Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
In a September 16 press release, the U.S. Department of the Treasury announced the sanctioning of five individuals and one entity linked to the Intellexa Consortium for the development of Predator spyware. The Intellexa Consortium is a network of decentralized companies responsible for creating highly invasive spyware products marketed under the “Predator” brand. Predator spyware is notably used by state-sponsored actors and governments to gain access to sensitive information on victims’ devices. As highlighted in the press release, previous targets of the spyware have included “government officials, journalists, policy experts, and opposition politicians.” Full article here.
Chinese state-linked actors are reportedly running an influence operation, known as Spamouflage, in which they claim to be U.S. soldiers or American voters and comment on controversial topics on social media. Topics have included reproductive rights, America’s policy toward Israel and support for Ukraine, as well as criticism of both presidential candidates. They are reported to have used AI to create some of this content. Read more.
Insikt Group researchers have identified new network infrastructure associated with GreenCharlie, an Iranian threat actor that overlaps with APT42, Mint Sandstorm, Charming Kitten, Damselfly, TA453, and Yellow Garuda. GreenCharlie is linked to malware that reportedly targets U.S. political campaigns and government entities. According to Insikt Group, GreenCharlie has been linked to the POWERSTAR and GORBLE malware families, both of which are delivered through phishing campaigns for cyber espionage. Article here.
On September 23, the CEO of Telegram, Pavel Durov, announced a change to the platform’s privacy policy. According to the new policy, Telegram will comply with requests for user data as part of criminal investigations if it receives a valid court order confirming that the user is a “suspect in a case involving criminal activities that violate the Telegram Terms of Service.” Specifically, IP addresses and phone numbers of suspects will be shared with authorities. Additionally, the app is reportedly altering its search feature by removing problematic content from search results. Read article.
Proofpoint researchers have identified a new malware campaign spreading a backdoor dubbed “Voldemort.” The campaign, which began on August 5, has sent over 20,000 emails and targeted more than 70 organizations worldwide. The emails notably impersonated tax agencies from the U.S., Europe, and Asia, claiming that changes had been made to the recipient’s tax filings. The threat actor behind the campaign remains unidentified; however, based on the targeted sectors, notably insurance, aerospace, and transportation, Proofpoint assesses that the purpose is likely cyber espionage. Full article here.
The DOJ announced the indictment of five Russian GRU officers and one civilian for conspiring to hack the Ukrainian government. The GRU officers are part of Unit 29155 of the Russian Main Intelligence Directorate, the military intelligence agency of the General Staff of the Armed Forces. They are accused of conspiring to hack into, exfiltrate data from, leak information from, and destroy computer systems associated with the Ukrainian government in advance of the Russian invasion of Ukraine. “The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen of the National Security Division. Full article.
The Federal Bureau of Investigation (FBI) has disrupted a Chinese state-sponsored botnet dubbed Raptor Train. The botnet, “a network of computers infected by malware,” had infected more than 260,000 devices, which were used to target critical infrastructure in the U.S. and abroad and to steal data. The botnet notably targeted victims in the “military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors.” Read more.
According to BleepingComputer, the Iranian government-backed hacking group APT33 (also known as Peach Sandstorm and Refined Kitten) has been observed using new malware dubbed “Tickler” to backdoor U.S. government and United Arab Emirates networks between April and July of this year. The group is assessed to be working on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) and has been carrying out cyber espionage operations since at least 2013. In the group’s most recent intelligence collection campaign, Tickler is being used against organizations in the “government, defense, satellite, oil and gas sectors,” and its command-and-control relies on attacker-controlled Microsoft Azure infrastructure. Read article.
In a September 19 press release, the Federal Criminal Police Office of Germany (BKA) announced that it had seized 47 cryptocurrency exchange services hosted in Germany that facilitated cybercriminal activity and were used for money laundering. The exchange services in question allowed cybercriminals to swap cryptocurrencies while remaining anonymous, thereby creating a “low-risk environment for cybercriminals.” The press release lists ransomware groups, darknet traders, and botnet operators as examples of threat actors who used these exchange services, often to launder ransom payments. Read more.