Quote:
WASHINGTON (AP) — Twelve Chinese nationals — including mercenary hackers, law enforcement officers and employees of a private hacking company — have been charged in connection with global cybercrime campaigns targeting dissidents, news organizations, U.S. agencies and universities, the Justice Department says.
A set of criminal cases filed in New York and Washington adds new detail to what U.S. officials said Wednesday is a booming hacking-for-hire ecosystem in China, in which private companies and contractors are paid by the Chinese government to target victims of particular interest to Beijing in an arrangement meant to provide Chinese state security forces cover and deniability.
The indictments come as the U.S. government has warned of an increasingly sophisticated cyber threat from China, such as a hack last year of telecom firms called Salt Typhoon that gave Beijing access to private texts and phone conversations of an unknown number of Americans, including U.S. government officials and prominent public figures.
One indictment charges eight leaders and employees of a private hacking company known as I-Soon with conducting a sweeping array of computer breaches around the world meant to suppress speech, locate dissidents and steal data from victims. Among those charged is Wu Haibo, who founded I-Soon in Shanghai in 2010 and was a member of China’s first hacktivist group, Green Army, and who is accused in the indictment of overseeing and directing hacking operations.
Earlier reporting by The Associated Press on leaked documents from I-Soon mainly showed I-Soon was targeting a wide range of governments such as India, Taiwan or Mongolia, but little on the United States.
But the indictment contains new revelations about I-Soon’s activities targeting a wide range of Chinese dissidents, religious organizations and media outlets based in the U.S., including a newspaper identified as publishing news related to China and opposed to the Chinese Communist Party. Other targets included individual critics of China living in the U.S., the Defense Intelligence Agency and a research university.
The targets were in some cases directed by China’s Ministry of Public Security — two law enforcement officers were charged with tasking certain assignments — but in other instances the hackers acted at their own initiative and tried to sell the stolen information to the government afterward, the indictment says.
The company charged the Chinese government the equivalent of between approximately $10,000 and $75,000 for each email inbox it successfully hacked, officials said.
Phone numbers listed for I-Soon on a Chinese corporate registry rang unanswered, and I-Soon representatives did not immediately respond to an AP email requesting comment Wednesday.
A spokesperson for the Chinese foreign ministry on Thursday denied the charges, calling the U.S. “hypocritical” and pointing to U.S. cyberattacks on China.
“China firmly opposes the groundless accusation made by the US and urges the US to immediately stop abusing sanctions,” Chinese Foreign Ministry spokesperson Lin Jian said at a press conference in Beijing.
Quote:
The Government of Costa Rica announced today that the Costa Rican Electricity Institute (ICE) suffered a security attack linked to cyber espionage. Officials revealed the breach during an emergency press conference at Casa Presidencial. They said a threat actor with possible ties to China infiltrated ICE systems and extracted data.
The attack came to light after the Ministry of Science, Innovation, Technology and Telecommunications received an alert in February from Mandiant, a Google cybersecurity firm. The company flagged a breach in ICE infrastructure. Forensic analysis later confirmed the presence of the actor, who targets the telecom sector for espionage purposes.
Minister Paula Bogantes described the group as one that focuses on cyber espionage in telecommunications. She noted it has appeared in 42 countries and is already known internationally. ICE President Marco Acuña said the hackers pulled 9 gigabytes of internal emails from a server located in Costa Rica, not in the cloud. The utility holds far more data of that type, around 10,000 gigabytes in total, he added.
Acuña filed a criminal complaint with the Public Ministry and the Judicial Investigation Organization on Thursday. He called the act a crime under Costa Rican and international law. “We have profiled the threat and we are working on it,” he stated. “We are containing it.”
He stressed that basic telecom services continue to operate normally with no reported impact. Bogantes said the government treats the case as a national security matter. Costa Rican authorities reached out to the United States for technical support and coordination to handle the incident.
The government first spotted suspicious activity at ICE toward the end of January. Teams from the ministry and the utility then worked together on the review. Acuña confirmed the complaint includes a timeline of events. Authorities aim to identify those responsible and check for any local involvement.
This marks the latest cybersecurity challenge for Costa Rica’s critical infrastructure. Officials continue to monitor systems and strengthen defenses.
Quote:
Newly discovered Chinese threat operation CL-UNK-1068 has been covertly compromising telecommunications, energy, technology, pharmaceutical, government, and law enforcement organizations in South, Southeast, and East Asia, as part of a years-long hacking campaign, The Hacker News reports.
Misconfigured web servers have been exploited by CL-UNK-1068 to distribute the Godzilla and ANTSWORD webshells, achieve lateral movement, and pilfer browser history, XLSX and CSV files, and database backups, according to Palo Alto Networks Unit 42 researchers. Attackers have also weaponized Python executables to run illicit DLLs. Other tools powering CL-UNK-1068's credential theft activities include Mimikatz, LsaRecorder, DumpItForLinux, Volatility Framework, and the SQL Server Management Studio Password Export Tool.
"This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intentions," said researchers.
Quote:
Multiple China-nexus threat operations have launched cyberattacks against Qatar amid escalating tensions in the Middle East, according to HackRead.
Intrusions by Chinese advanced persistent threat operation Camaro Dragon that commenced on Mar. 1, just a day after the joint U.S.-Israel military strikes against Ukraine, involved the delivery of a file with photos showing the aftermath of an Iranian missile strike against a Bahrain-based U.S. military base, which triggered a DLL hijacking attack leading to the injection of the PlugX backdoor, a report from Check Point Research showed.
Another China-linked attack campaign aimed at Qatar's oil and gas sector entailed the distribution of a password-protected ZIP file detailing strikes against Gulf oil and gas facilities. Threat actors had concealed malicious code within a component of the legitimate open-source screen reader NVDA to deploy Cobalt Strike. Such a development comes after Iranian APT group MuddyWater was reported to have compromised U.S. organizations with the DinDoor malware.