CyberSecurity updates
2025-01-30 22:06:31 Pacific

EU Sanctions Russian GRU Members Over Estonia Attacks - 2d

The European Union has sanctioned three Russian nationals, identified as Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov, for their involvement in cyber attacks targeting Estonia’s key ministries in 2020. These individuals are members of the GRU Unit 29155, a Russian military intelligence unit known for its cyber operations. These sanctions highlight the ongoing geopolitical tensions and the attribution of state-sponsored cyber activities. The EU’s action underscores the international effort to hold nation-state actors accountable for their malicious cyber activities, aiming to deter future attacks and ensure the security of digital infrastructure.

PlushDaemon APT Hits VPN Provider Via Supply Chain - 7d

A newly discovered China-aligned APT group called PlushDaemon has been found conducting cyber espionage using a supply chain attack. The group targeted a South Korean VPN provider, replacing legitimate software installers with malicious ones that deploy the SlowStepper malware. This malware has a large toolkit, programmed in C++, Python and Go, which can conduct espionage. The initial access vector is the hijacking of legitimate software updates.

North Korean IT Workers Extortion Scheme - 5d

North Korean IT workers are increasingly using their access to company systems to steal source code and extort companies for ransom. These workers, often hired under false pretenses, are becoming more aggressive and are actively funneling funds back to the North Korean regime. The FBI and Mandiant have issued fresh warnings regarding this evolving threat, urging organizations to be vigilant. These North Korean IT workers are exploiting their remote access to extract sensitive data from companies and demand payment to prevent its release. Additionally, the US Department of Justice has charged several individuals involved in this scheme for conspiracy and money laundering. This highlights the severity and breadth of North Korean cybercrime activities.

Silver Fox APT Deploys PNGPlug, ValleyRAT Malware - 8d

The Silver Fox APT group is targeting organizations in Chinese-speaking regions using a multi-stage loader named PNGPlug to deliver the ValleyRAT malware. The attack begins with a phishing webpage that lures victims into downloading a malicious MSI package disguised as a legitimate application, using weaponized PNG files to deliver multi-stage malware.

US Treasury Hacked by Chinese APT Group - 12d

The US Treasury Department sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe, and a Shanghai-based hacker, Yin Kecheng, for their involvement in the Salt Typhoon cyberattacks. These attacks targeted major US telecom companies, compromising sensitive data and the US Treasury’s network, including systems used for sanctions and foreign investment reviews, and even impacted the computer of the outgoing Treasury Secretary Janet Yellen. This highlights the ongoing sophisticated cyber espionage campaigns from China targeting critical infrastructure and government entities within the US and globally. The sanctioned entities are directly linked to the Chinese Ministry of State Security (MSS), and used a combination of zero-day exploits and other techniques for infiltrating networks and exfiltrating data. The compromise of the Department of the Treasury’s network is considered a major breach, potentially impacting national security due to access to sensitive information.

Lazarus Group Exploits LinkedIn for Cyber Attacks - 14d

The Lazarus Group, a North Korean cyber threat actor, is using LinkedIn to target organizations across various sectors. The group uses social engineering to establish contact, then moves communications to other platforms, and tricks victims into downloading malware. This includes posing as recruiters with fake job offers, which ultimately lead to malware infection. This activity highlights the risk of using LinkedIn for business purposes without proper security protocols and employee training and also indicates how social media can be used to target unsuspecting users and bypass common network security measures.

Silk Typhoon Breaches US Treasury, CFIUS - 19d

The Chinese state-sponsored hacking group ‘Silk Typhoon’ has been linked to a significant breach of a US Treasury agency in December 2024, with further reports indicating they also compromised the Committee on Foreign Investment in the United States (CFIUS), which assesses national security risks associated with foreign investments. The attackers are suspected to have stolen sensitive information from both the Treasury and the CFIUS, which has raised significant concerns in the US government. This coordinated attack demonstrates a pattern of sophisticated cyber espionage activities by the Silk Typhoon group.

Russian APT Targets Kazakhstan With HATVIBE Malware - 14d

The Russia-linked APT group UAC-0063 is conducting a cyber espionage campaign targeting Kazakhstan and other Central Asian countries to gather economic and political intelligence. The group uses spear-phishing with weaponized Microsoft Office documents to deploy the HATVIBE and CHERRYSPY malware. It has connections to APT28 and Russian GRU cyber activities.

MirrorFace APT Cyber Espionage Campaign Against Japan - 20d

The MirrorFace APT, linked to China, has been conducting extensive cyber espionage campaigns against Japan since 2019. The group uses malware delivered via email attachments, and exploits VPN vulnerabilities to steal sensitive information. Targets include the Japanese government, defense, aerospace, semiconductor, communications and research organizations. The group uses tools like ANEL and NOOPDOOR for its attacks. The campaign shows a deep focus on infiltrating Japanese national security and advanced technology sectors.