TL;DR
There is an increasing number of nation-state attacks; however, blocking the initial access vector and detecting and containing the attack still come down to the same boring things we already know about. Attacks and threat actors discussed in detail in this post:
Silk Typhoon BeyondTrust vulnerability breach of the US Treasury
Salt Typhoon attacks on US telecom infrastructure
Volt Typhoon device compromise
Russian Sandworm attacks during the Ukraine war
North Korean Silent Chollima espionage and financially motivated attacks against India and South Korea
Iranian threat actor group Refined Kitten targeting OT
Introduction
The Ukraine war has shown that while the cyber battlefield has not eclipsed traditional kinetic warfare, it has an important role to play in espionage and potentially in preparing the battlefield for disruption. This post explores the rise of state-sponsored cyber threats in 2024, profiles key actors such as China’s "Typhoon" groups, Russia-North Korea alliances and Iran in the OT world, and finally outlines actionable strategies for building cyber resilience in this volatile landscape.
Silk Typhoon BeyondTrust vulnerability breach of the US Treasury
The Silk Typhoon cyber attacks on the U.S. Treasury, leveraging vulnerabilities in BeyondTrust software, represent a significant breach linked to Chinese state-sponsored actors.
Attack Overview and Attribution
Who
The attacks were attributed to Silk Typhoon (also known as Hafnium or UNC5221), a Chinese state-backed Advanced Persistent Threat (APT) group known for cyber espionage targeting sectors such as defense, healthcare, education, and government entities.
When
The breach began in early December 2024, with BeyondTrust detecting anomalous activity on December 2nd and confirming the compromise by December 5th. The Treasury was notified on December 8th.
How
Attackers stole a Remote Support SaaS API key from BeyondTrust, a third-party vendor providing identity and access management services to the Treasury. This key allowed them to bypass security controls, remotely access Treasury workstations, and exfiltrate unclassified documents.
Targets and Impact
Office of Foreign Assets Control (OFAC): Responsible for enforcing economic sanctions. Attackers sought intelligence on potential sanctions against Chinese entities.
Committee on Foreign Investment in the U.S. (CFIUS): Oversees national security risks from foreign investments. Sensitive CFIUS investigation materials were accessed.
Office of Financial Research: Compromised, though the full scope remains under investigation.
Scale
Over 400 Treasury workstations and 3,000 unclassified files were accessed, including documents from Treasury Secretary Janet Yellen, Deputy Secretary Wally Adeyemo, and Acting Under Secretary Brad Smith.
Data included law enforcement-sensitive information, usernames, passwords, and details on sanctions and foreign investments.
Limitations: Classified systems and email networks were not breached.
Exploited Vulnerabilities and Tactics
BeyondTrust Vulnerabilities:
CVE-2024-12356: A critical command injection vulnerability (CVSS score 9.8) allowing remote code execution.
CVE-2024-12686: A medium-severity command injection flaw.
Operational Tactics:
Timing: Attacks occurred during non-working hours to evade detection.
Tools: Use of the China Chopper web shell and exploitation of zero-day vulnerabilities, consistent with Silk Typhoon’s historical methods.
Reconnaissance Focus: The group prioritized data theft over destructive actions.
Response and Mitigation
Containment:
The compromised BeyondTrust instance was shut down by December 16, terminating the hackers’ access.
Investigative Efforts: The Treasury collaborated with CISA, the FBI, intelligence agencies, and third-party forensic experts to assess the breach.
No Wider Spread: CISA confirmed the incident was contained to the Treasury, with no impact on other federal agencies.
Salt Typhoon attacks on US telecom infrastructure
The Salt Typhoon cyber attacks on U.S. telecommunications infrastructure represent a large-scale, state-sponsored espionage campaign attributed to Chinese hackers.
Overview and Attribution
Who
Salt Typhoon (also known as Earth Estries, FamousSparrow, or UNC2286) is a Chinese state-sponsored Advanced Persistent Threat (APT) group linked to China’s Ministry of State Security (MSS). The group has been active since at least 2022, targeting critical infrastructure globally, with a focus on the telecommunications, government, and technology sectors.
Purpose
Espionage, data theft, and potential disruption of critical communications networks. The attacks aimed to gather intelligence on U.S. government officials, corporate executives, and geopolitical adversaries, as well as to access sensitive call metadata, SMS content, and law enforcement wiretap systems.
Timeline and Targets
Timeframe
The campaign began in 2022 and escalated in 2024–2025. Initial breaches were detected in late 2024, with ongoing activity persisting into 2025.
Primary Targets
Telecom Giants: AT&T, Verizon, T-Mobile, Lumen Technologies, Charter Communications, Consolidated Communications, and Windstream.
Critical Systems: Exploited vulnerabilities in routers, switches, firewalls (e.g., Cisco, Fortinet), and legacy infrastructure. The attackers also infiltrated law enforcement portals used for court-ordered surveillance, compromising data on monitored individuals, including foreign spies.
High-Profile Individuals: Accessed call records of political figures, including presidential candidates and officials like Kamala Harris and JD Vance.
Attack Methodology
Initial Access
Zero-Day Exploits: Salt Typhoon leveraged vulnerabilities such as CVE-2021-26855 (Microsoft Exchange ProxyLogon), CVE-2022-3236 (Sophos Firewall), and CVE-2023-48788 (FortiClientEMS) to infiltrate networks.
Spear-Phishing: Targeted employees with access to administrative systems via malicious email attachments.
Legacy Infrastructure: Exploited outdated hardware (e.g., 50-year-old landline systems) and unpatched software.
Post-Compromise Tactics
Custom Malware: Deployed tools like GhostSpider (a backdoor for persistent access) and SnappyBee (for data exfiltration).
Lateral Movement: Used valid credentials and remote services (e.g., SSH, RDP) to spread across networks.
Data Exfiltration: Stole sensitive communications data, including unencrypted SMS, call audio, and wiretap records, encrypting and exfiltrating it via covert channels.
Evasion Techniques:
Log Deletion: Erased traces of activity to hinder forensic analysis.
Obfuscation: Used polymorphic malware and encrypted payloads to avoid detection.
Impact and Consequences
National Security Risks
Exposed sensitive communications of government officials and compromised law enforcement surveillance systems, potentially aiding Chinese spies in evading detection.
Enabled geolocation tracking of millions of individuals and disrupted telecom services for critical infrastructure sectors (e.g., energy, ports).
Economic and Reputational Damage:
Financial losses for telecom providers due to incident response and infrastructure upgrades.
Erosion of public trust in U.S. telecommunications security.
Regulatory Fallout
The FCC proposed annual cyber security certifications for telecom companies and stricter compliance measures.
The Biden administration drafted an executive order to enforce stronger encryption and cloud security standards.
Mitigation and Response
Containment Efforts
Affected companies like Verizon and AT&T claimed to have eradicated active threats, though experts warn of lingering vulnerabilities. I mean, how can you really be sure in such a large network? And what about the thousands of other telcos in the US and the other Five Eyes countries…
CISA and the FBI issued guidance, including patching public-facing systems and disabling risky services like Cisco’s Smart Install.
Policy Changes
Enhanced collaboration between U.S. agencies and Five Eyes allies (Australia, Canada, New Zealand) to share threat intelligence.
Sanctions imposed on Chinese entities, including Sichuan Juxinhe Network Technology Co. and individuals like Yin Kechen.
Volt Typhoon device compromise
Volt Typhoon is a Chinese state-sponsored cyber espionage group first identified by Microsoft in May 2023. It has been active since at least mid-2021, targeting critical infrastructure sectors in the United States and its territories, particularly Guam. The group’s operations focus on stealth, persistence, and reconnaissance, with the suspected long-term goal of disrupting critical communications infrastructure between the U.S. and Asia during geopolitical crises.
The Chinese argue that Volt Typhoon is a US false flag operation: https://www.mps.gov.cn/n2255079/n6865805/n7355748/n7355818/c9806794/content.html
Key Characteristics and Tactics
Targets and Objectives
Sectors: Communications, energy, transportation, government, maritime, utilities, defense, and education.
Geographic Focus: U.S. mainland and Guam, a strategic Pacific territory near potential conflict zones like Taiwan.
Primary Goals: Espionage, credential theft, and maintaining long-term access to networks for potential future disruption.
Stealth Techniques
Living-off-the-Land (LOTL): Relies on built-in system tools (e.g., PowerShell, WMIC, ntdsutil) to avoid detection. Rarely uses custom malware, blending its activity with legitimate administrative tasks.
Proxy Infrastructure: Routes traffic through compromised small office/home office (SOHO) devices (e.g., routers from ASUS, Cisco, NETGEAR) to mask its origin.
Credential Harvesting: Extracts credentials from Active Directory, LSASS memory, and browser data, using valid accounts for lateral movement.
Attack Lifecycle
Initial Access: Exploits vulnerabilities in internet-facing devices (e.g., Fortinet FortiGuard, Citrix, Pulse Secure).
Privilege Escalation: Gains domain admin privileges to access critical systems like domain controllers.
Discovery and Collection: Enumerates network topology, processes, and files using commands like `ping`, `tasklist`, and custom scripts.
Exfiltration: Stages data in password-protected archives (e.g., 7-Zip) for later extraction.
Command and Control (C2)
Uses open-source tools like Impacket and Fast Reverse Proxy (FRP) for encrypted communication over non-standard ports.
Rarely deploys traditional malware, instead relying on hands-on-keyboard activity.
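Because a single LOTL tool run looks like ordinary administration, the practical detection is to correlate several of the behaviours listed above on one host. The following is an added example (not code from the original post): it scores constructed Sysmon-style process-creation events against rules for ntdsutil, WMIC, encoded PowerShell, password-protected 7-Zip staging and FRP binaries, and only flags a host that shows two distinct behaviours within an hour. The rule regexes, field layout and sample events are assumptions.

```python
"""Flag hosts showing several living-off-the-land (LOTL) behaviours together:
ntdsutil/WMIC/PowerShell use, password-protected 7-Zip staging and FRP proxy
binaries, mirroring the tactics listed for Volt Typhoon. Added example over
constructed Sysmon-style process-creation records; rule regexes are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (label, regex on the image path, regex on the command line or None).
# A single hit is normal admin noise; the detector wants several distinct ones.
LOTL_RULES = [
    ("ntds_dump", r"ntdsutil\.exe$", r"\bifm\b"),
    ("wmic_remote_exec", r"wmic\.exe$", r"process\s+call\s+create"),
    ("ps_encoded", r"powershell\.exe$", r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    ("archive_staging", r"7za?\.exe$", r"\s-p\S+"),
    ("frp_proxy", r"frpc?\.exe$", None),
]

# Constructed sample events: (ISO timestamp, host, user, image path, command line)
EVENTS = [
    ("2024-05-01T02:14:05", "DC01", "CORP\\svc_backup",
     r"C:\Windows\System32\ntdsutil.exe", r'ntdsutil.exe ifm "create full C:\Windows\Temp\x"'),
    ("2024-05-01T02:16:40", "DC01", "CORP\\svc_backup",
     r"C:\Program Files\7-Zip\7z.exe", r"7z.exe a -pSECRET C:\Windows\Temp\x.7z C:\Windows\Temp\x"),
    ("2024-05-01T09:00:00", "WS22", "CORP\\alice",
     r"C:\Windows\System32\PING.EXE", "ping 10.0.0.1"),
    ("2024-05-01T09:05:00", "WS22", "CORP\\alice",
     r"C:\Program Files\7-Zip\7z.exe", "7z.exe a report.7z docs"),
]


def match_rules(image, cmdline):
    """Return the LOTL labels satisfied by one process-creation event."""
    hits = []
    for label, img_re, cmd_re in LOTL_RULES:
        if re.search(img_re, image, re.I) and (cmd_re is None or re.search(cmd_re, cmdline, re.I)):
            hits.append(label)
    return hits


def find_lotl_hosts(events, window=timedelta(hours=1), min_distinct=2):
    """Return {host: [labels]} for hosts with >= min_distinct different LOTL
    behaviours inside one sliding window. ping/tasklist alone are too noisy to
    alert on, so a discovery-only host like WS22 is not flagged."""
    per_host = defaultdict(list)
    for ts, host, user, image, cmdline in events:
        for label in match_rules(image, cmdline):
            per_host[host].append((datetime.fromisoformat(ts), user, label))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            labels = {lab for t, _, lab in hits[i:] if t - t0 <= window}
            if len(labels) >= min_distinct:
                flagged[host] = sorted(labels)
                break
    return flagged


if __name__ == "__main__":
    print(find_lotl_hosts(EVENTS))  # {'DC01': ['archive_staging', 'ntds_dump']}
```

On real telemetry the same correlation is usually run per host per day, with a baseline of which service accounts legitimately run ntdsutil (backups) to cut the remaining noise.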
Impact and Implications
Espionage vs. Disruption: While no destructive attacks have been observed, Microsoft assesses with "moderate confidence" that Volt Typhoon is developing capabilities to disrupt critical infrastructure during crises, such as severing U.S.-Asia communications.
Geopolitical Risks: The targeting of Guam, a hub for U.S. military operations, suggests preparation for conflict scenarios involving Taiwan or regional tensions.
Collateral Damage: Integration of IT and OT systems increases the risk of operational disruption, as seen in past incidents where 94% of IT breaches impacted OT environments.
Russian Sandworm attacks during the Russia/Ukraine war
The Sandworm group (also known as APT44, FROZENBARENTS, or GRU Unit 74455) has been a central actor in Russia’s cyber warfare campaign during the Ukraine conflict. Linked to Russia’s military intelligence agency (GRU), Sandworm has executed high-impact attacks targeting Ukraine’s critical infrastructure, military operations, and civilian morale.
Power Grid Attacks
Sandworm is the only group confirmed to have caused blackouts via cyberattacks. During the Ukraine war, its operations evolved to integrate digital and physical warfare:
October 2022 Substation Attack: Sandworm triggered a power outage by exploiting a MicroSCADA control system to trip circuit breakers at a Ukrainian substation. This coincided with Russian missile strikes on the same city, amplifying chaos and hindering recovery efforts. The attack used an ISO image containing scripts to execute malicious SCIL commands, bypassing traditional malware detection.
Industroyer2 Attempt (April 2022): A variant of the 2016 Industroyer malware was deployed to target high-voltage substations. Ukrainian defenders detected and neutralized it before a blackout occurred, though the malware retained capabilities to interact with grid equipment directly.
Destructive Wiper Malware
Sandworm repeatedly deployed data-destroying tools to erase evidence and cripple systems:
CADDYWIPER: A primary tool used since 2022, this malware overwrites files and partitions, rendering systems inoperable. It was deployed in the October 2022 attack to erase traces of intrusion but failed to reach the OT environment fully, suggesting operational miscoordination.
SwiftSlicer (January 2023): A newer wiper targeting Active Directory vulnerabilities, designed to disrupt administrative networks.
Evolution of Tactics
Sandworm shifted from custom malware to stealthier methods to evade detection:
Living-off-the-Land (LotL): Leveraged legitimate tools like PowerShell and MicroSCADA binaries to execute attacks, reducing reliance on detectable custom code.
Operational Speed: Developed OT attack capabilities in as little as two months, reflecting adaptability under wartime pressures.
Hybrid Warfare: Coordinated cyberattacks with kinetic strikes (e.g., missile attacks) to maximize psychological and physical disruption.
Espionage and Intelligence Gathering
As the war progressed, Sandworm expanded its focus to battlefield intelligence:
Infamous Chisel (August 2023): A malware campaign targeting Ukrainian military Android devices, exfiltrating data from communication apps (e.g., Signal, Telegram), authentication tools, and military-specific software.
Mobile Device Exploitation: Collected targeting data from captured Ukrainian devices to aid Russian ground forces.
Global and Political Operations
Beyond Ukraine, Sandworm’s activities align with Russia’s broader geopolitical goals:
Election Interference: Historical operations (e.g., the 2017 French elections) suggest ongoing risks to democratic processes globally.
Proliferation of Cyber Capabilities: Sandworm’s techniques, such as OT-targeting frameworks, have lowered the barrier for other state actors to replicate attacks.
Impact and Ukrainian Resilience
Collateral Damage: Attacks like NotPetya (2017) caused $10 billion in global losses, highlighting spillover risks.
Defensive Successes: Ukrainian agencies, with Western support, thwarted many attacks (e.g., Industroyer2) through rapid detection and collaboration with firms like ESET and Mandiant.
North Korean Silent Chollima
The Silent Chollima group (also known as Andariel, Onyx Sleet, Stonefly, and TDrop2) is a North Korean state-sponsored cyber threat actor linked to the Lazarus Group and the Reconnaissance General Bureau (RGB). Active since at least 2009, the group has evolved from espionage and destructive attacks to financially motivated operations, aligning with Pyongyang’s dual goals of intelligence gathering and revenue generation for its military and nuclear programs.
Key Targets and Objectives
Sectors: Military, defense, aerospace, nuclear technology, energy, education, manufacturing, and cryptocurrency exchanges.
Geographic Focus: Primarily South Korea, the U.S., India, and Japan, with recent expansion into Southeast Asia and Europe.
Primary Goals:
Espionage: Stealing defense secrets (e.g., missile systems, radar technology, nuclear enrichment data).
Financial Theft: Extorting funds via ransomware and targeting cryptocurrency platforms.
Tactics, Techniques, and Tools
Initial Access
Exploiting Vulnerabilities: Leveraged CVE-2023-42793 (TeamCity) and Log4Shell (CVE-2021-44228) for remote code execution.
Spear Phishing: Malicious email attachments (e.g., Word/Excel macros) and fake job offers via LinkedIn.
Watering Hole Attacks: Compromised websites to deliver malware to specific IP ranges.
Malware and Tools
Custom Malware: Dtrack (Preft), Dora RAT, TigerRAT, NineRAT (a DLang-based RAT using Telegram for C2), and FakePenny ransomware.
Open-Source Tools: Sliver C2, Mimikatz, Ngrok, and Chisel for lateral movement.
Post-Exploitation
Credential Theft: Dumped LSASS memory and used Mimikatz to harvest credentials.
Persistence: Created fake services (e.g., `Aarsvc_XXXXXX`) and local admin accounts (e.g., `krtbgt`).
Data Exfiltration: Staged data in password-protected archives and exfiltrated it via SOCKS proxies.
Notable Campaigns
Operation Blacksmith (2023–2024):
Exploited Log4Shell to deploy NineRAT, targeting manufacturing and agricultural firms in South America and Europe.
Used HazyLoad, a custom proxy tool, to maintain stealth.
TeamCity Exploitation (2023–2024): Compromised servers via CVE-2023-42793 to gain administrative control, enabling ransomware deployment.
Ransomware Shift (2024):
Targeted U.S. entities with FakePenny ransomware, demanding Bitcoin payments (~$6.6 million).
Used forged Tableau certificates and tools like Plink and FastReverseProxy to evade detection.
Defense Industry Espionage:
Stole blueprints for advanced weaponry (e.g., submarines, UAVs) and nuclear facility data from South Korean contractors.
Evolution and Strategic Shifts
From Espionage to Extortion: Traditionally focused on high-value intelligence targets, Silent Chollima pivoted to ransomware in 2024, likely to fund state operations amid sanctions.
Collaboration with Lazarus: Shared infrastructure and TTPs with Lazarus subgroups (e.g., Moonstone Sleet) but developed unique tools like NineRAT to avoid attribution.
Impact and Implications
Global Reach: Attacks on critical infrastructure (e.g., energy grids, defense contractors) risk destabilizing geopolitical security.
Financial Losses: Stole over $100 million in 2024 via ransomware and cryptocurrency heists.
Attribution Challenges: Overlapping TTPs with Lazarus and aliases like Jumpy Pisces complicate threat intelligence efforts.
Iranian threat actor group Refined Kitten (aka Peach Sandstorm, aka APT33) targeting OT
APT33, an Iranian state-sponsored threat group, has been active since at least 2013, targeting sectors critical to national security and economic interests.
2024 Tickler Malware Campaign
Targets: U.S. and UAE government, defense, satellite/space, and oil/gas sectors.
Tactics:
Password Spraying: Compromised accounts using common passwords to avoid detection.
Azure Abuse: Fraudulent Azure subscriptions hosted command-and-control (C2) infrastructure for the Tickler backdoor, which collected system data and executed malicious scripts.
Social Engineering: Impersonated professionals on LinkedIn (e.g., talent recruiters, developers) to gather intelligence and distribute malware.
Impact: Microsoft disrupted the Azure infrastructure, halting C2 operations.
Password Spraying & Cloud Exploitation (2023–2024)
Scope: Global campaigns targeting the defense, satellite, pharmaceutical, and education sectors.
Key Methods:
Golden SAML Attacks: Stole Active Directory keys to bypass authentication and access cloud resources.
Lateral Movement: Used SMB and tools like AnyDesk for persistence.
EagleRelay: Custom tool for tunneling traffic through compromised Azure virtual machines.
Post-Compromise: Harvested credentials with Mimikatz and LaZagne, exfiltrated data via FTP, and deployed ransomware in collaboration with groups like BlackCat.
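Password spraying of the kind described in both APT33 sections above has a distinctive shape in sign-in logs: one source, many accounts, only a handful of failures per account (so per-account lockout never fires), then a success on whichever account accepted a common password. The detector below is an added example, not code from the original post; it runs over constructed sign-in records, and the field layout, result codes and thresholds are assumptions.

```python
"""Detect password spraying of the kind attributed to APT33: one source tries a
few passwords against many accounts, then uses whichever one worked. Added
example over constructed sign-in records (not from the original post); the
field layout, result codes and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins: (ISO timestamp, source IP, user, result code)
_SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SIGNINS = [(f"2024-08-20T03:{i:02d}:00", "198.51.100.7", f"{u}@corp.example", "FAIL_BAD_PASSWORD")
           for i, u in enumerate(_SPRAY_USERS)]
SIGNINS.append(("2024-08-20T03:20:00", "198.51.100.7", "bob@corp.example", "SUCCESS"))
# A legitimate user mistyping a password twice, then signing in: must not alert.
SIGNINS += [("2024-08-20T08:00:00", "203.0.113.5", "carol@corp.example", "FAIL_BAD_PASSWORD"),
            ("2024-08-20T08:00:30", "203.0.113.5", "carol@corp.example", "FAIL_BAD_PASSWORD"),
            ("2024-08-20T08:01:00", "203.0.113.5", "carol@corp.example", "SUCCESS")]


def detect_spray(signins, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source_ip: {"accounts": n, "compromised": [users]}} for sources that
    failed against >= min_accounts distinct users within one window while trying
    each user at most max_per_account times (the low-and-slow spray shape, which
    a per-account lockout threshold never sees), plus any sprayed user that later
    succeeded from the same source."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in signins:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, r in rows if r.startswith("FAIL")]
        for i, (t0, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - t0 <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hit = sorted({u for t, u, r in rows if r == "SUCCESS" and t >= t0 and u in per_user})
                findings[ip] = {"accounts": len(per_user), "compromised": hit}
                break
    return findings


if __name__ == "__main__":
    print(detect_spray(SIGNINS))  # {'198.51.100.7': {'accounts': 6, 'compromised': ['bob@corp.example']}}
```

The "compromised" list is the actionable part: those accounts need a credential reset and a session revocation, not just a blocked IP, since the next spray will come from a different address.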
Historical Operations (2013–2019)
Early Focus: Energy (petrochemical) and aerospace sectors in Saudi Arabia, South Korea, and the U.S.
Tools:
TURNEDUP Backdoor: Delivered via phishing emails disguised as job offers.
DROPSHOT/Shamoon: Data-wiping malware linked to destructive attacks on critical infrastructure.
Domains: Registered fake domains mimicking aviation companies to enhance phishing credibility.
Evolution of Tactics
Shift to Cloud: Transitioned from on-premise attacks to exploiting Azure and Microsoft 365 environments.
AI Integration: Experimented with AI-generated content for phishing and influence operations, though less prominently than APT42.
Collaboration with Ransomware Groups: Partnered with BlackCat and RansomHub to monetize breaches.
Key TTPs (MITRE ATT&CK Framework)
Initial Access: Spearphishing links/attachments, password spraying.
Execution: PowerShell, VBScript, and LOLBins (e.g., reg.exe).
Persistence: Registry Run keys, scheduled tasks.
Credential Access: Tools like Mimikatz and ProcDump.
Exfiltration: FTP and DNS tunneling.
Conclusion / So what? What can defenders do?
Beyond general interest in seeing what nation-state attackers do in the real world (how they gain access, how they persist and how they exfiltrate data), there isn’t a huge amount for defenders to learn here, in my humble opinion.
I would still focus on the things that will get you hacked, because, guess what, if you scroll up you will see that a lot of these resonate:
And when you have done those, look at Zero Trust.