Tag Archives: Cyber Espionage

image_pdfimage_print

Chinese cyber espionage: a data leak reveals the secrets of their hackers

Unprecedented Data Leaks Expose Chinese Cyber Espionage Programs

Following an unprecedented data leak from a Beijing regime hacking service provider, the secrets of Chinese cyberespionage are revealed. The I-Soon company is said to have infiltrated dozens of strategic targets around the world. This is what you will discover here by reading this brief cyberculture. Unprecedented data leaks reveal China’s cyberespionage program.
Following an unprecedented data leak from a Beijing regime hacking service provider, the secrets of Chinese cyberespionage are revealed. Based on the analysis of this data, it appears that the I-Soon company has infiltrated dozens of strategic targets around the world. This is what you will discover here by reading this brief Cyberculture.

2024 Digital Security

Europol Data Breach: A Detailed Analysis

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation

2024 DataShielder Digital Security PassCypher Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?

2024 Digital Security

PrintListener: How to Betray Fingerprints

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

Read the secrets of Chinese cyber espionage revealed by an unprecedented data leak, written by Jacques Gascuel, a pioneer of contactless, serverless and databaseless sensitive data security solutions. Stay up to date and secure with our frequent updates..

Chinese cyber espionage I-Soon: A data leak reveals the secrets of their hackers

Chinese cyber espionage poses a serious threat to the security and stability of the world. Many countries and organizations face hackers who try to steal sensitive information, disrupt critical infrastructure, or influence political outcomes. One of the most active and sophisticated cyber espionage actors is China, which has a large and diverse hacking program. But how does China conduct its cyber operations? What methods, targets, and objectives does it have? And how can we protect ourselves from its attacks?

In this brief, we will explore these questions of Chinese cyber espionage, based on a recent data leak that revealed the inner workings of a Chinese cybersecurity vendor working for the Chinese government. The vendor, I-Soon, is a private contractor that operates as an advanced persistent threat (APT) for hire, serving the Chinese Ministry of Public Security (MPS). The leaked data, published on GitHub, contains hundreds of documents that document I-Soon’s Chinese cyber espionage activities, from staff complaints to hacking tools and services.

We will also look at some of the solutions that exist to counter the cyber espionage threat, both from a technical and a strategic perspective. We will focus on the solutions developed by Freemindtronic, an Andorran company that specializes in security and encryption technologies, based on the NFC HSM (Near Field Communication and Hardware Security Module) technology. We will also examine the means of counter espionage against the methods of I-Soon, which are varied and sophisticated.

I-Soon data leak reveals insight into Chinese cyber espionage hacking program

The I-Soon data leak is a significant revelation in Chinese cyber espionage, as it offers a rare glimpse into the inner workings of a major spyware and APT-for-hire provider. The leak exposes I-Soon’s methods, tools and goals, as well as the challenges and frustrations of its staff.

According to the leaked data, I-Soon infiltrated several government agencies, including those from India, Thailand, Vietnam, South Korea, and NATO. Some of the tools that I-Soon used are impressive. For example, they had a tool that could steal the user’s Twitter email and phone number, read personal messages, and publish tweets on the user’s behalf. They also had custom Remote Access Trojans (RATs) for Windows, iOS, and Android, that could perform various malicious actions, such as keylogging, file access logging, process management, and remote shell. They also had portable devices for attacking networks from the inside, and special equipment for operatives working abroad to establish safe communication.

The leak also reveals some of the challenges and difficulties that I-Soon faced, such as losing access to some of their data seized from government agencies, dealing with corrupt officials, and working in sensitive regions like Xinjiang. The leak also shows some of the internal complaints and grievances of I-Soon’s staff, such as low pay, poor management, and lack of recognition.

The leak is a treasure trove of intel for cybersecurity researchers and analysts, as it provides a rare insight into the day-to-day operations of China’s hacking program, which the FBI says is the biggest of any country. The leak also raises serious concerns for the security and sovereignty of the countries and organizations targeted by I-Soon, as it exposes the extent and the impact of China’s cyber espionage activities.

In summary, the I-Soon data leak exposed the secrets of Chinese cyber espionage, which poses a major challenge to world security and stability. Faced with this threat, it is necessary to strengthen cooperation and defense in cybersecurity, while respecting the principles of freedom and transparency on the internet. It is also important to understand China’s motivations and objectives, in order to find peaceful and lasting solutions.

Reactions and challenges to the Chinese cyber espionage threat

The revelation of the I-Soon data leak comes amid growing tensions between China and its rivals, notably the United States, which regularly accuses it of carrying out cyberattacks against their interests. China, for its part, denies any involvement and presents itself as a victim of cyberwar. Faced with this threat, the countries targeted by I-Soon are calling for strengthening their cooperation and defense in cybersecurity.

For example, the European Union adopted a legal framework in 2023 to impose sanctions on perpetrators of cyberattacks, including China. Likewise, NATO has recognized cyberspace as a domain of operation, and affirmed its willingness to retaliate in the event of an attack. Finally, democratic countries have launched initiatives to promote the values ​​of freedom and transparency on the internet, such as the Partnership for an Open and Secure Cyberspace.

However, these efforts remain insufficient to confront the Chinese threat, which has considerable resources and sophisticated strategies. It is therefore necessary to develop a global and coordinated approach, which involves governments, businesses, organizations and citizens. This would involve strengthening the resilience of information systems, sharing information and good practices, raising users’ awareness of the risks and opportunities of cyberspace, and promoting constructive dialogue with China.

The solutions of Freemindtronic against the cyber espionage threat

Facing the cyber espionage threat, especially from China, requires effective and adapted solutions, both from a technical and a strategic perspective. One of the companies that offers such solutions is Freemindtronic, an Andorran company that develops security and encryption technologies, based on the NFC HSM (Near Field Communication and Hardware Security Module) technology. The NFC HSM technology allows to create hardware security modules on any type of device, that ensure the encryption and the signature of any data, without contact, without energy source, and without internet connection.

Freemindtronic offers several solutions against the cyber espionage DataShielder Defense NFC HSM: a solution for sovereign communications, that allows to encrypt and sign any data on any type of device, with an unmatched level of confidentiality and trust. DataShielder uses the EviCore HSM OpenPGP technology, which is interoperable, retrocompatible, and versatile. DataShielder allows to customize the security of secrets, and to meet various specific needs.

  • PassCypher NFC HSM: a solution for the management and storage of passwords, that allows to create, store, and use complex and secure passwords, without having to remember or enter them. PassCypher uses the EviPass NFC HSM technology, as well as the NFC HSM devices of Freemindtronic, EviTag and EviCard. PassCypher offers a maximum security and a simplicity of use.
  • PassCypher HSM PGP: a solution for the management and storage of PGP keys, that allows to create, store, and use PGP keys, certificates, and signatures, without having to remember or enter them. PassCypher uses the EviCore HSM OpenPGP technology, as well as a hybrid solution via a web extension. PassCypher works without server and without database, and stores the encrypted containers on any storage device, protected by a post-quantum AES-256 encryption.

These solutions of Freemindtronic allow to protect oneself from the cyber espionage threat, by encrypting and signing the data, by managing and storing the passwords and the keys, and by communicating in a confidential and sovereign way. They are based on the NFC HSM technology, which guarantees a hardware and software security, without contact, without energy source, and without internet connection.

The means of counter espionage against the methods of I-Soon

Against the methods of cyber espionage of I-Soon, which are varied and sophisticated, the countries and organizations targeted must implement effective and adapted means of counter espionage. These means can be of several types:

  • Preventive: they consist of strengthening the security of the information systems, by using up-to-date software, antivirus, firewall, complex passwords, encryption protocols, etc. They also consist of training the users to good practices, such as not opening suspicious attachments or links, not disclosing confidential information, not using public or unsecured networks, etc.
  • Defensive: they consist of detecting and blocking the intrusion attempts, by using tools of surveillance, analysis, tracing, filtering, neutralization, etc. They also consist of reacting quickly and limiting the damage, by isolating the compromised systems, backing up the data, alerting the competent authorities, communicating transparently, etc.
  • Offensive: they consist of retaliating and deterring the attackers, by using tools of counter-attack, disinformation, sabotage, sanction, etc. They also consist of cooperating with the allies and partners, by sharing the information, the evidence, the strategies, the resources, etc.

These means of counter espionage must be adapted to the specificities of the methods of I-Soon, which are varied and sophisticated. For example, to face the security flaws, it is necessary to use trustworthy software, verify their integrity, and update them regularly. To face the malware, it is necessary to use efficient antivirus, scan the systems regularly, and clean them in case of infection. To face the social engineering techniques, it is necessary to raise the awareness of the users, verify the identity and the credibility of the interlocutors, and not let oneself be influenced or corrupted.

Chinese cyberespionage statistics

The I-Soon data leak constitutes unprecedented testimony to the scale and impact of Chinese cyberespionage, which is based on close collaboration between the authorities and the private sector. Here are some statistics that illustrate the phenomenon:

China spent at least US$6.6 billion on cyber censorship in 2020, according to the Jamestown Foundation.

According to official sources, at least 2 million people were working for China’s cyberespionage system in 2013, a number that has almost certainly increased over the past eight years.
GreatFire, a censorship monitoring organization in China, estimates that 16% of the world’s 1,000 most visited websites are currently blocked in China.
In 2022, ANSSI handled 19 cyber defense operations and major incidents, compared to 17 in 2021. Nine of them were intrusions attributed to Chinese actors.

In conclusion, the means of counter espionage against the methods of I-Soon are essential to protect the interests and the sovereignty of the countries and organizations targeted. They must be implemented in a coordinated and proportionate way, respecting the principles of legality and legitimacy.

LitterDrifter: A USB Worm for Cyberespionage

LitterDrifter A USB Worm for Cyberespionage
LitterDrifter by Jacques Gascuel: This article will be updated with any new information on the topic.

LitterDrifter: USB Worm Threat and Safeguarding

Explore the LitterDrifter USB worm threat and effective safeguards. Learn to protect against this cyber threat and enhance data security.

2024 Digital Security

Europol Data Breach: A Detailed Analysis

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation

2024 DataShielder Digital Security PassCypher Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?

2024 Digital Security

PrintListener: How to Betray Fingerprints

LitterDrifter: A USB Worm for Cyberespionage and Its Threats to Data Security

LitterDrifter is a computer worm that spreads through USB drives and is utilized by a Russian cyber espionage group known as Gamaredon. This group, active since at least 2013, primarily targets Ukraine but has also infected systems in other countries. LitterDrifter enables Gamaredon to gather sensitive information, execute remote commands, and download other malicious software. In this article, we will explore how this worm functions, methods to safeguard against it, and the motivations behind its creators.

Understanding Gamaredon

Gamaredon is a cyber espionage group suspected to have ties to Russia’s Federal Security Service (FSB). It conducts intelligence and sabotage operations against strategic targets in Ukraine, including government institutions, law enforcement, media, political organizations, and dissidents. Gamaredon plays a part in the hybrid warfare between Russia and Ukraine that emerged in 2014 following the annexation of Crimea and the armed conflict in Donbass.

Gamaredon employs a diverse range of cyberattack techniques, including phishing, disinformation, sabotage, and espionage. The group possesses several malicious tools such as Pterodo, Outlook Forms, VBA Macros, LNK Spreader, and, of course, LitterDrifter. Gamaredon is considered a group that learns from its experiences and adapts its tactics based on responses from its adversaries. It also serves as a training ground for Russia, observing the potential of cyber warfare in contemporary conflicts.

How LitterDrifter Works

LitterDrifter is a computer worm initially discovered in October 2021 by cybersecurity company Check Point Research. It is written in VBS and consists of two main modules: a propagation module and a communication module.

LitterDrifter’s Propagation

The propagation module is responsible for copying the worm to USB drives connected to the infected computer. It creates an autorun.inf file that allows the worm to launch automatically upon inserting an infected drive. Additionally, it generates an LNK file that serves as bait, featuring a random name to entice the user to click on it. The worm’s name is derived from the initial file name, “trash.dll,” which means “garbage” in English.

LitterDrifter’s Communication

The communication module establishes contact with the worm’s authors’ command and control (C2) server. It uses domains as markers for the actual IP addresses of the C2 servers. It can also connect to a C2 server extracted from a Telegram channel, a technique employed by Gamaredon since early 2021. The communication module allows the worm to collect information about the infected system, such as the computer name, username, IP address, operating system, process list, files on the hard drive, and USB drives. It can also execute remote commands, download and install other malicious software, and delete files or partitions.

How LitterDrifter Propagates

LitterDrifter is primarily intended to target Ukraine but has also been detected in other countries, including Latvia, Lithuania, Poland, Romania, Turkey, Germany, France, the United Kingdom, the United States, Canada, India, Japan, and Australia. The worm appears to spread opportunistically, taking advantage of USB exchanges and movements among individuals and organizations. Some of the victims may be secondary targets infected inadvertently, while others could be potential targets awaiting activation.

LitterDrifter Statistics

LitterDrifter is a rapidly spreading worm that affects a large number of systems. According to data from Check Point Research, the worm has been submitted to VirusTotal more than 1,000 times since October 2021, originating from 14 different countries. The majority of submissions come from Ukraine (58%), followed by the United States (12%) and Vietnam (7%). Other countries each represent less than 5% of submissions.

The worm also uses a large number of domains as markers for C2 servers. Check Point Research has identified over 200 different domains used by the worm, with most being free or expired domains. Some domains have been used by Gamaredon for a long time, while others are created or modified recently. The worm also uses Telegram channels to extract C2 server IP addresses, making their blocking or tracking more challenging.

The worm is capable of downloading and installing other malicious software on infected systems. Among the malicious software detected by Check Point Research are remote control tools, spyware, screen capture software, password stealers, file encryption software, and data destruction software. Some of these malicious software are specific to Gamaredon, while others are generic or open-source tools.

Uncontrolled Expansion and Real Consequences of LitterDrifter

LitterDrifter is a worm with uncontrolled expansion, meaning it spreads opportunistically by taking advantage of the movement and exchange of USB drives among individuals and organizations. It doesn’t have a specific target but can infect systems in various countries, without regard to the industry sector or security level. Consequently, it can affect critical systems, including infrastructure, public services, or government institutions.

The real consequences of LitterDrifter are manifold and severe. It can compromise the confidentiality, integrity, and availability of data. Moreover, it can serve as a gateway for more sophisticated attacks, such as deploying ransomware, spyware, or destructive software. Additionally, it can enable the worm’s authors to access sensitive information, including confidential documents, passwords, personal data, or industrial secrets.

LitterDrifter can have serious repercussions for victims, including damage to reputation, financial costs, data loss, disruption of operations, or legal liability. It can also impact national security, political stability, or the sovereignty of targeted countries. It is part of the context of a hybrid war waged by Russia against Ukraine, aiming to weaken and destabilize its neighbor through military, political, economic, media, and cyber means.

LitterDrifter’s Attack Methods

Understanding the attack methods employed by LitterDrifter is crucial in safeguarding your systems. This USB worm leverages various techniques to infiltrate systems and establish contact with its command and control (C2) servers. Below, we delve into the primary attack methods used by LitterDrifter:

Attack Method Description Example
Vulnerability Exploitation Exploiting known vulnerabilities in software and network protocols, such as SMB, RDP, FTP, HTTP, SSH, etc. It employs tools like Metasploit, Nmap, and Mimikatz to scan systems, execute malicious code, steal credentials, and propagate. Utilizing the EternalBlue vulnerability to infect Windows systems via the SMB protocol and install a backdoor.
Phishing Sending fraudulent emails containing malicious attachments or links that entice users to open or click. Attachments or links trigger the download and execution of LitterDrifter. Sending an email pretending to be an invoice from a supplier but containing a malicious Word file that exploits the CVE-2017-0199 vulnerability to execute LitterDrifter.
Identity Spoofing Impersonating legitimate services or applications through similar names, icons, or interfaces. This deceives users or administrators into granting privileges, access, or sensitive information. Using the name and icon of TeamViewer, a remote control software, to blend into the process list and establish a connection with C2 servers.
USB Propagation Copying itself to USB drives connected to infected computers, automatically running upon insertion. It also creates random-named LNK files as bait, encouraging users to click. When a user inserts an infected USB drive into their computer, the worm copies itself to the hard drive and executes. It also creates an LNK file named “Holiday Photos.lnk” pointing to the worm.
Domain Marker Usage Using domains as markers for actual C2 server IP addresses. It generates a random subdomain of a hardcoded domain (e.g., 4fj3k2h5.example.com from example.com) and resolves its IP address through a DNS query. It then uses this IP address for communication with the C2 server. Generating the subdomain 4fj3k2h5.example.com from the hardcoded domain example.com, resolving its IP address through a DNS query (e.g., 192.168.1.100), and using it to send data to the C2 server.

LitterDrifter’s Malicious Actions

LitterDrifter is a worm that can cause significant damage to infected systems. It not only collects sensitive information but can also execute remote commands, download and install other malicious software, and delete files or partitions. Here’s a table summarizing LitterDrifter’s main malicious actions:

Action Description Example
Information Collection The worm gathers information about the infected system, including computer name, username, IP address, OS, process list, files on the hard drive, and USB drives. The worm sends the collected information to the C2 server via an HTTP POST request.
Remote Command Execution The worm can receive remote commands from the C2 server, such as launching a process, creating a file, modifying the registry, opening a URL, etc. The worm can execute a command like cmd.exe /c del /f /s /q c:\*.* to erase all files on the C drive.
Download and Malware Installation The worm can download and install other malicious software on the infected system, such as remote control tools, spyware, screen capture software, password stealers, file encryption software, and data destruction software. The worm can download and install the Pterodo malware, allowing Gamaredon to take control of the infected system.
File or Partition Deletion The worm can delete files or partitions on the infected system, potentially leading to data loss, system corruption, or boot failure. The worm can erase the EFI partition, which contains system boot information.

Protecting Against LitterDrifter

Safeguarding your systems against LitterDrifter and similar threats is essential in today’s interconnected digital landscape. Here are some steps you can take to enhance your cybersecurity posture:

  1. Keep Software Updated: Regularly update your operating system, software, and antivirus programs to patch known vulnerabilities that malware like LitterDrifter exploits.
  2. Exercise Caution with Email Attachments and Links: Be cautious when opening email attachments or clicking on links, especially if the sender is unknown or the email seems suspicious. Verify the legitimacy of the sender before taking any action.
  3. Use Reliable Security Software: Install reputable security software that can detect and block malware. Ensure that it is regularly updated to recognize new threats effectively.
  4. Employ Network Segmentation: Implement network segmentation to isolate critical systems and data from potentially compromised parts of your network.
  5. Educate Employees: Train your employees to recognize phishing attempts and the importance of safe browsing and email practices.
  6. USB Drive Security: Disable autorun features on computers and use endpoint security solutions to scan USB drives for malware upon insertion.
  7. Network Monitoring: Implement network monitoring tools to detect unusual activities and unauthorized access promptly.
  8. Encryption and Authentication: Use encryption for sensitive data and multi-factor authentication to secure critical accounts.

Enhancing Data Security with HSM Technologies

In addition to the steps mentioned above, organizations can enhance data security by leveraging NFC HSM (Near Field Communication and Hardware Security Module). These specialized devices provide secure storage and processing of cryptographic keys, protecting sensitive data from unauthorized access.

HSMs offer several advantages, including tamper resistance, hardware-based encryption, and secure key management. By integrating HSMs into your cybersecurity strategy, you can further safeguard your organization against threats like LitterDrifter.

Leveraging NFC HSM Technologies Made in Andorra by Freemindtronic

To take your data security to the next level, consider utilizing NFC HSM technologies manufactured in Andorra by Freemindtronic. These state-of-the-art devices are designed to meet the highest security standards, ensuring the confidentiality and integrity of your cryptographic keys.

Freemindtronic innovates, manufactures white-label NFC HSM technologies, including PassCypher NFC HSM and DataShielder Defense NFC HSM. These solutions, like EviPass, EviOTP, EviCypher, and EviKey, effectively combat LitterDrifter. They enhance data security, protecting against unauthorized access and decryption, even in the era of quantum computing.

With HSMs from Freemindtronic, you benefit from:

  • Tamper Resistance: HSMs are built to withstand physical tampering attempts, providing an added layer of protection against unauthorized access.
  • Hardware-Based Encryption: Enjoy the benefits of hardware-based encryption, which is more secure than software-based solutions and less susceptible to vulnerabilities.
  • Secure Key Management: HSMs enable secure generation, storage, and management of cryptographic keys, reducing the risk of key compromise.

By integrating HSMs into your organization’s security infrastructure, you can establish a robust defense against threats like LitterDrifter and ensure the confidentiality and integrity of your sensitive data.

Conclusion

Staying One Step Ahead of LitterDrifter

LitterDrifter, the USB worm associated with the Gamaredon cyber espionage group, poses a significant threat to cybersecurity. Its ability to infiltrate systems, collect sensitive data, and execute malicious actions underscores the importance of proactive protection.

By understanding LitterDrifter’s origins, functionality, and impact, as well as implementing robust cybersecurity measures, you can shield your organization from this perilous threat. Additionally, NFC HSM technologies offer an extra layer of security to safeguard your data and secrets.

Stay vigilant, stay informed, and stay ahead of LitterDrifter and the ever-evolving landscape of cyber threats.