Chinese Hackers

[kyonides]

The following article talks about what happened about 2 weeks ago.

Chinese Hackers Hit Russia in Cyberattack

Dozens of systems used by government bodies and IT companies in Russia have reportedly become the targets of Chinese hackers.

Moscow-based cybersecurity provider Kaspersky Lab, revealed that the backdoor malware used to gain access to the systems was "GrewApacha," a Trojan used since at least 2021 by the Chinese cyber-espionage group known as APT31 (Advanced Peristent Threat 31).

APT31 is believed to have ties to China's civilian spy agency, the Ministry of State Security (MSS). Earlier this year, the United States Justice department indicted several Chinese nationals and one company for allegedly carrying out APT31 operations.

"During these attacks, attackers infected devices using phishing emails with attachments containing malicious shortcut files," read an August 8 report by Kaspersky Lab-managed website SecureList. Kaspersky has dubbed the Russia-centered hacking campaign "EastWind."

Clicking on these files prompts the installation of the malware, which receives commands from the Dropbox cloud storage.

"With the help of this software, the attackers downloaded additional Trojans to the infected computers, in particular, tools used by the APT31 cybergroup, as well as the updated CloudSorcerer backdoor," the report said.

A Trojan is a type of malware disguised as legitimate software to trick users into installing it. Once installed, Trojans can perform malicious actions on the infected system, such as spying on users, stealing data and providing cybercriminals with unauthorized access.

The SecureList report said the method observed in the recent cyberattacks was similar to the one previously used to target a U.S. organization.

A SecureList report released last month called the updated CloudSorcerer malware "a sophisticated toolset targeting Russian government entities."

Its "ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication."

The Russian and Chinese foreign ministries didn't immediately respond to a written request for comment.

Last year, the intelligence chiefs of the Five Eyes intelligence alliance—the U.S., the U.K., Canada, Australia and New Zealand—warned of the threat posed by China's use of cutting-edge technology to carry out hacking and intellectual property theft on a large scale.

An anonymous source earlier this year leaked evidence of a massive surveillance campaign by I-Soon, an MSS-affiliated Chinese contractor, whose targets ranged from foreign governments, politicians and think tanks to private Chinese citizens.

The Chinese foreign ministry responded to the leak by saying it "firmly opposes and cracks down on all forms of cyber attack in accordance with the law."

But this one is very recent!

China seen using 'white hat' hackers to boost cyberattack capability

China is increasingly suspected of involving "white hat" hackers--who typically identify cybersecurity weaknesses--in cyberattacks. This development is believed to be boosting China's offensive capabilities by utilising its top private hackers, according to a report by Nikkei Asia. The investigation conducted by Nikkei Asia and other organisations, reveals that since the introduction of mandatory vulnerability reporting to the Chinese government in 2021, the number of attacks with suspected Chinese involvement has witnessed a sharp rise.

White hats, who work for security companies or as freelancers, are responsible for bug hunting. They identify vulnerabilities, report them to developers, and receive compensation. Nikkei Asia further reported that developers issue patches and request users to install them to enhance security. In September 2021, concerns emerged in Europe and the US about the exploitation of vulnerabilities before patches could be deployed.

Later that year, Chinese media reported that the Ministry of Information and Technology had suspended Alibaba Group Holding's cloud computing operations from participating in a cybersecurity partnership for six months due to a failure to report issues. In collaboration with cybersecurity firm Trend Micro, Nikkei Asia collected data on 222 software vulnerabilities identified by the US government and others as being exploited by hacker groups believed to be linked to the Chinese government. These groups are suspected of using these vulnerabilities to infiltrate networks.

Katsuyuki Okamoto, a cybersecurity expert at Trend Micro, told Nikkei Asia, "In the past, the main method of cyberattack was phishing, involving tricking victims into downloading malware via email. Now, vulnerability attacks are mainstream." A search on OTX (Open Threat Exchange), a collaborative platform developed by AlienVault (now part of AT&T Cybersecurity) for sharing and accessing threat intelligence, found a total of 1,047 attacks exploiting these vulnerabilities.

Chinese white hats, known for their bug-hunting skills, are highly regarded worldwide. In 2021, when the vulnerability reporting obligation was introduced, there were 16 reported cases. This number surged to 267 in 2022 and nearly doubled again to 502 in 2023. The current year is following a similar trend, with 242 cases reported in the first half.

Taiwan-based cybersecurity firm TeamT5, which examined the leaked files, reports that i-Soon has employed numerous self-identified white hat hackers. However, a significant portion of their work has been commissioned by Chinese state security.

Here's the original article but you'd need to subscribe to Nikkei website in order to read the full text.

[kyonides]

Guess what? We missed a cyber attack last week!

Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection.

The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control over the compromised system, facilitating both data exfiltration and persistent access.

"The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system," cybersecurity company Sygnia said in a report shared with The Hacker News.

Cybersecurity
Velvet Ant first caught the attention of researchers at the Israeli cybersecurity company in connection with a multi-year campaign that targeted an unnamed organization located in East Asia by leveraging legacy F5 BIG-IP appliances as a vantage point for setting up persistence on the compromised environment.

The threat actor's stealthy exploitation of CVE-2024-20399 came to light early last month, prompting Cisco to issue security updates to release the flaw.

Chinese Hackers
Notable among the tradecraft are the level of sophistication and shape-shifting tactics adopted by the group, initially infiltrating new Windows systems before moving to legacy Windows servers and network devices in an attempt to fly under the radar.

"The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign," Sygnia said.

The latest attack chain entails breaking into a Cisco switch appliance using CVE-2024-20399 and conducting reconnaissance activities, subsequently pivoting to more network devices and ultimately executing a backdoor binary by means of a malicious script.

But before you leave, you gotta know that another cyber attack hit the US and undisclosed country.

Chinese hackers exploited bug to compromise internet companies,
cybersecurity firm says

A Chinese hacking group exploited a software bug to compromise several internet companies in the U.S. and abroad, a cybersecurity firm said on Tuesday.

Researchers at the firm, Lumen Technologies (LUMN.N), opens new tab, said in a blog post that the hackers took advantage of a previously unknown vulnerability in Versa Director - a software platform used to manage services for customers of Santa Clara, California-based Versa Networks. It said four U.S. and one non-U.S. victim had been identified. Lumen did not name the victims and did not immediately respond to a request seeking further details.

Versa Networks issued an advisory on Monday acknowledging that the vulnerability had been exploited "in at least one known instance" by an advanced group of hackers, and urged customers to upgrade their software to fix the bug.

Lumen's blog post said that its researchers assessed with "moderate confidence" that the hacking campaign was carried by an alleged Chinese government-backed group nicknamed "Volt Typhoon." The attacks happened as early as June 12, Lumen said.

The Chinese Embassy in Washington did not immediately respond to a request seeking comment, although Beijing routinely denies allegations of its involvement in cyberespionage. U.S. officials did not immediately respond to a request for comment but on Friday the U.S. Cybersecurity and Infrastructure Security Agency added the Versa vulnerability to its list of "known exploited vulnerabilities."

Brandon Wales, the recently departed executive director of CISA, was quoted by the Washington Post on Tuesday saying that China's hacking effort had "dramatically stepped up from where it used to be."

Volt Typhoon has emerged as a group of particular concern to U.S. cybersecurity officials. In April, FBI Director Christopher Wray said China was developing the "ability to physically wreak havoc" on U.S. critical infrastructure and that Volt Typhoon had burrowed into numerous U.S. telecommunications, energy, water and other critical services companies.

[kyonides]

New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads

Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads.

"The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report.

The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activates the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems.

Present with the ZIP archive is a Windows shortcut (LNK) file that disguises itself as a Microsoft Word file, "违规远程控制软件人员名单.docx.lnk," which roughly translates to "List of people who violated the remote control software regulations."

"Given the language used in the lure files, it's likely that specific Chinese related business or government sectors could be targeted as they would both employ individuals who follow 'remote control software regulations,'" the researchers pointed out.
...
"The attackers further enabled themselves to hide in the weeds in compromised systems by manually elevating the privileges of the built-in Guest user account," the researchers said.

"This account, typically disabled and minimally privileged, was transformed into a powerful access point by adding it to the critical administrative group and assigning it a new password. This backdoor allows them to maintain access to the system with minimal detection, as the Guest account is often not monitored as closely as other user accounts."

The unknown threat actor subsequently proceeded to move laterally across the network using Remote Desktop Protocol (RDP) and credentials obtained via the Mimikatz password extraction tool, followed by setting up remote connections back to their command-and-control (C2) server from each of those machines.

The post-exploitation phase is further characterized by the execution of several enumeration commands and the use of the BloodHound tool for active directory (AD) reconnaissance, the results of which were then exfiltrated in the form of a ZIP archive.
...
The connections to China are reinforced by the fact that all of the C2 servers are hosted in China by Shenzhen Tencent Computer Systems Company Limited. On top of that, a majority of the artifacts connected with the campaign have originated from China.

"Although there was no solid evidence linking this attack to any known APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as Cobalt Strike and a wide range of other post-exploitation tools," the researchers concluded.

[kyonides]

Employee of Chinese State-Owned Defense Contractor Charged with Hacking NASA, U.S. Military

A Chinese national named Song Wu, employed by a gigantic Chinese state-owned defense conglomerate, was indicted in the Northern District of Georgia on Monday for a scheme to hack U.S. government agencies including NASA, the Army, the Navy, the Air Force, and the Federal Aviation Administration (FAA).

The indictment accused Song of sending “spear phishing emails” to employees of the targeted agencies, as well as private sector contractors and “individuals employed in positions with major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.”

“Spear phishing” is the dark art of sending very realistic-looking emails to a victim, often tarted up with convincing personal and professional details. When the victim opens attachments to these emails or clicks on links to websites contained within them, the victim’s computer is infected by malware. Some spear phishing attacks forego malware and simply trick the victim into revealing passwords or other valuable data.

Spear phishing attacks are carefully targeted and require a good deal of work by the hacker, who must create emails that look like realistic messages from friends, family, or colleagues of the victim.

According to the Department of Justice (DOJ), Song’s emails “appeared to the targeted victims as having been sent by a colleague, associate, friend, or other person in the research or engineering community.”

“Hi, [victim’s name], I sent Stephen an email for a copy of NASCART-GT code, but got no response right now. He must be too busy. Will you help and sent it to me?” read an example of the phishing emails, with spelling error in the original.

“Hi, [victim’s name] – sorry to bug you early in the morning. Please sent me a copy of the DAC software when you are available to help. FYI, it is urgently needed and please let me know,” read another.

Over the course of several years, Song allegedly attempted to trick his victims into sending him sensitive “source code or software” related to fields such as aerospace engineering and computational fluid dynamics.

“This specialized software could be used for industrial and military applications, such as development of advanced tactical missiles and aerodynamic design and assessment of weapons,” the indictment noted.

Computational fluid dynamics, for example, is employed by aerospace engineers to model airflow around the flight surfaces of aircraft and missiles.

According to the indictment, some of Song’s spear phishing attacks were successful. DOJ did not specify exactly what software he was able to steal, or from whom.

DOJ described Song as a 39-year-old employee of the Aviation Industry Corporation of China (AVIC), an aerospace and defense company based in Beijing and owned by the Chinese government. The indictment repeatedly stated that he was “aided and abetted by persons unknown.”

“AVIC manufactures civilian and military aircrafts and is one of the largest defense contractors in the world,” the indictment noted.

Song’s case is being handled by the Disruptive Technology Strike Force, a multi-agency force established by the Justice and Commerce Departments, the FBI, and the Department of Homeland Security in February 2023 to investigate export violations, smuggling, and information theft by Russia, China, North Korea, and Iran.

[kyonides]

Report: Chinese Spies Lurked for Months Inside U.S.-Based Engineering Firm’s Network

John Dwyer, research director for cybersecurity firm Binary Defense, said in an interview on Wednesday that Chinese state-sponsored hackers were able to infiltrate the network of a U.S.-based global engineering firm and linger for months before they were discovered.

Dwyer did not name the targeted engineering firm in his interview with The Register, or name the Chinese cyber-espionage team that penetrated its system. He said the company in question “makes components for public and private aerospace organizations and other critical sectors, including oil and gas.”

According to Dwyer, the Chinese intruders gained access to the network through “one of the victim’s three unmanaged AIX servers.”

AIX is a proprietary version of the Unix operating system sold by IBM. Unix is an older system, but it is still widely used, and IBM still actively supports AIX.

The Register inferred from Dwyer’s comments that the targeted company essentially forgot about the three old servers connected to its corporate network, creating a vulnerability for the Chinese hackers to exploit. All three of the servers were exposed to the Internet without adequate protection. One of them reportedly gave full administrator powers to remote users by default, a hideous security flaw.

The AIX servers were also allegedly comfortable nests for the intruders, who lurked in the network for four months before the company detected them and called in federal law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). Binary Defense also consulted on the response, which is how Dwyer learned the details of the intrusion.

The hackers were reportedly in the system long enough to upload some data and create bigger gaps in security for themselves, effectively gaining “full, remote access to the IT network.” Among other dangers, this could have given them the ability to manipulate the company’s supply chain to produce deliberately defective products.

“The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product – whether it is the government, the US Department of the Defense, school systems – assumes all of the risks of all the interconnected pieces of the supply chain,” he said.

Dwyer offered extensive details about the havoc the Chinese hackers wreaked on network security, but did not specify whether they stole data from the targeted company or tried to sabotage its supply chain. He found some dry humor in the attackers’ apparent confusion over AIX, which looks a great deal like Unix, but did not recognize some of the standard Unix commands the intruders attempted to execute.

Dwyer felt one of the important lessons to be learned from the incident was that older computers connected to massive networks can create huge security flaws, especially if they have not been updated and locked down in accordance with current security standards for the active systems on the network.

Dwyer noted the three AIX servers were not “compatible with the organization’s security monitoring tools,” which is why the hackers were able to lurk inside them for months undetected. The jig was finally up when the hackers tried to use a memory dump to steal user IDs and passwords from another computer on the network, a bit of mischief egregious enough to alert network security programs.

Cybersecurity professionals are increasingly worried about “legacy systems,” older machines that can become “digital time bombs” because network administrators forget about them, or underestimate how vulnerable they are. The last few generations of computers were much more robust and durable than their predecessors, so there are more elderly and semi-obsolete machines still running on big networks, especially at cost-conscious companies that avoid performing expensive upgrades for as long as possible.

[kyonides]

FBI Disrupts Chinese Botnet Infecting Thousands of US Devices

Authorities in the United States disrupted a group of Chinese hackers that infiltrated thousands of devices on behalf of China’s communist regime.

A group of Chinese state-sponsored hackers working for Integrity Technology Group, a company based in Beijing and known to the private sector as “Flax Typhoon,” used the infected devices to form a botnet to launch additional attacks, the Justice Department said on Sep. 18.

Malware was installed by the Chinese outfit on some 200,000 consumer devices in the United States and elsewhere. Infected utilities included cameras, video recorders, and home and office routers.

“The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices,” a statement released by the Justice Department read.

The FBI then engaged in a court-ordered operation to take control of the compromised devices and remotely disable the malware to prevent the hackers from further spying on and stealing data from universities, government agencies, and others.

Speaking at the Aspen Cyber Summit on Sept. 18, FBI Director Christopher Wray said that the government’s malware disabling commands were “extensively tested prior to the operation.”
“This was another successful disruption, but make no mistake—it’s just one round in a much longer fight,” Wray said.

“The Chinese government is going to continue to target your organizations and our critical infrastructure … and we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” he said.

Still, the hackers launched a counterattack on FBI devices, deploying a distributed denial-of-service (DDoS) campaign that targeted the infrastructure the FBI was using to take control of the devices.

“That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet,” the Justice Department stated.

Acknowledgment of the operation comes nine months after Wray disclosed another campaign disrupted a Chinese botnet targeting critical infrastructure in the United States.

Wray testified at the time that the CCP’s intrusion into U.S. systems was unique for the extent to which it deliberately targeted civilian systems that would directly pose physical harm to Americans.

He said the malware removed in that operation was designed to disrupt, degrade, and destroy U.S. infrastructure, likely in coordination with direct military actions in the event of a conflict between the United States and China.

It is unclear if the Flax Typhoon malware served a similar purpose.

According to court documents, the Beijing-based Integrity Technology Group built an online application allowing its customers to log in and control infected victim devices with a menu of malicious cyber commands using a tool called “vulnerability-arsenal.”

The online application was prominently labeled “KRLab,” one of the main public brands used by Integrity Technology Group.

Attorney General Merrick Garland said in a statement that the cyber campaign was just one part of communist China’s robust efforts to undermine U.S. national security.

“The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” Garland said.

“We will continue to aggressively counter the threat that China’s state-sponsored hacking groups pose to the American people.”

The FBI will advise U.S. owners of devices affected by the operation through their internet service providers.

Charges Against Alleged Chinese Military Hacker Unsealed

Charges against Chinese national Jia Wei were unsealed on Sept. 17, alleging unlawful access to U.S. communications company networks to steal proprietary information on behalf of Chinese entities.

Wei, a member of the Chinese Communist Party’s (CCP) People’s Liberation Army (PLA), was assigned to Unit 61786, which is tasked with obtaining communications and information via hacking, according to the Department of Justice.

In March 2017, Wei and co-conspirators allegedly hacked an American company’s network about two days after the company sued a China-based competitor for theft of trade secrets.

According to the indictment, the hackers obtained documents related to the company’s “civilian and military communication devices,”  as well as “product development information, testing plans, and internal evaluations.” They also copied documents that discussed the China-based competitor.

In April 2017, the hackers allegedly tried to install malicious software on the company’s network.

The hackers continued to unlawfully access the network through May 2017, according to the indictment.

A special grand jury convened in May 2021 returned a six-count indictment in March 2022, charging Wei with wire fraud, conspiracy to commit computer intrusions, computer intrusions, and aggravated identity theft for using an employee’s account to access the company network.

Wei, also known as “chansonJW,” “JWT,” “JWT487,” “asmikace,” “asmikace3d,” “askikace3d,” and “haber william,” has not yet been arrested.

If convicted, he would face a maximum of 20 years in prison for wire fraud charges, five years in prison for conspiracy and computer intrusion charges, and two years for aggravated identity theft.

The United States has recognized CCP-backed cyber attacks as a top threat to national security. PLA hackers and other hacking rings tied to the CCP have been identified as responsible for several large-scale data breaches, such as the 2017 Equifax hack that compromised personal information, including social security numbers for 145 million Americans, 2021 Microsoft Exchange cyberattack that compromised some 10,000 networks, 2023 breach of government emails, and the ongoing “Volt Typhoon” campaign where hackers have infiltrated critical American infrastructure and are biding their time, according to FBI Director Christopher Wray.

The DOJ announced the unsealing of the indictment the same day it issued a major update of criminal charges in five separate cases resulting from the multiagency Disruptive Technology Strike Force.

The defendants include a Russian national who tried to illegally export drones to Russia and an employee of a Chinese regime-run aerospace conglomerate who allegedly tried to obtain software and source code from NASA, U.S. military branches, and the Federal Aviation Administration from 2017 to 2021.

Song Wu, a Chinese national, was indicted for running a large phishing campaign wherein he impersonated U.S.-based researchers and engineers to obtain aerospace engineering trade secrets. According to the DOJ, the technologies have industrial and military applications and could be used in the development of missiles and weapons.

Song was charged with 14 counts of wire fraud, which carries a maximum of 20 years in prison for each count, and 14 counts of aggravated identity theft, which carries a mandatory consecutive two-year term penalty.

[kyonides]

In this edition Canada became the latest target of those evil hackers!

Chinese Hackers Likely Got MPs’ Personal Emails From Volunteer Tortured in China, Committee Told

A Hong Kong pro-democracy activist reportedly tortured in China may have been the source through which China-backed hackers accessed personal emails of Canadian parliamentarians, a global legislative coalition director told a House of Commons committee.

Luke de Pulford, executive director of the global coalition Inter-Parliamentary Alliance on China (IPAC), made the comment on Sept. 26 in response to a question from Conservative MP Garnett Genuis during his testimony before the Standing Committee on Procedure and House Affairs.

The committee is investigating a 2021 cyberattack by the Chinese hacker group Advanced Persistent Threat Group 31 (APT31) that targeted legislative members of IPAC, including 18 Canadian parliamentarians. Genuis, who serves as the Canadian chair at IPAC, asked about how the hackers obtained his personal email and the IPAC email distribution list.

“I do not know how they obtained that, but I do have one possible theory: unfortunately, someone who used to volunteer for us, a man named Andy Li, was arrested in China under the National Security Law and imprisoned in Hong Kong. He awaits sentencing for National Security Law crimes, some of which are associated with IPAC,” de Pulford said in response.

“We know that they [Chinese authorities] breached his system, and they may have got our distribution list from him,” he added. “Very disturbingly, when he was apprehended, he was taken to Shenzhen prison in China and reportedly tortured.”

Li, a computer programmer, played a key role in a crowdfunding campaign to rally support for the 2019 pro-democracy protests in Hong Kong. He gained international attention after being one of 12 Hongkongers who attempted to flee to Taiwan by speedboat in August 2020. The group was intercepted by Chinese authorities at sea and detained at Shenzhen city.

In March, Li appeared as a prosecution witness during the trial of Hong Kong media mogul Jimmy Lai, alleging that Lai financed advertising campaigns to support the 2019 pro-democracy protests in the city. However, the United Nations Special Rapporteur on Torture, Alice Jill Edwards, expressed deep concerns about Li’s testimony, arguing that it should not be admitted as evidence since it “may have been obtained as a result of torture or other unlawful treatment.”

Cyberattack

The APT31 targeted 120 legislators from 18 countries who are members of the IPAC, de Pulford told the committee. However, they became aware of the cyberattack only recently, following the unsealing of an indictment by the U.S. Department of Justice in March, which charged seven hackers associated with the group.

According to the indictment, the hackers sent “thousands of malicious tracking email messages” with embedded hyperlinks to their targets. Once the recipients opened the emails and clicked the links, the hackers could steal their information, such as the victims’ locations, IP addresses, network details, and specific devices used to access their email accounts. These emails were sent to more than 400 unique accounts associated with IPAC members, the indictment stated.

Genuis had previously told the House of Commons that, following the 2021 cyberattack, the FBI alerted IPAC about the attempt and notified allied governments. However, he said the bureau did not directly inform non-U.S. legislators due to “rules regarding sovereignty.” Genius and other affected Canadian MPs have criticized Canadian authorities for not informing targeted parliamentarians for nearly a year after receiving U.S. intelligence about the threat.

In an April 30 statement to The Epoch Times, Mathieu Gravel, spokesperson for the House of Commons Speaker’s Office, said the administration had “determined that the risk-mitigation measures in place had successfully prevented any attack,” adding, “There were no cybersecurity impacts to any Members or their communications.” Genuis disputed this claim, noting that his personal email was targeted.

During the Sept. 26 committee meeting, de Pulford expressed concerns about parliamentarians being kept uninformed about the cyberattack, noting that it would prevent them from protecting themselves and sensitive information, such as “high-risk transnational repression cases” that many of them handle.

“Telling parliamentarians that this attack was not successful or not serious is questionable at best and misleading at worst,” he said.

China-Backed Group Hacked Over 9,000 Devices in Canada as Part of Global Operation, FBI Says

Over 9,000 consumer devices in Canada have been compromised by a Beijing-backed hacker group that installed malicious software on hundreds of thousands home and office internet-connected devices worldwide, an assessment done by U.S. authorities has found.

The hacker group called “Flax Typhoon” has controlled and managed a large network of compromised devices—a botnet—that’s been active since mid-2021, says a Sept. 18 “Joint Cybersecurity Advisory“ issued by the FBI and two other U.S. national security agencies along with partner agencies in Canada, Australia, New Zealand, and the UK.

The devices, such as routers, digital video recorders, internet protocol cameras, and network-attached storage devices, are infected with a type of malware that allows the hackers to have unauthorized remote access and to carry out cyber crimes. Using the botnet as a proxy, they are able to conceal their identities during cyberattacks and other malicious activities.

“As of June 2024, the botnet consisted of over 260,000 devices. Victim devices which are part of the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia,” the advisory stated.

The advisory said approximately 9,200 of those devices are based in Canada, accounting for just 3.5 percent of the total. The United States was hit hardest, with 126,000 affected devices, representing 47.9 percent of the total, far surpassing the next most impacted country, Vietnam, with 21,100 compromised devices.

The Epoch Times reached out to the Canadian Security Intelligence Service and Communications Security Establishment Canada for comment but did not hear back immediately.

The hackers of Flax Typhoon, backed by the People’s Republic of China (PRC), work for a Beijing-based publicly traded company called Integrity Technology Group that has several Chinese state-owned enterprises as key stakeholders.

The company has developed an online application that allows its customers to “log in and control specified infected victim devices,” according to court documents unsealed in the Western District of Pennsylvania, which detail the investigation of the botnet by an unnamed FBI special agent.

Botnets Disrupted

Citing the unsealed court documents, the U.S. Justice Department on Sept. 18 announced that a court-authorized law enforcement operation had disrupted the worldwide botnet.

The department said the Flax Typhoon hackers tried to interfere with the FBI-led international operation via a distributed denial-of-service attack, a cyberattack that floods a website or server with excessive traffic to make it function poorly or be knocked offline completely.

The attack targeted infrastructure the FBI was using to carry out the court’s orders but ultimately failed to stop the FBI from disrupting the botnet.

“The Justice Department is zeroing in on the Chinese government backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” U.S. Attorney General Merrick B. Garland said in a Sept. 18 press release.

“As we did earlier this year, the Justice Department has again destroyed a botnet used by PRC-backed hackers to infiltrate consumer devices here in the United States and around the world. We will continue to aggressively counter the threat that China’s state- sponsored hacking groups pose to the American people.”

In late January, U.S. authorities had announced an earlier court-authorized operation that disrupted another Chinese state-backed botnet run by a hacker group known as “Volt Typhoon,” which infected hundreds of U.S.-based routers in small offices and home offices.

FBI Director Christopher Wray condemned Beijing for “targeting American civilian critical infrastructure and pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”

“Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans,” he said in the Jan. 31 press release.

Chinese cyberattacks against Canada are a key focus of ongoing investigations by a parliamentary committee as well as the current public inquiry into foreign interference. These investigations are examining a 2021 incident involving another Chinese hacker group, known as Advanced Persistent Threat Group 31 (APT31), which targeted members of an international legislative coalition including 18 Canadian parliamentarians.

Luke de Pulford, executive director of the global coalition Inter-Parliamentary Alliance on China (IPAC), testified before the House of Commons Standing Committee on Procedure and House Affairs on the matter on Sept. 26.

He told the committee of the possibility that APT31 hackers obtained the IPAC email distribution list through IPAC volunteer Andy Li. Li, a computer programmer, played a key role in a crowdfunding campaign to rally support for the 2019 pro-democracy movement in Hong Kong. He was later arrested while attempting to flee to Taiwan by speedboat, and reportedly faced torture while imprisoned in China.

[kyonides]

NSA Investigating CCP-Backed Hack of Major US Telecommunications Companies

National Security Agency Director Gen. Timothy Haugh said the Chinese communist regime-backed hack on major American telecommunications companies is under investigation.

The hack was first reported by The Wall Street Journal on Oct. 5.

Haugh told a small group of reporters on Oct. 6 at The Cipher Brief conference that details about the investigation could not yet be made public. According to The Wall Street Journal, hackers had access to several broadband providers, including AT&T, Verizon, and Lumen Technologies, for months or longer, amounting to a major national security risk.

“We’re really at an initial stage,” he said, according to The Cipher Brief, noting that the intelligence agencies have seen that the Chinese Communist Party (CCP) is “going to be very aggressive” in targeting critical infrastructure.

During the conference, Haugh outlined the threat from the CCP.

“The scope and sophistication at which the [People’s Republic of China (PRC)] continues to grow its capabilities and extend its global reach is matched only by the sheer scale and speed of which it acts,” Haugh said. “It has enhanced its actions in cyberspace, where the PRC represents the most daunting of our threats.”

Lumen Technologies disclosed in a blog post in August that hackers took advantage of vulnerabilities in the Versa Director software platform. Four U.S. targets and one Indian firm were targeted, but the companies were not named at the time. Versa Networks confirmed three unnamed victims, including an internet service provider.

At the time, Lumen researchers said they were moderately confident that the hack was related to the CCP-backed, ongoing hacking campaign “Volt Typhoon” and that internet companies were targeted so that the regime could surveil the customers.

Haugh said he was “incredibly confident” in the United States’ ability to counter the CCP cyber threat because we value transparency.

When intelligence officials disclosed the Volt Typhoon threat last year, it had a ripple effect among lawmakers, the private sector, and even other countries, which took action to close vulnerabilities.

“We’ve now seen all of them be successful,” Haugh said. “That’s an exemplar of what we can be doing. ... We’ve done over 70 advisories about these threats and in many cases those advisories are at the keystroke level of what is an adversary doing, how are they doing it, and how can we counter it.”

CCP is Stifling Chinese Potential: Haugh

The CCP has strengths in areas such as scale and control-enabling technologies, but according to Haugh, its heavy-handed approach to expanding aggressively on foreign soil may now be a setback.

China currently faces several domestic crises caused by CCP policy: a collapsed real estate industry that had propped up the Chinese economy, evaporating foreign investment, and a shrinking workforce and population.

Now, global trade partners are putting up barriers, and the CCP will find it increasingly difficult to offset these domestic issues financially, Haugh said.

“Addressing these challenges will require innovative thinking by PRC leaders. However, the Chinese Communist Party’s tighter, authoritarian grip could very well stifle the ability of the PRC and will to navigate its most pressing challenges,” he said.

American principles of freedom of belief and private ownership give the United States a competitive advantage in countering the CCP, he said. These principles have given rise to diverse innovation and dynamic public-private partnerships.

The more the National Security Agency has shared about the CCP cyber threat with agencies and companies, the more these entities collaborate, Haugh said.

“Truly, the cyber domain is created by industry. And it is industry who will most directly impact our collective ability to defend U.S. interests and those of our allies,” he said. “The value that we place on freedom of thought allows us to innovate and partner quickly, contradicting the PRC’s mindset of centralized control.”

According to Haugh, collaboration is critical because the CCP, as an authoritarian entity, can leverage a whole-of-state approach to achieve its goals.

“The relationships we are building today allow us to achieve agility, scale, and capabilities that would not otherwise be available to us. It’s the competitive advantage our nation has over the PRC,” he said.

[kyonides]

Russia, China collaborating with criminal networks in cyberattacks against adversaries: Microsoft

Russia, China and Iran are increasingly collaborating with cybercrime networks to launch a variety of attacks against their adversaries, including the U.S., Microsoft said in a Tuesday report.

The attacks, ranging from ransomware to phishing, were carried out for “espionage, destruction or influence” and involved cybercrime gangs working with these nations to share hacking tools and tactics, Microsoft said in its new Digital Defense Report. Published Tuesday, the report looked at cyber threats from July 2023 through June. 

In one influence operation, an Islamic Revolutionary Guard Corps (IRGC) group used cyber personas starting last year to sell stolen Israeli dating website data, Microsoft found. 

And in another case, Russian threat actors used new malware and appeared to outsource some cyberespionage operations to criminal groups, the report stated. Last June, one operation compromised at least 50 Ukrainian military devices in an apparent attempt to access information for the Russian government.

Microsoft said these cyberattacks also included attempts to influence the U.S. election ahead of November. Russia has continued various operations intended to undermine trust in democratic institutions, while Iran and China have escalated their influence campaigns in the past year.

Iran, in one case, likely operated a network of websites posing as news outlets for U.S. voter groups to engage with, according to Microsoft. These websites featured “polarizing messages” on the U.S. presidential candidates, the Israel-Hamas war and LGBTQ rights. These sites used artificial intelligence tools to copy work from real publications in the U.S., the report said. 

The tech company pointed to China’s use of “covert social media networks,” to create discord and influence the presidential race. In one instance, an actor linked to the Chinese Communist Party carried out an influence campaign on social media amid the uptick in college campus protests related to the Israel-Hamas war. 

The actor allegedly had multiple accounts on Telegram pretending to be students or parents involved in the protests in a likely attempt to prompt conflict about the protests, Microsoft said. 

As for Russia, the country’s influence operations were at a “slower pace” than past elections, though attempts were still observed, Microsoft noted. 

“The convergence and parallel nature of nation-state operations throughout 2024 underscores just how persistent adversarial states are in their attempts to exert influence over US elections and outcomes,” the report stated. “Left unchecked, this poses a critical challenge to US national security and democratic resilience.”
...
The Justice Department handed down an indictment last month accusing two RT employees of leading a covert influence campaign by partnering with conservative company Tenet Media to hire various right-wing influencers. The agency also seized more than 30 web domains used by Russia for covert campaigns.
...

[kyonides]

Trump and Vance possible targets of China-backed cyber attack

US authorities say cybercriminals linked to China may have attempted to tap into the phones or networks used by former President Donald Trump and his running mate, Senator JD Vance, a number of sources familiar with the matter confirmed to the BBC's US news partner, CBS News.

The sources said the Trump-Vance campaign had been alerted to the fact that phones used by Trump and Vance may have been among the targets of a broader cyber attack.

People affiliated with the Harris-Walz campaign were also targeted, a person familiar told BBC News.

It is unclear how much information, if any, may have been compromised.

The Department of Justice and the FBI declined to comment on whether candidates were targeted.

A joint statement from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said the US government was investigating the "unauthorised access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China".

They said after the "malicious activity" was identified, the agencies "immediately notified affected companies, rendered technical assistance, and rapidly shared information to assist other potential victims", adding that the investigation was ongoing.

"Agencies across the US government are collaborating to aggressively mitigate this threat and are coordinating with our industry partners to strengthen cyber defences across the commercial communications sector," they added.

Law enforcement is currently treating the hack as an act of espionage, not as an attempt at campaign influence, one source told CBS.

Earlier this month it emerged that US telecommunications companies had been targeted in a hack.

One of the companies affected is said to be Verizon, through which the hackers are thought to have potentially targeted Trump and Vance's data, according to the New York Times, who first reported the story.

In a statement, Verizon spokesman Rich Young said the company was “aware that a highly sophisticated nation-state actor has reportedly targeted several US telecommunications providers to gather intelligence.”

He said Verizon is assisting law enforcement agencies in the investigation and working to address any further problems.

The Trump campaign has already been the target of one hack earlier this year.

Three Iranians nationals linked to the country's Islamic Revolutionary Guard Corps were charged in September with deliberately attempting to undermine a presidential campaign.

US government agencies and officials have long warned of the threat of foreign interference in the US, including US elections.

“Our adversaries do look at American elections as points to try to influence, to try to undermine confidence in our democracy, to try to put their thumb on the scale,” National Security Adviser Jake Sullivan said in the summer. “We are clear eyed about that. And we are doing a lot to push back against it".

Chinese hackers targeted phones affiliated with Harris campaign, source says

Chinese hackers who tapped into Verizon's system targeted phones used by people affiliated with the campaign of Democratic presidential candidate Kamala Harris, a person familiar with the situation said on Friday.

Republican presidential candidate Donald Trump and his running mate, JD Vance, were also targeted, according to media reports. Reuters could not confirm those reports.

The New York Times reported investigators were working to determine what communications, if any, were taken from Trump and Vance.

The Trump campaign was made aware this week that Trump and Vance were among a number of people inside and outside of government whose phone numbers were targeted through the infiltration of Verizon (VZ.N), opens new tab phone systems, the Times report added.

The Trump campaign did not confirm that Trump's and Vance's phones were targeted.

Steven Cheung, the campaign's communications director, said Vice President Harris has emboldened China and Iran to attack U.S. infrastructure to prevent Trump from returning to office.

While noting that it was not aware of the specific situation, the Chinese embassy in Washington said China opposes and combat cyber attacks and cyber thefts in all forms.

"The presidential elections are the United States' domestic affairs. China has no intention and will not interfere in the U.S. election," an embassy spokesperson said when reached for comment.

The Harris campaign did not immediately respond to requests for comment.

The Trump campaign was hacked earlier this year. The U.S. Justice Department charged three members of Iran's Revolutionary Guard Corps with the hack, accusing them of trying to disrupt the Nov. 5 election.

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency said on Friday they were investigating unauthorized access to commercial telecommunications infrastructure by people associated with China.

The joint statement by the agencies did not name the targets of the incident.

Verizon said it was aware of a sophisticated attempt to reportedly target U.S. telecoms and gather intelligence.

The largest U.S. telecom company added it was working with law enforcement.