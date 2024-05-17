



Since June 2023, Microsoft has observed several cyber and influence trends from China and North Korea that indicate nation-state threat groups are doubling down on familiar targets while using more sophisticated influence techniques to achieve their goals. To protect their organizations against the latest attack vectors and state threats, security teams must stay on top of these trends.

Chinese influence actors are perfecting their techniques and experimenting with AI

In recent months, Chinese cyber actors have largely targeted three main areas: South Pacific island entities, regional adversaries in the South China Sea, and the U.S. defense industrial base. Meanwhile, Chinese influence actors have refined their use of AI-generated and AI-enhanced content while experimenting with new media in an effort to stoke divisions in the United States and exacerbate divisions in the Asia-Pacific region.

For example, in a September 2023 report we explored the use of generative artificial intelligence by Chinese influence operations (IO) assets to create engaging visual content, including AI-generated memes that targeted the United States to amplify controversial domestic issues and criticize the Biden administration. Storm-1376 is one of China's most prolific actors using AI content, with IO campaigns spanning over 175 websites and 58 different languages. Recently, Storm-1376 campaigns have begun using AI-generated photos to mislead the public, fuel conspiratorial content (particularly against the U.S. government), and target new populations with localized content. Last August, Storm-1376 spread a number of conspiratorial posts on social media claiming that the U.S. government deliberately set the fire on the island of Maui in Hawaii to test a military-grade "weather weapon". In addition to publishing the text in at least 31 languages across dozens of websites and platforms, Storm-1376 used AI-generated images of coastal roads and burning residences to make the content more eye-catching. As the 2024 U.S. election cycle approaches, we expect China to continue creating and amplifying AI-generated content aimed at American audiences.

North Korean actors increase software supply chain attacks and crypto heists

On the North Korean side, cyber threat actors stole hundreds of millions of dollars in cryptocurrency, carried out attacks on the software supply chain, and targeted their perceived national security adversaries in 2023. These operations generate revenue for the North Korean government, especially its weapons program, and collect intelligence on the United States, South Korea, and Japan. The United Nations says North Korean cyber actors have stolen $3 billion in cryptocurrency since 2017, with several heists totaling between $600 million and $1 billion in 2023 alone.

A threat actor tracked by Microsoft as Sapphire Sleet has carried out a number of small but frequent cryptocurrency theft operations. The group has developed new techniques for these operations, such as sending fake invitations to virtual meetings containing links to an attacker-controlled domain and registering fake recruitment sites. Sapphire Sleet is known for targeting executives and developers at cryptocurrency, venture capital, and other financial organizations.

We have also seen North Korean actors carry out software supply chain attacks against IT companies, which provided access to those companies' downstream customers. One group, known as Jade Sleet, used GitHub repositories and weaponized npm packages in a social engineering spear-phishing campaign that targeted employees of cryptocurrency and technology organizations. The attackers posed as developers or recruiters, invited targets to collaborate on a GitHub repository, and convinced them to clone and execute its contents, which contained malicious npm packages. Another group, known as Onyx Sleet, exploited the TeamCity vulnerability CVE-2023-42793 to achieve remote code execution and gain administrative control of servers. The group has been linked to software supply chain attacks against at least 10 victims, including a software vendor in Australia and a government agency in Norway, and used post-compromise tools to execute additional payloads.

As North Korea embarks on new government policies and pursues ambitious weapons testing plans, we can expect cryptocurrency heists and supply chain attacks from increasingly sophisticated actors targeting the defense sector. Security teams in defense and related industries must remain vigilant against these threats.
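As an added defensive check for the clone-and-run lure used in the Jade Sleet campaign described above (example code written for this page, not from Microsoft or the report), the following Python audits a cloned repository's package.json for the two things that let such a lure execute code before anyone has read it: lifecycle scripts that npm runs automatically during install, and dependencies fetched from outside the public registry. The package name, script path and git source in the sample are constructed placeholders, not indicators from the report.

```python
import json
import re

# Lifecycle scripts that npm runs automatically during "npm install", i.e. before a
# reviewer has looked at any of the repository's actual source code.
AUTO_RUN_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Dependency specs that resolve outside the public registry: git URLs, http(s)
# tarballs, local paths, and GitHub "owner/repo" shorthand. Plain semver ranges
# such as "^4.18.2" contain no "/" or scheme prefix and therefore do not match.
NON_REGISTRY_SPEC = re.compile(
    r"^(git(\+[a-z]+)?:|https?:|file:|github:|\.{0,2}/|[\w.-]+/[\w.-]+(#.*)?$)"
)


def audit_package_json(text):
    """Return a list of (category, detail) findings for one package.json document."""
    pkg = json.loads(text)
    findings = []
    for script, command in pkg.get("scripts", {}).items():
        if script in AUTO_RUN_SCRIPTS:
            findings.append(("auto-run script", f"{script}: {command}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(("non-registry dependency", f"{dep} -> {spec}"))
    return findings


# Constructed sample modelled on the lure: a project offered by a "collaborator"
# whose install step runs a script and pulls code from a git repository.
# All names here are placeholders, not indicators from the report.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-trading-bot",
  "scripts": {
    "postinstall": "node ./scripts/setup.js",
    "test": "jest"
  },
  "dependencies": {
    "express": "^4.18.2",
    "example-lib": "github:example-org/example-lib"
  }
}"""

if __name__ == "__main__":
    # Run this before "npm install" on any repository received from an unsolicited contact.
    for category, detail in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{category}] {detail}")
```

A clean result does not prove the repository is safe (the malicious code may live in the source itself), but either finding means code runs at install time and warrants review in an isolated environment first.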

