Government agencies and non-governmental organizations in the United States have been targeted by a Chinese state-sponsored threat actor known as Storm-2077.
The adversary, which is believed to be active since at least January 2024, has also carried out cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services around the world, Microsoft said.
The company added that this cluster of activity overlaps with a threat group that Recorded Future's Insikt Group tracks as TAG-100.
The cybersecurity firm noted back in July that the group's attack chains target various Internet-facing edge devices, using publicly available exploits to gain initial access and then deploying Cobalt Strike as well as open-source malware such as Pantegana and Spark RAT.
“Over the past decade, following numerous government indictments and public disclosures of threat actors’ activities, tracking and attributing cyber operations originating from China has become increasingly difficult as attackers adjust their tactics,” Microsoft said.
Storm-2077 is said to conduct intelligence-gathering missions using phishing emails to collect valid credentials associated with eDiscovery programs to then steal emails that may contain sensitive information that could allow attackers to advance their operations.
“In other cases, Storm-2077 has been observed to gain access to cloud environments by harvesting credentials from compromised endpoints,” Microsoft said. “After gaining administrative access, Storm-2077 created their own application with read mail privileges.”
The disclosure comes as Google's Threat Analysis Group (TAG) shed light on a pro-China influence operation (IO) called GLASSBRIDGE, which uses a network of fake news sites and newswire services to push narratives that align with the country's views and political agenda around the world.
The tech giant said it has blocked more than a thousand websites operated by GLASSBRIDGE from its Google News and Google Discover products starting in 2022.
“These fake news sites are run by a small number of independent digital PR firms that offer news distribution, syndication and marketing services,” TAG Researcher Vanessa Molter said. “They pose as independent media outlets that republish articles from Chinese state media, press releases and other content likely commissioned by other PR agency clients.”
These firms include Shanghai Haixun Technology (which encompasses the HaiEnergy cluster), Times Newswire/Shenzhen Haimai Yunxiang Media (aka PAPER COVER company), Shenzhen Bowen Media, and DURINBRIDGE, the latter of which is a commercial content distribution firm for Haixun and DRAGONBRIDGE.
Shenzhen Bowen Media, a Chinese marketing firm, also operates World Newswire, the same press release service that Haixun uses to host pro-Beijing content on subdomains of legitimate news outlets, as revealed by Google-owned Mandiant in July 2023.
Identified subdomains include markets.post-gazette(.)com, markets.buffalonews(.)com, business.ricentral(.)com, business.thepilotnews(.)com, and finance.azcentral(.)com, among others.
“The fake news sites operated by GLASSBRIDGE illustrate how news operations actors have used methods outside of social media in an attempt to spread their narratives,” Molter said. “By posing as independent and often local news outlets, IO members can tailor their content to specific regional audiences and present their stories as seemingly legitimate news and editorial content.”