IronNet Monthly Global Threat Update April 2023

While much of the cybersecurity world’s focus has been on attacks related to the Russia-Ukraine war, there is an urgent need to raise awareness about the growing threat of a barrage of “digital strikes” by China against the United States, particularly if the conflict over Taiwan deepens, suggests Congressional Rep. Mike Gallagher (R-Wis.), chair of the House Select Committee on China. In line with our ongoing tracking of the threat of Chinese cyber attacks, we agree that it is critical to take note of a Chinese cyber strategy to target critical infrastructure on U.S. soil, such as military and transportation networks as well as the energy, water, financial markets, and business sectors, as mentioned in this recent Politico article.

In our April post we underscored the tension between China and the West playing out in the news and posited that this could be the start of a new cold war. This past week the Chinese Ambassador to France, Lu Shaye, made remarks questioning the sovereignty of former Soviet states, possibly indicating China’s real views of sovereignty (in spite of China’s having disavowed Lu’s comments later in the week as “personal comments”).

In a potential cyber cold war, what do we expect could be China’s objectives?

1. Avoid a hot war while still achieving its geopolitical ambitions; 
2. Minimize impacts on its own economy, especially with respect to sanctions; and
3. Pursue a strategy that maximizes reputational damage to the U.S.

China can achieve these objectives strategically: by garnering support from those who might otherwise oppose it, by neutralizing potential opponents, and, conversely, by harming those who remain opposed.

On the latter point, one such opportunity, as we have highlighted before, is to cause reputational harm to the U.S. and its allies through high-profile failures in critical infrastructure (e.g., energy, water, space development), accomplished in a way that is difficult to attribute directly to China. The advantages of using cyber operations to accomplish this are obvious.

A second and more economically defensive opportunity is to create new allies, in the hope of minimizing the impact of sanctions that would be imposed in the wake of cyber or overt military aggression.

Below is a list of China’s top trading partners in terms of export sales (the countries importing the most Chinese shipments by dollar value during 2022, with each country’s share of total Chinese exports). Nearly two-thirds (63.7%) of Chinese exports in 2022 went to these fifteen countries:

1. United States: US$582.8 billion (16.2% of China’s total exports)
2. Hong Kong: $297.5 billion (8.3%)
3. Japan: $172.9 billion (4.8%)
4. South Korea: $162.6 billion (4.5%)
5. Vietnam: $147 billion (4.1%)
6. India: $118.5 billion (3.3%)
7. Netherlands: $117.7 billion (3.3%)
8. Germany: $116.2 billion (3.2%)
9. Malaysia: $93.7 billion (2.6%)
10. Taiwan: $81.6 billion (2.3%)
11. United Kingdom: $81.5 billion (2.3%)
12. Singapore: $81.2 billion (2.3%)
13. Australia: $78.8 billion (2.2%)
14. Thailand: $78.5 billion (2.2%)
15. Mexico: $77.5 billion (2.2%)

Monitoring how China pursues these objectives in a cyber cold war is our approach to better understanding the level of risk over the next few months.

April Cyber Activity

In terms of cyber developments this past month, we would highlight:

North Korean cyber activity

3CX Intrusion - A supply chain attack within a supply chain attack
  • In late March, it was reported that a supply chain attack had hit 3CX, a widely used voice and video calling desktop client: installers for several recent Windows and Mac versions of the software were compromised and modified by the attackers to deliver additional information-stealing malware to users’ computers.
  • Over the past month, more information about the intrusion has been released, revealing one of the first known instances of a software supply chain attack leading to another software supply chain attack.
  • Mandiant researchers found that the 3CX intrusion was enabled by a prior supply chain attack, in which the threat actors had implanted malicious software on the website of a company called Trading Technologies. The malicious package, disguised as X_Trader software, was downloaded by a 3CX employee, allowing the threat actors to gain access to 3CX’s networks and subsequently to the company’s downstream customers.
  • In addition to the 3CX compromise, researchers uncovered that the X_Trader software supply chain attack affected several organizations beyond 3CX, leading to attacks on two critical infrastructure organizations in the energy sector and two finance organizations.
  • The 3CX intrusion and the related supply chain attacks have been attributed to North Korean threat actors broadly categorized as the Lazarus Group (referred to by Mandiant as UNC4736).
  • As a result of the 3CX attack, several of 3CX’s cryptocurrency customers were reportedly compromised, indicating a potential financial motivation. These cascading supply chain compromises indicate that North Korean actors are becoming more creative and persistent in how they exploit network access and distribute malware – aiming to maintain standby access to a range of target networks that can support North Korea’s strategic goals.

Russian APT activity

  • Kaspersky released a report on a Russian-aligned APT called Tomiris targeting Commonwealth of Independent States (CIS) countries in Central Asia since 2021. Tomiris is a cyberespionage group and appears to have a strong focus on CIS affairs – even when discovered targeting victims in other regions, those targets were found to be foreign representatives of CIS countries.
  • According to Rob Joyce, the Director of Cybersecurity at the National Security Agency, Russian threat actors have been hacking into private security cameras in coffee shops and other businesses across Ukraine to collect intelligence on aid convoys passing through Ukrainian territory.
  • The Polish CERT team and military intelligence issued an alert about a widespread Russian cyberespionage campaign targeting NATO member states, European Union states, and, to a lesser extent, African countries since October 2022. Linking the ongoing campaign to APT29 under the Russian SVR, Polish officials reported on three new malware strains used in the attacks: SNOWYAMBER, HALFRIG, and QUARTERRIG.
  • Building on its prior report reviewing cyber activity in the Ukraine-Russia War in 2022, Google’s Threat Analysis Group (TAG) published its insights on war-related cyber activity seen in the first quarter of this year.
    • TAG noted that between January and March 2023, 60% of Russian phishing operations were aimed at Ukrainian targets, with APT28 (aka FROZENLAKE) sending multiple large waves of phishing emails to hundreds of users in Ukraine throughout the beginning of the year. 
    • Additionally, Sandworm (aka FROZENBARENTS) carried out multiple attack campaigns against Eastern European energy organizations, often using a variant of the Rhadamanthys stealer to exfiltrate stored credentials.
    • Russian information operations also remain rampant, with Belarus-aligned APT Ghostwriter (aka PUSHCHA) and Russia’s Sandworm group continuing to invest resources in information operations to amplify narratives favorable to the Russian government.
About IronNet
IronNet is dedicated to delivering the power of collective cybersecurity to defend companies, sectors, and nations. By uniting advanced technology with a team of experienced professionals, IronNet is committed to providing peace of mind in the digital world.