Since June 2023, Microsoft has observed several notable cyber and influence trends from China and North Korea that indicate nation-state threat groups are doubling down on familiar targets by using more sophisticated influence techniques to achieve their goals. To protect their organizations against the latest attack vectors and nation-state threats, security teams must remain abreast of these trends.

Chinese Influence Actors Hone Techniques, Experiment With AI

In recent months, Chinese cyber actors have broadly targeted three core areas: entities across the South Pacific islands, regional adversaries in the South China Sea, and the US defense industrial base. Meanwhile, Chinese influence actors have been able to refine their use of AI-generated and AI-enhanced content while also experimenting with new media in an attempt to stoke divisions within the US and exacerbate rifts in the Asia-Pacific region.

For example, in a September 2023 report, we explored the use of generative artificial intelligence by Chinese influence operation (IO) assets to create engaging visual content, including AI-generated memes that targeted the US to amplify controversial domestic issues and criticize the Biden administration. 

Storm-1376 is one of the most prolific Chinese threat actors using AI content, with IO campaigns that span over 175 websites and 58 different languages. Recently, Storm-1376’s campaigns have begun using AI-generated photos to mislead audiences, stoke conspiratorial content — particularly against the US government — and target new populations with localized content. 

Last August, Storm-1376 spread a number of conspiratorial social media posts claiming that the US government deliberately set fires on the island of Maui in Hawaii, to test a military-grade “weather weapon.” In addition to posting the text in at least 31 languages across dozens of websites and platforms, Storm-1376 used AI-generated images of burning coastal roads and residences to make the content more eye-catching. As we approach the 2024 election cycle in the US, we expect China to continue creating and amplifying AI-generated content targeted at the American public.

North Koreans Increase Software Supply Chain Attacks, Crypto Heists

On the North Korean side, cyber threat actors stole hundreds of millions of dollars in cryptocurrency, conducted software supply chain attacks, and targeted their perceived national security adversaries in 2023. These operations are used to generate revenue for the North Korean government — particularly its weapons program — and collect intelligence on the US, South Korea, and Japan. The United Nations estimates that North Korean cyber actors have stolen over $3 billion in cryptocurrency since 2017, with multiple heists totaling between $600 million and $1 billion in 2023 alone.

One threat actor tracked by Microsoft, named Sapphire Sleet, conducted a number of small yet frequent cryptocurrency theft operations. The group developed new techniques to carry out these operations, such as sending fake virtual meeting invitations containing links to an attacker domain and registering fake job-recruiting websites. Sapphire Sleet is known to target executives and developers at cryptocurrency, venture capital, and other financial organizations.

We’ve also seen North Korean threat actors conduct software supply chain attacks on IT firms, resulting in access to downstream customers. One group, known as Jade Sleet, used GitHub repos and weaponized npm packages in a social engineering spear-phishing campaign that targeted employees of cryptocurrency and technology organizations. The attackers impersonated developers or recruiters, invited targets to collaborate on a GitHub repository, and convinced them to clone and execute its contents, which contained malicious npm packages. 

Another group, known as Onyx Sleet, exploited the TeamCity CVE-2023-42793 vulnerability to perform a remote code execution attack and gain administrative control of servers. The group has been tied to software supply chain attacks on at least 10 victims — including a software provider in Australia and a government agency in Norway — and used post-compromise tooling to execute additional payloads. 

As North Korea embarks upon new government policies and pursues ambitious plans for weapons testing, we can expect increasingly sophisticated cryptocurrency heists and supply chain attacks targeted at the defense sector. Security teams for defense and related industries must remain vigilant against these threats. 

Source: www.darkreading.com