
Investigation into Cyberespionage Campaign by China’s Ministry of State Security: CSRB Examines Microsoft Exchange Breaches, Industrial System Attacks, and Satellite Communications Threats


A wide-ranging cyberespionage campaign conducted on behalf of China’s Ministry of State Security has been uncovered by Recorded Future’s Insikt Group. The campaign, known as RedHotel, primarily targets Southeast Asia but has also been active in other regions. Microsoft tracks RedHotel as Charcoal Typhoon, while Secureworks calls it Bronze University. The operation is believed to be run by contractors based in Chengdu on behalf of the Ministry of State Security. Recorded Future notes that RedHotel has been active since at least 2019 and stands out for the unusual scope and intensity of its operations. The threat actor uses shared commodity tools such as ShadowPad and Winnti as well as bespoke malware like Spyder and FunnySwitch.

In response to cyberespionage activities, the US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has announced that it will focus its next review on identity management and authentication in the cloud, specifically in relation to the recent cyberespionage against Microsoft Exchange Online. The board aims to develop actionable recommendations to enhance cybersecurity practices for both cloud computing customers and cloud service providers. This investigation is the third inquiry conducted by the CSRB, following its earlier reports on Log4j and the Lapsus$ group. Microsoft has characterized the intrusion as espionage and has attributed it to a China-based group it tracks as Storm-0558.

The cyberthreat landscape also includes attacks against industrial systems. Kaspersky warns that a new version of the SystemBC malware was used in an attack on a critical infrastructure power generator in an undisclosed southern African nation. The attack involved Cobalt Strike beacons and DroxiDat, a variant of the SystemBC payload. The incident has been tentatively attributed to a Russian-speaking cybercriminal gang known as FIN12, which has previously targeted the healthcare sector and is financially motivated.

Kaspersky has also discovered that APT31, a threat actor affiliated with the Chinese government, has been targeting industrial systems in Eastern Europe. APT31 aims to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. The group has been implicated in industrial espionage and political intelligence collection.

In the realm of satellite communications, CSO Online provides insights into the incident response lessons learned from the Russian cyber operation that disrupted Viasat service in Ukraine during Russia’s invasion in February 2022. The attack involved a well-timed wiper deployed against Viasat’s Ka-band satellite communications network, resulting in the shutdown of thousands of ground-based modems. Viasat’s key takeaways were the importance of incident response planning, information sharing, and a baseline understanding of normal operations so that anomalies can be recognized. One mystery surrounding the incident is how the Russians obtained the credentials used to gain access to Viasat’s FTP server.

Additionally, Ukraine’s State Security Service (SBU) has claimed that Russia’s GRU is attempting to deploy malware against the Starlink satellite communications system to collect data on Ukrainian troop movements. The SBU has discovered ten malware strains in the GRU’s campaign, including an infostealer designed to gather data from the Starlink system. The focus of this campaign is espionage rather than disruption or sabotage.

In terms of cybersecurity developments, CISA has released two Industrial Control Systems Advisories covering vulnerabilities in Schneider Electric and Rockwell Automation products. The advisories provide information on the vulnerabilities and recommend mitigation measures.

In terms of law enforcement efforts, INTERPOL and AFRIPOL have announced Africa Cyber Surge II, a coordinated action across twenty-five African countries that resulted in fourteen arrests and the identification of thousands of “suspicious cyber networks.” The action was supported by private-sector partners Group-IB, Trend Micro, Kaspersky, and Coinbase. In a joint operation, the Polish and US authorities took down the LolekHosted bulletproof hosting provider, which was involved in various criminal activities, including NetWalker ransomware attacks.

Several class action lawsuits have been filed against Johns Hopkins University and Health System, alleging failure to protect private data. The breach occurred when attackers exploited a vulnerability in the MOVEit Transfer file transfer software, impacting approximately 300,000 individuals. Hopkins is one of many organizations affected by the MOVEit supply-chain issue, with an estimated 46 million individuals impacted worldwide. Cybersecurity experts note that even organizations like Hopkins, which prioritize cybersecurity, were practically unable to avoid exploitation via the MOVEit bug.

In terms of policy and procurement, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Remote Monitoring and Management (RMM) Cyber Defense Plan. The plan aims to defend against threat actors gaining access to the servers of managed service providers (MSPs) and managed security service providers (MSSPs) through RMM software. It emphasizes operational collaboration and cyber defense guidance as its two key pillars.

Overall, the wide-ranging cyberespionage campaign by China’s Ministry of State Security, the investigation by the Cyber Safety Review Board into cyberespionage against Microsoft Exchange, attacks against industrial systems, and threats to satellite communications highlight the ongoing challenges and evolving nature of the cyberthreat landscape. These incidents serve as a reminder of the importance of robust cybersecurity measures and the need for continuous vigilance and adaptation to counter cyber threats.
