State-Sponsored Cyber Threat Activity

Global Attacks

July 3, 2024

There has been an observed escalation of various state-sponsored cyber threat actors’ activities. Recently exposed activity by Russian and Chinese-backed hacking groups indicates that the cyber threat landscape has been permanently altered. In particular, the activity signals a fundamental shift in the goals and techniques of state-sponsored cyber operations. The primary goals of state-sponsored APT activities are often limited to strategic and industrial espionage. Whether the threat actors act on behalf of official government entities or independent gangs sponsored by national governments, their efforts primarily aim to infiltrate systems to steal valuable data. However, there have been notable changes in specific tactics and observed intended outcomes.

Chinese state-sponsored threats:

Increased tensions in the Asian Pacific region involving US allies like the Philippines and Taiwan have subsequently escalated cyber threat activity. The People’s Republic of China (PRC) modus operandi typically aims to pre-position within systems so that capabilities can be disrupted later. This could involve sabotaging critical infrastructure and industrial capacities, causing disruption and potential panic. A recent analysis report revealed that threat actors in the China-aligned cyberespionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence. Two clusters of activity involve ransomware or data encryption tooling: one is linked to a suspected Chinese cyberespionage threat group, ChamelGang, and the second resembles previous intrusions involving artifacts linked to suspected Chinese and North Korean APT groups. The majority of the affected organizations were located in the US, with the manufacturing sector being the most significantly affected. Other sectors impacted to a lesser extent included education, finance, healthcare, and legal. The utilization of ransomware by threat actors associated with the PRC and North Korea against government and critical infrastructure sectors denotes an intensification in cyber threats. Their dual objectives of financial gain and espionage underscore the imperative for heightened international cooperation and the implementation of robust defense strategies.

Russian state-sponsored threats:

Recorded Future analysts identified that a likely Russian government-aligned influence network known as CopyCop has shifted its focus to the 2024 US elections. CopyCop creates and spreads political content using AI and inauthentic websites, disseminating targeted content through YouTube videos. Between May 10 and May 12, 2024, the network registered 120 new websites using similar tactics, techniques, and procedures (TTPs). In June, analysts discovered the network had expanded the sources it draws content from to include mainstream news outlets in the US and UK, conservative-leaning US media, and Russian state-affiliated media. Within twenty-four hours of the original articles being posted, CopyCop scrapes, modifies, and disseminates the content to US election-themed websites using over 1,000 fake journalist personas. Despite the rapid content generation, the AI-generated content has seen limited amplification on social media.

Earlier this year, Microsoft disclosed an ongoing cyberattack, cautioning that the Russian group Midnight Blizzard (APT29, Cozy Bear) continues to attempt to exploit various shared secrets for further attacks via email. Recent Microsoft notifications on social media reveal that the hack had a broader impact on the company’s customer base. Additionally, Midnight Blizzard was attributed to the recent cyberattack that breached the remote access software company TeamViewer.

TeamViewer noted that the incident occurred on June 26, after its security team detected an irregularity in TeamViewer’s internal corporate IT environment. While there is no evidence to suggest that the product environment or customer data was affected, the investigation is ongoing.

Recommendations

  • Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
  • Implement email filtering solutions, such as spam filters, to help block malicious messages.
  • Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
  • Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.
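The recommendation to monitor for suspicious login attempts can be made concrete with a small detection routine. The following Python script is an added example and is not part of the original advisory or any vendor's product; the log line format ("timestamp source-IP user result"), the sample log lines and the thresholds (five distinct accounts or three failures within a five-minute window) are assumptions chosen for illustration. It flags two patterns that commonly precede credential abuse: a single source failing against many accounts (password spraying) and a success that follows a burst of failures from the same source.

```python
"""Added example (not from the original advisory): flag suspicious login
patterns in authentication logs. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2024-06-26T02:00:01 203.0.113.7 alice FAIL
2024-06-26T02:00:03 203.0.113.7 bob FAIL
2024-06-26T02:00:05 203.0.113.7 carol FAIL
2024-06-26T02:00:07 203.0.113.7 dave FAIL
2024-06-26T02:00:09 203.0.113.7 erin FAIL
2024-06-26T02:00:11 203.0.113.7 frank FAIL
2024-06-26T02:00:13 203.0.113.7 frank SUCCESS
2024-06-26T02:05:00 198.51.100.4 alice SUCCESS
2024-06-26T02:06:00 198.51.100.4 alice FAIL
2024-06-26T02:06:30 198.51.100.4 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP whose failures hit >= min_users distinct accounts within window."""
    findings = []
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    for ip, fails in fails_by_ip.items():
        start = 0  # sliding window over chronologically sorted failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                findings.append({"rule": "password_spray", "ip": ip,
                                 "users": sorted(users)})
                break  # one finding per source IP is enough for triage
    return findings


def detect_success_after_failures(events, window=timedelta(minutes=5), min_failures=3):
    """Flag a successful login from an IP with >= min_failures recent failures."""
    findings = []
    recent_fails = defaultdict(list)  # ip -> timestamps of recent failures
    for e in events:
        # keep only failures that are still inside the window
        fails = [t for t in recent_fails[e["ip"]] if e["ts"] - t <= window]
        recent_fails[e["ip"]] = fails
        if e["ok"]:
            if len(fails) >= min_failures:
                findings.append({"rule": "success_after_failures", "ip": e["ip"],
                                 "user": e["user"], "failures": len(fails)})
        else:
            fails.append(e["ts"])
    return findings


def analyze(text):
    """Run both detections over a log text and return the combined findings."""
    events = parse_log(text)
    return detect_password_spray(events) + detect_success_after_failures(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the first source address trips both rules (six accounts failed within seconds, then a success for the last one), while the second address, with a single failure before a success, stays below threshold. In practice the thresholds should be tuned against a baseline of normal activity, and the output fed to an alerting pipeline rather than printed.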