04-12-2026, 06:37 AM
US SURVEILLANCE SYSTEM HACKED
Quote:The FBI last week deemed a recent China-linked cyber intrusion into a sensitive agency surveillance system a “major incident,” meaning it poses significant risks to U.S. national security, according to one congressional aide and two U.S. officials with knowledge of the matter.
The bureau first told Congress on March 4 that it was investigating suspicious activity on an internal agency system that contained “law enforcement sensitive information.” The FBI did not publicly identify who was behind the activity at the time, but POLITICO previously reported that China is suspected.
The FBI determined the intrusion meets the definition of a major incident under a federal data security statute known as FISMA, said the three people. Congress was informed of the decision earlier this week, according to the aide. This person, like others in this report, was granted anonymity because they were not authorized to speak publicly on the investigation.
The determination suggests the hackers successfully compromised swathes of sensitive data stored directly on FBI systems, likely marking a major counterintelligence coup for China. FISMA requires agencies to tell lawmakers within seven days about any digital intrusion it has determined is “likely to result in demonstrable harm” to U.S. national security.
Cynthia Kaiser, the former deputy assistant director of the FBI’s cyber division, said she is not aware of the FBI making any such determination on a hack affecting its own systems since at least 2020.
“Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” Kaiser said.
An FBI spokesperson declined to comment on the declaration, instead referring POLITICO to a prior comment it made on the incident in early March: “FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond.”
Under guidelines set by FISMA, an intrusion can meet the major incident threshold if it involves the exfiltration or compromise of personally identifiable data, or presents acute risks to the national security, foreign relations, public confidence or civil liberties of Americans.
It is not clear what finding triggered the FBI determination.
In the March notice to Congress viewed by POLITICO, the FBI told lawmakers that unspecified hackers appeared to break into an agency system by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” which it described as a reflection of the group’s “sophisticated tactics.”
The notice also said the “affected” system contained “returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.”
Pen register and trap and trace devices allow law enforcement to monitor calls made to or from a specific phone, or websites visited by an internet-connected device. While these tools do not record the content of those communications, the information captured is valuable to foreign intelligence services or organized criminal groups because it could reveal the targets of FBI surveillance or criminal probes.
The breach of the FBI surveillance system does not appear to be connected to a recent Iranian-linked compromise of FBI Director Kash Patel’s personal emails. It is the latest sign that Chinese hackers have advanced to the point where they are consistently able to penetrate some of the country’s most sensitive national security systems.
“This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away — in fact, it’s growing more aggressive by the day,” said Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee.
When an agency declares a major incident under FISMA, it is also supposed to trigger an interagency cyber response mechanism. It is unclear whether that has happened or if the hack has since been contained.
Separate spokespeople for the White House and the Cybersecurity and Infrastructure Security Agency referred to the FBI for comment. The NSA did not respond to requests for comment.
The White House hosted a meeting about the breach that included officials from the FBI, NSA and CISA in early March, according to the first U.S. official and a third U.S. official with knowledge of the meeting.
Chinese hackers have previously targeted commercial communications providers as a springboard into federal networks or to access sensitive national security data.
One Chinese hacking group dubbed Volt Typhoon has burrowed deep inside critical infrastructure across the United States — including ports, water facilities and energy substations — while a second group labeled Salt Typhoon has breached some of the country’s largest telecommunications providers. In the latter hack, first uncovered in late 2024, Chinese hackers were able to siphon off call records from millions of Americans, view FBI wiretap data and steal unencrypted communications from the phone of then-presidential candidate Donald Trump.
The first U.S. official said they believed the FBI had acted quickly to address the incident. But they noted it was “embarrassing” for the bureau to be breached by the same hackers it is supposed to be tracking.
CYBER-ATTACKING EUROPE & THE MIDDLE EAST
Quote:A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.
The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.
“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”
Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.
“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”
TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple of years.
The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.
“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.
Proofpoint’s is not the only report of late about Chinese cyberespionage groups targeting Europe, with another focused on LinkedIn solicitations to NATO and European institutions.
MODERN MEDUSA DEMANDS RANSOMS NOW
Quote:A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States," the Microsoft Threat Intelligence team said.
Attacks mounted by Storm-1175 have also leveraged zero-day exploits, in some cases, before they have been publicly disclosed, as well as recently disclosed vulnerabilities to obtain initial access. Select incidents have involved the threat actor chaining together multiple exploits (e.g., OWASSRF) for post-compromise activity.
Upon gaining a foothold, the financially motivated cybercriminal actor swiftly moves to exfiltrate data and deploy Medusa ransomware within a span of a few days, or, in select incidents, within 24 hours.
To aid in these efforts, the group creates persistence by creating new user accounts, deploying web shells or legitimate remote monitoring and management (RMM) software for lateral movement, conducting credential theft, and interfering with the normal functioning of security solutions, before dropping the ransomware.
Since 2023, Storm-1175 has been linked to the exploitation of more than 16 vulnerabilities:
- CVE-2023-21529 (Microsoft Exchange Server)
- CVE-2023-27351 and CVE-2023-27350 (Papercut)
- CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
- CVE-2024-1708 and CVE-2024-1709 (ConnectWise ScreenConnect)
- CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
- CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
- CVE-2025-31161 (CrushFTP)
- CVE-2025-10035 (Fortra GoAnywhere MFT)
- CVE-2025-52691 and CVE-2026-23760 (SmarterTools SmarterMail)
- CVE-2026-1731 (BeyondTrust)
CHINESE HACKERS WILL EXPLOIT TRUECONF'S WEAKNESSES
Quote:A bug in a popular line of video conferencing software is being exploited by hackers, prompting the U.S. government to order all agencies to patch the vulnerability within two weeks.
The Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until April 16 to patch CVE-2026-3502, a vulnerability in the video conferencing tool TrueConf. The bug carries a severity score of 7.8 out of 10.
CISA’s confirmation that the vulnerability is being exploited follows a report from cybersecurity researchers at Check Point outlining an alleged Chinese hacking campaign targeting governments in Southeast Asia.
Check Point said Chinese hackers have been exploiting the vulnerability in a campaign they call TrueChaos. The campaign started in early 2026 and typically involved the Havoc penetration testing tool, which Chinese actors have repeatedly abused over the last year.
Check Point said it disclosed the bug to TrueConf, which developed a fix that was released in March.
“At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment,” the researchers said.
“The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.”
During exploitation of the bug, the hackers used the trusted update channel to distribute malicious updates. Check Point noted that the targeting indicates the campaign was likely focused on espionage.
TrueConf is used widely across organizations in Asia, Europe and the Americas, serving about 100,000 organizations globally. Check Point said it is used primarily by government, military, and critical infrastructure sectors “to ensure absolute data privacy and communication autonomy in secure or remote environments.”
“In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems,” Check Point explained.
Most infections likely began through a link sent to the victims. The links launched the TrueConf client and showed an update prompt alleging that there is a newer version available.
“Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process,” Check Point said.
“The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.”
Check Point attributed the campaign to Chinese actors based on the tactics deployed and the use of Alibaba Cloud and Tencent hosting tools. The company also saw the same victim targeted with the ShadowPad malware — a hallmark of Chinese actors.
CHINESE HACKERS HAVE BECOME CYBER-SPEEDSTERS
Quote:Threat actors from China, which hosts more hacking groups than any other country, are accelerating ransomware attacks by chaining dozens of vulnerabilities and compressing the entire kill chain into hours. A new report from Microsoft Threat Intelligence sheds light on how one group, tracked as Storm-1175, is turning exposed systems into fast-moving ransomware targets.
The Storm-1175 campaign adds a new dimension to the attacks – speed. According to Microsoft, Storm-1175 runs high-tempo campaigns that deliberately target the gap between vulnerability disclosure and patch adoption.
Since 2023, the attackers have exploited more than 16 vulnerabilities across widely used enterprise platforms, including Microsoft Exchange, ConnectWise tools, and file transfer software. In several cases, they sometimes weaponized zero-day flaws up to a week before public disclosure.
Once Storm-1175 gains access, it wastes no time. The group establishes persistence by creating new user accounts, deploying web shells, or legitimate remote monitoring and management (RMM) software for lateral movement. They begin credential theft almost immediately, though the endgame is deploying the Medusa ransomware.
In its research, Microsoft discovered that the group leverages tools like PowerShell, PsExec, and Impacket for lateral movement, modifies Windows firewall policy rules to enable remote access, and deploys utilities such as PDQ Deploy to push ransomware across compromised networks.
Besides Windows, Storm-1175 has also shown it can go after Linux environments. In late 2024, Microsoft observed the group exploiting vulnerable Oracle WebLogic instances across several organizations, although they were unable to identify the exact flaw that was exploited in those attacks.
Targets span multiple sectors, including healthcare, education, finance, and professional services across the US, UK, and Australia. However, the researchers stress that the common thread isn’t industry, it’s exposure. If an unpatched system sits on the internet, it comes into the group’s crosshairs.
Also worrying is the use of legitimate enterprise tools that give attackers a way to hide in plain sight by routing malicious activity through trusted, encrypted channels and making detection far more difficult for defenders.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
![[Image: SP1-Scripter.png]](https://www.save-point.org/images/userbars/SP1-Scripter.png)
![[Image: SP1-Writer.png]](https://www.save-point.org/images/userbars/SP1-Writer.png)
![[Image: SP1-Poet.png]](https://www.save-point.org/images/userbars/SP1-Poet.png)
![[Image: SP1-PixelArtist.png]](https://www.save-point.org/images/userbars/SP1-PixelArtist.png)
![[Image: SP1-Reporter.png]](https://i.postimg.cc/GmxWbHyL/SP1-Reporter.png)
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE
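The TrueConf article quoted above describes an updater whose validation could not tell a vendor-built package from one swapped in on a compromised on-premises server, so every connected client pulled the attacker's file through the normal update path. As an added illustration, not code from this post or from TrueConf, here is that weak pattern in Go next to a hardened one: the client pins the vendor's Ed25519 public key, verifies a signature that binds the version number to the package hash, and refuses downgrades. Every name here (UpdateManifest, AcceptUpdateVerified, the sample package bytes) is constructed for the example and says nothing about TrueConf's real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest models what an on-premises update server hands a client:
// the package bytes, the version it claims to be, and a detached vendor
// signature. The field layout is constructed for this example.
type UpdateManifest struct {
	Version   uint32
	Package   []byte
	Signature []byte
}

// NewVendorKey generates the vendor's offline Ed25519 signing key. In a
// real deployment only the public half ships inside the client binary.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to do in an example
	}
	return pub, priv
}

// signedPayload binds the version number to the package hash, so a genuine
// signature cannot be paired with a different package, nor an old package
// relabelled with a newer version number.
func signedPayload(version uint32, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return append([]byte(fmt.Sprintf("update-v%d:", version)), sum[:]...)
}

// SignUpdate is the vendor-side build step that produces a manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, pkg []byte) UpdateManifest {
	return UpdateManifest{
		Version:   version,
		Package:   pkg,
		Signature: ed25519.Sign(priv, signedPayload(version, pkg)),
	}
}

// AcceptUpdateUnverified is the weak pattern: whatever the server serves
// as the update gets installed, so a compromised server gets code
// execution on every connected endpoint.
func AcceptUpdateUnverified(m UpdateManifest) ([]byte, error) {
	return m.Package, nil
}

// AcceptUpdateVerified is the hardened pattern: the client checks the
// vendor signature against a pinned public key and refuses downgrades.
func AcceptUpdateVerified(vendorPub ed25519.PublicKey, installed uint32, m UpdateManifest) ([]byte, error) {
	if len(m.Signature) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	if !ed25519.Verify(vendorPub, signedPayload(m.Version, m.Package), m.Signature) {
		return nil, errors.New("vendor signature does not verify: package rejected")
	}
	// Anti-rollback: a genuine but older package may carry a known bug.
	if m.Version <= installed {
		return nil, fmt.Errorf("refusing downgrade to v%d (installed v%d)", m.Version, installed)
	}
	return m.Package, nil
}

func main() {
	pub, priv := NewVendorKey()
	genuine := SignUpdate(priv, 2, []byte("genuine client v2"))
	// An attacker controlling the on-prem server swaps the package bytes.
	tampered := genuine
	tampered.Package = []byte("implant")

	if _, err := AcceptUpdateUnverified(tampered); err == nil {
		fmt.Println("unverified client: installed attacker package")
	}
	if _, err := AcceptUpdateVerified(pub, 1, tampered); err != nil {
		fmt.Println("verified client:", err)
	}
	if _, err := AcceptUpdateVerified(pub, 1, genuine); err == nil {
		fmt.Println("verified client: installed genuine v2")
	}
}
```

The on-premises server still distributes the bytes, but it no longer holds anything that makes a package verify; the signing key stays with the vendor's build system. The version check matters independently of the signature: an attacker who cannot forge can still replay a genuine, older, vulnerable package through the same channel.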
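The two Storm-1175 write-ups quoted above list the same post-access behaviours: persistence through new user accounts, Windows firewall rule changes to enable remote access, and PsExec for lateral movement, all compressed into hours. As an added example, not code from this post or from Microsoft, the Go program below correlates those behaviours over a constructed set of Windows event records: event 4720 (a user account was created), 4946 (a rule was added to the Windows Firewall exception list) and 7045 (a service was installed, matched on the PSEXESVC name PsExec registers), alerting when at least two categories occur on one host inside a time window. The record layout, host names and timestamps are invented; the event IDs are the real Windows ones.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is a minimal normalised Windows event record. The shape is
// constructed for this example; a real pipeline would fill it from
// Security/System log exports.
type Event struct {
	Time   time.Time
	Host   string
	ID     int               // Windows event ID
	Fields map[string]string // selected event-specific fields
}

// Behaviour categories taken from the Storm-1175 description.
const (
	CatAccountCreated = "new local account"
	CatFirewallRule   = "firewall rule added"
	CatServiceInstall = "remote-exec service installed"
)

// classify maps an event to a category, or "" if it is not of interest.
// 4720 = a user account was created; 4946 = a rule was added to the
// Windows Firewall exception list; 7045 = a service was installed (the
// System-log entry PsExec leaves when it registers PSEXESVC).
func classify(e Event) string {
	switch e.ID {
	case 4720:
		return CatAccountCreated
	case 4946:
		return CatFirewallRule
	case 7045:
		if strings.Contains(strings.ToUpper(e.Fields["ServiceName"]), "PSEXESVC") {
			return CatServiceInstall
		}
	}
	return ""
}

// Alert summarises a host on which several categories fired close together.
type Alert struct {
	Host       string
	Categories []string
	Start, End time.Time
}

// Correlate raises one alert per host when at least minCats distinct
// categories occur within window of an anchor event on that host.
func Correlate(events []Event, window time.Duration, minCats int) []Alert {
	byHost := map[string][]Event{}
	for _, e := range events {
		if classify(e) != "" {
			byHost[e.Host] = append(byHost[e.Host], e)
		}
	}
	var alerts []Alert
	for host, evs := range byHost {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs {
			seen := map[string]bool{}
			end := evs[i].Time
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				seen[classify(evs[j])] = true
				end = evs[j].Time
			}
			if len(seen) < minCats {
				continue
			}
			cats := make([]string, 0, len(seen))
			for c := range seen {
				cats = append(cats, c)
			}
			sort.Strings(cats)
			alerts = append(alerts, Alert{Host: host, Categories: cats, Start: evs[i].Time, End: end})
			break // one alert per host is enough for triage
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Host < alerts[j].Host })
	return alerts
}

// ev builds a record from an RFC 3339 timestamp and one named field.
func ev(ts, host string, id int, key, val string) Event {
	t, _ := time.Parse(time.RFC3339, ts) // constructed input, always well-formed
	return Event{Time: t, Host: host, ID: id, Fields: map[string]string{key: val}}
}

// SampleEvents is a constructed log: SRV01 shows the whole chain inside
// 20 minutes, WS07 only routine activity.
func SampleEvents() []Event {
	return []Event{
		ev("2026-04-01T02:10:00Z", "SRV01", 4720, "TargetUserName", "svc_backup2"),
		ev("2026-04-01T02:14:00Z", "SRV01", 4946, "RuleName", "Allow RDP"),
		ev("2026-04-01T02:27:00Z", "SRV01", 7045, "ServiceName", "PSEXESVC"),
		ev("2026-04-01T09:00:00Z", "WS07", 4720, "TargetUserName", "jdoe"),
		ev("2026-04-01T09:05:00Z", "WS07", 7045, "ServiceName", "Print Helper"),
	}
}

func main() {
	for _, a := range Correlate(SampleEvents(), 30*time.Minute, 2) {
		fmt.Printf("%s: %s (%s..%s)\n", a.Host, strings.Join(a.Categories, ", "),
			a.Start.Format("15:04"), a.End.Format("15:04"))
	}
}
```

Each of these events is benign on its own, which is why the rule is per host and time-bounded rather than a single-event match. Tune the window to the tempo the articles describe (hours, not weeks), and once real exports are available add the firewall rule's port and the service binary path as fields so the alert carries what an analyst needs for triage.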