
Gingham Typhoon’s Cyber Expansion Into the South Pacific
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cyber crime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. Hello and welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo and I am joined by my colleague Nick Monaco, principal threat intelligence analyst at Microsoft and the Microsoft Threat Analysis Center. Nick, how are you?
Nick Monaco: I'm great. Thanks for having me.
Sherrod DeGrippo: Thanks for coming on. We're here to talk about the recent release of a report from Microsoft on East Asia and let's kind of get right into it. Let's talk about China cyber operations. One of the first things in the report is about Gingham Typhoon. One of the things I thought was interesting about Gingham Typhoon is that they're saying it's going after executive offices in government, trade related departments, internet service providers, and transportation entities. What have we learned about Gingham Typhoon lately?
Nick Monaco: Yeah. Gingham's done some really interesting stuff. I would say broadly just to frame the report before we jump in this report looks into cyber operations as well as influence operations within the East Asia realm and that mainly means Chinese government linked actors as well as North Korean government actors. So Gingham Typhoon is one of the cyber actors we track at Microsoft Threat Intelligence and in this report we look into Gingham's recent kind of expanding of its targets into the South Pacific islands. So I think one of the most interesting things that's going on there is Gingham has actually been targeting strategic partners as well as other targets that may not be perceived of as strategic partners. And a really interesting case here is Papua New Guinea. Papua New Guinea has benefited a lot from Belt and Road Initiative projects which are led by the Chinese government, but it's still getting targeted by these kinds of cyber attacks and espionage attacks. So Gingham seems to be really pursuing a lot of targets within the South Pacific island chain.
Sherrod DeGrippo: So the Belt and Road Initiative, for those of you who aren't familiar, is essentially an economic cooperative and partnership agreement across multiple different countries that China wants to engage in trade with. And it's interesting that China is putting a significant amount of targeting on one of those Belt and Road partners.
Nick Monaco: Yeah. Absolutely. And actually this is something that's consistent. We released two reports in the last year. The first was September 2023 and the most recent one that we'll mostly talk about today was in April of 2024. But we actually found that strategic partners were being targeted by cyber activity, hacking, espionage, in that September 2023 report, the first one that we put out as the East Asia team or our lead research at the Microsoft Threat Analysis Center.
Sherrod DeGrippo: Okay. So that's where we're leaving Gingham Typhoon. Let's move on to Nylon Typhoon. For those of you who don't know, the Typhoons are China based threat actors. That's -- it's the naming convention debate raging on eternal. But any actor that has the suffix of Typhoon is generally associated with nation-state sponsorship out of China. And so we're looking at Nylon Typhoon going after foreign affairs entities in countries globally between June and December of 2023. Anything we should know about Nylon Typhoon's targeting and what kind of things they're doing there?
Nick Monaco: Yeah. There's definitely a wider scope of targets and it appears to be more aligned with strategic kind of geopolitical collection and intelligence collection all around the world. South America and Europe are just two of the regions that we reported on in this report where we saw some extra activity from Nylon Typhoon. I'm going to go back to Gingham Typhoon. One thing I forgot to mention is these are sophisticated spear phishing campaigns that we're seeing from Gingham Typhoon in the South Pacific islands.
Sherrod DeGrippo: Okay. And so with Gingham Typhoon they're leveraging essentially email as a vector to distribute malware?
Nick Monaco: Yeah. That's right.
Sherrod DeGrippo: Okay. Let's take a look. The number one China actor that we hear the most about in my world is definitely Volt Typhoon. I was on a panel at the RSA conference in May talking with a panel of representatives from CISA, from NSA, and from the FBI about Volt Typhoon. Volt Typhoon typically targets American interests that have to do with critical infrastructure. So let's talk a little bit about from this report what we're seeing with Volt Typhoon.
Nick Monaco: Yeah. I mean I think the biggest news about Volt Typhoon in the Microsoft world in the last year or two has been the big hack that happened in 2023 that was targeting, just as you mentioned, U.S. entities. Volt Typhoon is very sophisticated. They do a lot of very interesting things. They keep us very busy.
Sherrod DeGrippo: Yeah. I've seen that Volt Typhoon continues to be active even up to now. One of the things that sets them apart, I guess really two things that set them apart, is that they're heavily living off the land. So they find remote management and monitoring software that is existent within the network currently and they leverage that. They also love the edge devices. So they're very focused on compromising residential or small office routers and leveraging those to launch attacks from residential IP space which can be very concerning if you're not able to suss out that kind of traffic because it just blends in with the rest of your residential traffic.
Nick Monaco: That's absolutely right. Yeah. And that's one of the things that's tough to do even on the security and detection side if you're doing living off the land techniques and compromising small office or small home routers. It can be tough to find that there are bad actors doing that. It takes a little while to catch on and those residential IPs at those very specific IPs often are used for legitimate purposes so it can take a while to figure out that they're being used for nefarious purposes.
Sherrod DeGrippo: Another thing about living off the land that I sort of dug into because one of the things customers ask me a lot, people ask me a lot, is, "Oh, how do we protect from living off the land?" Because it's so popular now. It is one of the hardest things to defend against, but there is a really comprehensive CISA guide about how to understand living off the land, how to hunt for it, and how to protect yourself from threat actors that leverage those techniques of applications that are resident on the system that aren't necessarily malware or aren't necessarily any kind of privilege escalation or anything. Like they're just apps that are meant to be on that machine and when they're leveraged by those threat actors they can kind of go unseen within the environment.
Nick Monaco: It can be very tough. Yeah. There was a story a few years ago I believe in 2018 there a while ago where there was several thousand, tens of thousands, routers that were actually compromised before delivery. So that's the kind of thing that makes living off the land kind of impossible to fight against if you have a router you buy that's already compromised that you don't know about. There are always hardening techniques you can use to bolster your home system, kind of use different networks for different activities, but yeah. If you have -- if you have a bad router from the get go it's very tough to keep yourself from being compromised.
Sherrod DeGrippo: And I think that's something too. Like I'm so network focused on a lot of things, but I think that's where ingress and egress traffic monitoring really kind of helps with noticing if there's activity coming out of your particular infrastructure that looks suspicious. Let's talk influence operations, which is something, Nick, I'm pretty up front about the fact that I'm not an influence operations analyst and don't really know a ton about it.
Nick Monaco: That's totally fine.
Sherrod DeGrippo: What that creates is that every kind of IO that I talk about with those in the Threat Analysis Center I'm constantly shocked. And one of the things that really sort of threw me here to start are these AI generated news anchors doing fake news. Like they're not even real anchors. Obviously the news is fake, but Storm-1376 is using AI generated news anchors for at least it looks like this past six or nine months. And tell me what we're getting for this.
Nick Monaco: Yeah. Absolutely. I'll start by noting that like I think that this is common to people in the security industry, you know. We're as a large umbrella MTAC is part of that, the Microsoft Threat Analysis Center. We look into influence. But I think there's a natural reaction when we start talking to other people about their fields of expertise and the stuff they do every day to get a little intimidated and surprised because there's a lot of crazy stuff going on. I think within your own orbit of research -- certainly for us a little bit at the Microsoft Threat Analysis Center you get a little desensitized to an extent. That shock you're talking about I remember feeling at the beginning of starting this career like 10 years ago, but now it's just kind of what's going on, how can I analyze this, and what's the best approach for figuring out how to spread awareness and ultimately disrupt these campaigns? So yeah. So Storm-1376 is who we refer to in the report. You alluded earlier to -- so Storm-1376 is now known under several names. Probably the most widespread of them is Spamouflage. There have been research reports on Spamouflage for about five years now. DRAGONBRIDGE is the term that Mandiant uses, another cybersecurity company. And then Taizi Flood is the name that we're using now at Microsoft. And I'm happy to go into what Floods are if that's of interest.
Sherrod DeGrippo: That was going to be my next question. Flood is not a suffix that I work with very often. So what's Flood?
Nick Monaco: Yeah. So with the recent in the last year we kind of did an overhaul of the Microsoft threat actor naming convention. You've heard a lot about different kinds of Storms. So Typhoon is a designation that is applied to Chinese government related threat actors. So Volt Typhoon being one of those that we just talked about, Raspberry Typhoon, Granite Typhoon. Similarly in Iran we have Sandstorm. I know my colleagues Bryan and Nirit were on your podcast a few months ago talking about Cotton Sandstorm which is a big threat actor in that zone. And then cyber actors associated say with the North Korean government are Sleet. So Jade Sleet, Sapphire Sleet, all kinds of stuff like that. So that's on the kind of hard cyber side, the people who are doing the hacking and doing the cyber operations. In the influence operations domain once we find an actor that we have enough attribution data on according to the diamond model we upgrade them to a Flood. So a Flood is simply an influence operations actor that is associated with a government of some sort. So Taizi Flood is the new name for Storm-1376 and what happened there is we kind of filled out the diamond attribution model and they're no longer a Storm. We've upgraded them to a Flood. So Taizi Flood is the new name at Microsoft for Spamouflage if that makes sense.
Sherrod DeGrippo: That does make sense and it also makes sense why I have not encountered any Flood actors generally in my work because, for those listening, they know that I'm crime time when I can be. And crime is Tempest so I try to spend at least half of my time in the Tempest world.
Nick Monaco: There will be more Floods coming out through MTAC. We're kind of going through that diamond attribution model and had several on the Russia side and the Iran side that we'll start referring to as Flood. So it's something you're going to be hearing as much as you hear Sleet or Typhoon or any of those things on the cyber side. So Taizi Flood or Spamouflage as it's commonly known is an actor that's been active for about five years now in the cyber space. I always like to give a little bit of background on Chinese influence operations when I give talks to people or discuss these matters. So China's really only been active in terms of internet influence operations for about five years. Things have changed a lot since then. There are a lot more actors on the scene. They're getting better at language localization, stuff like that. But one of the main actors that not only MTAC, but a lot of Chinese influence operations researchers track is Taizi Flood or Spamouflage. This is a well resourced actor. It has tens of thousands of accounts. You may have heard the headlines about six months ago about Meta taking down its largest influence operation of all time. That was Spamouflage or Taizi Flood. I believe the number was something like 10,000 accounts. So basically this is a persistent manipulator resistant influence operations actor that spreads a high volume of content. Currently we're tracking them in 58 languages on over 180 social media platforms and websites. So they really go for it in terms of scale. It's not always the most sophisticated content.
Sherrod DeGrippo: So that's an interesting thing and I feel like everyone listening is like learning influence operations along with me because I don't know a ton about it. So you say they're not super sophisticated. But at the same time they have this really big language capability. So is this a situation where sophistication isn't necessary because they've got big scale?
Nick Monaco: I think that that may have been one of the hypotheses that was used to launch these operations. I think that that hypothesis has largely proven untrue. They've been caught a lot and every time they're caught I refer to them as the hydra of influence operations which basically a hydra was a Greek monster that had snake heads and if you chopped one head off two would appear in its place. Basically the same thing is the case with Taizi Flood. If you take down one account, nine appear in its place. So every time it comes back bigger than it was before. I would say that, you know, for the most part the big social media platforms have done a good job of kind of down ranking or catching this kind of content since it can be quite formulaic. Oftentimes it doesn't hit eyeballs that are not other Spamouflage or Taizi Flood assets. So yeah. I don't think it's done a great job. There have been some instances, but they haven't done a great job at breaking out of their bubbles so to speak. But as you rightly pointed out the language capabilities are pretty -- pretty interesting. And we've seen some slight improvements in the last year. So that is likely due to generative AI which can not only produce a language -- a prompt in a language that you don't speak, but can produce it in a way that sounds quite native.
Sherrod DeGrippo: One of the things that this particular threat actor has sort of been attributed with is something that I was reading through this report and I stopped in my tracks. I took my hand off my mouth. Like my mouth dropped open. There are posts created by this threat actor alleging that the United States government has a weather weapon and can control weather.
Nick Monaco: Yeah. So there's never a dull moment in doing this research. There's always interesting new conspiracy theories that are heard particularly when you're tracking actors like Taizi Flood. So that was one of the most interesting operations that we came across I would say in the past year. We released our first report on East Asia, the threat landscape, in September of 2023. Literally the next day we detected this operation from Spamouflage, from Taizi Flood that was spreading AI generated photos of fires that were very dramatic and posts in, you know, over three dozen languages saying that the U.S. had created a weather weapon or a meteorological weapon and that the Hawaii wildfires that were taking place at the time were actually an experiment of the U.S. government to test on its own population. This was terrifying and this was -- there were a couple salient kind of lessons I took from this particular operation. One of them is the speed with which it took place. Like this was right when the Lahaina wildfires took off and we saw Spamouflage within days spreading tens of thousands of messages in over 30 languages about this thing. The other was it was one of the first operations where we saw AI weaponized to augment and influence operations. So there were pictures of crazy fires and burning buildings and stuff like that that to the naked human eye looked very real, but in fact were AI generated. We used some in house tooling and other investigative techniques to uncover that. So it was a very concerning event.
Sherrod DeGrippo: If you're listening and you want to see these images, they are in the report that you can download and we'll link that in the show notes so you can look at these pictures. I'm looking at them now. And, you know, just to the naked human eye they don't look AI generated. They look very real.
Nick Monaco: And this is a pattern we're seeing not only in this particular case study, but around the world. So earlier you mentioned these AI generated news anchors. Taizi Flood has actually been using AI generated news anchors since I think a little more than a year. So February 2023. Graphika, an influence operations research startup I used to work at, actually released a report called "Deepfake It Till You Make It" that showed that they were using news anchors for kind of smaller operations, but we saw a much greater use of them recently in January and December during the Taiwanese election. So Taizi Flood was using AI generated news anchors to spread negative and false information about the sitting president of Taiwan at that time. And there were thousands of videos that were uploaded within a matter of hours or days on YouTube. They were actioned very quickly, but you can find all kinds of open source reporting on this from places like the "Taipei Times" or of course documented in our report that we just put out. Interestingly this tool that they use for these AI generated anchors was CapCut. This is -- one of the points I wanted to bring up in this interview is that propagandists are pragmatists which is to say they don't always use the most sophisticated or most impressive tools to get it done, to spread their message. So by no means am I alleging that this was a high level conspiracy or anything like that. I think this is more just that CapCut was an available tool. Taizi Flood needed a tool to make these AI generated anchors and this was one that was at their disposal.
Sherrod DeGrippo: I saw that in the report as well which I thought that was interesting. And then another one with the same actor. You know I have to say this probably is the first time in my 20-year career in information security and threat intelligence where I have seen a picture of Godzilla in a report as part of the legitimate illustrations of threat actor activity and in this one they're going after the Fukushima wastewater situation. Essentially it looks like they're condemning Japan's choices to dispose of wastewater. Tell us a little bit more about this one and help me understand like Godzilla good choice or bad.
Nick Monaco: Yeah. I'm laughing for two reasons. One is just the humor of using Godzilla in an influence operation which personally I think is funny and good. That's engaging content. People want to read what the post is. The second is just that I've been trying to finish "Godzilla Minus One" for the last five days and I keep falling asleep. I don't know why. It's not a boring movie at all. That's just that's my bad. I think I'm too tired at the end of the work day.
Sherrod DeGrippo: It looks so good.
Nick Monaco: It's great.
Sherrod DeGrippo: "Godzilla Minus One." I haven't seen it also, but I'm too stressed out for that. But the reason it's called -- right? It's too stressful for me. But you're falling asleep. So maybe that shows the different scale of our --
Nick Monaco: I think you can handle it. Yeah. So yeah. This actual incident is at the core of two of the case -- two of the four case studies that we present on Taizi Flood's influence operations in the last six months here in the report. So Japan began disbusing -- or excuse me. Disposing of radioactive nuclear wastewater. This was treated wastewater critically. Into the Pacific Ocean in late August of 2023. The international -- what was the atomic energy agency did a scientific assessment beforehand claiming that it was safe, using science to kind of make sure that this was a safe thing to do for the world. And consistently this has been a main talking point for not only Chinese state media, but also for covert assets like Taizi Flood. So covert influence operations actors. So I think it's really an area where we can see covert influence operations, what we think of when we think of influence operations, social media accounts that don't claim to be Chinese, but are. They all line up with this messaging of casting doubt on the International Atomic Energy Agency's assessments on the morality of Japan's decision to do these things. And the goal behind that is really to sow discord within the Asia Pacific region. So we talk about Japan. I could jump into Korea, but it looks like you have a question. So I'll let you go.
Sherrod DeGrippo: So that's an interesting piece of it. Leveraging these, you know, potential ecological concerns. And the other thing I'm noticing is that if you're sort of on the fringes, if you're a little bit prone to conspiracy theories, you could really take some of these posts and memes and AI generated news anchors and AI generated images and not just share them, but create almost like further information operations, influence operations, of your own as a consumer that then I can imagine people not just amplifying these, but going deeper and finding more things.
Nick Monaco: Yeah. Absolutely. And I mean I think this is a great instance in which to highlight like there's genuine outrage about this particular decision. Right?
Sherrod DeGrippo: The wastewater decision?
Nick Monaco: And so this is one of those issues that's kind of ideal for influence operations. Right? You do have grassroots people. You have grassroots organizations that are angry about a particular decision, a particular event. You can amplify that discord and then layer your own messaging on top of it as with a lot of political and social topics. This is a complex one so by no means am I saying any side's right or wrong, but it is a good case study in which you can see taking organic outrage and kind of layering on additional covert and overt messaging on top of it.
Sherrod DeGrippo: That's one of the great things about the internet. So let's talk just really quickly about this one -- this final piece for China and it's about sock puppets which I'm old school LiveJournal so sock puppets are near and dear to my heart. Yeah. A lot of people don't know I'm that old, but I am. So I love that we're talking about Chinese influence operations sock puppets, but something I noticed really about this section of the report is that it's focused on the fact that a lot of these posts end with a question to the reader. So one example is, "Only under the Biden administration could the U.S. military lose an $80 million F-35 jet in the air. What do you think about this?" And then the other one is talking about a border aid package. You know, calling Ukraine and Israel in a single post which is really hitting a lot of hot button issues and then the last question is, "What's your reaction?" So can you kind of help us understand like what's with the -- what's with the asking for input?
Nick Monaco: Definitely. So I think one of the main points I may have alluded to earlier, and if I didn't I meant to, about evolution of Chinese influence operations over the last five years is that there are multiple actors. We're tracking multiple networks. I've talked a lot about Taizi Flood or Spamouflage in this interview, but there are other actors and other networks that we're tracking that are active. And this kind of network of IO sock puppet accounts that you're alluding to is one of them. This is not Taizi Flood. This is a separate network of actors that are cultivating kind of patriotic American accounts that look very much like real accounts. There's a lot more effort put into kind of giving them social capital, making them look genuine. And, as you said, they're talking a lot about divisive issues. But interestingly we noticed that they're starting to do a lot of polling on X. On what was formerly known as Twitter. So they'll talk about these hot button issues and they'll say, "How do you all feel about this?" We have two hypotheses for what's going on here. And by no means are they mutually exclusive. One is to gain engagement. So get more followers around these accounts that they're putting a lot of time and effort into so that they can spread their messaging possibly in later months of 2024. Another is just to simply learn more about the American political landscape. One of the chief differences I would say between say Russian influence operations on one hand, 2016 being the classic example, and Chinese influence operations is that Russia has a very sophisticated detailed knowledge of the American social and political fabric that it used in those operations in 2016 and beyond. We haven't seen the same kind of nuanced understanding of social and political issues in the United States from China as it regards online influence operations.
Certainly in what I call offline influence operations, things like United Front Work Department operations and what's referred to as sharp power operations, kind of more person to person operations, China understands very well how the United States works. But it's clear on the influence side there's kind of a lack of nuance there, a lack of understanding about what's going on. So these polling kind of incidents seem to be a way to kind of do recon in real time and say like how do these Americans feel about these topics and how can we message on them. So kind of a preliminary stage to more advanced messaging.
Sherrod DeGrippo: And then I think also it could stand to reason that the actor could take all of those responses, put them into an LLM, do sentiment analysis, and get some kind of people that responded to this the consensus among them is XYZ.
Nick Monaco: Sure. I mean there's a lot you could do with an LLM on that regard. Another one of them that we already alluded to is just making more kind of natural language. Like how do -- how do the respondents speak about these things and how can we speak about them in a more legitimate and nuanced way? Kind of a challenge for Chinese influence operations in the last five years has been in Chinese domestically certainly when spreading the party's message there's a tendency to adhere to what's called tifa which is wording. Whatever the party wording is about a particular event you will see it kind of cascade down from the top to the bottom. And they use the exact same characters, the exact same wording, every single time verbatim.
Sherrod DeGrippo: On message.
Nick Monaco: On -- exactly. It's very scripted. And this is something that they've tended to do in the past in other languages like in English or French or whatever it may be, but it feels stilted. It feels strange. It doesn't really land as well with audiences. So this is an area where LLMs can kind of help to understand like what's the best way to naturally translate this message in a way that might land better. Another evolution we've seen in the last few years that has also been a more human solution to this problem is using and co-opting influencers to spread that message in local languages. And we have an old, old blog post about this from the days of when we were a startup called Miburo. You can go to miburo.substack.com if you want to read more about that influencer initiative. It's a really interesting piece of work that the team has done.
Sherrod DeGrippo: Let's wrap up on China because we have one of my favorites coming up next. Anything that we want to leave for listeners when it comes to East Asia reporting for China?
Nick Monaco: Definitely. I think one thing that we didn't hit that I'd like to hit is just talking about Taiwan, kind of the epicenter of the stuff I research. We did a lot of work on the January elections in Taiwan and in the report you can see a timeline of attempted AI influence from Taizi Flood, the actor that we've been talking about, the Chinese government linked actor. So I encourage people to check that out and I'd also just add that we built on the great work of a lot of organizations on the ground in Taiwan which has a really robust civil society and tech sector. So MyGoPen, the Taiwan FactCheck Center, the "Taipei Times," IORG, the Information Operations Research Group, and Doublethink Lab are all doing a lot of great work which I really think helped contribute to understanding what the information ecosystem was in this last election in January 2024.
Sherrod DeGrippo: So one of the regions that I love talking about and we in fact did a full episode of the Microsoft Threat Intelligence Podcast on the threat landscape in DPRK, North Korea. We did that back in January 2024. Nick, what's going on with North Korea actors? Obviously I enjoy hearing about that threat landscape because it is so crime adjacent. What are we seeing?
Nick Monaco: It's a fascinating landscape and you know we have team members that do really great deep work on this stuff. So I'm standing in for them, but yeah. Excited to talk about it. So the -- as I mentioned before, the cyber actors that we attribute as being linked to the China -- or excuse me, the North Korean government we refer to as Sleet. So Jade Sleet, Sapphire Sleet, and Citrine Sleet are three actors that have been involved in the last year in crypto heists. So hijacking crypto exchanges or cryptocurrency. While it's -- and they've gotten up to 1 billion U.S. dollars in 2023 alone through these heists. So very impressive numbers. If there are any Darknet Diaries fans out there there's some great episodes of that podcast where they talk about big North Korean heists of crypto exchanges, but I would say this is a continuation of what we've seen in past years from North Korean actors, but you know it never fails to impress me and it sounds like you as well how much money comes from these operations. And these are in turn used to fund government programs including likely nuclear and missile programs. So it's a big priority, perhaps the top priority, of the North Korean government and their cyber actors.
Sherrod DeGrippo: Yeah. So let's go ahead and walk through some of these actors. I love the naming convention honestly because the Sleets are typically prefixed with some kind of gemstone. So Jade, Sapphire, Citrine. Moonstone is one that we recently released a blog on. Tell me what's happening with the Sleet actors.
Nick Monaco: There's a lot of interesting stuff in the report about how they're using back doors in software or using AI tools to kind of enhance and augment their cyber operations. Perhaps less surprisingly I'd say they're continuing to target probably the adversaries you would think about, South Korea, the U.S., and Japan being some of the main ones. And those are usually for intelligence collection purposes. Another thing that I think jumps out of the report is the education being one of the top targeted sectors from North Korean actors, and the rationale there we think is to just keep tabs on prominent academics studying topics of interest to the attackers and the North Korean government. So the idea there being access to innovation and technology, keeping tabs on diaspora and dissidents, and just kind of doing that traditional intelligence collection virtually which is certainly not a trend that's unique to North Korea in terms of keeping tabs on dissidents and academia, but we can see in this last report it was a big focus in the last year.
Sherrod DeGrippo: One of the things that really stuck out to me here is Sapphire Sleet going after employees, executives, and developers at cryptocurrency websites targeting venture capital and other financial organizations. Also they're using things like fake meeting invites containing a link to the attacker's domain. They're registering fake job recruiting websites. So they're creating this entire apparatus for socially engineering potential employees that I think are cryptocurrency employees or venture capital employees. They're really going after the cryptocurrency hard.
Nick Monaco: Yeah. And I think that the past justifies their wanting to go after that. They've been pretty successful. And it's been a good way for them to make money. So, as with any game theory, I think the more rounds you play the more sophisticated you need to get to fool people with social engineering attacks like this and stuff like that. But by all means they've been successful in getting a lot of money from these cryptocurrency exchanges. So I think we can expect that it will remain a primary target of North Korean cyber actors in the future.
Sherrod DeGrippo: I think that they're going to continue after cryptocurrency, yeah. I mean they found their stride with it. It's their focus and they're experts in it. I also see that Diamond Sleet and Onyx Sleet use TeamCity, CVE-2023-42793. We actually have a blog on that one as well, and that allows remote code execution. So they're going after the software supply chain as well to be able to get into their victims in the United Kingdom, Denmark, Ireland, Germany -- going after software, which is pretty interesting, that they have sort of caught on to the software supply chain trend.
Nick Monaco: Yeah. I mean these are sophisticated attacks, but if you can pull them off they really give you a great amount of access to a broad set of victims. Very troubling and hopefully they aren't very good at it and get worse at it, but it's certainly something we continue to track and keep an eye on at Microsoft Threat Intelligence.
Sherrod DeGrippo: So let's wrap up with just one thing that I get asked about all the time, which is threat actors using AI. For North Korea they are doing things with LLMs to be more efficient, more effective, and the report talks about how they leveraged OpenAI via our partnership with OpenAI and research we did with them to enhance spear phishing campaigns and do research. So what do you think is going to be sort of the relationship for North Korean based threat actors and AI going forward? Because it seems a little dangerous to put AI in the hands of such an isolated populace. It seems dangerous for the administration.
Nick Monaco: I think there's a couple of things there. I think you can -- this is a big question right now in the AI field. Right? There are governments that historically have been quite keen to contain information and then you have these LLMs that are generative AI that produce information. How do you constrain what a generative model does? Perhaps you can train it on a limited set of training data, but there's always the risk that, you know, weights are downloaded from somewhere else or you train on a larger set of data if you're an individual who knows how to do that kind of thing. So I think that this speaks to a problem that we've kind of chatted about a few minutes earlier, which is just helping to enhance and kind of naturalize and really localize language to make it more convincing. And when you're doing these social engineering attacks or these phishing attacks, you're sending an email to someone, the more convincingly you can seem not only like a native speaker, but like a boss or like a senior employee and talk in a way that's more convincing that you might be someone who's higher up, the higher the probability that these attacks are going to succeed. So this is one of many ways we're seeing AI being used to augment these kinds of cyber operations. We talked earlier about augmenting influence operations. We can definitely expect to see more abuse in the future.
Sherrod DeGrippo: And we worked with OpenAI at Microsoft to disable those accounts that we found being used by threat actors. So that partnership has been really good and there's also a blog post that we'll link in the show notes. Nick, anything else we need to know about North Korea from a threat actor perspective?
Nick Monaco: Just keep keeping an eye on them. Keep your Bitcoin wallet safe, or your crypto wallet safe. Make sure you have good passwords and protection for those.
Sherrod DeGrippo: Nick, thank you so much for joining us. I was joined today by Nick Monaco, principal threat intelligence analyst at the Microsoft Threat Analysis Center. That was pretty fun. Thanks for the east Asia update.
Nick Monaco: Thank you, Sherrod. Great to be here.
Sherrod DeGrippo: Thanks for listening to the Microsoft threat intelligence podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out. Msthreatintelpodcast.com for more. And subscribe on your favorite podcast app.