Cyber Security

Dragon Hacktivists on Prowl

By Prasad Nallapati*

Malicious activists from China and its allies, Pakistan and North Korea, are seen to be aggressively prowling to take control of adversaries’ cyber systems, both for espionage and for eventual use in pulling down critical infrastructure and causing immense damage in times of conflict.

Iran is also alleged to be running a sophisticated cyber campaign, although it is limited to maligning the Trump candidacy and damaging his chances of winning the American presidency.

China’s Extensive Operations in US and Elsewhere

The state-sponsored Chinese hacking campaign known as Volt Typhoon is reported to be actively exploiting a zero-day bug in a product of the California-based startup Versa Networks to hack internet service providers and other big organizations in the US and India.

Volt Typhoon has breached four US firms and another in India through a vulnerability in a Versa Networks server product, according to Lumen Technologies Inc.’s unit Black Lotus Labs. In their report on August 27, they gave a detailed technical analysis that led them to conclude that Volt Typhoon was behind the breaches of unpatched Versa systems and that exploitation was likely ongoing.

Volt Typhoon is a China-sponsored group that security researchers and the US government alike perceive as one of the most dangerous, pernicious and persistent nation-state actors currently active. The group is well known for its attacks on US critical infrastructure targets going back to at least 2021.

Many believe the threat actor has established a hidden presence on numerous US networks and has the potential to create widespread disruption in the event that geopolitical tensions over Taiwan escalate into a military conflict between the US and China.

The Chinese government, however, has dismissed the US allegations, saying the hacking attacks attributed to Volt Typhoon are the work of cyber criminals. 

In another ongoing campaign, hacktivists of China’s APT41 group are using rare stealth techniques to infect high-level organizations in Southeast Asia. These include Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam.

The first technique, “GrimResource”, allows attackers to execute arbitrary code in the Microsoft Management Console (MMC); the second, “AppDomainManager Injection”, uses dynamic link libraries (DLLs). The two techniques are used in combination to deliver Cobalt Strike tools onto target systems.

In yet another scheme, users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT.  The tools “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server.” 

Given the limited functionality of the tool, it’s suspected that the malware is primarily used for credential harvesting and system reconnaissance activities. 

India Is Fifth Most Breached Nation Globally

India has long been on high alert with its critical infrastructure – from finance to government systems and from manufacturing to healthcare – coming under increased cyberattacks. This and the recent global Microsoft outage that led to disruptions across industries have prompted the Reserve Bank of India Governor, Shaktikanta Das, to call upon banks and financial institutions to strengthen their IT and cyber security systems.

According to RBI data, security incidents handled by the Indian Computer Emergency Response Team (CERT-In) have increased from 53,000 in 2017 to 13,20,000 in 2023. Unauthorized network scanning, probing and vulnerable services account for more than 80% of all security incidents in India. India is the fifth most breached nation globally and fourth in the Indo-Pacific region, according to a Cloudflare report.

Pakistan and China are known to frequently target Indian government organizations and other critical infrastructure, besides the global powers, the US, UK and Russia. 

A report from Cisco Talos in June brought to light a years-long cyber espionage campaign, “Operation Celestial Force”, run by Pakistan’s “Cosmic Leopard” group, which works along with another Pakistani threat actor known as Transparent Tribe.

The latter targets India’s government, defense, and aerospace sectors, and has now expanded its capabilities to attack Linux as well as Windows in its quest to compromise the Indian military’s homegrown MayaOS Linux systems.

Cosmic Leopard’s attacks focus on espionage and surveillance against individuals and organizations associated with India’s government and defense sectors, as well as related technology companies, according to DarkReading cybersecurity magazine. It launched its operations way back in 2016, when it created a Windows version of its GravityRAT Trojan.

Earlier in April, a previously unknown hacker leaked 7.5 million records on the dark web containing personal information stolen from India’s leading manufacturer of wireless audio and wearable devices, boAt.

In another espionage campaign, a malicious actor using a modified version of the information stealer “HackBrowserData” targeted the systems of India’s government agencies and energy companies. According to researchers at EclecticIQ, a Dutch cybersecurity firm, the hacker exfiltrated 8.81 GB of data, leading analysts to assess that it could aid further intrusions into the government’s infrastructure.

North Korean UAT-5394

A state-sponsored North Korean hacker group, tracked as UAT-5394, was recently observed deploying a new version of the open-source XenoRAT information-stealing malware, using a complex infrastructure of command-and-control (C2) servers.

Researchers have named the new version MoonPeak. The group’s tactics, techniques and procedures (TTPs) and its infrastructure overlap considerably with those of the East Asian country’s notorious Kimsuky group.

Kimsuky has long been known for its espionage activity targeting organizations in multiple sectors, especially nuclear weapons research and policy. The commonalities led some cyber experts to believe that UAT-5394 is either Kimsuky itself or another North Korean APT that used Kimsuky’s infrastructure.

Iran Targets Trump Campaign

American agencies have confirmed the recent allegations by the Republican Party presidential candidate, Donald Trump, that Iranian actors hacked into his campaign systems. Known as APT 42 or ‘CharmingKitten’, the Iranian hackers are widely believed to be associated with the intelligence organization of the Islamic Revolutionary Guard Corps (IRGC-IO).

The group has long been known for its invasive espionage operations against high-value targets in the US and Israel. Using phishing techniques, they plant surveillance software on the mobile phones of their victims, enabling them to record calls, steal texts and silently turn on cameras and microphones.

The Iranian permanent mission to the United Nations in New York, however, denied the allegations, saying that their “government neither possesses nor harbors any intent or motive to interfere in the US presidential election.”

(*Prasad Nallapati is President of the Hyderabad-based think-tank, the Deccan Council for Strategic Studies and former Additional Secretary to the Govt of India)