Security News

The federal government is fighting back against what it says are China-based cyberattacks against U.S. universities and companies with indictments and a "Naming-and-shaming" approach - but researchers aren't convinced the efforts will come to much in terms of deterring future activity. The U.S. Cybersecurity and Infrastructure Agency, the Federal Bureau of Investigation and the National Security Administration released multiple advisories providing details about cybersecurity threats from the Chinese government, and announced the indictments of four Chinese nationals alleged to have been operating on behalf of the Chinese Hanian State Security Department.

Chinese state-sponsored attackers have breached 13 US oil and natural gas pipeline companies between December 2011 to 2013 following a spear-phishing campaign targeting their employees. The end goal of the attacks was to help China develop cyberattack capabilities that would allow future intrusions to physically damage targeted pipelines or disrupt US pipeline operations.

The Microsoft Exchange Server attacks earlier this year were "Systemic cyber sabotage" carried out by Chinese state hacking crews including private contractors working for a spy agency, the British government has said. Foreign Secretary Dominic Raab said this morning in a statement: "The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not."

Today, the US Department of Justice indicted four members of the Chinese state-sponsored hacking group known as APT40 for hacking various companies, universities, and government entities in the US and worldwide between 2011 and 2018. Wu Shurong, the fourth Chinese national indicted today by the DOJ, was hired through Hainan Xiandun to create malware, hack into foreign governments' computer systems, companies, and universities to steal trade secrets, intellectual property, and other high-value information, as well as to supervise other Hainan Xiandun hackers.

A newly uncovered advanced persistent threat campaign is targeting a large number of users in South Asia, including government entities, according to a new report from anti-malware vendor Kaspersky. Dubbed LuminousMoth, the activity involves cyberespionage attacks on governments since at least October 2020 but, unlike similar attacks that are highly targeted, this campaign stands out due to its size: roughly 100 victims in Myanmar and 1,400 in the Philippines.

Kaspersky researchers have revealed an ongoing and large-scale advanced persistent threat campaign with hundreds of victims from Southeast Asia, including Myanmar and the Philippines government entities. While analyzing LuminousMoth's cyberespionage attacks against several Asian government entities that started since at least October 2020, Kaspersky researchers discovered a total of 100 victims in Myanmar and 1,400 in the Philippines.

Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government and must not sell or give the knowledge to any third-party outside of China. The most obvious assumption is that Chinese found zero-days will be funneled into the Chinese APT groups, and will not be made available for purchase by the NSA or Russian state actors.

Microsoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution exploit is the handiwork of a Chinese threat actor dubbed "DEV-0322.". While it was previously revealed that the attacks were limited in scope, SolarWinds said it's "Unaware of the identity of the potentially affected customers."

Microsoft said on Tuesday that a recently patched SolarWinds Serv-U zero-day vulnerability has been exploited by a Chinese threat group. IT management solutions provider SolarWinds over the weekend informed customers that its Serv-U Managed File Transfer and Serv-U Secure FTP products are affected by a remote code execution vulnerability that has been exploited in targeted attacks.

Microsoft has attributed a new attack on SolarWinds to a group operating in China. The software giant on Tuesday posted details of the attack, which SolarWinds on Monday patched and revealed as a Return Oriented Programming attack that targets its Serv-U managed file transfer product and allows an attacker to run arbitrary code with privileges, install programs and alter data on cracked targets.