At a glance.
- Russian cybercriminal group targets Ukraine.
- Iranian threat actor conducts ransomware campaigns.
- Chinese government compiles DNA database of Tibetans.
Russian cybercriminal gang targets Ukraine.
Google's Threat Analysis Group (TAG) warns that the Russian cybercriminal gang tracked as UAC-0098 has shifted its focus to assist the Russian government in targeting Ukraine. UAC-0098 is an initial access broker that compromises organizations via malware-laden phishing emails:
"In the activity observed following April 2022, the group’s targeting wildly varied from European NGOs to less targeted attacks on Ukrainian government entities, organizations, and individuals. Rather uniquely, the group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains. So far, TAG has not identified what post-exploitation actions UAC-0098 takes following a successful compromise.
"Activities described in this post are consistent with findings from IBM Security X-Force and CERT-UA. TAG can further confirm attribution based on multiple overlaps between UAC-0098 and Trickbot or the Conti cybercrime group."
The researchers conclude, "UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests."
Iranian threat actor conducts ransomware campaigns.
Microsoft describes several ransomware campaigns being run by the Iranian threat actor Nemesis Kitten (which Microsoft tracks as DEV-0270). Nemesis Kitten is a sub-group of the Iranian government threat group PHOSPHORUS, but Microsoft suspects that these ransomware operations are being conducted independently for financial gain:
"Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation."
Chinese government compiles DNA database of Tibetans.
The University of Toronto's Citizen Lab has published a report finding that the Chinese government is compiling a database of DNA samples from people living in the Tibet Autonomous Region. Police have collected samples from up to 1.2 million people (one-third of the region's population):
"Police have targeted men, women, and children for DNA collection outside of any ongoing criminal investigation. In some cases, police have targeted Buddhist monks. Authorities have justified mass DNA collection as a tool to fight crime, find missing people, and ensure social stability. But without checks on police powers, police in Tibet will be free to use a completed mass DNA database for whatever purpose they see fit. Based on our analysis, we believe that this program is a form of social control directed against Tibet’s people, who have long been subject to intense state surveillance and repression."
Citizen Lab notes that the recent data leak of Chinese citizens' information underscores the risk of storing this amount of biometric data:
"The leak of files on nearly one billion people from a Shanghai police-run database in 2022 highlighted persistent issues with data security and accuracy during a period when the Chinese police are collecting ever greater amounts of data from the public."