September 28-October 4, 2023 | Issue 34 - PACOM and CICYBER
Isaiah Johnson, Martina Sclaverano, and Nicholas Novak.
Alya Fathia Fitri, Editor; Evan Beachler, Senior Editor
China[1]
Date: September 29, 2023
Location: Beijing, China
Parties involved: China; Chinese government; USA; US government; technology company Apple
The event: Representatives of the Chinese government and Apple met in Beijing to discuss the Chinese ban on foreign apps. The recent ban on unregistered foreign apps restricts Apple services in China, as it only allows apps that have communicated their business details to the Chinese government. At the time of reporting, Apple has not completed the registration and is reportedly worried about having to remove thousands of apps from the Chinese market.[2]
Analysis & Implications:
Apple will unlikely submit its information to the Chinese government concerning espionage. Apple staff very likely hesitated to provide information about its business in the US and are very likely aware of potential cyber-attacks, such as Computer Network Exploitation (CNE) on Apple devices. The American government will very likely lobby against China having access to information about a key US tech company and urge Apple to remove itself from the Chinese market.
The absence of several Apple apps will very likely alter the cybercrime flows in China. Removing access to Apple apps will likely reduce the attack surface from foreign phishing attempts, online scams, and device hacking. Chinese users will very likely shift toward Chinese-created apps like WeChat and brands like Huawei, almost certainly increasing the Chinese government’s surveillance of their activity and personal data. Malicious actors will very likely invest more research in Chinese computing systems instead of Apple, almost certainly conducting penetration and capability testing on Chinese apps to plan future attacks.
Date: September 29, 2023
Location: North Korea; Spain
Parties involved: Spanish Aerospace company; North Korean hacking group Lazarus; LinkedIn
The event: North Korean hackers lured Spanish aerospace engineers with fake job offers and breached the company network. Hackers sent coding exams with hidden executables that the victims downloaded, expecting to land a job. The hidden executables deployed a payload called the NickelLoader, containing malware with two backdoors, BlindingCan and LightlessCan. These backdoors replicate Windows commands, evading many real-time monitoring tools and documented payloads with unique encryptions tied to a key dependent on the target's environment. Cybersecurity analysts confidently state that this attack is part of Operation DreamJob, a North Korean cyber campaign.[3]
Analysis & Implications:
Vulnerable industries to North Korean cyberattacks, like aerospace, will likely implement strict contact procedures for engineers and IT departments. HR departments will likely strengthen cooperation with cybersecurity teams, establishing baselines for high-risk employees to prevent network breaches from LinkedIn and ensure network safety. IT departments will likely apply additional firewalls and restrictions like limiting downloads from the internet on company devices. LinkedIn will likely improve its bot detection programs, preventing hackers from imitating hiring managers of prominent companies.
The Lazarus Group likely reverse engineers other commonly used corporate software applications, evading incident detection systems. Future Lazarus attacks will likely be dormant for several months, gaining insight into the company’s security posture. There is a roughly even chance that future payloads will execute packet sniffers and steal proprietary information. Unaware employees who downloaded files with installed backdoors will very likely spread this malware to a new company after they change jobs.
The Lazarus Group almost certainly targets underpaid or overworked employees of vulnerable industries. Lazarus will likely target overqualified employees in high-cost-of-living areas through Linkedin, almost certainly offering exorbitant wages. They will likely aim at large American tech firms after significant layoffs of engineers in the defense industry following a major ceasefire between conflicting countries, exploiting fears of unemployment. They will likely use former or unemployed cybersecurity and IT personnel with expertise in the company's security posture to breach network defenses.
[2] Apple, China met to discuss Beijing's crackdown on western apps, Wall Street Journal reports, Reuters, September 2023, https://www.reuters.com/technology/apple-china-met-discuss-beijings-crackdown-western-apps-wsj-2023-09-29/
[3] Lazarus hackers breach aerospace firm with new LightlessCan malware, Bleeping Computer, September 2023, https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/