China, Russia Continue Cyberattacks Unabated; Unclear What US Intends to do
Multiple Chinese hacking groups continue to go after US and other companies and agencies with, apparently, no consequences.
China’s Salt Typhoon, which hacked a dozen or more major US telecom and Internet providers including Verizon and AT&T, is now using vulnerabilities in Cisco firewalls worldwide. In December and January the Chinese government hackers successfully broke into at least seven networks, according to Recorded Future.
The previous attacks gave China’s President real-time access to Americans’ communications, including those of high-level government officials. It is likely that this newly revealed compromise gave China similar access.
It is also possible that the Chinese government hackers targeted more than a dozen universities, including UCLA, to access research related to telecommunications, engineering and technology. Credit: The Register
Russian threat actor Seashell Blizzard has, according to Microsoft, tasked a subgroup with gaining “initial access” to Internet-facing infrastructure. The threat actor, also known as APT44, BlackEnergy Lite, Sandworm and other names, has been active for a decade and a half and is likely part of Russia’s military intelligence agency GRU, unit 74455.
The group has been targeting critical infrastructure including energy, water, government, manufacturing, military, telecom and transportation and has leveraged this access in military operations, especially against Ukraine.
For the past four years, a subgroup within Seashell Blizzard has been engaged in a broad initial access operation referred to as the ‘BadPilot campaign’, with the purpose of establishing persistence within high-value targets, in support of tailored network operations.
“Initial access” means that they get in, usually with stolen credentials, but then hand that access off to another group. They do not steal anything or launch ransomware attacks – they leave that to the next team.
“Persistence” means that they attempt to figure out a way to stay inside a network even if the target detects they are there. That usually means that they plant many different hooks in the victim company’s or agency’s network so that even if one hook is detected, the network remains compromised.
“Tailored network operations” refers to one-off, high-value attacks against a specific target. The NSA calls its version of this Tailored Access Operations, or TAO. Same idea, different name. Typically TNO/TAO teams are given a specific target and a specific mission, using the initial access and persistence that the other groups have created. Credit: Security Week, Dark Reading