Cyber Intelligence
Three Major Cyber Arenas
This report contains selected cyber-security information from 2nd to 12th December 2024.
This report is TLP:CLEAR1 and may be shared freely.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 12th December 2024
Cyber Intelligence - End of Year Report : Three Major Cyber Arenas
Synopsis
1. This is our end of year report. We cover the three major cyber arenas: Russia vs Ukraine, Israel vs Iran, and the People’s Republic of China (PRC). Of note: Romania has annulled a presidential election due to hacking/interference, an unknown actor has launched a hacking campaign against Russian businesses, there is a ‘Salt Typhoon’ update, and there is another new hacking campaign from the PRC.
2. It is our assessment that the three major cyber conflicts (Russia vs Ukraine, Iran vs Israel, and the People’s Republic of China) are the most likely sources for the creation of next generation malware and/or a primary source of cyber attacks. This includes government funded hackers (military, intelligence and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer ‘supporters’.
Russia vs Ukraine
3. The Browser ‘Backdoor’. A Russian hacking group called ‘RomCom’ (also known as Storm-0978, Tropical Scorpius, and UNC2596) has chained two zero-day flaws to conduct opportunistic and targeted campaigns as part of both espionage and cybercrime operations: a use-after-free in Firefox’s animation timeline code (CVE-2024-9680) and a Windows Task Scheduler privilege escalation (CVE-2024-49039). The browser flaw also affects Thunderbird and Tor Browser, which are built on the same Mozilla engine, so the affected products are Firefox, Thunderbird and Tor Browser. The cyber security company ESET reports: “In a successful attack, if a victim browses to a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required – which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s computer.” According to the data collected by ESET, most of the victims were in the United States and Europe. “In 2024, it was seen targeting entities in the US and Europe, including government, defence, and energy organizations for espionage, as well as pharmaceutical, legal, and insurance companies for cybercrime operations.”2
4. Analysts Comment: Although both flaws have been patched (by Mozilla in October 2024 and by Microsoft in November 2024), many users do not consistently update their software. This means RomCom can still plant new backdoors and run their scripts on unpatched computers. Worse, removing the backdoor does not mean that everything it planted has been removed: the chain gives the attacker code execution at elevated privilege, so a host that visited an exploit page should be treated as fully compromised and rebuilt rather than cleaned. Note that Firefox ESR and Thunderbird ESR were fixed on their own version lines (128.x and 115.x), so a patch check has to compare each build against the fixed build for its own branch, not against the mainline version number.
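The branch-aware patch check described above, as an added example (it is not code from the CSCIS report, ESET or Mozilla). The fixed build numbers are taken from Mozilla’s October 2024 advisories as this example assumes them; verify them against the vendor advisories before relying on the script. The inventory format and host names are constructed for illustration.

```python
"""Branch-aware patch check for the Mozilla builds RomCom targeted.

Added example, not from the CSCIS report or from ESET/Mozilla. The fixed
versions in FIXED are an assumption taken from Mozilla's October 2024
advisories; verify them against the vendor advisory before use.
"""
import re

# Minimum fixed build per (product, release branch). ASSUMED; verify.
# Keying on the major version means an ESR build is compared against its
# own fix line (128.3.1 / 115.16.1) rather than against mainline 131.0.2.
FIXED = {
    ("firefox", 131): (131, 0, 2),
    ("firefox", 128): (128, 3, 1),    # Firefox ESR 128
    ("firefox", 115): (115, 16, 1),   # Firefox ESR 115
    ("thunderbird", 131): (131, 0, 1),
    ("thunderbird", 128): (128, 3, 1),
    ("thunderbird", 115): (115, 16, 0),
    ("torbrowser", 13): (13, 5, 7),
}


def parse_version(s):
    """'128.3.1esr' -> (128, 3, 1); missing components default to 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_patched(product, version):
    """True if this build is at or above the fixed build for its branch."""
    product = product.lower()
    v = parse_version(version)
    fixed = FIXED.get((product, v[0]))
    if fixed is None:
        # No fix line for this major: anything newer than the newest fixed
        # mainline branch shipped with the fix; anything older never got it.
        known = [maj for (p, maj) in FIXED if p == product]
        if not known:
            raise ValueError(f"unknown product: {product!r}")
        return v[0] > max(known)
    return v >= fixed


def triage(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns the sorted list of hosts still running an unpatched build."""
    return sorted(h for h, p, v in inventory if not is_patched(p, v))


# Constructed sample inventory (not real hosts).
SAMPLE = [
    ("ws-101", "firefox", "131.0.2"),      # fixed mainline
    ("ws-102", "firefox", "131.0"),        # mainline, pre-fix
    ("ws-103", "firefox", "128.3.0esr"),   # ESR, pre-fix
    ("ws-104", "firefox", "128.3.1esr"),   # ESR, fixed
    ("ws-105", "thunderbird", "115.15.0"), # ESR, pre-fix
    ("ws-106", "torbrowser", "13.5.6"),    # pre-fix
    ("ws-107", "firefox", "132.0"),        # newer than any fix line
]

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print("unpatched:", host)
```

A naive check such as “version >= 131.0.2” would wrongly flag every ESR 128 and 115 host as unpatched, and a check that only looks at the major version would wrongly pass 128.3.0; comparing against the fix line for the build’s own branch avoids both mistakes.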
5. Cyber Attacks on Ukraine.
• 10th Dec. “The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defence companies in the country as well as its security and defence forces.” A Russia-linked threat actor called UAC-0185 has been generating phishing emails mimicking “official messages from the Ukrainian League of Industrialists and Entrepreneurs. … CERT-UA said the threat actor is primarily focused on stealing credentials associated with messaging apps like Signal, Telegram, and WhatsApp, and Ukraine’s military systems such as DELTA, Teneta, and Kropyva.” Analysts Comment: This attack is an ‘enabler’ in that the credentials collected are highly useful to other cyber attacks Russia is conducting.3
• Russian hacking group ‘Secret Blizzard’ is using a cybercrime campaign to insert its own tools into victims in Ukraine. The Microsoft threat intelligence team said it observed the group “leveraging the Amadey bot malware to download custom malware onto “specifically selected” systems associated with the Ukrainian military between March and April 2024. … Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but their primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defence-related companies across the world.”4
6. Analysts Comments: In general, we assess Russia’s cyber attacks on Ukraine to be of minimal to low impact. By this, we mean the victim count appears to be low, and the attacks have been relatively quickly identified.
7. Other Russian Attacks.
• Japanese Websites DDoSed. Starting in mid-October, pro-Russian hacktivist operations NoName057 and the Russian Cyber Army Team launched a series of Distributed Denial of Service (DDoS) attacks against Japanese logistics, manufacturing, and government sectors. Also targeted were harbours and shipbuilders across Japan. NoName057 also used its volunteer-run DDoSia attack tool to increase attack volume.5 Cybersecurity researchers believe the attacks “have not significantly altered the overall threat landscape in Japan.“6
• Russian Hackers Target Australia. Australia had more than 60 attacks on government institutions, other organizations, and their websites in November. “The attacks began on 1 November, with several a day happening at times throughout the month. Activity peaked on 25 November, when six victims were targeted, with many more occurring in the following days, with the highest number of attacks occurring on 30 November, when 13 organizations were attacked.” Researchers at cyber security firm Radware said “The participation of allied groups such as the Cyber Army of Russia Reborn and Z-Pentest further underscores the coordinated and multifaceted nature of the pro-Russian hacktivist community. … Of the attacks, 34.4 percent were carried out by pro-Palestinian hacktivists RipperSec, supported by the People’s Cyber Army and Pro-Palestinian Hacker Movement. The hackers claimed to also be attacking Ukraine for its support for Israel.”7 There were no reports of significant damage.
• Russian Information Operations Use AI. Recorded Future’s Insikt Group has identified a new Russian influence operation. “A Moscow-based company, … Social Design Agency (SDA) leverages videos enhanced using artificial intelligence (AI) and bogus websites impersonating reputable news sources.” Their targets are Ukraine, Europe, and the U.S. According to Recorded Future, “This operation, running in tandem with other campaigns like Doppelganger, is designed to discredit Ukraine’s leadership, question the effectiveness of Western aid, and stir socio-political tensions.”8
• Russia hacks … hackers. Russian hacker group ‘Turla’ (tracked by Microsoft as Secret Blizzard, the same group noted in paragraph 5) has been “infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022.” Microsoft and Lumen Technologies’ Black Lotus Labs said “Secret Blizzard command-and-control (C2) traffic emanated from Storm-0156 infrastructure, including infrastructure used by Storm-0156 to collate exfiltrated data from campaigns in Afghanistan and India.”9 Analysts Comment: Leveraging other hackers’ infrastructure is a Standard Operating Procedure for this group. They had previously compromised command and control infrastructure from: the Iranian group ‘OilRig’, the commodity malware ANDROMEDA (attacking Ukraine), and a Kazakhstan-based threat actor tracked as Storm-0473.
• UK Defence Officials Exposed. The UK Ministry of Defence is investigating the “personal information of almost 600 employees, including UK Armed Forces personnel, civil servants and defence contractors, being stolen and leaked on the dark web by cybercriminal groups. The stolen data includes email addresses, as well as other log-in information needed to access the MoD’s Defence Gateway portal, an online platform for British military personnel. … Details of MoD staff based in Iraq, Qatar, Cyprus and mainland Europe have also been stolen, which could present a significant security risk. … There is a significant risk here of further blackmail to members of the armed forces using exfiltrated personal data. These are the new techniques used by adversaries to infiltrate the UK.“10
• Romania Annuls Election Due to Hacking. Romania’s constitutional court has annulled the result of the first round of voting in the presidential election amid allegations of Russian interference. The Romanian Intelligence Service (SRI) disclosed that the E.U. and North Atlantic Treaty Organization (NATO) member state was the target of more than 85,000 intrusion attempts before and during the first round of the election, designed to gain access to election websites and IT systems. “The mode of operation, as well as the scale of the cyber campaign, lead to the conclusion that the attacker possesses considerable resources, consistent with a mode of operation specific to a state-sponsored attacker,” the SRI said. The constitutional court ruled: “The electoral process for the election of the President of Romania will be resumed in its entirety.”11
• Danish Municipalities Get DDoSed. Danish municipalities “of Århus, Vejle, Esbjerg, Dragør, Frederiksberg, and other municipalities” reported ‘website disruptions’. Mark Fiedel, director of Denmark’s Centre for Cyber Security (CFCS) said “that when it comes to DDoS attacks … it’s usually pro-Russian cyberactivists. … “It’s not always clear who they are targeting. Activists are looking for attention to their cause. That’s why they often choose symbolic targets, for example, someone who seems to have a clear connection to Denmark’s support for Ukraine.”12
• Russian Hackers Target Operational Technology (OT). “The People’s Cyber Army (PCA) and Z-Pentest – posted videos to their Telegram channels allegedly showing the hackers tampering with operational technology (OT) controls on critical infrastructure. … The Russian hacktivist groups were observed targeting critical infrastructure in the United States and around the world, most notably in the oil and gas, and water systems sectors. … Such attacks have also taken place in many other countries, including Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany, and Poland — often claiming retaliation for a country’s support for Ukraine in its longstanding war with Russia.”13
8. Ukrainian Cyber Attacks on Russia
• Ukraine Targeting Russian Telecommunications Infrastructure. Ukraine’s Ministry of Digital Transformation reported that “The largest Russian operators – Megafon, MTS, YOTA, Beeline, Rostelecom, T2, Tinkoff Mobile – experienced a large-scale failure. There were also interruptions in the work of Telegram and Discord, which the enemy is actively using to coordinate its actions.”14 Analysts Comments: We don’t usually publish single source reports. We have included this report because it fits a pattern we have observed.
• Russian Bank ‘Gazprombank’ Has Outages from DDoS Attacks. From 4th December Russian users reported ‘difficulties’ accessing services at Gazprombank, one of Russia’s largest banks. “Russian state-owned media outlet RIA Novosti reported on Wednesday [4th Dec] that Gazprombank’s online services were temporarily unavailable in France and Germany. On Friday [6th Dec], Gazprombank said in a statement on Telegram that its mobile app is currently unavailable on Google Play but can be downloaded from the Russian alternative, RuStore.” Ukraine’s military intelligence agency (HUR) claimed responsibility for the DDoS attack.15 Analysts Comment: This is the most recent Ukrainian cyber attack on Russian banks. The actual impact of these Ukrainian DDoS attacks is unknown due to the lack of reporting from Russia.
9. Cyber Campaign on Russia. Russian cyber security company ‘Kaspersky’ has identified attacks on Russian businesses using ‘RedLine information stealing malware’. The targets of the attacks are Russian businesses using “unlicensed copies of corporate software for automating business processes.” Kaspersky’s report notes that targeting businesses ‘seemed rather unusual’. They also found the high level of sophistication disguising the malware an ‘unusual detail’.16
Israel vs Iran
10. Iran and her ‘proxies’ are quiet. The hacker group identifying itself as ‘Gaza based’ has gone silent. Likewise, two Hezbollah linked hacker groups in Southern Lebanon are quiet. Even Iranian government and Iran based hacking groups are quiet. Analysts Comment: I expect instructions will be given to all of the hackers in Iran to increase their activity. The most likely target will be Israel. The pro-Israel sentiment in the newly elected American government may draw cyber attacks as well.
11. There is no visible activity from Israeli hackers or their proxies, which is consistent with their excellent operational security (OPSEC). Analysts Comment: I expect Israeli hacking teams are busy crafting new attacks. The most likely target is Iran. The intention of the attacks may be to expose the weakness of Iran’s government.
People’s Republic of China
12. Salt Typhoon – Update. There has been a stream of updates on the ‘Salt Typhoon’ hack covered in our previous Cyber Intelligence Report. On 3rd December a senior FBI official said the intrusions into U.S. telecom networks had “much broader” aims than just compromising the systems that facilitate court-authorized wiretap requests. The lawful-intercept systems mandated by CALEA (the Communications Assistance for Law Enforcement Act), which “monitor, capture and collect communications data as they are transmitted,” were one of several targets. Forensic analysis for two of the victims “indicated that the actors were on other parts of their network conducting reconnaissance before pivoting to the CALEA system and surrounding devices,” the FBI official said. The official declined to be more specific: “While there were some commonalities and some common threads, they were not locked into a single playbook here.”17 The scope of the attacks has led to warnings of a PRC compromise of major global telecommunications providers.18
13. On 5th December, Deputy National Security Adviser Anne Neuberger offered new details about the ‘Salt Typhoon’ campaign. She reported “at least eight U.S. telecom firms and dozens of nations” were hacked. When pressed for details, a senior administration official said “The number of countries impacted by the hack is currently believed to be in the “low, couple dozen.”19 According to NextGov: “So far, the cyberspies have ensnared around 80 providers in the U.S. and abroad, including AT&T, Verizon, Lumen and T-Mobile. They’ve accessed communications of some 150 select, high-value targets, including people affiliated with President-elect Donald Trump, according to previous media reports.”20
14. T-Mobile’s chief security officer, Jeff Simon, said that T-Mobile US “began hunting for Salt Typhoon in early summer, upon hearing reports from law enforcement and other operators about a “large, coordinated attack on telecommunications infrastructure.” He observed that the attack “technique that was used to go from one telecommunications infrastructure to another … is novel. That’s not something that I’ve seen in my 15-plus-year career in cyber security.” The Register reported, “miscreants (Salt Typhoon) managed to get into some edge network infrastructure devices including a T-Mo-operated router, but got no further as they were stopped there.”21
15. Microsoft Warning Of Another PRC Cyber Threat Group. ‘Storm-2077’ has been operating since “at least January” according to Microsoft. Microsoft declined to provide a victim count, saying instead “there are indicators that this group is active as of yesterday (6 Dec 2024), actively pursuing threat activity,” said Sherrod DeGrippo, director of threat intelligence strategy. Once Storm-2077 has broken into a network, it uses the network’s existing applications under a legitimate user’s identity to blend in while stealing email communications and sensitive files. “Storm-2077’s victims overlap with some of the sectors hit by other Chinese cyber-spy crews like Salt Typhoon (which has attacked telcos around the world) and Volt Typhoon. … DeGrippo said the threat isn’t going away anytime soon.”22
16. EagleMsgSpy: Surveillance Tool Used by PRC Police. “Cybersecurity researchers have discovered a novel surveillance program that’s suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices. The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as September 25, 2024.” … “EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, network activity.” EagleMsgSpy has been described by its developers as a “comprehensive mobile phone judicial monitoring product” that can obtain “real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals, and summarize them.”23
17. PRC National Compromised 81,000 Firewalls. On 10th December the U.S. government unsealed charges against a Chinese national, Guan Tianfeng. “Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls,” the U.S. Federal Bureau of Investigation (FBI) said. “The exploit was used to infiltrate approximately 81,000 firewalls.” Guan worked at Sichuan Silence Information Technology Company, Limited. “Sichuan Silence has been assessed to be a Chengdu-based cybersecurity government contractor that offers its services to Chinese intelligence agencies, equipping them with capabilities to conduct network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression.”24 The indictment “claims that Guan and his employer acquired Sophos firewalls to test them for vulns and later registered the domain sophosfirewallupdate.com.” The domain “was allegedly used to deliver malware to Sophos firewalls after a successful SQL injection attack. That payload stole info from the Sophos firewalls and sent it to a Chinese IP address.”25 Analysts Comment: The SQL injection flaw in the firewall’s administrative interface was hotfixed by Sophos in April 2020, so the charges cover a campaign that is years old. The tradecraft is still current, though: a lookalike ‘vendor update’ domain is chosen precisely because outbound connections from a security appliance to something that looks like its vendor will not raise eyebrows. Appliance management planes should only be able to reach an explicit allowlist of vendor domains, and DNS and proxy logs from that plane should be checked for vendor-named domains that are not on the list.
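The log check suggested above, as an added example (it is not code from the report, from Sophos or from the DOJ indictment). The DNS log format, the allowlist of legitimate vendor domains and the sample lines are constructed for illustration; the only name taken from the report is sophosfirewallupdate.com, and the allowlist must be replaced with the domains your own vendor documents before use.

```python
"""Flag DNS lookups, from an appliance management network, for domains that
impersonate a vendor's update infrastructure.

Added example, not from the CSCIS report, Sophos or the DOJ indictment.
ALLOWLIST, the log format and the sample lines are assumptions constructed
for illustration.
"""
import re

# ASSUMED: domains the appliance legitimately reaches. Replace with the
# list your vendor documents.
ALLOWLIST = {"sophos.com", "sophosupd.com", "sophosxl.net"}
VENDOR_TOKENS = ("sophos",)

# Constructed log format: "<ts> src=<ip> qname=<fqdn> type=<rr>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+qname=(?P<qname>\S+)")


def registered_domain(fqdn):
    """Crude eTLD+1 (last two labels). Adequate for .com/.net; for ccTLD
    second-level registries such as co.uk use the publicsuffix2 package."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_impersonation(fqdn):
    """True if the name carries a vendor token but is not under an
    allowlisted registered domain. Checking the full FQDN, not just the
    registered domain, catches sophos-update.<attacker>.net as well as
    sophosfirewallupdate.com."""
    fqdn = fqdn.rstrip(".").lower()
    if registered_domain(fqdn) in ALLOWLIST:
        return False
    return any(tok in fqdn for tok in VENDOR_TOKENS)


def scan(lines):
    """Return (src, qname) pairs for every suspicious lookup; malformed
    lines are skipped rather than aborting the run."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if is_impersonation(qname):
            hits.append((m["src"], qname))
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-12-10T08:01:12Z src=10.1.1.1 qname=update.sophos.com. type=A
2024-12-10T08:01:13Z src=10.1.1.1 qname=sophosfirewallupdate.com. type=A
2024-12-10T08:01:15Z src=10.1.1.2 qname=cdn.sophosupd.com. type=A
2024-12-10T08:01:20Z src=10.1.1.3 qname=sophos-update.example.net. type=A
2024-12-10T08:01:21Z src=10.1.1.4 qname=www.example.com. type=A
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for src, qname in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious lookup from {src}: {qname}")
```

The allowlist is keyed on the registered domain so that any host under a legitimate vendor zone passes, while the vendor token is matched against the whole name so that a vendor word buried in a subdomain of an attacker-controlled zone is still flagged. Substring matching will produce false positives for unrelated domains containing the token; in practice the hits are reviewed, not blocked automatically.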
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org