach to controlling online discourse. The documents also reveal how cybersecurity firms assist in shaping public narratives, including managing the fallout from corruption scandals. This leak underscores the growing role of private firms in China’s information control strategy and raises concerns about similar tactics being exported to other authoritarian regimes. It also highlights the need for increased scrutiny by global businesses when engaging with Chinese cybersecurity vendors that may be complicit in government-led surveillance and censorship.
FROM THE MEDIA: SentinelLabs researchers analyzed a leaked file uploaded to VirusTotal on January 24, 2025, revealing over 7,000 lines of work logs from TopSec. The documents outline TopSec’s involvement in monitoring internet content for public and private sector clients. The company provided bespoke services to a state-owned enterprise during a corruption scandal, indicating its role in managing politically sensitive topics. The leaked files reference the Cloud Monitoring Service Project, a Shanghai Public Security Bureau initiative to detect security threats and sensitive keywords. While TopSec did not win the contract, the leak confirms its extensive work in censorship enforcement, including monitoring hidden links, sensitive words, and politically charged content. The breach also revealed that sensitive content alerts were escalated through WeChat for a prioritized response, further demonstrating China’s tightly integrated online surveillance network.
READ THE STORY: SentinelLabs // THN
Hackers Steal $1.5 Billion in Largest-Ever Crypto Heist from Bybit Exchange
Bottom Line Up Front (BLUF): Crypto exchange Bybit has suffered a massive $1.5 billion hack, marking the largest cryptocurrency theft in history. Hackers targeted Bybit’s cold wallet, which is typically considered more secure than online wallets. CEO Ben Zhou confirmed the breach, stating that Bybit is securing bridge loans and will reimburse affected users. The attack comes as the crypto industry experiences renewed optimism under the Trump administration, which is expected to take a more favorable stance on digital assets.
Analyst Comments: The attack raises concerns about the vulnerability of centralized exchanges and the potential for insider threats or sophisticated exploits. The timing is notable, as the crypto industry has seen a resurgence with expectations of reduced regulatory pressure under the Trump administration. However, this breach could prompt calls for stricter security measures and regulatory oversight, particularly regarding how exchanges manage large reserves of digital assets. The rapid liquidation of stolen funds also underscores the ongoing challenge of tracking illicit crypto transactions across multiple accounts.
FROM THE MEDIA: Bybit CEO Ben Zhou confirmed that hackers stole approximately 400,000 Ethereum (ETH), valued at $1.5 billion, from the exchange’s cold wallet. The wallet was compromised despite requiring multiple signers for transactions, and an investigation is underway. Research group Arkham Intelligence tracked at least $1.36 billion of the stolen funds being moved into various accounts and rapidly liquidated. The breach follows a history of high-profile crypto hacks, including the $570 million Binance exploit in 2022 and the infamous Mt. Gox collapse in 2011. Bybit has assured users that it will cover any unrecovered losses, but the hack significantly undermines confidence in the industry’s security measures.
READ THE STORY: FT
Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecoms
Bottom Line Up Front (BLUF): Cisco has confirmed that Salt Typhoon, a Chinese state-sponsored hacking group, exploited CVE-2018-0171 to infiltrate U.S. telecommunications networks. The attackers maintained persistent access for over three years by leveraging stolen credentials, intercepting network authentication traffic, and using compromised infrastructure to evade detection. The campaign involved living-off-the-land (LOTL) techniques, network misconfigurations, and a custom JumbledPath tool for packet capture and log clearing.
Analyst Comments: Exploiting a known vulnerability (CVE-2018-0171)—despite patches being available since 2018—suggests inadequate security hygiene across targeted networks. Using LOTL techniques and stolen credentials indicates a shift from traditional malware-based intrusions, making detection and mitigation more challenging. As the U.S. ramps up cybersecurity defenses, this breach underscores the importance of proactive network monitoring, zero-trust architectures, and rapid patch management to defend against state-backed cyber threats.
FROM THE MEDIA: Cisco Talos confirmed that Salt Typhoon gained access to telecom networks by exploiting CVE-2018-0171—a flaw in Cisco's Smart Install protocol. The group also harvested credentials by intercepting SNMP, TACACS, and RADIUS authentication traffic and deciphering weak passwords. Salt Typhoon modified network configurations to evade detection, created local accounts, and used JumbledPath, a custom Go-based tool for packet capture and forensic obfuscation. The hackers altered loopback interfaces to bypass access control lists (ACLs), allowing lateral movement within telecom environments. Cisco stated that while Salt Typhoon has not exploited newer vulnerabilities like CVE-2023-20198 and CVE-2023-20273, it has identified other ongoing attacks targeting exposed Smart Install instances.
READ THE STORY: THN
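As an added example, not code from Cisco Talos or the article above, the following Python script audits a Cisco IOS running-config for the conditions the report describes: Smart Install (vstack) left enabled, unexpected privilege-15 local accounts, reversible type-7 passwords, read-write SNMP communities, and loopback interfaces outside an approved baseline. The sample config, the placeholder secrets and the baseline sets are constructed assumptions.

```python
"""Audit a Cisco IOS running-config for Salt Typhoon-style exposure.

Constructed defender example (not Cisco's or the article's code). It checks
the tradecraft the report describes: Smart Install exposure (CVE-2018-0171),
added local accounts, weakly protected credentials, and loopback interfaces
that could be used to sidestep ACLs.
"""
import re

# Constructed sample running-config; the hashes/strings are placeholders.
SAMPLE_CONFIG = """\
hostname core-sw1
!
username netops privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
username svc_backup privilege 15 password 7 0822455D0A16
!
snmp-server community public RW
snmp-server community r0secret RO
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback99
 ip address 192.0.2.1 255.255.255.255
!
line vty 0 4
 transport input ssh
"""

# Assumed baselines: accounts and loopbacks the network team actually approved.
BASELINE_USERS = {"netops"}
BASELINE_LOOPBACKS = {"Loopback0"}


def smart_install_enabled(config):
    """Smart Install is on by default on client switches and only shows up in
    the running-config as 'no vstack' once it has been explicitly disabled."""
    return re.search(r"^no vstack\s*$", config, re.M) is None


def unexpected_local_users(config, baseline=BASELINE_USERS):
    """Local accounts not in the approved baseline (report: attackers created
    local accounts for persistence)."""
    users = re.findall(r"^username (\S+) privilege (\d+)", config, re.M)
    return [name for name, _priv in users if name not in baseline]


def reversible_passwords(config):
    """Type-7 passwords are trivially reversible, so intercepted configs or
    auth traffic expose them (report: weak passwords were deciphered)."""
    return re.findall(r"^username (\S+) .*password 7 ", config, re.M)


def writable_snmp_communities(config):
    """Read-write SNMP communities let anyone who sniffs them change config."""
    return re.findall(r"^snmp-server community (\S+) RW", config, re.M)


def unexpected_loopbacks(config, baseline=BASELINE_LOOPBACKS):
    """Loopbacks outside the baseline (report: loopbacks altered to bypass ACLs)."""
    found = re.findall(r"^interface (Loopback\d+)", config, re.M)
    return [name for name in found if name not in baseline]


def audit(config):
    """Collect every finding into one dict so it can be diffed over time."""
    return {
        "smart_install_enabled": smart_install_enabled(config),
        "unexpected_users": unexpected_local_users(config),
        "type7_passwords": reversible_passwords(config),
        "rw_snmp_communities": writable_snmp_communities(config),
        "unexpected_loopbacks": unexpected_loopbacks(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
    # Remediation matching the findings: 'no vstack' disables Smart Install,
    # replace 'password 7' with 'secret', restrict or remove RW communities,
    # and investigate any account or loopback not in the baseline.
```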
Trump to Restrict Chinese Investments in Strategic Sectors via CFIUS
Bottom Line Up Front (BLUF): President Donald Trump will sign a memorandum directing the Committee on Foreign Investment in the United States (CFIUS) to impose stricter restrictions on Chinese investments in key industries such as semiconductors, artificial intelligence, quantum computing, biotechnology, and aerospace. The move aims to prevent China from leveraging U.S. technology and capital for military and intelligence purposes. The administration is also considering restrictions on U.S. outbound investments in these sectors.
Analyst Comments: By utilizing CFIUS, the administration is reinforcing economic security as a national security priority. While these restrictions could protect U.S. intellectual property and strategic assets, they may also heighten tensions with Beijing and disrupt investment flows in the technology sector. Additionally, restricting outbound investment could have significant consequences for U.S. firms operating in China, potentially leading to retaliatory measures. Companies in affected sectors should prepare for increased regulatory scrutiny and geopolitical risks.
FROM THE MEDIA: According to a White House official, the new rules are designed to prevent foreign adversaries like China from exploiting U.S. innovation for military and intelligence advancements. The memorandum will establish stricter oversight mechanisms for foreign investments and acquisitions in sensitive industries. The Trump administration is also considering expanding controls on U.S. investments in China’s high-tech sectors, signaling a broader effort to decouple critical supply chains. While the exact details of implementation remain unclear, the policy aligns with previous efforts to curb China’s technological rise through export controls and investment restrictions.
READ THE STORY: Reuters
OpenAI Bans Accounts Misusing ChatGPT for Surveillance and Influence Campaigns
Bottom Line Up Front (BLUF): OpenAI has banned multiple accounts misusing ChatGPT for malicious activities, including an AI-powered surveillance tool linked to China. The tool, named Qianyue Overseas Public Opinion AI Assistant, monitored anti-China protests in the West and shared insights with Chinese authorities. Other banned networks were tied to North Korean IT fraud, Chinese disinformation campaigns, Iranian propaganda, and cyber intrusion research. The takedown highlights AI's growing role in state-sponsored cyber operations and influence campaigns.
Analyst Comments: The use of AI to automate large-scale surveillance and social media influence campaigns presents a significant security challenge. OpenAI's move is a positive step, but it raises questions about how AI platforms can enforce safeguards while maintaining open access. The presence of multiple state-linked actors—China, North Korea, Iran, and Russia—suggests that AI-driven threats will only intensify. Companies and governments must collaborate to mitigate AI-enabled cyber risks and develop regulatory frameworks for responsible AI usage.
FROM THE MEDIA: OpenAI's investigation revealed that ChatGPT was used to develop and refine Qianyue, an AI-driven tool to track social media discussions and analyze political discourse. The tool reportedly monitored anti-China protests in Western countries, collecting real-time data for Chinese authorities. Additionally, OpenAI disrupted several other networks abusing its AI models. One was linked to North Korean fraud, where operatives created fake job applications to gain employment in Western tech firms. Another involved a Chinese disinformation campaign that produced anti-U.S. content for distribution across Latin American media. OpenAI also identified an Iranian propaganda effort tied to Storm-2035, which generated pro-Hamas and anti-Israel narratives. Further, a Cambodian-origin romance scam network used AI to craft messages in multiple languages to defraud social media users. Another banned cluster focused on cyber intrusion research, with North Korean actors leveraging ChatGPT to refine hacking techniques and study cryptocurrency vulnerabilities. Finally, an influence operation targeting Ghana’s 2024 presidential election was discovered, using AI-generated English-language content to manipulate public perception.
READ THE STORY: THN
Pentagon Accelerates ‘Cyber Command 2.0’ Overhaul, Seeks Expanded Authorities
Bottom Line Up Front (BLUF): Defense Secretary Pete Hegseth has fast-tracked the implementation of Cyber Command 2.0, cutting the original 180-day timeline in half. The revamped strategy aims to enhance U.S. Cyber Command’s capabilities through innovation centers, advanced training, and a new force generation model. Additionally, the Pentagon has asked Cyber Command to identify legal and regulatory barriers hindering its cyber operations, signaling a potential push for expanded offensive cyber authorities.
Analyst Comments: The urgency behind Cyber Command 2.0 reflects the Trump administration’s commitment to a more aggressive cyber posture in response to escalating threats from China and other adversaries. While the condensed timeline may accelerate much-needed reforms, it could also strain coordination with military branches over funding and manpower. The request for a list of expanded cyber authorities suggests a push to streamline digital warfare operations, potentially reducing bureaucratic constraints on offensive cyber campaigns.
FROM THE MEDIA: Cyber Command was initially given 180 days to develop its modernization plan, but Hegseth now requires a full implementation blueprint by March 22. The revised strategy consists of four main pillars: a cyberwarfare innovation center, an advanced training facility, a revamped force generation model, and a task force focused on talent retention. In parallel, the Pentagon has tasked Cyber Command with identifying authorities it needs to be more effective and any regulations that hinder operations. The Defend Forward strategy, which authorizes preemptive cyber operations against foreign threats, is expected to be a focal point of this review. Experts believe these efforts will shape future U.S. cyber policy, including potential updates to Trump’s 2018 directive streamlining offensive cyber operations.
READ THE STORY: The Record
U.S. Pressures Iraq to Resume Kurdish Oil Exports Amid Sanctions on Iran
Bottom Line Up Front (BLUF): The Trump administration is pressuring Iraq to restart Kurdish oil exports to global markets via Turkey, aiming to curb the smuggling of Kurdish crude to Iran. The U.S. sees this as a way to offset potential global supply losses by reinstating a "maximum pressure" campaign against Tehran. Iraq’s announcement of resumed exports next week follows Washington’s warnings that failure to comply could lead to sanctions.
Analyst Comments: This development underscores the U.S. strategy of leveraging economic pressure to isolate Iran, using Iraq as a key battleground. By urging Baghdad to redirect Kurdish oil to Turkey instead of Iran, Washington aims to cut off a critical revenue stream for Tehran. However, Iraq remains caught between its alliances with both the U.S. and Iran, making compliance politically sensitive. Additionally, logistical hurdles, including payment disputes and OPEC+ production commitments, could complicate efforts to restart exports. If Washington escalates pressure, it risks further destabilizing Iraq’s political landscape, where Iranian-backed factions hold significant influence.
FROM THE MEDIA: The U.S. has urged Iraq to halt Kurdish oil smuggling to Iran, estimated at 200,000 barrels per day, and instead reopen the Turkey-bound pipeline closed since 2023. While Iraq’s oil minister announced plans to resume Kurdish exports next week, financial and operational challenges remain unresolved. The pipeline was originally shut after Turkey was ordered to pay Iraq $1.5 billion for unauthorized exports. Oil firms operating in Kurdistan, such as Norway’s DNO, are demanding clarity on payment mechanisms before resuming shipments. Meanwhile, a restart could put Iraq at odds with OPEC+ quotas. The Trump administration views these exports as a way to stabilize global oil markets while it intensifies sanctions on Iran.
READ THE STORY: Reuters
GOP Megadonor Takes Over as Clearview AI Co-CEO Amid Federal Expansion Plans
Bottom Line Up Front (BLUF): Clearview AI, a controversial facial recognition firm, has appointed GOP megadonor Hal Lambert and former Rudy Giuliani adviser Richard Schwartz as co-CEOs. The leadership change is expected to help the company expand its federal contracts, including with the Department of Defense and Department of Homeland Security. Clearview has faced legal challenges over its data collection practices and financial struggles despite securing contracts with U.S. law enforcement agencies.
Analyst Comments: The company’s new leadership, with deep Republican connections, is well-positioned to navigate political and regulatory hurdles to secure larger government contracts. However, Clearview remains a lightning rod for privacy advocates, having faced multiple lawsuits and over $100 million in fines from European regulators. If the firm expands its government partnerships, it could reignite debates over mass surveillance, data privacy, and AI ethics.
FROM THE MEDIA: Clearview AI, known for its controversial facial recognition technology, has appointed Hal Lambert and Richard Schwartz as co-CEOs, replacing founder Hoan Ton-That. Lambert, a major Republican fundraiser and Trump supporter, has already engaged with federal agencies to expand Clearview’s contracts. The company, which allows law enforcement to search a database of 30 billion scraped internet images, has struggled financially and faced legal challenges over privacy concerns. Clearview’s contracts with DHS, ICE, and the FBI have been limited in scale, with its largest U.S. partnerships coming from state and local law enforcement. Privacy lawsuits and regulatory fines in Europe continue to pose hurdles to the company's expansion.
READ THE STORY: The Record
Items of interest
Unmasking China’s Digital Censorship: Web Filtering, Sensitive Words, and Online Control
Bottom Line Up Front (BLUF): Recent leaks and research expose how China's web filtering systems, enforced by private firms like TopSec, systematically control online discourse. Automated tools detect "sensitive words," hidden links, and unauthorized content modifications, allowing authorities to suppress politically undesirable discussions. The findings underscore the fusion of artificial intelligence-driven censorship and human moderation to maintain strict narrative control over digital spaces.
Analyst Comments: China’s web filtering infrastructure demonstrates the extent to which government agencies and private companies collaborate to manage digital narratives. While keyword-based censorship has long been a core tactic, the increasing use of AI and machine learning enables more sophisticated filtering and content suppression. This control extends beyond preventing political dissent to shaping internet culture and user behavior through self-censorship. These developments raise concerns about digital rights, as such models could be exported to other nations seeking authoritarian-style information control.
FROM THE MEDIA: The WebSensitive system identifies politically sensitive words, while WebHiddenLink detects covert links in online posts. Research from Elsevier’s Discourse, Context & Media Journal highlights how netizens creatively evade censorship using homophones, slang, and coded language. Despite such countermeasures, China's censorship model continues to evolve, integrating machine learning with manual oversight to refine content suppression. These findings illustrate how China’s digital censorship ecosystem influences internet culture while restricting freedom of expression.
READ THE STORY: SD
China's Great "Firewall" of Internet Censorship (Video)
FROM THE MEDIA: Ever heard of the ‘Great Firewall’ in China? In this video, we dive into the reasons behind China’s strict internet censorship and how the 'Great Firewall' controls online access.
The Great Firewall of China: Censorship and Cybersecurity (Video)
FROM THE MEDIA: Journey with us into the heart of China's Great Firewall. Understand how this sophisticated system of internet censorship and surveillance functions, blocking access to foreign websites, filtering content, and monitoring online activities to maintain control over the information that reaches Chinese citizens.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.