Microsoft: Same Targets, New Playbooks - East Asia Threat Actors Employ Unique Methods

Microsoft has observed several notable cyber and influence trends from China and North Korea since June 2023 that demonstrate not only doubling down on familiar targets but also attempts to use more sophisticated influence techniques to achieve their goals.

Chinese cyber actors broadly selected three target areas over the last seven months:

  • One set of Chinese actors extensively targeted entities across the South Pacific Islands.
  • A second set of Chinese activity continued a streak of cyberattacks against regional adversaries in the South China Sea region.
  • A third set of Chinese actors compromised the US defense industrial base.

Chinese influence actors—rather than broadening the geographic scope of their targets—honed their techniques and experimented with new media. Chinese influence campaigns continued to refine AI-generated or AI-enhanced content. These campaigns stoked divisions within the United States and exacerbated rifts in the Asia-Pacific region, including Taiwan, Japan, and South Korea. However, these campaigns achieved varying levels of resonance with no singular formula producing consistent audience engagement.

North Korean cyber actors made headlines for increasing software supply chain attacks and cryptocurrency heists over the past year. Strategic spear-phishing campaigns targeting researchers studying the Korean Peninsula remained a constant trend, while North Korean threat actors appeared to make greater use of legitimate software to compromise even more victims.

Chinese cyber operations target strategic partners and rivals

Gingham Typhoon targets government, IT, and multinational entities across the South Pacific Islands

During the summer of 2023, Microsoft Threat Intelligence observed extensive activity from China-based espionage group Gingham Typhoon targeting nearly every South Pacific Island country. The group ran complex phishing campaigns against victims that included international organizations, government entities, and the IT sector. Heightened geopolitical and diplomatic competition in the region may motivate these offensive cyber activities.

Diplomatic allies of China who were victims of recent Gingham Typhoon activity include executive offices in government, trade-related departments, internet service providers, as well as a transportation entity.

The heightened geopolitical and diplomatic competition noted above may motivate these offensive cyber activities: China pursues strategic partnerships with South Pacific Island nations to expand economic ties and broker diplomatic and security agreements.

For example, Chinese actors engaged in large-scale targeting of multinational organizations in Papua New Guinea, a longtime diplomatic partner benefiting from multiple Belt and Road Initiative (BRI) projects, including constructing a major highway linking a Papua New Guinea government building to the capital city’s main road.

Chinese threat actors retain focus on South China Sea amid Western military exercises

China-based threat actors continued to target entities related to China’s economic and military interests in and around the South China Sea. These actors opportunistically compromised government and telecommunications victims in the Association of Southeast Asian Nations (ASEAN). Chinese state-affiliated cyber actors appeared particularly interested in targets related to the numerous US military drills conducted in the region.

In June 2023, Raspberry Typhoon, a nation-state activity group based out of China, successfully targeted military and executive entities in Indonesia and a Malaysian maritime system in the weeks before a rare multilateral naval exercise involving Indonesia, China, and the United States.

Similarly, entities related to US-Philippines military exercises were targeted by another Chinese cyber actor, Flax Typhoon. Meanwhile, Granite Typhoon, yet another China-based threat actor, primarily compromised telecommunication entities in the region during this period, with victims in Indonesia, Malaysia, the Philippines, Cambodia, and Taiwan.

Nylon Typhoon compromises foreign affairs entities worldwide

China-based threat actor Nylon Typhoon has continued its long-running practice of targeting foreign affairs entities in countries worldwide. Between June and December 2023, Microsoft observed Nylon Typhoon at government entities in South America, including Brazil, Guatemala, Costa Rica, and Peru.

The threat actor was also observed in Europe, compromising government entities in Portugal, France, Spain, Italy, and the United Kingdom. While most of the European targets were government entities, some IT companies were also compromised. The purpose of this targeting is intelligence collection.

Chinese threat group targets military entities and critical infrastructure in the United States

Finally, Storm-0062 surged in activity over the fall and winter of 2023. Much of this activity compromised US defense-related government entities, including contractors who provide technical engineering services around aerospace, defense, and natural resources critical to US national security. Additionally, Storm-0062 repeatedly targeted military entities in the United States; however, it is unclear whether the group was successful in its attempted compromises.

The US defense industrial base also remains a continued target of Volt Typhoon. In May 2023, Microsoft attributed attacks on US critical infrastructure organizations to Volt Typhoon, a state-sponsored actor based in China. Volt Typhoon gained access to organizations’ networks with living-off-the-land techniques and hands-on-keyboard activity. These tactics allowed Volt Typhoon to stealthily maintain unauthorized access to target networks. From June 2023 to December 2023, Volt Typhoon continued targeting critical infrastructure but also pursued resource development by compromising small office and home office (SOHO) devices across the United States.
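Living-off-the-land and hands-on-keyboard activity of the kind described for Volt Typhoon is hard to detect by binary name alone, because the tools involved are legitimate and run on every host. The added example below (written for this page; it is not Microsoft's detection logic and has no connection to the report's telemetry) shows the baseline-driven approach defenders use instead: record which host/account/tool combinations are normal over a known-good window, then score new process-creation events on whether a built-in administration tool ran outside that baseline from an interactive parent. The event format, the tool and parent lists, the sample log lines and the scoring weights are all constructed assumptions for illustration.

```python
"""Baseline-driven triage of living-off-the-land (LOTL) process events.

Added illustration, not detection logic from the report. The pipe-delimited
event format, the tool lists, the weights and the sample records below are
all assumptions constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Built-in Windows administration tools that LOTL tradecraft reuses.
# Assumed, illustrative starting list; tune to the environment.
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "reg.exe", "certutil.exe", "powershell.exe"}

# Parent processes that indicate a person typing commands rather than a
# service or scheduler launching them (hands-on-keyboard signal; assumed list).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one pipe-delimited process-creation record (constructed format)."""
    host, user, parent, image, cmdline = (f.strip() for f in line.split("|", 4))
    return ProcEvent(host, user.lower(), parent.lower(), image.lower(), cmdline)


def build_baseline(lines) -> set[tuple[str, str, str]]:
    """Record (host, user, image) triples seen during a known-good window.

    LOTL binaries are legitimate, so the signal is not *what* ran but whether
    it is normal for that host and account to run it.
    """
    return {(e.host, e.user, e.image) for e in map(parse_event, lines)}


def score_event(ev: ProcEvent, baseline) -> tuple[int, list[str]]:
    """Score one event; higher means more worth an analyst's time."""
    score, reasons = 0, []
    if ev.image in ADMIN_TOOLS:
        score += 2
        reasons.append("built-in admin tool")
    if (ev.host, ev.user, ev.image) not in baseline:
        score += 2
        reasons.append("not in baseline for this host/user")
    if ev.parent in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("interactive parent (hands-on-keyboard)")
    return score, reasons


def triage(lines, baseline, threshold: int = 4):
    """Return flagged events as (score, event, reasons), highest score first."""
    hits = []
    for ev in map(parse_event, lines):
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            hits.append((score, ev, reasons))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample data: a known-good window, then a window to triage.
BASELINE_LINES = [
    "ws-042 | SYSTEM | services.exe | svchost.exe | svchost.exe -k netsvcs",
    "ws-042 | SYSTEM | svchost.exe | netsh.exe | netsh advfirewall show allprofiles",
    "ws-042 | alice | explorer.exe | outlook.exe | outlook.exe",
]
NEW_LINES = [
    # Same service-driven netsh run as in the baseline: expected, low score.
    "ws-042 | SYSTEM | svchost.exe | netsh.exe | netsh advfirewall show allprofiles",
    # A user account that never ran netsh, from an interactive shell: flagged.
    "ws-042 | alice | cmd.exe | netsh.exe | netsh interface show interface",
    "ws-042 | alice | explorer.exe | outlook.exe | outlook.exe",
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_LINES)
    for score, ev, reasons in triage(NEW_LINES, base):
        print(score, ev.host, ev.user, ev.image, "; ".join(reasons))
```

The point of the baseline set is that the identical `netsh.exe` execution is scored differently depending on who launched it and from where; in a real deployment the baseline would be built from weeks of endpoint telemetry per host role, and the threshold tuned against the resulting alert volume.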

Looking Ahead

China will celebrate the 75th anniversary of the founding of the People’s Republic of China in October, and North Korea will continue to push forward key advanced weapons programs. Meanwhile, as populations in India, South Korea, and the United States head to the polls, we are likely to see Chinese cyber and influence actors, and to some extent North Korean cyber actors, work toward targeting these elections.

Finally, as North Korea embarks upon new government policies and pursues ambitious plans for weapons testing, we can expect increasingly sophisticated cryptocurrency heists and supply chain attacks targeted at the defense sector, serving to both funnel money into the regime and facilitate the development of new military capabilities.