How digital threats from East Asia are increasing in breadth and effectiveness

The East Asian threat landscape is evolving rapidly, and emerging trends from affiliated threat groups have the potential to impact public and private entities across the globe.

Chinese nation-state groups are conducting widespread cyber and influence operations (IO), with a particular focus on the South China Sea region. China also continues to target the US defense sector and probe US critical infrastructure in an attempt to gain competitive advantages for its foreign relations and strategic military aims. Lastly, Microsoft has seen China grow more effective at using IO to engage social media users with content about US elections.

North Korean threat actors are also on the move, demonstrating increased sophistication in their attack capabilities. While North Korea lacks China's level of influence capabilities, it has shown a continued interest in intelligence collection and a growing tactical ability to carry out cascading supply chain attacks and cryptocurrency theft.

All of these changes have serious geopolitical and financial implications for the global threat landscape at large. Keep reading to learn more about evolving East Asian threat trends.

Major trends in Chinese cyber operations

Since the beginning of 2023, Microsoft Threat Intelligence has identified three focus areas for China-affiliated cyber threat actors: the South China Sea, the US defense industrial base, and US critical infrastructure. Below is a deeper dive into what we’re seeing:

  1. Chinese state-sponsored targeting mirrors strategic goals in the South China Sea. China holds a wide range of economic, defense, and political interests in the South China Sea and Taiwan. The offensive cyber activity of Chinese state-affiliated threat actors may be driven by escalating territorial disputes, rising cross-Strait tensions, and an increased US military presence in the region.

Raspberry Typhoon (RADIUM) and Flax Typhoon (Storm-0919) are two prominent threat groups targeting the South China Sea and Taiwan. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure (particularly telecoms) for intelligence collection and malware execution. Flax Typhoon primarily targets Taiwan and is focused on telecommunications, education, information technology, and energy infrastructure, leveraging custom VPN appliances to directly establish a presence within target networks.

  2. Chinese threat actors turn attention toward Guam as the US builds a Marine Corps base. The US defense industrial base faces threats from numerous Chinese nation-state groups, namely Circle Typhoon (DEV-0322), Volt Typhoon (DEV-0391), and Mulberry Typhoon (MANGANESE).

Circle Typhoon leverages VPN appliances to target IT and US-based defense contractors for resource development, collection, initial access, and credential access. Volt Typhoon has also conducted reconnaissance against US defense contractors; however, one of its most frequent targets is the satellite communications and telecommunications entities housed in Guam. The group often compromises small office and home office (SOHO) routers, typically to build operational infrastructure whose traffic blends in with ordinary residential activity. Volt Typhoon also targets critical infrastructure entities in the United States. Finally, Mulberry Typhoon targets the US defense industrial base with zero-day exploits against network devices.

  3. Chinese threat groups target US critical infrastructure. Microsoft has observed Chinese state-affiliated threat groups targeting US critical infrastructure across multiple sectors. Volt Typhoon has been the primary group behind this activity since at least the summer of 2021, and the full extent of this activity is still not known.

Targeted sectors include transportation (such as ports and rail), utilities (such as energy and water treatment), medical infrastructure (including hospitals), and telecommunications infrastructure (including satellite communications and fiber optic systems). Microsoft Threat Intelligence teams assess that this campaign could provide China with capabilities to disrupt critical infrastructure and communications between the US and Asia.

These areas are not China’s sole priority, however. Microsoft has also observed IO affiliated with the Chinese Communist Party (CCP) successfully scale and engage with target audiences on social media. Ahead of the 2022 US midterms, Microsoft and industry partners observed CCP-affiliated social media accounts impersonating US voters across the political spectrum. These accounts even responded to comments from authentic users.

China has grown this agenda even further in 2023 by reaching audiences in new languages and on new platforms. These operations combine a highly controlled overt state media apparatus with covert social media assets, like bots, that launder and amplify the CCP’s preferred narratives.

Major trends in North Korean cyber operations

In contrast to China, North Korean cyber threat actors appear to have three main goals. They are as follows:

  1. Collect intelligence on perceived North Korean adversaries like South Korea, the US, and Japan. Emerald Sleet (THALLIUM) is the most active North Korean threat actor that Microsoft has tracked in 2023. In particular, we’ve seen Emerald Sleet send frequent spearphishing emails to Korean Peninsula experts around the world for intelligence collection purposes. In December 2022, Microsoft Threat Intelligence detailed Emerald Sleet’s phishing campaigns targeting influential North Korea experts in the US and US-allied countries. Rather than deploying malicious files or links to malicious websites, Emerald Sleet employs a distinctive tactic: impersonating reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary on foreign policy related to North Korea. Because such a message carries no payload, link- and attachment-based filtering sees nothing to block; the signal lies in who is asking and where the reply will go.
  1. Collect intelligence on other countries’ military capabilities to improve their own. Although North Korea is providing material support for Russia in its war in Ukraine, multiple North Korean threat actors have recently targeted the Russian government and defense industry. In March 2023, a threat group known as Ruby Sleet compromised an aerospace research institute in Russia. Around the same time, a separate group known as Onyx Sleet (PLUTONIUM) compromised a device belonging to a Russian university. Separately, an attacker account attributed to Opal Sleet (OSMIUM) sent phishing emails to accounts belonging to Russian diplomatic government entities. North Korean threat actors may be capitalizing on the opportunity to conduct intelligence collection on Russian entities while the country is focused on its war in Ukraine.
  1. Collect cryptocurrency funds for the state. Microsoft assesses that North Korean activity groups are conducting increasingly sophisticated operations through cryptocurrency theft and supply chain attacks. In January 2023, the Federal Bureau of Investigation (FBI) publicly attributed the June 2022 theft of $100 million in cryptocurrency from Harmony’s Horizon Bridge to Jade Sleet (DEV-0954), a.k.a. Lazarus Group/APT38. Furthermore, Microsoft attributed the March 2023 3CX supply chain attack that leveraged a prior supply chain compromise of a US-based financial technology company in 2022 to Citrine Sleet (DEV-0139). This was the first time Microsoft observed an activity group using an existing supply chain compromise to conduct another supply chain attack, which demonstrates the increasing sophistication of North Korean cyber operations.
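The Emerald Sleet lure described in the first item above contains no malicious link or attachment, so it is worth showing what a defender can still check. The following is an added example, not Microsoft's code or a detection it publishes: it parses a constructed sample message (the institution name, domains and addresses in it are hypothetical), compares the From and Reply-To domains, flags replies routed to freemail, and notes when the body asks for a substantive reply while carrying no link or attachment. The trusted-domain list and the phrase patterns are illustrative assumptions rather than a production ruleset.

```python
"""Header- and body-level checks for "reply with your analysis" lures.

Added example (not Microsoft's code). Sample messages are constructed; the
domains, addresses, trusted-domain list and phrase patterns are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lure in the style described above: institutional display name,
# no link, no attachment, replies routed to a freemail account, and a request
# for the target's own analysis.
SAMPLE_LURE = """\
From: "Korea Policy Institute" <research@korea-policy-institute.org>
Reply-To: kpi.research.desk@gmail.com
To: analyst@example.org
Subject: Request for expert commentary on recent DPRK missile tests
Content-Type: text/plain; charset="utf-8"

Dear Dr. Analyst,

We are preparing a short briefing for policymakers and would value your
assessment of Pyongyang's recent launches. Could you reply with a few
paragraphs by Friday? We would be glad to cite you by name.

Kind regards,
Research Desk
"""

# Constructed benign message from a colleague on the recipient's own domain.
SAMPLE_BENIGN = """\
From: "Jane Colleague" <jane@example.org>
To: analyst@example.org
Subject: Draft slides for Thursday
Content-Type: text/plain; charset="utf-8"

Hi, the draft deck is on the shared drive under /briefings/2023-09.
See you Thursday.
"""

TRUSTED_DOMAINS = {"example.org"}  # assumption: the recipient's own domain(s)
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
LINK_RE = re.compile(r"(https?://|www\.)", re.I)
# Phrases that ask the target to produce content in a reply (assumed list).
ASK_RE = re.compile(
    r"\b(could you reply|please reply|reply with|"
    r"your\s+(views?|assessment|thoughts|commentary|insights?))\b",
    re.I,
)


def _domain(header_value):
    """Bare lowercase domain from a From/Reply-To header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Return findings and a verdict ('review' or 'pass') for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = _domain(msg.get("From"))
    # Absent Reply-To means replies go back to the From address.
    reply_domain = _domain(msg.get("Reply-To")) or from_domain
    if reply_domain != from_domain:
        findings.append("reply-to differs from From domain")
    if reply_domain in FREEMAIL_DOMAINS:
        findings.append("replies routed to a freemail account")
    if from_domain not in TRUSTED_DOMAINS:
        findings.append("sender domain not in trusted list")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    has_link = bool(LINK_RE.search(body))
    has_attachment = any(True for _ in msg.iter_attachments())
    asks_for_reply = bool(ASK_RE.search(body))
    if asks_for_reply and not has_link and not has_attachment:
        findings.append("requests a substantive reply with no link or attachment")

    # A payload-free lure gives link/attachment scanners nothing to act on; the
    # combination of a reply request with replies leaving the claimed
    # institution's domain is what earns a human review here.
    suspicious = asks_for_reply and not has_link and not has_attachment and (
        reply_domain != from_domain or reply_domain in FREEMAIL_DOMAINS
    )
    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "findings": findings,
        "verdict": "review" if suspicious else "pass",
    }


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_message(raw))
```

The checks are deliberately narrow: a legitimate institution that sets Reply-To to a shared mailbox on its own domain passes, while the constructed lure is routed to review because its replies leave the institution's domain entirely. In practice the trusted-domain set would come from the organization's known-correspondent list rather than a literal.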

What’s next?

China has continued to expand its cyber capabilities in recent years, and we’ve witnessed CCP-affiliated groups grow more effective and more ambitious with their IO campaigns. Moving forward, we expect wider cyber espionage against both opponents and supporters of the CCP’s geopolitical objectives on every continent. While China-based threat groups continue to develop and use impressive cyber capabilities, we have not observed China combine cyber and influence operations, unlike Iran and Russia, which engage in hack-and-leak campaigns.

North Korea will also remain focused on targets related to its political, economic, and defense interests in the region.

As organizations work to protect against these nation-state groups, expect to see more operations leveraging video and visual media. CCP-affiliated networks have long used AI-generated profile pictures and this year have adopted AI-generated art for visual memes. We also expect China to continue seeking authentic audience engagement by investing time and resources in cultivated social media assets.

Lastly, Taiwan and the US are likely to remain the top two priorities for Chinese IO, particularly with upcoming elections in both countries in 2024. Given that CCP-aligned influence actors have targeted US elections in the recent past, it is nearly certain that they will do so again. Social media assets impersonating US voters will likely demonstrate higher degrees of sophistication, actively sowing discord along racial, socioeconomic, and ideological lines with content that is fiercely critical of the US.

Visit Microsoft Security Insider to learn more about the latest cybersecurity trends and, for more information on nation-state threats, check out our latest report.
