By the CyberWire staff
At a glance.
- US government charges Chinese nationals for alleged ties to APT31.
- Finland attributes parliament breach to APT31.
- US DOD releases cybersecurity strategy for the defense industrial base.
- APT29 launches phishing campaign against German politicians.
- Chinese threat actors target ASEAN entities.
- Florida cities disrupted by cyberattacks.
- Threat actor targets Indian government and energy entities.
- PyPI temporarily suspends project creation and user registration to deal with malware.
US government charges Chinese nationals for alleged ties to APT31.
The US Treasury Department has sanctioned a Chinese tech firm, the Wuhan Xiaoruizhi Science and Technology Company, for allegedly operating as a front for the Ministry of State Security-linked threat actor APT31. Treasury also sanctioned two individuals connected to the company, Zhao Guangzong and Ni Gaobin, for their alleged "roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors, directly endangering U.S. national security."
In addition, the US Justice Department charged seven Chinese nationals, including Zhao Guangzong and Ni Gaobin, with "conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses, and political officials in furtherance of the PRC’s economic espionage and foreign intelligence objectives."
The Justice Department stated, "The APT31 Group was part of a cyberespionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan. Through their involvement with the APT31 Group, since at least 2010, the defendants conducted global campaigns of computer hacking targeting political dissidents and perceived supporters located inside and outside of China, government and political officials, candidates, and campaign personnel in the United States and elsewhere, and American companies. The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years."
A spokesperson for the Chinese embassy in Washington DC told the BBC that "without valid evidence, relevant countries jumped to an unwarranted conclusion" and "made groundless accusations."
Finland attributes parliament breach to APT31.
The Finnish Police disclosed yesterday that the China-linked threat actor APT31 was responsible for a breach of the Finnish Parliament in late 2020 and early 2021, BleepingComputer reports. The police said in a press release yesterday, "The criminal investigation has involved demanding investigations and analyses, and international exchange of information. The National Bureau of Investigation has worked in close cooperation with international actors and the Finnish Security and Intelligence Service. The criminal investigation is ongoing." The police have identified one suspect connected to the incident.
US DOD releases cybersecurity strategy for the defense industrial base.
The US Defense Department yesterday released its Defense Industrial Base Cybersecurity Strategy, outlining a plan to bolster the cybersecurity of the department's supply chain, the Record reports. The DOD said in a press release, "Central to the goal of strengthening DOD's cybersecurity governance structure are efforts to bolster interagency collaboration and develop regulations that will further govern the cybersecurity responsibilities of contractors and subcontractors. In terms of enhancing the DIB's cybersecurity posture, the strategy outlines steps to evaluate compliance with departmental cybersecurity requirements and evaluate the effectiveness of regulations and requirements. It also outlines steps to improve cyber-related threat and intelligence information with industry partners, identify vulnerabilities, and recover from malicious cyber activity."
According to SecurityWeek, the strategy covers fiscal years 2024 through 2027.
APT29 launches phishing campaign against German politicians.
Researchers at Mandiant warn that APT29, a threat actor attributed to Russia's SVR, launched a phishing campaign against German politicians in late February 2024. The phishing emails impersonated invitations to a dinner reception and were designed to deliver the WINELOADER backdoor discovered by Zscaler last month.
Mandiant states, "Notably, this activity represents a departure from this APT29 initial access cluster’s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content — a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations."
Chinese threat actors target ASEAN entities.
Palo Alto Networks' Unit 42 has published a report on two Chinese APTs that are conducting cyberespionage against "entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN)." The first threat actor, Stately Taurus, earlier this month launched malware campaigns against organizations in Myanmar, the Philippines, Japan, and Singapore. The second threat actor has targeted government entities in Cambodia, Laos, and Singapore. This group compromised at least one entity associated with ASEAN.
Unit 42 notes that "ASEAN-affiliated entities are attractive targets for espionage operations due to their role in handling sensitive information regarding diplomatic relations and economic decisions in the region."
Florida cities disrupted by cyberattacks.
The city of St. Cloud, Florida, disclosed a ransomware attack that affected city services and shut down some phone lines, the Record reports. The city stated, "While many City departments have been affected, City government remains open and is operating as best as possible until the issue is resolved. In-person payments for Parks and Recreation events and services are temporarily cash-only. Online facility reservation payments and online event registrations are still accepting credit card payments. Police and Fire Rescue are responding to calls for service. Payment for services at the Transfer Station temporarily will be cash only, and all trash and recycling collection routes will operate as scheduled."
Pensacola, Florida, also sustained a disruptive cyberattack over the weekend that knocked out the city government's non-emergency phone system.
Threat actor targets Indian government and energy entities.
Researchers at EclecticIQ are tracking a malware campaign that's targeting Indian government organizations and the energy sector: "Analysts identified that multiple government entities in India have been targeted, including agencies responsible for electronic communications, IT governance, and national defense. Moreover, the actor targeted private Indian energy companies, exfiltrated financial documents, personal details of employees, [and] details about drilling activities in oil and gas. In total, the actor exfiltrated 8,81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government's infrastructure."
The researchers don't attribute the campaign to any known threat actor, but they believe the goal of the operation is cyberespionage. The threat actor gained initial access via phishing lures that delivered a modified variant of the open-source information stealer HackBrowserData.
PyPI temporarily suspends project creation and user registration to deal with malware.
The Python Package Index (PyPI) late Wednesday night suspended new project creation and new user registration in order to "mitigate an ongoing malware upload campaign," Checkmarx reports. PyPI said Thursday morning that the issue had been resolved.
Checkmarx says the incident involved malicious Python packages that were uploaded to PyPI yesterday: "The research team of Checkmarx simultaneously investigated a campaign of multiple malicious packages that appear to be related to the same threat actors. The threat actors target victims with a typosquatting attack technique, using their CLI to install Python packages. This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extension data, etc.) and various credentials. In addition, the malicious payload employed a persistence mechanism to survive reboots."
Suspicious NuGet package appears to target developers in the industrial sector.
Researchers at ReversingLabs have identified a suspicious package hosted by the open source package manager NuGet that may be tied to "a malicious software supply chain campaign with the goal of conducting industrial espionage on systems equipped with cameras, machine vision, and robotic arms." The package, called "SqzrFramework480," is designed to take screenshots and send them to a remote server.
The package appears to be targeting "developers working with technology made by BOZHON Precision Industry Technology Co., Ltd., a China-based firm that does industrial- and digital equipment manufacturing."
Crime and punishment.
The US State Department is offering up to $10 million for information leading to the identification or location of members of the ALPHV/BlackCat ransomware-as-a-service gang. One of the group's affiliates was responsible for the attack against UnitedHealth Group's Change Healthcare platform last month, which caused disruptions at thousands of healthcare providers across the US for weeks.
Law enforcement in Romania and Spain have arrested nine individuals who were allegedly "engaged in the publishing of fake advertisements for cheap holiday rentals," Infosecurity Magazine reports. Europol said in a press release, "Although this sort of cyber fraud is not new, the level of sophistication exhibited by the gang involved in this case is unprecedented, and a multifaceted investigation was required to crack the case." The police searched twenty-two houses in Romania and seized 174,000 euros and 41,000 Romanian lei.