The 2024 state-sponsored campaigns

Threat Discovery Telsy TS WAY Cyber Threat Intelligence

Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis in cyber threat intelligence at the global level.

The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.

This article presents a review of some of the most significant 2024 state-sponsored campaigns associated with Russia, China, North Korea, and Iran.

Overall, each of these geopolitical powers has developed a specific and characterizing cyber strategy.

Russia has promoted large-scale espionage activities, influence operations, DDoS offensives, and targeted campaigns for destructive purposes. All of this is embedded in a hybrid system in which structured forces operate together with hacktivist collectives and externally supported criminal formations.

China – of which large portions of a complex and dynamic ecosystem composed of APTs, front companies, and training and research centers have recently come into focus – appears to have focused its attention on the telecommunications sector for much of its espionage activities.

North Korea continues on the traditional two-pronged course of espionage and self-financing, introducing progressive variations in its modus operandi.

Iran has developed a multifaceted strategy based on espionage and counter-espionage, demonstration attacks against critical infrastructure, Hack-and-Leak offensives, and InfoOps.

For each of these we will provide only illustrative and partial cases that, however, can help provide a picture of their role in global dynamics during 2024.


Russia against Big Tech and political-government realities

In January 2024, Microsoft detected an attack against its corporate systems. Initiated at least in May of the previous year, the attack targeted corporate email accounts in an allegedly successful attempt to steal system access and secrets of various kinds. Reconstruction of the case took place in the following months and was enriched with new elements. Overall, APT29 targeted other organizations as well, including Big Tech Hewlett Packard Enterprise (HPE) and TeamViewer.

Sofacy, whose Moobot attack infrastructure was dismantled in February this year, nevertheless continued to operate on a global scale. In particular, on the eve of the European Parliament elections in June, attacks were reported against the German Christian Democratic (CDU) and Social Democratic (SPD) parties. Also, in September, the German state company responsible for air traffic control, Deutsche Flugsicherung, suffered an offensive traced by some media to this adversary.

Meanwhile, Estonia has officially accused Russia of being responsible for the attacks the country suffered in 2020. Authorities have identified the perpetrators as three officers of GRU Unit 29155, which has also recently turned to cyber attacks. According to investigative agencies in the U.S., U.K., Ukraine, Australia, Canada and other European countries, the Moscow-based APT Cadet Blizzard (Lorec53) is allegedly part of Unit 29155.


China’s state-sponsored ecosystem and focus on telecommunications

In February 2024, a user on the GitHub platform released files belonging to I-Soon (Anxun), a cybersecurity and technology services company that is reported to be a major contractor for various Chinese government agencies, such as the Ministry of Public Security, the Ministry of State Security, and the People’s Liberation Army.

I-Soon, to which the APT Axiom galaxy has been linked, allegedly supported espionage activities in all areas of Beijing’s strategic interest by hitting multiple targets in Taiwan and Hong Kong, among Tibetan and Uyghur ethnic minorities, and in the government sectors of European, Asian and African countries.

The information gleaned from the leak confirmed and expanded on analyses conducted in recent years by the Intrusion Truth portal, which had meticulously detailed front company names, locations, names of alleged operators, and names of the alleged APTs involved.

In addition, in November 2024, an extensive and sustained espionage campaign associated with APT Salt Typhoon (GhostEmperor) began to emerge, targeting U.S. telcos Verizon, AT&T, Lumen Technologies, and T-Mobile. Early reports from U.S. intelligence agencies stated that the adversary had managed to gain access to the network infrastructure used by the U.S. federal government to cooperate with court-authorized network eavesdropping requests. It also allegedly gained access to other tranches of more general Internet traffic.

Subsequently, authoritative news sources revealed that Salt Typhoon had also targeted the U.S. presidential election in an attempt to extract information from the telephone communications of Donald Trump and some of his family members, Vice President-elect J.D. Vance, as well as members of former Vice President Kamala Harris’ campaign staff. In particular, it allegedly tapped the phone of Todd Blanche, one of Trump’s top lawyers, but failed to pick up anything traceable to the campaign.

In parallel, a U.S. news agency revealed a breach of the Singaporean mobile operator Singtel by another Chinese APT, identified as Volt Typhoon. The attack, dating back to June of this year, is believed to be part of a larger campaign impacting telecommunications companies and other critical infrastructure operators around the world. Analysts speculated that the adversary was either testing a new hacking capability or planning to create a strategic access point for future offensives.

The second hypothesis seems in line with reconstructions of previous Volt Typhoon campaigns. Indeed, this APT is known for another campaign, reported in May 2023, that targeted the telecommunications sector. At that time the targets were the U.S. and the strategic island of Guam, a U.S. territory located in Micronesia that hosts several military bases. In that case, analysts speculated that the entire operation was aimed at developing new capabilities useful for carrying out destructive attacks on the communications infrastructure that the U.S. and entities located in Asia could rely on during future crisis scenarios.


North Korea between cyberespionage and self-financing

The Pyongyang government is running two strategic projects of global significance for the purpose of espionage and self-financing: Operation Dream Job and the so-called “laptop farm.”

Operation Dream Job is an espionage campaign based on sophisticated social engineering techniques that the APT Lazarus Group has been running for at least a couple of years. The adversary began by targeting companies related to the cryptocurrency industry, then turned against IT and defense companies in Europe, Latin America, South Korea, and Africa. To access the information of target companies, Lazarus operatives pose as recruiters and contact employees of those companies. During the interviews, they induce them to download threats such as RATs and infostealers.

The “laptop farms,” on the other hand, are part of an operation that has aimed to remotely place North Korean engineers and employees in hundreds of companies around the world. The DPRK created fake personal and professional identities for its infiltrators and then relied on accomplices in the destination countries. The salaries of these people are believed to be managed directly by Pyongyang.


Iran exploits new strategies and a well-trodden formation

Iran is exploiting Emennet Pasargad, an entity controlled by the Revolutionary Guard Corps (the Pasdaran), devoted to influence and Hack-and-Leak campaigns and equipped with relevant intrusive and camouflage capabilities. In addition, Tehran seems interested in experimenting with sophisticated disinformation techniques.

On the cyber espionage side, an operation by the adversary TA455 (Tortoiseshell), orchestrated to appear quite similar to the North Koreans’ very own Operation Dream Job, was detected. Targeted in the campaign were aerospace, aviation, and defense industries in the Middle East, particularly in Israel and the Emirates, as well as possibly in Turkey, Albania (where the headquarters of the Mojahedin opposition is located), and India.

To evade detection, TA455 employed numerous solutions. In particular, it mimicked Lazarus Group’s TTPs (tactics, techniques, and procedures) in detail, using similar decoys and even malicious files that overlap with those used by the North Korean adversary. At present, it cannot be determined with certainty whether Iran’s Operation Dream Job was a “false flag” campaign, and the hypothesis of actual cooperation between the two countries also remains valid.

In addition, intense activity by Emennet Pasargad, engaged in information manipulation operations that often result in PsyOps, has been traced.

The technology front company used in these campaigns by Emennet – Aria Sepehr Ayandehsazan (ASA) – allegedly procured server space from vendors based in Lithuania, the United Kingdom, and Moldova, and exploited front dealers to provide technical support to individuals based in Lebanon. There is speculation that ASA also provided support for hosting Hamas-affiliated websites.

After the Oct. 7 attack on Israel, ASA initiated Operation Contact-HSTG, in the course of which various front persons attempted to contact family members of Israeli hostages, probably in an attempt to provoke further traumatic psychological effects. In parallel, ASA is believed to have enumerated numerous IP cameras in Israel, from which it obtained content. In mid-2024, it launched smear campaigns in connection with the Paris Olympics.

Over the past two years, ASA allegedly promoted the activities of several alleged hacktivist groups protesting the conflict between Israel and Hamas in Gaza, using fictitious online personas.


Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with cyber threat intelligence expertise that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response, and systems security verification.

TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, and technology, and by government and military organizations that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.


TS-Intelligence

TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is delivered as a web-based, full-API platform that can be integrated into an organization’s defensive systems and infrastructure to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging networked threats, in both the APT and cybercrime domains, produces a continuous flow of exclusive information that is made available to organizations in real time and processed into technical, strategic, and executive reports.

