ProtectWise's threat research shop, 401TRG, has identified a common actor behind a number of disparate threat groups that have been active since at least 2009, and perhaps as early as 2007. The group, "Winnti Umbrella," is, ProtectWise concludes, run by "the Chinese state intelligence apparatus." The groups that fall under the Umbrella include EAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti.
Security firms have tracked these groups separately for years; ProtectWise argues that they're a single operation. The attribution rests on shared infrastructure, overlapping tactics, techniques, and procedures, and above all operational security lapses that reveal the attackers' locations. The operation's initial targets are gaming studios and tech companies, where the goal is to steal code-signing certificates; signed with a legitimately issued certificate, the group's malware passes the trust checks that would otherwise flag unsigned binaries in later intrusions. There's some collateral criminal bycatch, but the ultimate goal appears to be political intelligence.
Recorded Future's report last week that North Korean elites are changing their online behavior also notes that North Korean espionage services stage much of their cyber operations through other countries. Readily accessible gaming services, BitTorrent, and video streaming make a country attractive. So does hosting North Korean diplomatic and cultural missions.
Kaspersky warns of ZooPark (now in its fourth generation), an Android malware campaign active mostly in the Middle East and North Africa since 2015. One of its distribution vectors is Telegram, the secure chat app: the attackers use Telegram channels to spread the malicious apps, rather than exploiting any flaw in Telegram itself.
Vulnerabilities in GPON routers, disclosed last week, are now under active exploitation by botnet herders.
ZTE appeals US sanctions to the US Commerce Department.
Russian Twitterbots tweet threats toward UK Labour leader Jeremy Corbyn's intraparty opponents.