
Cyberattack on the ICC: CISA and FBI Alert on Snatch Ransomware and Cybercrime Developments


The International Criminal Court (ICC) recently announced that it had experienced a cybersecurity incident, affecting not only the ICC’s staff but also lawyers for both victims and accused. The exact nature of the incident has not been disclosed, and the ICC is currently investigating with the assistance of Dutch authorities. Given that the ICC is currently involved in high-profile cases, particularly those involving allegations of war crimes and crimes against humanity committed by Russia in Ukraine, there is speculation that the cyberattack may be related to these cases. Last year, a Dutch intelligence agency foiled a sophisticated attempt by a Russian spy to work as an intern at the court, further highlighting the troubled relations between Russia and the ICC.

In other news, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint Cybersecurity Advisory on the Snatch ransomware. The advisory documents the tactics, techniques, and procedures (TTPs) observed in Snatch intrusions, how the operation has evolved, and its record of hitting critical infrastructure sectors including the defense industrial base, food and agriculture, and information technology. Snatch does not only encrypt victims' data: it exfiltrates it first and then engages in double extortion, threatening to publish the stolen data if the ransom is not paid.

Activity attributed to China and North Korea also features in recent reporting. Microsoft's analysis finds that China's influence operations have become more effective, particularly on social media: China-aligned networks of accounts have engaged directly with authentic users, produced content about US elections that targeted specific candidates, and posed as American voters. China's cyber operations, as distinct from its influence operations, have concentrated on countries bordering the South China Sea, the US defense industrial base, and US critical infrastructure. North Korean cyber operations, meanwhile, have grown more sophisticated, with a particular interest in stealing research related to maritime technology.

Cisco Talos recently uncovered a new intrusion set called “ShroudedSnooper” that is targeting telecommunications providers in the Middle East. The threat actor behind ShroudedSnooper uses two implants known as “HTTPSnoop” and “PipeSnoop” to gain initial access to internet-facing servers. While the group’s tactics, techniques, and procedures appear to be new, state-sponsored groups, especially those associated with Iran and China, have recently shown a preference for attacking telecommunication providers in the Middle East and Asia.

Another threat actor, known as “Earth Lusca,” has been identified by Trend Micro. Earth Lusca is a China-aligned group that has developed a new Linux backdoor called “SprySOCKS” based on the open-source Windows malware Trochilus. The group primarily targets public-facing servers belonging to government departments involved in foreign affairs, technology, and telecommunications. Earth Lusca operates mainly in Southeast Asia, Central Asia, and the Balkans, exploiting known vulnerabilities to gain unauthorized access.

In addition to state-sponsored threats, Proofpoint has been tracking suspected Chinese cybercriminal campaigns that target Chinese-speaking users with phishing emails carrying malware. The campaigns are low-volume and are typically sent to global organizations with operations in China; the recipients have Chinese-language names or use company email addresses tied to those China-based operations. While most of the activity focuses on users in China, at least one campaign has targeted Japanese organizations, which suggests the actors may be expanding their scope.

In a separate incident, Microsoft’s AI research team accidentally exposed 38 terabytes of private data, including secrets, private keys, passwords, and internal messages, due to a publication mishap on a public GitHub repository. The issue has since been fixed, and Microsoft assures that no customer data was exposed.
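The kind of pre-publication check that would have caught the material listed above, as an added example written for this page (it is not code from the article, and not Microsoft's own tooling): a small scanner that walks a directory about to be pushed to a public repository and flags private keys, password assignments and credential-like high-entropy strings. The patterns, the entropy threshold and the sample content are the editor's assumptions, not indicators from the incident.

```python
"""Pre-publication secret scan for a repository or dataset directory.

Added example, not from the original article or from Microsoft. Patterns and
thresholds are assumptions; the sample dump below is constructed, not real data.
"""
import math
import re
from collections import Counter
from pathlib import Path

# Signature patterns (assumed; deliberately small, not an exhaustive rule set).
PATTERNS = {
    # PEM-style private key header, any common key type.
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # password = "..." / passwd: ... (no leading \b so db_password also matches).
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
    # api_key / secret / token followed by a long opaque value.
    "generic_token": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{16,})"
    ),
}

# Long opaque runs: candidates for the entropy test even without a keyword.
# '=' is left out so "NAME=value" splits into two tokens.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64 is roughly 5-6, English prose about 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<memory>", entropy_threshold: float = 4.5) -> list[dict]:
    """Return one finding per (line, kind) for the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append({"source": source, "line": lineno, "kind": kind})
        # Entropy test. Caveat (assumption): hex-encoded keys top out at 4 bits/char,
        # so they need a lower threshold or a dedicated pattern; base64-like blobs
        # and SAS/JWT-style tokens clear 4.5 comfortably.
        if any(shannon_entropy(tok) >= entropy_threshold for tok in OPAQUE_TOKEN.findall(line)):
            findings.append({"source": source, "line": lineno, "kind": "high_entropy"})
    return findings


def scan_tree(root: Path, max_bytes: int = 1_000_000) -> list[dict]:
    """Scan every readable UTF-8 file under root; binaries and oversized files are skipped."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # not text, or unreadable: leave it to a binary-aware tool
        findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample of what a research-output directory might contain (not real data).
SAMPLE_DUMP = """\
# constructed sample of a research-output directory (not real data)
model_name = "resnet50-finetune"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
db_password = "Summ3rTime!2023"
STORAGE_SIG=abcdefghijklmnopqrstuvwxyz0123456789ABCD
notes: this block of text is prose and should not be flagged
"""


def demo() -> list[dict]:
    """Scan the constructed sample; expected hits are lines 3, 6 and 7."""
    return scan_text(SAMPLE_DUMP, "sample.txt")


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']}: {f['kind']}")
```

Run it against a checkout with `scan_tree(Path("."))` before the first public push; anything it reports should be rotated, not merely deleted from history, since a key that was ever reachable has to be treated as exposed.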

Lastly, cleaning product manufacturer Clorox has disclosed that a cyberattack it experienced in August has resulted in ongoing product availability issues. The attack damaged portions of Clorox’s IT infrastructure, leading to widescale disruption of its operations. Although production has resumed at most manufacturing sites, the company expects it will take time to fully normalize operations. The cyberattack is expected to have a material impact on Clorox’s Q1 financial results.

Overall, these recent developments highlight the persistent and evolving nature of cyber threats, with state-sponsored actors, criminal groups, and accidental exposures all contributing to the cybersecurity landscape. Organizations across various sectors must remain vigilant and adopt robust cybersecurity measures to protect their sensitive data and infrastructure.
