Repository of Cases
Private entities have emerged as major targets of state-sponsored cyber operations. While it is difficult to accurately determine cases of economic cyber-espionage, we have listed high probability cases, based on targeted entities, known APT motivations, and temporal context.
Name of Incident
Context
In 2013, Mandiant/FireEye discovered that APT1 had been conducting cyberespionage operations since 2006. The cyberespionage operation affected or targeted at least 141 organizations across 20 major industries – ranging from IT and Transportation to Engineering Services and Chemicals – primarily in English-speaking countries, including the U.S. (115 multinationals), India (3), and Singapore (2). Possibly linked to the ShadyRAT campaign, which McAfee discovered in 2011, the campaign may have also affected India, Indonesia, Vietnam, Japan, Denmark, and Germany. Given that the largest targets of cyberespionage were private entities, it is very possible that the APT stole vast amounts of commercial secrets relating to multiple economic sectors and industries.
The perpetrator was suspected to be APT1 and ShadyRAT, two possible sets of hacking groups that may have some affiliations with the Second Bureau of the Third Department of PLA’s General Staff Department.
There was a rise in attacks after 2010. Of note, 13 out of 16 IT organizations attacked were targeted between 2010 and 2012. Most incidents across the board also seem to have occurred after 2010. This may be closely tied to the 12th Five-Year Plan (2011-2015), a cyclical strategy document by the CPC leadership that steers the general direction of economic initiatives: namely next-generation information technology, high-end equipment manufacturing, alternative energy, and new materials. Fundamentally, the campaign's launch occurred not long after the 2006 National Medium- and Long-Term Plan for the Development of Science and Technology, in which China laid out its goals to reduce its dependence on the West for advanced technologies, and on the U.S. and Japan in particular.
Economic objectives
Assets stolen
Intellectual property, including sensitive business information.
Governments' response
The U.S. Department of Justice indicted five Chinese military officers associated with this hack.
Sources
Level of confidence
High Confidence (9 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion (2 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
Prior to the February 2021 coup, Myanmar had rapidly emerged as an attractive destination for foreign investment. With immense natural resources, a young population, and a risky, though somewhat positive, political outlook after its democratization process, increasing numbers of investors had come to Myanmar. Special economic zones (SEZ) emerged as one of the ways in which the government had hoped to facilitate imports, exports, and foreign direct investment. Competition over securing access to lucrative spots in SEZs
In 2016, Fox IT, an American cybersecurity firm, discovered a cyberespionage campaign that targeted government agencies and investment firms tied to the strategically-located Kyaukphyu Special Economic Zone (SEZ) in Myanmar’s Rakhine state.
The Kyaukphyu SEZ was known to be of particular interest to the China National Petroleum Corporation, which had invested in Kyaukphyu since 2009. The company had signed an agreement to build a seaport and to develop, operate, and manage oil and gas pipelines connecting Myanmar to China. Thus, in 2014, the Myanmar government announced that, supported by the CPG Corporation, it had initiated a consulting tender to choose an advisor for the Kyaukphyu SEZ, who would oversee operations and make decisions on certain investments.
The perpetrators were named the “Mofang Group,” and they had targeted a Myanmar government entity and a Singapore-based company called the CPG Corporation, both of which had made decisions about foreign investments in the Kyaukphyu SEZ. While the Mofang Group had no known direct affiliation to the Chinese state, it was known to be China-based.
Economic objectives
Assets stolen
Sensitive business information about Myanmar’s Kyaukphyu SEZ deal
Attribution
Governments' response
None
Sources
Level of confidence
High Confidence (10 out of 12)
- Private entities are either the sole or the primary targets of intrusion (3 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
Operation Cloud Hopper is one of the largest sustained global cyber espionage campaigns. The operation has been traced back to at least 2016 and has targeted managed IT service providers, thus acquiring potentially unprecedented access to IP and sensitive data of those MSPs as well as their clients across the globe. Some of these targets compromised include Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, DXC Technology, Ericsson, and IBM (see Operation Cloud Hopper). A wide range of sectors were affected, ranging from telecommunications to mining. The suspected targets of these operations were those that aligned with China’s national security and “Made in China” goals, focused primarily on valuable military and intelligence information as well as confidential business data. PwC, in cooperation with BAE Systems and the UK’s National Cyber Security Centre, attributed the attacks to APT10, a China-based hacking group. Symantec, similarly, found an advanced persistent threat campaign targeting companies in multiple sectors across 17 regions in Japan. This campaign was also attributed to Cloud Hopper (which they called Cicada).
Several countries, including the US and Australia, attributed Operation Cloud Hopper to a hacking group that has backing from the Chinese state.
Economic objectives
Assets stolen
Intellectual property, possibly worth billions of dollars
Governments' response
The U.S. Government held the Chinese government accountable for these campaigns, including by indicting suspected hackers. Britain, Australia, and New Zealand also made formal statements indicating that APT10 was acting on behalf of the Chinese government. However, Chinese authorities have denied supporting or directing APT10.
Sources
Level of confidence
High Confidence (10 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion (2 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives. (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
In March 2021, Reuters published a report citing data and officials from cyber-intelligence firm Cyfirma that two major Indian vaccine and pharmaceutical manufacturers, Serum Institute of India and Bharat Biotech, experienced hacking attempts against their IT systems from the China-based APT ‘Stone Panda’, also known as APT10. Cyfirma’s CEO, Kumar Ritesh, told Reuters that ‘The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies.’ Citing SII’s weak web server capacity and weak web application and content management system, Ritesh pointed to the threat posed by the lax security of these manufacturers.
Given that tensions between India and China have been simmering in the aftermath of the Galwan Valley clash of June 2020, China-based and state-affiliated APTs have been launching repeated cyberattacks on key sectors of India, and the 2021 incident indicates that the attack on India’s health sector is strategic. This is a clear case of cyber-espionage, as India, which supplies 60% of the world’s vaccine demand and is known as the “pharmacy of the world,” maintains access to IP pertaining to vaccines such as AstraZeneca, Novavax and COVIN.
In 2018, the US Department of Justice announced that APT10 had, in the past, worked in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
Economic objectives
Assets stolen
Potentially, IP from pharmaceutical manufacturing and immunization technology related data
Attribution
Cyfirma (published in a report by Reuters)
Governments' response
Cyfirma reported through Reuters that they informed the Indian Computer Emergency Response Team (CERT-In) of the threat and that CERT-In “acknowledged it.” No comment from SII or Bharat Biotech; SS Sarma of CERT-In
Sources
Level of confidence
Very High Confidence (11 out of 12)
- Private entities are either the sole or the primary targets of intrusion (3 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
Dubbed “Operation Pzchao” by Romanian cybersecurity firm Bitdefender, this cyber campaign targeted government institutions, as well as private firms in the technology, education, and telecommunications sectors that are primarily based in the U.S., though also with some cases in several other countries. Bitdefender attributed the attack to Emissary Panda, a China-based threat group active since 2010. The group has been suspected of conducting espionage operations on civil society organisations and governments deemed critical of the PRC, including advocacy organisations on Taiwan and Tibetan independence. While this threat group’s focus has traditionally been on political espionage, we suspect – with moderate confidence – that this attack had possible economic objectives as well. Initiated in July 2017, this cyber incident came against the backdrop of developments in China’s technology and telecommunications sector, including Beijing laying out a development plan to become the world leader in AI by 2030. The Iron Tiger APT (aka Panda Emissary or TG-3390) has been active since at least 2010 and targeted organizations in APAC, but since 2013 it has been attacking high-technology targets in the US.
Economic objectives
Assets stolen
Unknown
Attribution
Governments' response
None
Sources
Level of confidence
Moderate Confidence (7 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion (2 points)
- No clear information if commercial data is targeted (1 point)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
In 2017, FireEye announced that they had observed APT32 conducting cyberespionage operations targeting foreign companies with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The campaign has been ongoing since 2013. There are indicators that APT32 actors are targeting peripheral network security and technological infrastructure corporations. Some of the targets have included government agencies in Cambodia, oil companies from China, and maritime construction firms. The affected economies have included Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, USA and Vietnam. The objectives are likely to be diverse, ranging from political objectives to stealing sensitive business information.
Economic objectives
Assets stolen
Possibly intellectual property
Governments' response
None
Sources
Level of confidence
High Confidence (10 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion (2 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
Nine officials belonging to the Iranian company Mabna Institute were indicted by the U.S. Department of Justice for conducting state-sponsored cyber operations on behalf of the Iranian Revolutionary Guards from at least 2013 to 2018. The campaign had targeted 4,230 academics and researchers in 176 universities in 21 countries, with an additional set (3,768 academics in 144 universities) targeted in the U.S. They had also targeted 36 private companies in the U.S., 11 foreign companies, 5 U.S. government agencies (energy, state governments), the United Nations, and UNICEF. The campaign had sought to obtain usernames and passwords for the accounts of academics and researchers in order to obtain proprietary academic information.
Valuable intellectual property and data from hundreds of universities in the US and other countries, and from a media company, were stolen for private financial gain. The Mabna Institute reportedly stole more than 31 terabytes of academic data and intellectual property from universities, as well as email accounts of employees at private sector companies, government agencies, and non-governmental organisations. The data stolen were likely used for the benefit of Iran’s Islamic Revolutionary Guard Corps, though they were also sold through two websites: Megapaper.ir and Gigapaper.ir. These websites sold stolen research materials and academic credentials to customers in Iran.
The cyber campaign coincided with various developments in Iran’s foreign policy and economy, including negotiations over the failed Iran nuclear deal and the subsequent imposition of harsh US sanctions, placing Iran under “maximum economic pressure”.
Economic objectives
Assets stolen
The Mabna Institute reportedly stole more than 31 terabytes of academic data and intellectual property from universities, private firms, government agencies, and non-governmental organizations.
Attribution
U.S. government
Governments' response
U.S. charged nine Iranian nationals linked with the program.
Sources
Level of confidence
High Confidence (9 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion (2 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- There is not enough information to conclude whether stolen data was used to aid domestic private businesses (1 point)
Context
In 2019, the Wall Street Journal reported that American cybersecurity firm iDefense had observed a cyberespionage campaign that targeted 27 defense universities around the world, including several major American universities – University of Hawai’i, Penn State University, and the Massachusetts Institute of Technology – as well as a few unnamed universities in Southeast Asia. The cyber campaign was estimated to have started in April 2017 and had targeted information about maritime technology under development for military use. Interestingly, most of the universities targeted were research hubs that focused on undersea technology and a submarine missile project (often government or navy funded). All targets also had links to the Woods Hole Oceanographic Institution, a Massachusetts-based oceanographic institute. The threat actor responsible was APT40, a hacking group with suspected ties to China’s Ministry of State Security. APT40 has a history of stealing sensitive military information, including submarine missile plans and ship maintenance data.
Economic objectives
Assets stolen
Uncertain, but the majority of the universities targeted either house research hubs focused on undersea technology or have faculty on staff with extensive experience in a relevant field.
Attribution
iDefense
Governments' response
None
Sources
Level of confidence
High Confidence (9 out of 12)
- Private entities are either the sole or the primary targets of intrusion (3 points)
- Commercial data are likely to have been targeted (2 points)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
In February 2020, MyCERT announced that a cyber campaign had been targeting Malaysian government officials with spear-phishing attacks aiming to steal confidential documents from government networks. The campaign was attributed to APT40, a hacking group with known interests in the engineering, transportation, and defence industries, especially where these sectors overlap with maritime technologies. The exact government agencies targeted are not known. The cyber campaign coincided with the Trump administration’s tightening of rules to prevent China from obtaining advanced technology from the US for commercial purposes and then repurposing it for military use, including radar equipment and semiconductors.
Economic objectives
Assets stolen
Malaysia’s Computer Emergency Response Team (MyCERT) believes that the group likely acquired large amounts of information related to various telecommunication projects, including business proposals, meeting minutes, financial data, shipping information, plans and drawings, and raw data.
Attribution
MyCERT
Governments' response
MyCERT made a technical attribution, but there was no further attribution by the Malaysian government.
Sources
Level of confidence
Moderate Confidence (7 out of 12)
- Organizations with commercial data have been targeted in intrusions (1 point)
- No clear information if commercial data is targeted (1 point)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
From March 2021 until September 2021, this hacking campaign consisted of phishing attacks targeting users in Australia and Malaysia.
On 2 June 2021, phishing emails were sent out to several offshore energy companies operating in the Kasawari gas field, off the coast of Sarawak in Malaysia. The campaign’s focus was primarily on companies engaged in the engineering, extraction of natural gas, or export of natural gas products; four of the eight entities targeted were associated with the project. There were additional operations targeting several institutions in Australia, including defense universities and a consumer healthcare firm.
Given its strategic and economic importance, the Kasawari gas project was subject to a series of grey zone tactics in 2021. On June 1 of that year, when the assembly of the wellhead platform was underway, 16 Chinese aircraft were spotted off the coast of Sarawak, prompting Malaysia to scramble its fighter jets to intercept the transport lanes. The first phase of the phishing campaign began one day after the aircraft incident. The South China Sea dispute is a major security flashpoint in the Indo-Pacific, involving six different claimant states, including China and four Southeast Asian states. With the waters heavily contested and many major oil companies competing to win contracts and extract energy sources, there is plenty of room for potential uses of cyber tools.
Through joint technical work by Proofpoint and PwC Threat Intelligence, investigators are moderately confident that the campaign has been perpetrated by TA423 / Red Ladon, a China-based hacking group that has traditionally targeted organizations with operations associated with the South China Sea.
Economic objectives
Assets stolen
Likely sensitive data
Attribution
Governments' response
None
Sources
Level of confidence
High Confidence (10 out of 12)
- Private entities are either the sole or the primary targets of intrusion (3 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
From January 2020 until 2021, cybersecurity firms detected a massive cyberespionage campaign targeting private entities. These campaigns were conducted in three clusters. First, from January to March 2020, there was a broad campaign against 75 private entities in 20 countries, with a focus on industries ranging from petrochemicals to defense industrial base. Mandiant notes that while it’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, the victims appear to be more targeted in nature. The economies affected were Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA.
Second, in September 2020, hackers associated with APT41 were charged by the U.S. Department of Justice in connection with computer intrusion campaigns against more than 100 victims globally, including in Indonesia, Malaysia, Thailand, and Vietnam. The entities affected were those that specialize in software development, manufacturers, telecommunications, non-profit, universities, and civil society organizations.
Third, from July 2020 until August 2021 (ongoing as of then), Trend Micro observed an espionage campaign against victims in India, Malaysia, Philippines, Taiwan, and Vietnam in the airline, computer hardware, automotive, infrastructure, publishing, media, and IT industries.
Economic objectives
Assets stolen
Sensitive business information, source code, software code-signing certificates, and customer account data
Attribution
US Government, Mandiant; Trend Micro
Governments' response
In the second incident, the U.S. Department of Justice indicted seven individuals (two arrested, five remaining at large)
Sources
Level of confidence
High Confidence (9 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion (2 points)
- Commercial data are likely to have been targeted (2 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
In May 2022, the US–Israeli cybersecurity firm Cybereason reported on an economic cyberespionage campaign that it dubbed ‘Operation CuckooBees’. The company estimated that a hacking group exfiltrated hundreds of gigabytes of information from some 30 multinational companies, which may potentially be worth trillions of US dollars.
The attackers were observed to have spent years clandestinely conducting reconnaissance and identifying valuable data. They targeted IP developed by the victim companies, including ‘sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data’. Targets of Operation CuckooBees are said to be technology and manufacturing companies located in Asia, Europe and North America.
Mandiant, which is a major American cybersecurity firm, observes that targeting by ‘APT 41’ is ‘consistent with China’s national strategies to move production capabilities into research and development (R&D)-heavy fields’, particularly those associated with the ‘Made in China 2020’ strategic plan. The entities targeted may include those within the healthcare sector, pharmaceuticals, high-tech semiconductors and advanced hardware, electric vehicles, and telecommunications.
Economic objectives
Assets stolen
Hundreds of gigabytes of information
Attribution
Governments' response
None
Sources
Level of confidence
Very High Confidence (11 out of 12)
- Private entities are the sole or the primary targets of intrusion (3 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)
Context
Nicknamed Operation Diànxùn by the McAfee Advanced Threat Research (ATR) Strategic Intelligence team, this cyberespionage campaign likely targeted people working in the telecommunications industry in order to access sensitive data and to spy on companies related to 5G technology. The first activity was observed to have taken place in August 2020, with several private entities suffering a cyber intrusion when the hackers leveraged a fake Huawei careers website to lure telecom employees and infect their systems with info stealers.
The McAfee ATR team holds with a moderate level of confidence that the motivation behind this specific campaign had to do with the banning of Chinese technology from the construction of telecoms networks across the world. The targeted countries outside of Southeast Asia – U.S., Spain, Germany, Austria, Czechia, and Ukraine – were all signatories to a global security agreement for future 5G networks, highlighting concerns about equipment supplied by vendors that might be subject to state influence. Vietnam, meanwhile, is opting to avoid Huawei technology and instead moving to develop its own 5G technology.
McAfee ATR attributed the hacking operations to two threat actors: RedDelta and Mustang Panda. Mustang Panda has a history of conducting cyberespionage operations on behalf of the Chinese state to steal information that aligns with China’s “Made in China 2025” goals and BRI plans. Thus, there is past precedent for its support in the pursuit of industrial goals.
Economic objectives
Assets stolen
Uncertain, possibly sensitive business information about 5G technology
Attribution
Governments' response
None
Sources
Level of confidence
High Confidence (10 out of 12)
- Private entities are either the sole or the primary targets of intrusion (3 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
In June 2021, Recorded Future, an American cybersecurity firm, reported a cyber campaign by Threat Activity Group 22 (TAG-22) that breached networks in Nepal, the Philippines, Taiwan, and Hong Kong. The cyber intrusions largely focused on academic and governmental networks. The selection of the Industrial Technology Research Institute (ITRI) in Taiwan as a target is critical, since the organization has been responsible for setting up and incubating several Taiwanese technology firms. ITRI also works on several research and development projects related to smart living, quality health, sustainable environment, and technology, issues that align with China’s development priorities under its 14th Five Year Plan. Since 2019, ITRI has imposed stricter cybersecurity measures, including banning all smartphones and computers made by China’s Huawei from its internal network. The attacks came amidst recent attacks by Chinese hacking groups on multiple organisations across Taiwan’s semiconductor industry. Beyond ITRI, other major targets included Nepal Telecom and the Department of Information and Communications Technology. Given their use of Winnti tools, Recorded Future suspects that TAG-22 consists of private contractors operating on behalf of China’s Ministry of State Security.
Economic objectives
Assets stolen
Given targets, likely sensitive business information
Attribution
Governments' response
None
Sources
Level of confidence
High Confidence (10 out of 12)
- Private entities are either the sole or the primary targets of intrusion (3 points)
- Commercial data are known to be the dominant targets of intrusion (3 points)
- APT actor has some history of stealing IP and other commercially valuable data (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
Lazarus Group is a known hacking group with close affiliations to the North Korean government. The group consists of a wide range of smaller hacking operations that have affiliations with either North Korea’s Ministry of State Security or the Reconnaissance General Bureau (RGB). The Lazarus Group’s attacks are driven by a series of motivations, including financial gain and political and economic espionage. They have conducted a series of cyber operations across Southeast Asia, Latin America, and India, some of which are listed below:
On September 4, 2019, Pukhraj Singh, a former employee of India’s National Technical Research Organization (NTRO) and an independent Indian cyber security professional, informed the National Cybersecurity Coordinator that a cyber intrusion had been detected at the KNPP and ISRO right around the time of Chandrayaan-2’s final descent, after being tipped off by a third party. He later also disclosed the same on his Twitter handle on October 28, 2019. Soon after his disclosure, Indian media picked up his message and propagated it widely. In response, on October 29, the Nuclear Power Corporation of India Ltd. and the KNPP authorities issued a statement dismissing Pukhraj Singh’s warning as “false information.” Just a day later, on October 30, however, the NPCIL issued another statement confirming that a malware attack had indeed been faced by KNPP, and that the matter had been conveyed to them by CERT-In on September 4, 2019.
Because the Russian government undertook the KNPP project in collaboration with the Government of India, the matter was investigated not only by Department of Atomic Energy (DAE) specialists within India; the Deputy Chief of Mission at the Russian Embassy, Roman Babushkin, also said, “The Russian authorities are working with Indian agencies to stop any further attacks.”
Several security researchers attributed the campaign to the Lazarus Group, North Korea’s elite hacking unit, after identifying the malware as a variant of Dtrack, a backdoor trojan developed by the group. Kaspersky Lab, the Russian cybersecurity company, had already reported in September 2019 that Dtrack was being used against banks, ATMs and research institutions throughout that year, so the intrusions at ISRO and NPCIL may simply have been part of that larger campaign.
According to reporting in November 2019, CERT-In had alerted ISRO during the Chandrayaan-2 mission to a possible cyber attack on its systems through phishing emails sent to senior officials. The emails carried malware capable of hijacking the recipient’s email identity, which could then be used to send mails to their subordinates. The intrusion at the Nuclear Power Corporation of India’s Kudankulam plant, disclosed in October 2019, was a similar case: the Corporation acknowledged that one of the computers on the plant’s administrative network had been infected with the Dtrack malware. Although it is not confirmed that the attack on ISRO systems also used Dtrack, the APT actor in both cases has been identified as the North Korean Lazarus Group. In ISRO’s case, officials confirmed through media reports that no systems were compromised. Yash Kadakia, founder of the Mumbai-based cybersecurity firm Security Brigade, also said that he had evidence of malware-laden emails sent to five government agencies that same year.
Sohn Young-dong, a defense expert at Hanyang University in Seoul, said that Pyongyang may be using the attacks on nuclear technology to overcome its own energy crisis, as well as aiming to “sell such information to countries” like Iran.
In April 2023, Kaspersky Lab reported that, for several months up to January 2023, it had observed a Lazarus Group campaign in India deploying version 2.0 of the BLINDINGCAN malware through a backdoored client of the open-source UltraVNC remote-access tool. The updated version adds plug-in based extensibility while retaining features of the previous version, such as its C2 communication, encryption methods and infection procedure. Once executed, the trojanised application continues to work normally while covertly collecting victim information and sending it to the malware’s command-and-control servers.
Economic objectives
Assets stolen
In India, information gathering from space and nuclear research organisations; no clear cyber economic espionage objective identified.
Attribution
The US Department of Justice has claimed that the group is part of the DPRK government’s strategy to ‘undermine global cybersecurity…and generate illicit revenue in violation of…sanctions.’
Indian Computer Emergency Response Team (CERT-In), made public by an unnamed ISRO official; Kaspersky Lab.
Governments' response
Intervention by CERT-In through its notification to ISRO; the attack was reportedly stopped at an early stage.
Initially, on 29 October 2019, the Kudankulam Nuclear Power Project authorities issued a statement claiming that reports of such a cyber attack circulating on social media and in electronic and print media were “false information”; just a day later, on 30 October 2019, Nuclear Power Corporation of India Ltd. issued a statement confirming that the identification of malware in an NPCIL system was correct. The latter statement also said that DAE specialists were investigating the matter.
Sources
Level of confidence
High Confidence (8 out of 12)
- Organisations with commercial data have been targeted in intrusions (1 point)
- Commercial data are likely to have been targeted (2 points)
- APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)
Context
Ke3chang (also tracked as APT15, as NICKEL by Microsoft and as Flea by Symantec) is a hacking group suspected of affiliation with the Chinese state. The group has been active since at least 2010 and has targeted a diverse range of entities, from governments to industries such as aerospace and energy. Its tooling has evolved over time through various malware families, including Mirage and BS2005. The group traditionally focused on Asian targets but has shifted its attention to Latin America since 2017, when a series of intrusions affecting foreign ministries, government agencies and corporations in Chile, Guatemala and Brazil was attributed to it. Since then, a number of cyber incidents have been linked back to Ke3chang.

Between September 2019 and December 2021, the Microsoft Threat Intelligence Center (MSTIC) observed APT15 operations across several countries in Europe, Africa and the Americas, including Argentina, Brazil, Colombia, Mexico and Peru. APT15 established long-term access and was able to schedule regular data exfiltration. MSTIC assesses that this activity is in pursuit of economic and traditional intelligence-collection objectives and will continue as China extends its Belt and Road Initiative (BRI). In December 2021, Microsoft announced that it had obtained a court order allowing it to seize 42 domains used by APT15.

Between late 2022 and early 2023, APT15 used a new backdoor, Backdoor.Graphican, against foreign affairs ministries in the Americas, one European victim, and a corporation that sells products in Central and South America. While Latin America has historically been relatively free of APT attacks, Ke3chang has changed that dynamic and emerged as the highest-profile hacking group focused on Latin American entities.
Economic objectives
Assets stolen
Intellectual property, including sensitive business information.
Governments' response
None
Sources
Level of confidence
High Confidence (8 out of 12)
- Private entities are a majority of known sectors targeted in the intrusion. (2 points)
- Commercial data are likely to have been targeted (2 points)
- APT actor has some history of stealing IP and other commercially valuable data. (2 points)
- No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)