SUBSECRETARIAT OF ADVISORY SERVICES – SSA

INTERESTING NEWS FROM AROUND THE CYBER DEFENSE COMMUNITY

March 22, 2024. For hemispheric distribution

CHINA-LINKED HACKERS TARGET GOVERNMENTS AND MORE IN SOUTHEAST ASIA WITH NEW BACKDOORS

A China-linked espionage group has been observed targeting government
agencies, educational institutions and the communications industry with two
custom backdoors, according to the new research.
Since early 2022, the group — labeled Earth Krahang by researchers — has attacked
at least 70 victims across 23 countries, with the primary focus on Southeast Asia.
Some of its targets are also located in Europe, America and Africa, according to
analysts at the cybersecurity firm Trend Micro.
Earth Krahang appears to be related to another China-backed advanced persistent
threat (APT) group tracked as Earth Lusca or RedHotel, which is known for its
espionage campaigns against government and educational institutions, religious
movements, and pro-democracy and human rights organizations in Hong Kong, as
well as COVID-19 research organizations.
The notable thing about Earth Krahang, researchers said, is that it compromises
government agencies to attack other state entities, exploiting the trust between
them and evading detection.
For example, the group is abusing government infrastructure to host malicious
payloads, route proxy attack traffic and send spearphishing emails to state-related
targets using compromised government email accounts.
Some of the phishing email subjects used by the group include: “Malaysian defense
minister visits Hungary,” “ICJ public hearings — Guyana vs. Venezuela,” and “About
Guyana Procurement Proposal for Taiwan.”
Researchers also observed Earth Krahang setting up VPN servers on compromised
internet-facing servers to gain access to the private networks of victims and
conduct brute-force attacks to obtain email credentials. The credentials obtained
through these attacks were then used to exfiltrate victim emails.
(continued)

Know more: https://therecord.media/earth-krahang-china-linked-espionage-group-new-backdoors


RUSSIA AT THE FOREFRONT OF CYBERATTACKS: VLADIMIR PUTIN'S OTHER WAR

(SPAIN) Over the last two years, Russia has been heavily focused on attacking
digital services and infrastructure in Ukraine
The International Monetary Fund itself has reported that eleven email
accounts had been compromised
Half of banks say they are prepared for these attacks, but they know there are
more and more of them and that they are increasingly sophisticated
Vladimir Putin has celebrated his highly questioned electoral victory in grand
style, with a mass rally in Moscow's Red Square. In this way, the Russian
leader reaffirms his power and stirs up the specter of a third world war. In
addition, Russia also plays a predominant role on the cyberattack front;
together with China, it is the country most suspected of sponsoring cyber
espionage operations. Rebeca Gimeno explains what is known about these
attacks.
Since 2005, four authoritarian countries have backed 77% of the cyberattacks
suspected of coming from governments themselves. These countries are China,
Russia, North Korea and Iran, according to data from the independent
organization CFR.
Russia has been heavily focused over the last two years on attacking digital
services and infrastructure in Ukraine, but there have also been cases of
cyberattacks on European Union diplomatic targets that were transmitting
sensitive information about the war. The attack was carried out through
emails.
As Rebeca Gimeno explains, the International Monetary Fund itself has been
the target of an attack. Last Friday the organization reported that eleven
email accounts had been compromised. We do not know who was behind this
latest attack, but it is true that both international organizations and the
financial sector are targets in this espionage war because they handle
relevant data such as compliance with the sanctions on Russia.

(continued)

Know more: https://www.cuatro.com/noticias/internacional/20240318/rusia-ataques-ciberneticos-vladimir-putin_18_012005180.html

NSA’S ADAMSKI CALLS CYBER COLLABORATION CENTER A ‘GAME
CHANGER’

(USA) The National Security Agency’s (NSA) Cybersecurity Collaboration Center
(CCC) has been “game-changing” for the NSA in terms of gaining unique
insights from partners on specific adversaries, according to Morgan Adamski,
the chief of the CCC.
At CrowdStrike’s Gov Threat Summit on March 19 in Washington, D.C., Adamski
shared how the CCC is working to operationalize cyber intelligence and insights
with the private sector.
“We started with one partner about four years ago. As of today, we have over
1,000 different partners that we talk to 24/7 through 800 collaboration platforms
at any given time,” Adamski said.
“It has been game-changing for us from an NSA perspective because great
partners like those at CrowdStrike, who have unique insights and expertise on
specific adversaries or technology, they can bring that to bear what we’re seeing
from a classified perspective, and we create this comprehensive picture not only
of the adversary, but also how do we protect and defend against those threats,”
she added.
Last year alone, the CCC scaled its cybersecurity-as-a-service program to include
small-to-medium businesses within the defense industrial base (DIB) –
increasing enrollments in NSA’s no-cost cybersecurity services to Department of
Defense contractors by 400 percent.
Within the CCC, NSA also established the Artificial Intelligence Security Center
last year, which will promote the secure development, integration, and adoption
of AI technologies within National Security Systems (NSS) and the DIB.
Adamski said she defines success within the CCC if the NSA has intelligence
inside the classified level of a specific nation-state adversary with malicious
cyber intent, and it is then “able to sanitize that information” – or bring it down
to a lower classification level.
“That used to be around weeks and months that we would try to figure out how
to do that. We’ve now gotten into a process – even as it relates to say PRC
[People’s Republic of China] targeting critical infrastructure – we’ve been able to
do that now within hours,” she said.
(continued)

Know More: https://www.meritalk.com/articles/nsas-adamski-calls-cyber-collaboration-center-a-game-changer/

CYBER MERCENARIES – A GROWING THREAT PROMPTING COLLECTIVE
ACTION AT THE 2024 SUMMIT FOR DEMOCRACY

(INTERNATIONAL) The alarming growth of private cyber mercenary firms has
been a destabilizing force in the online ecosystem for some time, introducing
sophisticated cyber capabilities to a broad set of actors which have been used
to target and harm vulnerable populations like dissidents, journalists and
human rights defenders. Private companies that develop and provide offensive
cyber capabilities for a fee readily found a market among governments that all
too often use these capabilities to undermine the privacy and security of
civilians around the world. As the scale of this challenge has become difficult to
ignore, it is encouraging to see recognition of this issue by responsible
governments and growing momentum for action, including at the 2024
Summit for Democracy this week.
The Cybersecurity Tech Accord welcomes the expanded set of countries that on
Monday, at the 2024 Summit for Democracy, joined the “Joint Statement on
Efforts to Counter the Proliferation and Misuse of Commercial Spyware.” A
first-of-its-kind international effort launched at the 2023 Summit for
Democracy, the statement makes critical commitments to setting guardrails,
limiting exports, sharing information and working with like-minded
governments and industry partners to address the proliferation of commercial
spyware. The expanded set of countries endorsing these commitments
underscores their value and the persistent challenges posed by cyber
mercenaries. The joint statement now has the support of the following 17
nations: Australia, Canada, Costa Rica, Denmark, France, Finland, Germany,
Japan, New Zealand, Norway, Poland, Ireland, Republic of Korea, Sweden,
Switzerland, the United Kingdom, and the United States.
The government actions above are complemented by ongoing civil society and
industry initiatives. Organizations like Citizen Lab, Amnesty International, and
the CyberPeace Institute are highlighting how victims suffer as the result of
cyber mercenaries. Meanwhile, the Atlantic Council is mapping the cyber
mercenary market to help demystify the often opaque groups operating in this
space. Leading philanthropies have also recently announced over $4 million in
grants, through the Spyware Accountability Initiative, to highlight major harms
posed by the global spyware industry. This will support the growing number of
community researchers and advocacy groups working to hold cyber
mercenaries accountable for how their services are used.
(continued)
Know More: https://cybertechaccord.org/cyber-mercenaries-a-growing-threat-prompting-collective-action-at-the-2024-summit-for-democracy/

HACKERS CLAIM TO HAVE BREACHED ISRAELI NUCLEAR FACILITY’S
COMPUTER NETWORK

(ISRAEL) An Iran-linked hacking group claims to have breached the computer
network of a sensitive Israeli nuclear installation in an incident declared by the
‘Anonymous’ hackers as a protest against the war in Gaza.
The hackers claim to have stolen and published thousands of documents —
including PDFs, emails, and PowerPoint slides — from the Shimon Peres Negev
Nuclear Research Center. The secretive facility, which houses a nuclear reactor
linked to Israel’s unavowed nuclear weapons program, has historically been
targeted by Hamas rockets.
In a social media message explaining their intentions, the group claimed “as we
are not as like as the bloodthirsty Netanyahu and his terrorist army we carried
out the operation in such a way that no civilians were harmed.”
Despite this statement, in another social media message the group said it did
“not intend to have a nuclear explosion but this operation is dangerous, and
anything might happen,” alongside an animated video depicting a nuclear
detonation and a call for the evacuations of the nearby city of Dimona and the
town of Yeruham.
While the documents that have been released potentially suggest the hackers
were able to compromise an IT network connected to the facility, there is no
evidence they have been able to breach its operational technology (OT)
network. Even in the case they did, nuclear facilities have numerous failsafe
systems in place to prevent dangerous incidents.
The Israeli embassy in London did not respond to a request for comment about
the incident.
Gil Messing, the chief of staff at Israeli cybersecurity company Checkpoint, told
Recorded Future News his company was aware of the Anonymous group which
was established with its own Twitter and Telegram accounts around the start of
the country’s war on Hamas in Gaza.
Checkpoint has mostly observed the hackers echoing attacks carried out by
Iranian groups, with Messing suggesting that these might all be the same
groups operating under different names.

(continued)

Know More: https://therecord.media/hackers-claim-attack-on-israeli-nuclear-research-facility


SCRAMBLE TO FIND RUSSIAN CYBERHACKERS WHO UNLEASHED GPS
JAMMING ATTACK ON GRANT SHAPPS' RAF JET: NATO LAUNCHES MAJOR
RECONNAISSANCE OPERATION TO IDENTIFY SOURCE OF ELECTRONIC
WARFARE ATTACK

(UK) Britain launched a major operation today to identify Russian military
cyberhackers who targeted the UK Defence Secretary's RAF aircraft.
Just hours after the Kremlin's Electronic Warfare (EW) experts jammed signals
on Grant Shapps' jet, the UK and her allies struck back.
On March 14th, a British Rivet Joint surveillance aircraft took off from RAF
Waddington, Lincolnshire, bound for the Baltic.
Its departure came just over an hour after a US military Rivet Joint left its base in
Mildenhall, Suffolk, bound for the same airspace.
The high-tech aircraft then spent several hours flying loops close to the Russian
enclave of Kaliningrad, which borders Poland.
Mr Shapps' jet flew within 60 miles of Kaliningrad on its return journey from
Poland. Hundreds of commercial flights using the same airspace have reported
similar problems in recent months.
The attacks are understood to be part of the Kremlin's cyberwarfare
programme against the West. Alarmingly, the Mail has been told Russia is 'years
ahead' in this highly sophisticated area of conflict.
Without GPS, pilots can lose their situational awareness which, in a worst-case
scenario, could cause a fatal collision.
Typhoons, F-35 fighter jets and RAF transport aircraft have reported similar
attempts to jam their GPS systems.
Since Russia's invasion of Ukraine, Poland has strengthened its northern border
with Kaliningrad, an enclave sandwiched between the Baltic Sea, Poland and
Lithuania.
(continued)

Know more: https://www.dailymail.co.uk/news/article-13198141/Scramble-Russian-cyberhackers-unleashed-GPS-jamming-attack-Grant-Shapps-RAF-jet-NATO-launches-major-reconnaissance-aircraft-operation-identify-source-electronic-warfare-attack-Defence-Secretarys-Poland-flight.html

EVENTS OF INTEREST

https://ctf.hackthebox.com/event/details/inter-american-cyber-defense-challenge-30-1412

https://jornadas.ccn-cert.cni.es/es/ivjornada-panama

Disclaimer: This newsletter is provided by the Inter-American Defense Board (IADB) "AS IS" for informational purposes only, without any express or implied warranties. The IADB is
not responsible for the accuracy, content, or availability of information, including external links, nor for any loss or damage resulting from the use of such information. Users
assume full responsibility for verifying and using the information contained herein. The inclusion of external links does not imply endorsement by the IADB.
TECHNICAL INSIGHTS

https://cloudsec.cybr.com/
