Cyberwarfare Report, Vol. 4, No. 4: Chinese And Iranian Hacking Spikes, Mobile App Spyware

John P. Mello, Jr.

Northport, N.Y. – Jan. 14, 2020

Chinese hackers were found circumventing two-factor authentication, breaking into the systems of the National Association of Manufacturers, and stealing SMS messages. Iranian hackers were busy, too, targeting industrial control systems and even the campaign of a U.S. presidential candidate. Meanwhile, it was revealed that popular mobile apps ToTok and WhatsApp were being exploited as spyware. 

December

Dec. 31. The Wall Street Journal reveals that the global hacking campaign known as “Cloud Hopper” attributed to government-sponsored Chinese hackers was far worse than originally reported. The Journal identified hundreds of companies that had relationships with breached cloud providers, including Rio Tinto, Philips, American Airlines Group, Deutsche Bank, Allianz, and GlaxoSmithKline.

Dec. 30. Microsoft announces it has taken down 50 domains being used by a North Korean hacker group it calls Thallium that has been using the domains to send phishing emails and host phishing pages, which were used to compromise the credentials of victims. Once compromised, the credentials were used to gain access to networks where attacks could be escalated. It adds that among the hackers’ targets were government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.

Dec. 30. Ellen Lord, undersecretary of defense acquisition and sustainment, announces at Pentagon briefing that cybersecurity requirements will be part of all U.S. Defense Department contracts starting in June 2020. The DOD says the goal of the program is to make sure companies doing business with the department can defend their networks against intruders seeking to steal information about contracts and weapons systems.

Dec. 28. The Sunday Times of London reports that the U.K.’s Ministry of Defense is hiring psychologists and anthropologists to exploit human errors during cyberattacks. It notes the boffins are part of a new government-backed laboratory for cyber deception, which will focus on using military deception tradecraft in cyberspace to deceive an attacker into exposing their identity or sabotaging their own mission.

Dec. 25. Washington Post reports that U.S. military officials are developing information warfare tactics that could be used against senior Russian officials and oligarchs if the Kremlin tries to interfere with the 2020 U.S. elections via hacking election systems or spreading discord. It notes one tactic would be to threaten the release of sensitive information about a subject if the interference did not stop.

Dec. 23. South China Morning Post reports that a group of Vietnamese hackers it’s calling APT32 has ramped up its cyberespionage efforts in order to steal intellectual property to improve Vietnam’s competitive place in world markets. It notes that a key target has been the auto industry, where the group has set up fake domains for Toyota and Hyundai in order to gain access to those companies’ internal networks.

Dec. 23. Fox-IT, a Dutch cybersecurity company, reports APT20, a group of hackers linked to the Chinese government, has been bypassing two-factor authentication in a series of recent attacks. It theorizes the hackers are using a stolen RSA SecurID token to generate legitimate 2FA codes that they can send to themselves.

Dec. 22. The New York Times reports that popular mobile chat app ToTok is being used by the United Arab Emirates to attempt to track every conversation, movement, relationship, appointment, sound, and image of those who install it on their phones. It notes the app is the latest escalation in a digital arms race among wealthy authoritarian governments pursuing more effective and convenient methods to spy on foreign adversaries, criminal and terrorist networks, journalists, and critics.

Dec. 21. Singapore’s Ministry of Defense announces malware attack on two security force vendors has placed at risk sensitive information on some 100,000 defense personnel. Breaches at ST Logistics exposed personal data of 2,400 Ministry of Defense and armed forces personnel, and at the HMI Institute of Health Sciences exposed information of about 98,000 security force personnel.

Dec. 16. U.S. Coast Guard announces a ransomware incident at a Maritime Transportation Security Act (MTSA) regulated facility. It says it’s believed the Ryuk ransomware entered the systems through an email phishing campaign. It adds operations at the facility had to be shut down for more than 30 hours while the problem was addressed.

Dec. 12. Content of Television Española, a state-owned broadcasting company in Spain, is replaced by programming from Russia Today after hackers break into a network feed. The RT content was an interview between former Ecuadorian President Rafael Correa and former Catalonian separatist leader Carles Puigdemont. RT, a government-owned media outlet, denies it or Moscow was behind the hijacking of air time. “We do not know who did it. But it has been beautiful,” RT Editor-in-Chief Margarita Simonyan told ABC España.

Dec. 11. U.S. Air Force announces it will allow security enthusiasts attending DEFCON 2020 in Las Vegas to hack into an orbiting satellite or its ground station. According to the Air Force, the best way to test security is to attack it, and the best attacks come from people outside the system.

Dec. 10. SentinelLabs reports hackers linked to the North Korean government are renting a botnet created with TrickBot malware and a customized malicious framework for their operations, which include compromising payment systems. It adds there’s a growing cooperation between nation-state backed hackers and cybercriminals, resulting in the sharing of data and profit.

Dec. 10. Kim Anh Vo, 20, pleads guilty in federal court in New York to conspiring to provide material support and resources to ISIS. Vo admitted in court that she joined and recruited for the United Cyber Caliphate, an online group allied with ISIS. Vo faces up to five years in prison and a $250,000 fine for her activities.

Dec. 10. The New York Times reports details of some 15 million bank debit cards belonging to Iranians are at risk after data breaches at Iran’s three largest banks. The Times notes that Iran says a disgruntled contractor is behind the breach, but outside experts contend that the magnitude of the compromise suggests an attack by a state entity seeking to create instability in the country.

Dec. 9. Social network Reddit discloses that sensitive trade documents about the United States and United Kingdom posted to the forum were likely part of an influence campaign by operatives located in Russia. It notes that it has banned one forum and 61 user accounts in response to the incident, which it says violates its policies against vote manipulation and misuse of the platform.

Dec. 7. MBKh Media, a Russian investigative media outlet, reports members of law enforcement and government bureaucrats are selling access to Moscow’s CCTV camera system in underground online forums and chat rooms. It notes that facial recognition look-up services are also on sale at the watering holes for illicit sales.

Dec. 4. Colonel Jaak Tarien, chief of the NATO Cooperative Cyber Defense Center, says the organization was slow to take the threat of cyberattacks seriously. Speaking ahead of a gathering of NATO leaders to discuss space and cybersecurity, he notes, “It took a good decade for NATO to really start taking cyber seriously. Unless it’s a real war, NATO moves at NATO’s pace.”

November

Nov. 27. Google’s Threat Analysis Group releases data showing that from July to September the company distributed 12,000 notices to people warning them they may be being targeted by a government-backed entity. The warnings went to users in 149 countries, although most went to Americans, and 90 percent involved phishing emails attempting to steal credentials.

Nov. 27. Netscout, a network security company in Westford, Mass., reports increased cyberwarfare between India and Pakistan. It notes the number of individual campaigns and associated malware samples generated by the six Indian and three Pakistani APT groups tracked by the firm has spiked dramatically in recent months.

Nov. 26. Ohio Secretary of State Frank LaRose reveals a cyberattack was launched on his office on election day earlier in the month. He explains the SQL injection attack attempted, but failed, to plant malware on his office’s website. He adds the attack originated in Panama but was traced to a Russian-owned company.

Nov. 18. At the Tianfu Cup, an ethical hacking competition in Chengdu, China, Chrome, Safari, and Edge browsers were compromised over the two-day competition. Vulnerabilities were also discovered in Office 365, Adobe’s PDF reader, the D-Link DIR-878 router, and VMware Workstation. The winning team, 360Vulcan, walked off with a cash prize of $382,500.

Nov. 22. U.S. Federal Communications Commission, by unanimous vote, bars telecommunication companies in the United States from using money from the Universal Service Fund to make purchases from companies that have been determined to be national security threats, including Chinese tech vendors Huawei and ZTE. The USF fund gives telcos billions of dollars to offer wireless service in underserved areas of the country.

Nov. 22. Finland launches program of cyberattack drills after a hacker group calling itself #Tietovuoto321 threatens ransomware attacks on 235 public organizations in the country. More than 200 entities are taking part in the program, which involves a hypothetical ransomware attack on an organization’s information systems.

Nov. 22. Microsoft security researcher Ned Moran reveals research showing a hacker group linked to the Iranian government has begun targeting industrial control systems — the systems used to control industrial processes in everything from power plants to factories. He notes that in the last two months, the hackers, known as APT33, have been targeting ICS vendors, suppliers, and consulting companies working in the sector.

Nov. 18. Australian Senate President Scott Ryan reveals to legislative committee that data breach in January of Parliament’s information systems stemmed from members visiting a legitimate website that was compromised. In September it was reported by Reuters that Australia’s intelligence agencies concluded that China was behind the attack, which resulted in the theft of a small amount of non-sensitive data.

Nov. 17. NetBlocks, an NGO that monitors cybersecurity and Internet governance around the world, reports that Iran has shut down nearly all Internet access in the country in retaliation for demonstrations against hikes in fuel prices. It adds that data connectivity is also down for the country’s largest mobile operators — MCI, Rightel and Irancell.

Nov. 13. CNBC reports the National Association of Manufacturers was attacked by Chinese hackers as trade talks between Washington and Beijing intensified earlier this year. It asserts the hack illustrates how China has tried to gain an edge over the U.S. during the discussions. It adds it’s unclear what data was stolen by the intruders.

Nov. 13. Facebook releases transparency report revealing it shut down 5.4 billion fake accounts in 2019. That compares to 3.3 billion eliminated in 2018. It also reports that as much as five percent of its monthly user base of 2.5 billion are fake accounts.

Nov. 12. Issue Maker Lab, a South Korean cybersecurity firm, reports North Korean hackers were behind an attack on the Kudankulam Nuclear Power Plant in India. It’s been reported that the attackers were trying to access information about India’s nuclear fuel yields. Such information could be used by an adversary to build a picture of the country’s strategic weapons force posture, as well as civilian command and control of its nuclear power generation facilities.

Nov. 8. The Washington Post reports that county election websites in Wisconsin and Michigan, two key states in the 2020 presidential election, are highly vulnerable to hackers seeking to mislead voters about polling locations or spread other false information. It explains that about 55 percent of county election websites in Wisconsin and 45 percent in Michigan aren’t protected with the HTTPS protocol, which is used to protect websites from being hijacked by attackers. It adds it’s far easier to manipulate dozens of underprotected websites than to hack a single voting machine, which typically requires physical access.

Nov. 8. WTAE News reports that dozens of surveillance cameras deployed in Pittsburgh are made by Chinese companies banned from doing business with the federal government due to security concerns. It notes that one of the cameras is stationed where it can record activity at Carnegie Mellon’s Software Engineering Institute, which has a $731 million contract with the Air Force, and the Rand Corporation, which last year had $141 million in contracts with departments of Defense and Homeland Security.

Nov. 7. U.S. Justice Department unseals indictment against Aventura Technologies, of Commack, New York. It alleges the company sold surveillance equipment with known vulnerabilities to the U.S. government and private customers, and also claimed the hardware was made in the United States when it was made in, and covertly imported from, China.

Nov. 5. U.S. Departments of Justice, Defense, and Homeland Security, as well as the Director of National Intelligence, FBI, National Security Agency, and the Cybersecurity and Infrastructure Security Agency release joint statement on 2020 election security. It warns that “Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process or influence voter perceptions.”

October

Oct. 31. Reuters reports that senior government officials in multiple countries allied with the United States were targeted with hacking software that uses Facebook’s WhatsApp program to hijack the targets’ mobile phones. It explains that an Israeli firm, the NSO Group, created and sold a hacking platform that enabled snoops to exploit a flaw in WhatsApp’s servers to monitor activity on the cellphones of at least 1,400 users — many of them high-profile government and military officials — from April 29 to May 10, 2019.

Oct. 31. FireEye Mandiant reports discovery of malware tied to the Chinese hacker group known as APT41 that’s infecting telecommunications networks to steal SMS messages. It explains the bad app screens messages using two lists — one contains the phone number and International Mobile Subscriber Identity (IMSI) number of possible targets, the other is a list of keywords of geopolitical interest to Chinese intelligence.

Oct. 30. Pennsylvania National Guard holds Cyber Wi-Fi Hacking challenge at Penn State’s College of Information Sciences and Technology. The three-hour event introduced students to STEM occupations in the National Guard and promoted military and civilian partnerships to advance the state’s overall cybersecurity position. Eight teams composed of 36 Penn State students competed against each other to hack into a wireless access point and laterally move through a network to exploit an industrial control system.

Oct. 21. The U.K.’s National Cyber Security Center and the U.S. National Security Agency issue advisory revealing that the Russian hacking group known as Turla has been using Iranian tools and frameworks to conduct attacks on dozens of countries. They note that to obtain the tools, the Russians had to steal them from the Iranian hacker groups. “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” the agencies state in their advisory.

Oct. 18. Two Hebrew-language investigative reports reveal a private intelligence firm based in the United Arab Emirates is recruiting graduates of the Israeli military’s elite cyber Unit 8200 with promises of million-dollar bonuses and lavish beachfront properties. In one of the reports, one Israeli defense official characterized what the firm, DarkMatter, is doing as “de facto smuggling of Israeli intellectual property.”

Oct. 18. U.S. military announces it’s retiring the eight-inch floppy disks used to receive a presidential order to fire nuclear missiles. The disks are being replaced with a solid-state storage solution. The 1970s computer that uses the floppy disks will continue to be used, however, since it’s so old it’s considered unhackable.

Oct. 11. U.S. Air Force announces the creation of the 16th Air Force to integrate intelligence, surveillance, and reconnaissance along with cyber and electronic warfare and information operations in ways that have marked joint operations for decades, but now it can be done faster. The unit will replace the 24th and 25th Air Forces and be located at Joint Base San Antonio-Lackland in Texas.

Oct. 4. Microsoft reports an Iranian hacker group called Phosphorus made more than 2,700 attempts to identify email accounts belonging to its customers between August and September. It says the group attacked 241 accounts, including accounts associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran. It adds that only four accounts were compromised.

Oct. 3. Check Point Software Technologies, a cybersecurity company, reports a series of cyberattacks emanating from Egyptian government offices and using a number of legitimate-looking mobile applications is targeting journalists, academics, lawyers, opposition politicians and human rights activists. It says the information it gathered from its investigation suggests that the perpetrators are Arabic speakers and familiar with the Egyptian ecosystem.

Oct. 1. U.S. Attorney for the Southern District of West Virginia Mike Stuart reveals at a news conference that the FBI is investigating an unsuccessful attempt to hack a voting app used by the state since 2018 to allow overseas and military voters to vote via smartphone. He says no legal conclusions have been made regarding the conduct of the activity or whether any federal laws were violated.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.