Chinese and North Korean Cyber Operations Surge as New Threats Emerge
Chinese and North Korean cyber activities have grown significantly in sophistication and effectiveness, posing new threats to global security. In its report, technology giant Microsoft sheds light on the cyber capabilities of these two nations and highlights their evolving tactics.
Microsoft’s findings reveal that Chinese influence operations have grown more effective, particularly in the past year. Chinese-aligned social media networks have engaged directly with authentic users on various social media platforms, including posing as American voters and targeting specific candidates during US elections. Moreover, China’s state-affiliated multilingual social media influencer initiative has successfully reached and engaged target audiences in over 40 languages, amassing a staggering 103 million followers. China’s cyber operations in 2023 have primarily focused on countries surrounding the South China Sea, the US defense industrial base, and critical infrastructure within the United States.
Meanwhile, North Korean cyber operations have become increasingly sophisticated. Microsoft highlights Pyongyang’s interest in stealing maritime technology research. In a recent incident, the Lazarus Group, believed to be affiliated with North Korea, was responsible for stealing $31 million worth of cryptocurrency from CoinEx. Forensic analysis conducted by cybersecurity firm Elliptic suggests that the Lazarus Group laundered some of the stolen funds by mixing them with funds stolen from other sources.
Telecommunications providers in the Middle East have also been targeted by a new intrusion set called ShroudedSnooper, as described by Cisco Talos. Using two implants called HTTPSnoop and PipeSnoop, the threat actor exploits internet-facing servers to gain initial access. Although the tactics, techniques, and procedures employed by this group do not align with any known cyber threat groups, state-sponsored actors from Iran and China have recently shown a strong preference for attacking telecommunication providers, particularly in the Middle East and Asia.
Additionally, cybersecurity firm Trend Micro warns of a China-aligned threat actor known as Earth Lusca, which has developed a new Linux backdoor named SprySOCKS. This backdoor, based on the open-source Windows malware Trochilus, targets government departments involved in foreign affairs, technology, and telecommunications. Earth Lusca primarily focuses on countries in Southeast Asia, Central Asia, and the Balkans, using known vulnerabilities against unpatched systems.
Furthermore, Proofpoint has identified suspected Chinese cybercriminal campaigns targeting Chinese-speaking users through malware-laden phishing emails. These low-volume campaigns are primarily directed at global organizations operating in China, using email subjects and content related to business themes such as payments, invoices, and new products. Notably, Japanese organizations have also become targets, suggesting a potential expansion of activity.
In a separate incident, Microsoft’s AI research team inadvertently exposed 38 terabytes of private data, including confidential information, passwords, and internal messages. The exposure occurred when an employee published open-source training data to a public GitHub repository. Although Microsoft swiftly fixed the issue and no customer data or additional internal services were compromised, the incident is a reminder of the importance of robust data protection measures.
As cyber threats continue to evolve and intensify, organizations and individuals must remain vigilant in implementing robust cybersecurity measures to safeguard sensitive information and networks. Cooperation among international stakeholders is crucial to effectively combating cyber threats and ensuring a secure digital environment for all.