Hybrid War Multinational state-sponsored cyber attack news


Mi Private
MI.Net Member
Jul 21, 2022
So, I was surprised to not see a dedicated thread where members can post various cyber attacks done by state-sponsored actors for either espionage or any other purpose. So, I created this thread. Members are free to post news about cyber attacks and espionage campaigns carried out by any nation's state actors if they happen to come across it. Members are also free to discuss anything else related to such news, like how the victims are responding to it or what steps/actions were taken after the attack; any further technical insight as to how such attacks are carried out is always welcome and much appreciated.

I will go first:
Recently, in May 2022, a successful cyber attack was conducted by the suspected Indian APT actor called Sidewinder against Pakistan Air Force Headquarters, as reported by Check Point Research. The attack led to the compromise of about 20,000 files critical to the Pakistani military, which included identities of "high ranking military officers" as well. Along with it, Check Point Research found a username in one of those files called 'gnss', and they suggest that it might refer to the (BeiDou) Global Navigation Satellite System used by the Pakistani military, as other "files seen also had names relating to satellite communication, implying data around this".

Link to the report: https://web.archive.org/web/2022071...er-attacks-pakistan-military-focused-targets/

On 25 May, Australia and its partners in the Five Eyes intelligence-sharing network—Canada, New Zealand, the UK and the US—made a coordinated disclosure on a state-sponsored cyber hacking group dubbed ‘Volt Typhoon’. The group has been detected intruding on critical infrastructure since 2021, but the nature of recent intelligence on its behaviour hints at worrying developments in the Chinese cyber establishment. While the Five Eyes’ disclosure is direct in its attribution of Volt Typhoon to the Chinese government, there are many layers that need to be peeled away to reveal the true nature, and implications, of the threat.

State-aligned or state-sponsored cyber threats emerging from China can be grouped under two broad government structures: the Ministry of State Security and the Strategic Support Force. The MSS is China’s peak foreign intelligence, counterintelligence and political security agency, and the SSF is the joint information warfare command of the People’s Liberation Army, akin to US Cyber Command. While its US counterpart focuses solely on military cyber operations, the SSF has a broader mandate covering electronic warfare, strategic military cyber operations and political warfare. The SSF was founded in 2015 as part of structural reforms to the PLA spearheaded by Chinese President Xi Jinping.

The most recent intrusion highlighted by the Five Eyes isn’t the type of espionage that is the veritable background noise of enduring competition among states. Chinese cyber operators have become notorious for intellectual property theft, but their cyber espionage activity has gradually shifted to meeting other strategic imperatives, as the Volt Typhoon case shows.

Offensive cyber intrusions for specific strategic effects usually require the preplacement of technical implants and long-term access to the adversary’s network well in advance of the operation. Former White House cybersecurity adviser Chris Inglis has called these implants intelligence, surveillance and reconnaissance platforms that are ‘ubiquitous, real-time and persistent’. Volt Typhoon appears to have been performing just such a preplacement operation.

The commercially available intelligence on Chinese cyber activity can be confusing. The MSS and even the SSF use the services of politically influential private contractors to develop their offensive toolchains. The contractors may also moonlight as criminals, unabashedly using the same toolchains. This operational and infrastructural overlap means that commercial intelligence analysts end up grouping China-linked cybercrime, cyber espionage and military cyber activity into big clusters known in the industry by names such as Winnti, APT40, APT41, Barium and Hafnium. That has greatly muddied the waters.

However, it is possible to unpack these clusters. The MSS and its affiliates have been spotted on global networks and linked with sophisticated political and economic espionage operations. The SSF, working with the five geographically aligned theatre commands of the PLA, has been mainly active in China’s near abroad. After the 2015 reforms, the theatre commands inherited the old, inertial bureaucracies of the PLA and their integration into the joint information warfare command of the SSF is said to be a work in progress.

The technical reconnaissance bases (previously known as bureaus), or TRBs, are the numerous detachments hailing from the legacy structures of the PLA’s signals intelligence setup. Most of them have been reorganised into the theatre commands and are responsible for various cyber missions. The TRBs rely on a mixture of bespoke toolchains and toolchains shared with contractors and the MSS. One example is ShadowPad, which is thought to be behind one of China’s first known prepositioning operations, RedEcho. RedEcho was discovered in the Indian power grid in 2021 during the height of the Indo-China border standoff and is most likely the handiwork of a TRB under the Western Theatre Command.

A de-clustering of Chinese cyber operations undertaken for groups active in China’s near abroad and associated with the PLA was able to link intrusions to TRBs. According to this analysis, which was based on commercially available and open-source intelligence, the ‘Tonto Team’ was related to Unit 65016, a TRB of the Northern Theatre Command; ‘Naikon’ was linked to the Southern Theatre Command; and ‘Tick’ was related to Unit 61419, which is likely a TRB directly under the SSF.

There has been some debate among the experts about how the TRBs fit into the joint command structure of the theatre commands and the SSF. However, the consensus is that because the theatre commanders have managed to remain the foci in a slow-changing bureaucracy, most TRBs are more closely associated with them than with the SSF.

This is the assumption that the Volt Typhoon disclosure seems to challenge. It was undoubtedly a strategic operation and its prepositioning extends far beyond China’s near abroad. Its scope is a sign that the integration of joint information warfare forces into the PLA has matured. The military cyber elements seem to have been extricated from the stovepipes of the theatre commands and are ready to produce strategic effects extending beyond the Indo-Pacific. And the integration isn’t just militaristic but also political: the PLA is the Chinese Communist Party’s army. Strategic cyber operations are directly sanctioned by the Central Military Commission and ultimately authorised by Xi.

An alternative hypothesis is that the MSS or a team of contractors were tasked with gathering intelligence to prepare for a future battlefield. The MSS and its privateers have gone beyond their remit in the past. The 2020–21 exploitation of Microsoft Exchange, for example, which aggressively targeted many Western organisations, is thought to have been orchestrated by a regional bureau of the MSS and so wouldn’t have gone through PLA channels to the top.

That said, the Chinese cyber apparatus also relies on decentralisation and outsourcing to maintain deniability. And while the Volt Typhoon intrusion could have been the result of private contractors’ reckless manoeuvring, such a move would have been deemed risky by the Chinese political establishment, which is keenly aware of the risk of escalation in cyber operations.

The intelligence that has trickled through from the Five Eyes points to interesting doctrinal and strategic developments in the Chinese cyber establishment, especially the extent and success of its integration with the PLA. A rigorous, transparent assessment by interdisciplinary experts, aided by governments, is required to fully understand these developments and their potential consequences.
https://www.aspistrategist.org.au/r...ese cyber intrusions signal a strategic shift

Israel and the United Arab Emirates have established a global platform to fight against ransomware hackers, according to an announcement made Wednesday by Israel’s government.

This comes a day after Israel helped the UAE fend off a major cyberattack, according to the UAE head of cybersecurity Sheikh Mohamed Al Kuwaiti, reported the Jerusalem Post.

The UAE is going through "a great digital transformation" in all sectors, Kuwaiti said at the Tel Aviv Cyber Week conference Tuesday. "And, in fact, we need to do a safe and secure transformation.”

The Crystal Ball initiative announced on Wednesday seeks to enhance the sharing capabilities of cyber-intelligence collected by multiple countries to improve the collective defenses against digital crime. The advanced cloud platform is a collaboration between Microsoft Israel, the Israeli National Cyber directorate, and the UAE Cyber Council.

While introducing the Crystal Ball platform in Israel on Wednesday, Microsoft Israel CEO Alon Haimovich said that this response is needed to combat the growing sophistication of hackers.

The platform will offer "the power, capabilities, and knowledge to fight ransom attacks in real time with continuous, convenient and high-quality cooperation,” he said, in an Israeli government press statement.

The platform is designed by Microsoft as part of the International Counter Ransomware Initiative (CRI), a global enterprise led by the White House that includes 15 member states including the UAE, Germany, Great Britain, Singapore, and also the International Criminal Police Organization, better known as Interpol.

The CRI was founded in late 2022 to strengthen the global response to cybercrime. The Covid-19 pandemic, and other factors that contributed to relying on cloud-based solutions, has severely heightened the exposure of government and private entities alike.

Cyberattacks targeting government agencies increased by 95% in the second half of 2022 compared to the same period the year before. About 40% of these threats targeted India, the United States, Indonesia and China.

Vibin Shaju, the vice president of solutions engineering for Europe, the Middle East, and Africa at global cybersecurity company Trellix, said that emerging, quickly digitizing economies are prime targets.

“At the moment the UAE, Saudi Arabia and Qatar — during the World Cup — are the countries that are putting a lot of money and going digital with mega and giga-projects. This has big entities investing heavily, which is also attracting the interest of attackers,” he told Al-Monitor.

A shared data initiative, such as the UAE-Israel led Crystal Ball platform, could help faster identify the source, type or mechanism of these attacks, especially ones that are recycled and reused in multiple countries, added Shaju.

This is the case with rapidly advancing artificial intelligence, which allows hackers to automate the generation of ransomware and attack multiple entities more easily. Yet at the same time, artificially generated ransomwares are similar and can be spotted.

“The base model and the symptoms are the same. It has been done before and is easy to identify,” said Shaju, especially as more entities and countries share their knowledge of cyberattacks with one another.

Although the fast evolution of automated ransomwares makes it difficult to keep up, he added, initiatives like the UAE-Israel-led Crystal Ball can increase its chances.

Read more: https://www.al-monitor.com/original...l-initiative-fight-cyberattacks#ixzz86sB4b3wT

Israel has incurred several cyberattacks following the large-scale surprise attack by Palestinian militant group Hamas.

Among the recorded incidents was an attack on the country’s services and government information website, resulting in the portal’s connectivity failure.

It was claimed by hacktivists called Killnet, a pro-Russian cyber group that gained notoriety after Moscow’s 2022 invasion of Ukraine.

The Australian government has launched what it calls a "game changing" blueprint to protect the country from a rising number of cyberattacks.
The strategy was released on Wednesday in Sydney by Clare O'Neil, minister for home affairs and also for cybersecurity. It includes awareness and protection initiatives for businesses and the broader community, safe technology and coordination measures, critical infrastructure resilience, and national and global networking.
"We have a cyber threat in front of us, but we also have a cyber opportunity," O'Neil said, while adding that "things are going to get worse and we are facing increased threats."
The first two years of the new schedule through 2025 will pay particular attention to better coordinating private and public sectors on cybercrime protection, and on developing a more cooperative approach between major sectors of the national economy.
This may include obliging telecommunications companies to allow "data roaming," by which customers from a hacked provider can shift temporarily to a competitor's network to help reduce the impact of a single data outage.
The second phase of the new strategy seeks to encourage greater "cyber maturity across the whole economy."
The complete package includes an injection of 587 million Australian dollars ($385 million), adding to an AU$2.3 billion cybersecurity commitment through 2030 made earlier by Prime Minister Anthony Albanese's Labor government.
Approximately half of the AU$291 million in new funding will support a range of programs aimed at the small and medium enterprise sector and at public identity protection, among others.
The tranche will specifically target ransomware and hacking models perfected by online thieves who extract money from individuals and organizations in return for stolen or locked private data.
The government had previously announced requirements for businesses to report on their cybersecurity measures and also to inform the government on specific attacks encountered, including details on amounts.
The strategy is "aspirational" but is also "a very solid piece of work," said David Tuffley, senior lecturer in cybersecurity at Griffith University in Queensland. "I believe it will achieve much of what it sets out to do."
A controversial aspect of the overall strategy is the possibility of outlawing ransomware payments, which may see victims lose their data or may generate underreporting of cybercrime.
Some AU$130 million has been earmarked for building greater regional resilience and coordination among Asian and Indo-Pacific nations in particular.
O'Neil said she wants to create "a world-class threat sharing and threat blocking" system and is seeking to place greater obligations on companies in Australia and overseas in relation to their own data security.
International sanctions are being considered as a deterrent to hackers and their source networks.
The plan is the result of a high-level review of Australia's existing cybersecurity regime and likely security threats, chaired by former Telstra CEO Andrew Penn.
There were 1,100 cybersecurity incidents from local entities in the last year, according to the Australian Signals Directorate (ASD). The average cost of cybercrime to local businesses increased in the same period 14%, with the cost to medium-sized businesses estimated at almost AU$100,000 per reported incident.
The ASD reported that almost 94,000 separate or individual incidents were recorded by local law enforcement agencies -- around one every 6 minutes over the past 12 months.
Last year, Australia's second-largest telecom, Optus, was the victim of Australia's largest-ever cyberattack. This resulted in the private data of some 10 million customers being compromised. Soon after, in an apparently unrelated incident, sensitive patient data was stolen from the national public health body Medibank, after which the data was released on the dark web.
More recently, port operator DP World was forced to close facilities in Sydney, Melbourne, Brisbane and Fremantle and to delay the shipment of key exports after data was breached in a major cyberattack.
Tuffley at Griffith University said the threat is every bit as troubling as the minister suggests.
"There is that danger [that] if anything, she's understating it," he said.

ASPI has recently observed a coordinated inauthentic influence campaign originating on YouTube that’s promoting pro-China and anti-US narratives in an apparent effort to shift English-speaking audiences’ views of those countries’ roles in international politics, the global economy and strategic technology competition. We have published details of this campaign in a new ASPI report.

This new campaign—which ASPI has named ‘Shadow Play’—has attracted an unusually large audience and is using entities and voiceovers generated by artificial intelligence to broaden its reach and scale. The narratives it promotes include China’s efforts to ‘win’ the US–China technology war amid US sanctions targeting China. It also has a focus on Chinese and US companies, such as pro-Huawei and anti-Apple content.

The Shadow Play campaign involves a network of at least 30 YouTube channels that have produced more than 4,500 videos. Those channels have so far attracted just under 120 million views and 730,000 subscribers. The accounts began publishing content in around mid-2022. The campaign’s ability to amass and access such a large global audience—and its potential to covertly influence public opinion on these topics—should be cause for concern.

ASPI reported our findings to YouTube/Google on 7 December for comment. By 8 December, they had taken down 19 YouTube channels from the Shadow Play network—10 for coordinated inauthentic behaviour and nine for spam. These channels now display a range of messages from YouTube indicating why they were taken down. For example, one was ‘terminated for violating YouTube’s community guidelines’, while another was ‘terminated due to multiple or severe violations of YouTube’s policy for spam, deceptive practices and misleading content or other Terms of Service violations’.

ASPI also reported our findings to British artificial intelligence company Synthesia, whose AI avatars were used by the network. On 14 December, Synthesia disabled the Synthesia account used by one of the YouTube accounts for violating its news media reporting policy.

We believe it’s likely that this new campaign is operated by a Mandarin-speaking actor. Indicators of this actor’s behaviour don’t closely map to the behaviour of any known state actor that conducts online influence operations. Our preliminary analysis is that it could be a commercial actor operating under some degree of state direction, funding or encouragement. This could suggest that some patriotic companies increasingly operate China-linked campaigns alongside government actors.

The campaign focuses on promoting six narratives. Two of the most dominant are that China is ‘winning’ in crucial areas of global competition—first, in the ‘US–China tech war’ and second, in the competition for rare earths and critical minerals. Other key narratives are that the US is headed for collapse and its alliance partnerships are fracturing; that China and Russia are responsible, capable players in geopolitics; that the US dollar and the US economy are weak; and that China is highly capable and trusted to deliver massive infrastructure projects.

The montage below shows examples of the style of content generated by the network, which used multiple YouTube channels to publish videos alleging that China had produced a 1-nanometre chip without using a lithography machine.

This campaign is unique in three ways. First, there’s the broadening of topics; previous China-linked campaigns have been tightly targeted and often focused on a narrow set of topics. For example, the campaign’s narrative that China is technologically superior to the US is presented through detailed arguments on technology topics including semiconductors, rare earths, electric vehicles and infrastructure projects. In addition, it targets, via criticism and disinformation, US technology firms such as Apple and Intel.

Chinese state media outlets, Chinese officials and online influencers sometimes publish on these topics in an effort to ‘tell China’s story well’ (讲好中国故事). A few Chinese state-backed inauthentic information operations have touched on rare earths and semiconductors, but never in depth or by combining multiple narratives in one campaign package. The broader set of topics and opinions in this campaign may demonstrate greater alignment with the known behaviour of Russia-linked threat actors.

Second, the campaign’s leveraging of AI points to a change in techniques and tradecraft. To our knowledge, this is one of the first times that video essays, together with generative AI voiceovers, have been used as a tactic in an influence operation. Video essays are a popular style of medium-length YouTube video in which a narrator makes an argument through a voiceover, while content to support their argument is displayed on the screen.

This shows a continuation of a trend that threat actors are increasingly moving towards: using off-the-shelf video-editing and generative AI tools to produce convincing, persuasive content at scale that can build an audience on social-media services.

We also observed one account in the YouTube network using an avatar created by Sogou, one of China’s largest technology companies. We believe this is the first instance of a Chinese company’s AI-generated avatar being used in an influence operation.

Third, unlike previous China-focused campaigns, this one has attracted large numbers of views and subscribers. It has also been monetised, although only through limited means. For example, one channel accepted money from US and Canadian companies to support production of its videos. The substantial number of views and subscribers suggest that the campaign is one of the most successful influence operations related to China ever witnessed on social media.

Many China-linked influence operations, such as Dragonbridge (also known as ‘Spamouflage’ in the research community), have succeeded in attracting initial engagement but failed to draw a large audience on social media. However, further research by YouTube is needed to determine whether view counts and subscriber counts demonstrated real viewership, were artificially manipulated, or both.

In our examination of comments on videos in this campaign, we saw signs of a genuine audience. ASPI believes that this campaign is probably larger than the 30 channels covered in the report, but we constrained our initial examination to channels we saw as core to the campaign. We also believe there to be more channels publishing content in non-English languages; for example, we saw channels publishing in Bahasa Indonesia that aren’t included in the report.

That’s not to say that the effectiveness of influence operations should be measured only through engagement numbers. As ASPI has previously demonstrated, Chinese Communist Party influence operations that troll, threaten and harass on social media seek to silence and cause psychological harm to those being targeted, rather than seeking engagement. Similarly, influence operations can be used to ‘poison the well’ by crowding out the content of genuine actors in online spaces, or to poison datasets used for AI products, such as large-language models.

The report also discusses another way that an influence operation can be effective: through its ability to spill over and gain traction in a wider system of misinformation. We found that at least one narrative from the Shadow Play network—that Iran had switched on its China-provided BeiDou satellite system—began to gain traction on X and other social-media platforms within a few hours of its posting on YouTube.

To fight against influence operations on social media, the report recommends that trust and safety teams at social-media companies, analysts in government and the open-source-intelligence research community immediately investigate this ongoing information operation, including operator intent and the scale and scope of YouTube channels involved.

We recommend that social-media and technology companies require users to disclose when generative AI is used in audio, video and image content and institute an explicit ban in their terms of service on the use of their content or platforms in influence operations.

We also recommend broader efforts by the Five Eyes countries and allied partners to declassify open-source social-media-based influence operations and share information with like-minded nations, relevant non-government organisations and the private sector, as well as consideration of whether national intelligence-collection priorities support the effective amalgamation of information on Russia-, China- and Iran-linked information operations.
https://www.aspistrategist.org.au/s...nti-US influence operation thrives on YouTube