The scale of Beijing's systematic tapping of private industry and universities to build up its formidable hacking and cyber-warfare capabilities is larger than previously understood.

Source: KaimDH via Shutterstock

Hundreds of private cybersecurity firms, technology services providers, and universities are helping China's state apparatus develop offensive cyber capabilities to support the country's strategic military, economic, and geopolitical goals, according to research released this week.

"The existence of state-sponsored threat groups operating under the Chinese state's direction has long been well documented," researchers at France's Orange Cyberdefense wrote in their report, based on eight months of analysis of China's cyber-offense capabilities. But any notions that these entities are strictly in government hands, especially given the authoritarian nature of China's government, are off base, the authors warned. "China's offensive cyber capabilities are, in fact, supported by a complex and multilayered ecosystem involving a broad array of state and non-state actors," they wrote.

Their findings provide deeper context on the troubling success that Chinese cyber actors have had infiltrating US critical infrastructure, breaching government, military, and business networks, not to mention theft of defense data, trade secrets, and intellectual property from American entities and others around the world.

**An Extensive Ecosystem**

The synergies have enabled quicker government access to cutting-edge technology and talent, especially in critical areas such as artificial intelligence (AI), big data analytics, 5G wireless, and cloud computing, says Dan Ortega, security strategist at Anomali. "China's collaboration between its tech companies and state entities has dramatically accelerated the development of its cyber-offensive capabilities," Ortega says. Importantly, it has also allowed the nation to scale state-sponsored cyber missions effectively. And that collaboration enables government access to vast data sets collected by companies, facilitating enhanced targeting and more-effective cyberattacks, he notes.

"China fosters formal and informal partnerships with tech firms through initiatives like the Military-Civil Fusion strategy, mandating companies to share their technological advancements and insights with the state," he says. A feedback loop exists in which innovations made in the private sector directly enhance state capabilities.

**Poised to Strike?**

The Orange report arrives as domestic concerns grow over Chinese cyberattacks on US entities, such as operations like Volt Typhoon's targeting of critical infrastructure organizations. Many in government and industry are convinced that Chinese groups have attained the presence they need on US networks to cause widespread disruption to domestic energy, telecommunications utilities, and technology services. Such concerns prompted the Office of the Director of National Intelligence (ODNI) to describe China as the "most active and persistent cyber threat to US government, private sector, and critical infrastructure networks," in its 2024 annual report.

Orange's research showed the four main government stakeholders responsible for building and executing China's cyber-offense capabilities are the People's Liberation Army (PLA), the Ministry of State Security (MSS), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT). Their multipronged efforts include actively recruiting or otherwise supporting private hackers and hacktivists in activities such as data theft, website defacement, and distributed denial-of-service attacks.

**Hundreds of Private Firms**

Under the current model, the government stakeholders are working with hundreds of private companies, both big and small, to carry out cyberattacks against foreign and domestic entities that are of strategic interest to Beijing, the Orange report noted. One example of big-player involvement in the report is Shanghai stock exchange-listed Integrity Technology Group (ITG), which the FBI has linked to the Flax Typhoon APT. Like ITG, many of China's top technology companies are also the state's biggest cyber contractors, according to Orange's report. "Enterprises such as ThreatBook, Qihoo360, and Qi An Xin not only provide defensive security solutions to public agencies but are also believed to indirectly contribute to offensive cyber operations."

At the other end of the spectrum are dozens of smaller and medium-size private entities that often act as subcontractors for the bigger companies and deliver a range of highly specialized services. One example is i-Soon, a 72-person Shanghai firm whose ties to the Chinese government emerged after a leak earlier this year. "These entities often act as subcontractors to the industry giants, filling the gap in their cyber offensive competencies and further fragmenting the hack-for-hire supply chain," Orange's researchers wrote. The company found that while in many instances, China's PLA, MSS, and others worked with legitimate private entities, others created shell companies that acted as fronts for procuring cyberattack infrastructure.

**Tapping Top Universities**

The Chinese government's efforts to rope in academic institutions began in earnest in 2017. Today many universities — including eight of the C9 League of China's top nine public universities — are engaged in state-sponsored cyber-offense research, according to Orange. Their contributions range from advanced research on the use of AI in cybersecurity to helping state operatives translate stolen documents and gathering open source intelligence.

Trey Ford, chief information security officer at Bugcrowd, says the willingness among Chinese companies to work for the government point up very different business norms in China. While organizations in countries like the US are beholden to fiduciary, legal, ethical, and privacy norms, those in China have a different set of obligations. "Communist government-backed organizations, aligned to formal Five-Year economic and military objectives, will have very different outcomes in mind, and can make different investments and sacrifices than capitalist businesses," he says.

Customer trust and user privacy are different context in China than in the US and other western nations, Ford says.  "Companies doing business in China must run their services in-country today. This includes the expectation of access to their systems, data, intellectual property — as well as their customers' data."

The continued expansion of China's cyber ecosystem will lead to more sophisticated attacks and better targeting of intellectual property and critical infrastructure through trusted business relationships, cautions Stephen Kowski, field chief technology officer at SlashNext Email Security+. "This model could enable more advanced supply chain compromises and social engineering attacks that bypass traditional security controls," Kowski says. "China's civil-military fusion model creates a seamless flow of technology and expertise between private sector innovations and state-sponsored cyber operations, enabling faster deployment of advanced attack techniques."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's Cyber Offensives Built in Lockstep With Private Firms, Academia

Apple Security Advisory 11-19-2024-5 - macOS Sequoia 15.1.1 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1

macOS Sequoia 15.1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121753.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

JavaScriptCore  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited on Intel-based Mac systems.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 283063  
CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's Threat  
Analysis Group

WebKit  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack. Apple is aware of a report that this issue may  
have been actively exploited on Intel-based Mac systems.  
Description: A cookie management issue was addressed with improved state  
management.  
WebKit Bugzilla: 283095  
CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's Threat  
Analysis Group

macOS Sequoia 15.1.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JSQACgkQX+5d1TXa  
Ivo92g/8Dm9sVuOeQTu56JLi2yAlbu9NK8Udb4ByFIsi63HWksJ6rK9LzZfTF8Yd  
Z3SBk7aIHl9tMj2gJ6QJ71SwCdN/fTnAC9na5fZwUjdsjuH1uoPmiMSA48MDwmQC  
vf6grIhskLNi0bQrpcKR1C79fmGlO7Nua3zmbvdvs41/3g3A7udvf2KpZTkkDrP4  
+zwsVCJCu4xHTo5bU0NrM/Cbon+TO01/gyhnngZzl65bIPkhyeEDiVHW3K6aKDA8  
XpClgMGe7ZIRao0hmqqK+YYPso/yDdUDpHlfEFL/YYseVThd+t6EPn4irWFPCPTv  
usiMVUpOpqmMHfPaVO/uzwDR/wgpB8ws4BsBjytQ2q5ZZgyxsIUx6cEJazgbRXtI  
UIJWgodel8AClhWrRo8c14rIuUH1jqMh8EcbimFdC62vSivuNgwNdBd5U2wRnELr  
w1I65s3u7f3Qly8himbl+41ueYcgInsVld7206tk8Ygmm7zA4kupLBEH+EeK43c3  
2P0NF7CMQCnJcwbEqusIUi8AOSN2VgGi9E6BjjJGnLhbbieX/ssKTTbv+mt0ctyq  
5uB3WUZBDbhJKj8p/0+iBAlzZUJDkrudmy8No9Zc2ImTcZ61gP2Zbh/5lcI8hZu+  
SKOrc+1s5nRW1FcGXL2ZzjtnmXnU6DGFfN7stVtTmVAg4dEWzeo=  
=IY5p  
-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-5

Apple Security Advisory 11-19-2024-4 - iOS 17.7.2 and iPadOS 17.7.2 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121754.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 17.7.2 and iPadOS 17.7.2".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JGcACgkQX+5d1TXaIvqaMhAArOKmA61hgLNGofjznuKQo6Jc42iPl7a/ZiB2Tq5ynZKPIGmGiM3HdJQ8bbifOgpkmNcA3h1OUlXnnkbdehq6d8MzI9WSn6uHdgWZ5LqLMXOWgsEF5Hwwmm7zaqTaqMv4fV2J6w2wTcoL5XptxGXiEi37/GzcureD3hvL+nRAAzR6c/gRXmcEjGL7pVTNJA0C8VyY9kG+Uc7ia2m5Riux2jsYzWYppPfCwUFeo3bQDexG7WsiHa00OZN+HkNS5/1t/7hftJZ+w/PbVnEK23Dm962NQgCrcFKGnbjNGJQlIjl+xfbi6BuQ6lJJZAI+3WqPHXLAMCcae/DfERqXWnJu8fTMfCwCbQVx185Cih+mtH0oc4MtPtiZdhi8TxZpVGZHYjLJa9VANTrNzkAmFflnhAC4tAG2FXx3ld3t/8u9Fhv0oyTa5HlzVYJ/WJgK32eT7I1h7Oqrp49KZcMIM8H6ZwNXYOI+Rf7GXdEN2y9Qhb+IOvdilTrCTpzRl6Gu6fBwH0G0UGHRktnBPlryJdOg26J1iVBZg6/K/CSjQizWdDXN/Nq4YwI17Eq4HtFdtOtrs5n0bDz+fsfGbsieTyUz1BUet2xLzPECfD4nYEKmckD1d/dRylc3vK9YGOCp1nWDoPSKnmkU9Il2SFAIuEM9o60lCN7PMWBrC9zYXMAxFmY==+VKC-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-4

Apple Security Advisory 11-19-2024-3 - iOS 18.1.1 and iPadOS 18.1.1 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121752.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 18.1.1 and iPadOS 18.1.1".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JA8ACgkQX+5d1TXaIvrGzw/+PXf2fGgzCN5of6OYK0sWiJRRLZoL0uSZ9dOaD7I0/CyAx91Mv4OyH9Vveo9k84ZABNk4IO401WWLM8XSRSVILTcskT+SdXZrtOMYvmtUHUPKI35OWf1GBFdkgfnnFSRYf/B+WWb4PV0iO01lyFQVU5qDLcrUCAUQLwighfAX2yEn+Zml3NX6i2E5o2Rhc93Nac5a2cIcOGOSKrwsor0sh8NkAl9DcyPW6i6K3t59lUjiUY9XZQtEi6AyrChA84mo6Hb8wLwVIY17b8LVuruOSn3xg+Cc5eO5bOXp1O5lnR3dhuiZ2bl5BKawrp8+MDRsBZuTPS0k2Di3rmzuZ/GnvaQdtQKhcbOQ7tWW6evk/8TnFwlULaCr26OVbuLj0NWJ7GJYWpPuRWO0lFy9z9Fjdk4n+ptA7qmSWrhbdl+/uwUxJA5X58pVRWeWBExGP3S/ST/5YgAfZXBjHuDLiHKMOtQ3PktaMuEWhLFgGXNllXGQDihL4lS/XUQ1/E+mpWyY+kAbjtmCYlpez5MgeLkVv66yEWhOhsBMNIM+jkkRjktJo2SfhJMSryNLQlY37zn/VWf8Av+L60YoZhoMmx7DJLIr+HI257zbIE35CVZ+badn18d3eA+fq3RPtsDD8nlUePyZeNhEvc30Y5hXsIyK+Z0Ny+JgJfP1E6BeAJjjci0==ifwz-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-3

In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

For determined hackers, sitting in a car outside a target's building and using radio equipment to breach its Wi-Fi network has long been an effective but risky technique. These risks became all too clear when spies working for Russia's GRU military intelligence agency were caught red-handed on a city street in the Netherlands in 2018 using an antenna hidden in their car's trunk to try to hack into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons.

Since that incident, however, that same unit of Russian military hackers appears to have developed a new and far safer Wi-Fi hacking technique: Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, remotely hacked into a laptop in that neighboring building, and used that computer's antenna to break into the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil.

At the Cyberwarcon security conference in Arlington, Virginia, today, cybersecurity researcher Steven Adair will reveal how his firm, Volexity, discovered that unprecedented Wi-Fi hacking technique—what the firm is calling a “nearest neighbor attack"—while investigating a network breach targeting a customer in Washington, DC, in 2022. Volexity, which declined to name its DC customer, has since tied the breach to the Russian hacker group known as Fancy Bear, APT28, or Unit 26165. Part of Russia's GRU military intelligence agency, the group has been involved in notorious cases ranging from the breach of the Democratic National Committee in 2016 to the botched Wi-Fi hacking operation in which four of its members were arrested in the Netherlands in 2018.

In this newly revealed case from early 2022, Volexity ultimately discovered not only that the Russian hackers had jumped to the target network via Wi-Fi from a different compromised network across the street, but also that this prior breach had _also_ potentially been carried out over Wi-Fi from yet another network in the same building—a kind of “daisy-chaining” of network breaches via Wi-Fi, as Adair describes it.

“This is the first case we’ve worked where you have an attacker that’s extremely far away and essentially broke into other organizations in the US in physical proximity to the intended target, then pivoted over Wi-Fi to get into the target network across the street,” says Adair. “That’s a really interesting attack vector that we haven’t seen before.”

A slide describing the “nearest neighbor attack” that Russian hackers used to breach a DC network via Wi-Fi, from the Cyberwarcon presentation of Volexity founder Steven Adair.

Illustration: Volexity

Based on the hackers' targeting of individuals within their customer's network, Adair says that the GRU hackers appear to have been seeking intelligence about Ukraine. It's no coincidence, he says, that the daisy-chained Wi-Fi-based intrusion was carried out in the months just before and after Russia's initial full-scale invasion of Ukraine in February 2022.

Adair argues, though, that the case should serve as a broader warning about cybersecurity threats to Wi-Fi for high-value targets—and not just from the usual suspects loitering in the parking lot or the lobby. “Now we know that a motivated nation-state is doing this and has done it,” says Adair, “It puts on the radar that Wi-Fi security has to be ramped up a good bit.” He suggests organizations that might be the target of similar remote Wi-Fi attacks consider limiting the range of their Wi-Fi, changing the network's name to make it less obvious to potential intruders, or introducing other authentication security measures to limit access to employees.

Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. “I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?” he says. “We came up dry.”

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted—in fact, the name of another organization just across the road. “At that point, it was 100 percent clear where it was coming from,” Adair says. “It's not a car in the street. It's the building next door.”

With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from _another_ network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. “Who knows how many devices or networks they compromised and were doing this on,” says Adair.

In fact, even after Volexity evicted the hackers from their customer's network, the hackers tried again that spring to break in via Wi-Fi, this time attempting to access resources that were shared on the guest Wi-Fi network. “These guys were super persistent,” says Adair. He says that Volexity was able to detect this next breach attempt, however, and quickly lock out the intruders.

Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group—Microsoft refers to the group as Forest Blizzard—to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. “It was an exact one-to-one match,” Adair says.

The notion that APT28 would be behind the daisy-chained Wi-Fi hacking makes sense, says John Hultquist, the founder of Cyberwarcon who also leads threat intelligence at Google-owned cybersecurity firm Mandiant and has long tracked the GRU hackers. He sees the technique Volexity uncovered as the natural evolution of APT28's “close-access” hacking methods, in which the GRU has sent small traveling teams in person to hack into target networks via Wi-Fi if other methods failed.

“This is essentially a close-access op like they’ve done in the past, but without the close access,” Hultquist says.

The switch to hacking via Wi-Fi from a remotely compromised device rather than physically placing a spy nearby represents a logical next step following the GRU's operational security disaster in 2018, when its hackers were caught in a car in The Hague attempting to hack the Organization for the Prohibition of Chemical Weapons in response to the OPCW's investigation of the attempted assassination of GRU defector Sergei Skripal. In that incident, the APT28 team was arrested and their devices were seized, revealing their travel around the world from Brazil to Malaysia to carry out similar close-access attacks.

“If a target is important enough, they’re willing to send people in person. But you don’t have to do that if you can come up with an alternative like what we’re seeing here,” Hultquist says. “This is potentially a major improvement for those operations, and it’s something we’ll probably see more of—if we haven’t already.”

Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack

Cybersecurity researchers have discovered two malicious packages uploaded to the Python Package Index (PyPI) repository that impersonated popular artificial intelligence (AI) models like OpenAI ChatGPT and Anthropic Claude to deliver an information stealer called JarkaStealer.
The packages, named gptplus and claudeai-eng, were uploaded by a user named "Xeroline" in November 2023, attracting

PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries

PRESS RELEASE

PALO ALTO, Calif., Nov. 19, 2024 /PRNewswire/ -- As artificial intelligence (AI) continues to revolutionize industries, the cybersecurity field faces a dual-edged sword of opportunities and threats. StrongDM's latest report, "The State of AI in Cybersecurity," highlights the growing concerns and readiness of cybersecurity professionals to tackle AI-driven challenges. Based on a survey of 600 cybersecurity professionals, the report sheds light on pressing issues around AI regulation, perceived threats, defense confidence, and the future of the cybersecurity workforce.

Key Findings from the Survey:

*   Regulation Concerns: 76% of cybersecurity professionals believe AI should be "heavily regulated" to prevent misuse, underscoring the need for balance between safety and innovation.
    
*   AI-Driven Threats: A significant 87% of respondents expressed concerns about AI-driven cyberattacks, with malware (33%) and data breaches (30%) ranking as top threats.
    
*   Preparedness Levels: Only 33% of professionals feel "very confident" in their current defenses, and 65% of companies admit they are not fully prepared for AI-powered attacks.
    
*   Workforce Impact: Despite challenges, two-thirds of respondents feel optimistic about AI's potential to enhance, rather than replace, jobs in cybersecurity.
    

A Call for Regulation Amid Rapid AI Growth: The report reveals that 76% of surveyed professionals support "heavy regulation" of AI to mitigate potential risks. However, 15% worry that excessive oversight could stifle innovation. This underscores a need for balanced regulations that ensure security while fostering technological advancement.

Growing Concern Over AI-Powered Attacks: AI's potential to enable new attack vectors is top of mind for cybersecurity professionals, with 87% citing concern over AI-driven threats. Malware and data breaches emerged as the leading AI-powered concerns, with 33% and 30% of respondents, respectively, indicating their apprehension over these types of attacks.

Confidence Levels Are Low, but Hope Persists: The report highlights a stark contrast in preparedness, as only 33% of respondents expressed being "very confident" in their current defenses against AI threats. Meanwhile, 46% felt "somewhat confident," and 17% admitted their organizations were not ready for AI-driven attacks. These findings emphasize an urgent call for stronger strategies and investments to bolster AI-specific defenses.

Companies Playing Catch-Up: StrongDM's research found that 65% of respondents admitted their organizations are not fully prepared for AI-driven threats. While 32% of companies are actively investing in AI defenses, 48% say there's still much to be done to close the gap.

AI's Mixed Impact on the Cybersecurity Workforce: Despite the concerns surrounding AI, two-thirds of cybersecurity professionals maintain an optimistic outlook on the technology's impact on their jobs. 40% believe AI will enhance job roles without replacing them, and 25% foresee the creation of new job opportunities. Nonetheless, 30% expressed fears of job replacement, showcasing the nuanced views professionals hold on AI's future role in the workforce.

Complete Study Results: https://www.strongdm.com/blog/state-of-ai-in-cybersecurity-report

Methodology 

The report is based on a survey conducted in October 2024, targeting 600 US-based cybersecurity professionals. The survey was completed online via Pollfish, and responses were random, voluntary, and completely anonymous.

About StrongDM 

StrongDM is at the forefront of cybersecurity, specializing in Zero Trust Privileged Access Management (PAM). Our innovative solutions focus on continuous, policy-based controls that leverage actions and context to enhance enterprise security. StrongDM's technology scrutinizes each interaction in real time, preventing breaches before they occur and ensuring secure, frustration-free access across all platforms.

Supported by leading investors, including GV, Sequoia Capital, True Ventures, and Anchor Capital, StrongDM operates across North America, Europe, and Asia-Pacific, dedicated to setting new standards in cybersecurity and providing top-tier protection for today's digital enterprises.

For more information, visit the StrongDM website.

Study Finds 76% of Cybersecurity Professionals Believe AI Should Be Heavily Regulated

PRESS RELEASE

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- VISO TRUST, a leader in AI-powered third-party risk management (TPRM), today announced the closing of its latest funding round of $7M in additional funding, bringing the total raised to $24M, with participation from both existing investors, Bain Capital Ventures, Work-Bench, Sierra Ventures, and Lytical Ventures, and new investors, Allstate Strategic Ventures, Cisco Investments, EnvisionX Capital, and Scale Asia Ventures.

This funding will further VISO TRUST's mission to transform TPRM through an adaptive AI-driven platform, bringing enhanced security intelligence and seamless third-party risk management to enterprises worldwide.

Enhancing Third-Party Risk Management with Integrated Security Intelligence

VISO TRUST's AI-powered platform delivers real-time, evidence-based assessments by intelligently collecting, analyzing, and continuously monitoring artifacts from vendors. This approach removes friction for vendors, eliminates the manual analysis burden for TPRM professionals, and enables comprehensive, high-quality assessments. The platform analyzes control presence, testing methodologies, exceptions, Nth-party references, and more, allowing security teams to focus on strategic initiatives.

VISO TRUST's AI-driven automation platform has become the industry benchmark for third-party risk management for industry leaders like Upwork, Instacart, Notion, and Bain Capital. By leveraging intelligent automation, VISO TRUST reduces vendor assessment and onboarding time by up to 90%, cutting TPRM hours to mere minutes per vendor and enabling enterprises to achieve comprehensive risk management at scale. With rapid assessments completed in just 5-7 days and a remarkable 98% vendor adoption rate, the platform empowers organizations to make informed, proactive risk decisions.

Paul Valente, CEO of VISO TRUST, commented on the funding round:

"We're excited to assemble a set of complementary and deep tech investors to advance our mission of transforming third-party risk management. This funding will enable us to accelerate the innovation of our platform, creating a robust ecosystem that integrates security intelligence and aligns with today's complex business workflows."

An investment in Next-Generation Monitoring and Response

VISO TRUST is at the forefront of next-generation monitoring, aggregating and analyzing diverse sources of vendor intelligence, including breach advisories, Software Bill of Materials (SBOM), and SEC filings. The platform provides real-time insights, enabling teams to make data-driven decisions, respond swiftly to emerging threats, and maintain continuous compliance, offering a distinct advantage in managing evolving cyber risks across the cloud-first, AI-driven enterprise landscape. This funding round will allow VISO TRUST to scale its unique artifact-based platform, creating an adaptable AI governance framework focused on real risk reduction.

"VISO TRUST's platform reshapes governance, risk, and compliance, enabling organizations to streamline vendor risk assessments and manage evolving cyber risks with agility in an increasingly complex digital landscape leveraging AI," said Janey Hoe, vice president, Cisco Investments. "As part of Cisco's AI Fund, we are excited to help accelerate VISO TRUST's mission to enhance security intelligence and real-time monitoring capabilities for enterprises worldwide."

VISO TRUST continues to build a future in governance, risk, and compliance where AI not only strengthens security but empowers organizations to navigate the dynamic and high-stakes digital landscape with resilience and precision.

About VISO TRUST

VISO TRUST is an AI-driven third-party risk management platform transforming traditional vendor risk assessments through automation and acceleration. Our platform provides continuous monitoring, risk remediation, Nth-party intelligence, and seamless workflow integrations, serving a global customer base across sectors like financial services, healthcare, and technology. VISO TRUST helps organizations mitigate the risks of vendor relationships at scale.

For more information, visit www.visotrust.com or contact \[email protected\].

VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

In a sign of the times, a backdoor malware whose ancestors date back to 2005 has morphed to target Linux systems.

Source: Imagebroker via Alamy Stock Photo

Two well-documented Chinese backdoors have recently been modified to operate on Linux systems.

The advanced persistent threat (APT) "Gelsemium" is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace their lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments.

This, experts say, is merely the latest manifestation of a long-brewing trend.

"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back office server needs, both on premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."

**The Wolfsbane & Firewood Backdoors**

The first public sample of the first new backdoor, dubbed Wolsbane, was uploaded to VirusTotal on March 6, 2023, from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia).

Contextual evidence suggests that the malware's authors have been exploiting vulnerabilities in Java Web applications to access public-facing Apache Tomcat servers. And a deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, the Wolfsbane malware was a Linux port of Gelsevirine, featuring a modified Beurk Experimental Unix RootKit to hide its various malicious activities.

Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. An addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit. 

Most interestingly, Firewood appears to be the latest evolution of "Project Wood," a phylum of a backdoor that traces back generations to a program first compiled in January 2005. The latest manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.

**What Explains the Surge in Linux Cyber Threats?**

Cyber threats rise across the board every year, but the particular rise in Linux-based threats stands out. 

Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual "Global Threat Report," Elastic Security has regularly found that the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.

Over the past 12 months, around 32% of malware infections have targeted Linux, according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication. The XZ/Liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.

The rising threats to Linux may be attributable to an increasing adoption of Linux in enterprise environments, as Soroko alluded to, or the generally improving state of Windows security — the explanation ESET went with in its blog post — or an explanation even simpler.

"One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. For example, "A growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search…

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search deals, and restructuring its operations to limit monopoly.

As part of its antitrust lawsuit against Google, the U.S. Department of Justice (DOJ) has proposed major changes that could entirely change the tech giant’s business structure and its role on the Internet.

The DOJ’s latest filing seeks the divestiture of key Google assets, including its Chrome browser, and calls for structural changes that could impact Android and its search operations. Google has strongly criticized the proposals, framing them as a threat to innovation, security, and consumer choice.

****Background of the Lawsuit****

The DOJ first filed its antitrust lawsuit against Google **in October 2020**, accusing the company of abusing its dominance in the search engine market to squash competition. The case focuses on Google’s search distribution agreements with major partners, such as Apple, Mozilla, and smartphone manufacturers, which allegedly back its **monopoly** by making Google Search the default on browsers and devices.

The DOJ argues that these practices harm competition by blocking rival search engines from gaining a foothold in the market. Central to the case is the allegation that Google’s actions prevent fair competition and innovation, ultimately harming consumers.

****What the DOJ Proposes****

Hackread.com analysed the DoJ’s **latest filing (PDF)**. Here’s what the Department has outlined and proposed to end Google’s dominance:

*   **Divestiture of Chrome and Possibly Android**: The DOJ suggests that Google sell its Chrome browser and its Android operating system to limit its control over internet access points.
*   **Search Choice Screens**: The proposal requires Google to implement choice screens, where users select their preferred search engine on devices like Google Pixel phones. This design must be approved by a newly proposed “Technical Committee.”
*   **Data Sharing Requirements**: Google would be required to share search data and innovations with competitors, including foreign companies.
*   **Ban on Default Search Agreements**: The DOJ aims to prohibit Google from entering into agreements with partners like Apple or Mozilla to make Google Search the default engine.

The DOJ has framed these measures as necessary to ensure fair competition and restore balance to the digital marketplace.

****Google’s Response****

In response, Google has strongly pushed back against the DOJ’s proposals, describing them as extreme, radical interventionist agenda, and harmful to consumers. In a **blog post** published November 11, 2024, Google argued that the proposals would:

*   **Compromise Privacy and Security**: Divesting Chrome and Android could lead to increased risks for user data and diminish the security features Google has built into these platforms.
*   **Stifle Innovation**: Google warned that the measures could chill investment in cutting-edge technologies, particularly in artificial intelligence, where the company is a global leader.
*   **Hurt Partners and Developers**: Google claims the proposals would harm partners like Mozilla, whose Firefox browser relies on revenue from Google’s search placement agreements.
*   **Introduce Overregulation**: Google criticized the creation of a Technical Committee with broad powers to oversee its operations as an unprecedented overreach.

Google maintains that its dominance in the search market is due to offering “the industry’s highest quality search engine,” not through unfair practices. The company plans to submit its own proposals and continue its legal battle into the next year.

> DOJ had a chance to propose remedies related to the issue in this case: search distribution agreements. Instead, DOJ chose to push a radical interventionist agenda that would harm Americans and America’s global technology leadership. https://t.co/QslGbUyklR
> 
> — News from Google (@NewsFromGoogle) November 21, 2024

****Industry-Wide Implications****

If the DOJ’s proposals are implemented, the tech industry could see a major change in power dynamics and business practices:

*   **Impact on Browser and Operating System Markets**: Forcing Google to sell Chrome and potentially Android would create opportunities for competitors, but it might also disrupt the user experience for millions who rely on Google’s integrated ecosystem.
*   **Search Market Competition**: Measures like search choice screens could pave the way for smaller search engines to gain traction, but critics argue that such interventions may confuse users and lead to inferior experiences.
*   **AI Development**: Google’s claims about reduced AI investment could have far-reaching consequences for advancements in automation, machine learning, and related industries.
*   **Global Technology Leadership**: The case raises concerns about U.S. competitiveness in technology, as the remedies could weaken one of the nation’s largest and most influential tech companies.

Nevertheless, the DOJ’s proposals mean a straightforward measure to limit one of the most powerful companies in the world, but the battle is far from over. Google has vowed to contest the measures, and the case will likely drag on for months if not years.

This legal battle will also challenge how we balance competition and innovation in the tech world. Its outcome could change how we use technology and online search for years to come.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Google Incognito: New Disclaimer Reveals Data Tracking**
3.  **$4B lawsuit claims Google tracked iPhone users’ activities**
4.  **DuckDuckGo says Google Incognito searches are not private**
5.  **HP Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk**

Tag

#intel