Major Hacks & Campaigns

Rare protests in China over Xi Jinping’s Covid lockdown policy spread online this past week, and Beijing is going to great lengths to censor them. Images and videos on the internet showed that protests were widespread across the country, ranging from physical gatherings of residents to street demonstrations of hundreds, while the government’s army of censors was kept busy removing a constant stream of online criticism. Some videos showed people calling for Xi and the Chinese Communist Party leaders to resign, a rare act of defiance. Some online complaints were directed at conditions in the temporary isolation facilities. Residents in some compounds signed petitions demanding that infected neighbors be allowed to remain in home quarantine with full support of the neighborhood, rather than being taken off to the makeshift centers, after several blogs showed patients in some of Beijing’s newly erected facilities scrambling for food and medicine. In response, Beijing is censoring an ever-growing list of words that reference the protests, and attempts are being made to deflect the narrative on both domestic and overseas platforms. One of the most common ways Chinese social media users get messages out is by posting on foreign social media platforms like Twitter and Facebook, which are blocked in China but accessed via VPN. Beijing has targeted those platforms before: during the 2019 Hong Kong protests, Twitter, Facebook, and YouTube said they witnessed a coordinated attempt by the government to spread disinformation on their channels, which led to hundreds of accounts and posts being removed.

Analyst Comment: LGC analysts have been closely monitoring the civil unrest in China and conducted research into tactics that Beijing has used in responding to such events. One common strategy is to deflect domestic criticism of the central government onto scapegoats such as companies, local agencies, and well-known personas. By analyzing the data of trending topics on Weibo, a Twitter-like and heavily censored platform, LGC analysts have observed that while there has been no mention of protests, there is an increase in mentions of investigations into COVID-19 testing-related frauds. This could indicate China’s possible intention to use these companies as scapegoats to deflect the public’s defiance of the Zero-COVID policy. Another tactic that LGC analysts have observed is China’s allegations that the West is inciting domestic unrest. This is a common practice in Beijing’s playbook in dealing with various geopolitical events, such as cracking down on the Hong Kong protests and responding to sanctions over Uyghur human rights issues.

Additionally, Beijing might also use China’s Ministry of Foreign Affairs (MFA) to channel its narrative. Since the protests took place on November 27, 2022, only one question associated with the recent countrywide protests has been brought up during the MFA’s regular press conference. The question was related to a BBC journalist being arrested in Shanghai. The MFA’s response included a detailed description of the event, the content of the Shanghai police’s report, allegations that the BBC journalist had violated laws, and questions about the BBC’s involvement in these geopolitical events in China. It is possible that the MFA response was pre-determined and scripted to shift the focus of the protests to foreign influence. Notably, on November 29, 2022, two trending topics associated with the arrest of the BBC journalist appeared on Weibo, suggesting a coordinated effort to shift the narrative. As an NYTimes article pointed out, President Xi has stayed silent about the rare open challenge to his rule, including calls for him to step down. He might have chosen to use security services and online censorship to combat the challenge.

Apple is facing international media scrutiny for a China-only software update it pushed just before the protests. The update limited the AirDrop feature on iPhones in China – a feature that has traditionally been widely used to help protestors in places like Hong Kong circumvent authoritarian censorship. Apple has a history of adapting its products and services to conform with China’s strict controls, and the country accounts for a growing portion of Apple’s consumer market, with iPhones accounting for 16% of total smartphone shipments in China last quarter, up from 11% a year ago.

Russian software disguised as American was found in thousands of smartphone applications, making its way into US Army and CDC networks. The software, developed by a technology company called Pushwoosh, exists in thousands of apps in both the Apple and Google online stores. The US Centers for Disease Control and Prevention (CDC) said it had been deceived into believing Pushwoosh was based in the US capital and removed the software from seven public-facing apps when it learned of its Russian roots. The US Army removed an app containing Pushwoosh code over similar concerns. According to company documents publicly filed in Russia, Pushwoosh is headquartered in the Siberian city of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs about 40 people and reported revenue of $2.4M last year. It is registered with the Russian government to pay taxes in Russia. On social media and in US regulatory filings, however, it presents itself as a US company based in the capital area and California. While no evidence exists that Pushwoosh misused user data, the company provides code and data processing support for developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers. Russian authorities have, however, compelled local companies to hand over user data to domestic security agencies. Pushwoosh publicly denied the allegations, originally uncovered by Reuters, and has yet to provide evidence to support its stance.

Analyst Comment: While there is no evidence that Pushwoosh misused user data, any company that has used it in its apps could be at risk of data theft or leaks. The motivations of Pushwoosh and the extent of damage it may have caused are unknown at this time. This revelation is one of many events in recent years that have led to increased scrutiny of software supply chains from regulatory agencies and businesses alike.

A month after a cyber incident brought down government servers and websites in the country of Vanuatu, officials are using private Gmail accounts, personal laptops, pen and paper, and typewriters to run the government. The incident happened just days after the country’s prime minister, Ishmael Kalsakau, came into office. The malware attack on state networks has caused delays in communication and coordination across the island nation of 314,000 people and 80 islands. After suspicious phishing attempts were detected, the malware crashed nearly all government and email website archives. The attack did not take down civilian infrastructure such as airline or hotel websites, and most tourism and business has continued as usual. However, Vanuatu’s main hospital, Port Vila Central, was affected by the cyber attack, forcing medical staff to use pen and paper and preventing them from paying suppliers. The hacking of the country’s servers is the latest in a string of cyber attacks in the region, which include the attacks on Australia’s Medibank and Optus. It is still unclear who is behind the attack on Vanuatu. There are reports of a ransom demand that was turned down by the government, but they have not been officially confirmed.

US Cyber Command has published details for the first time on its “hunt forward” mission in Ukraine. In a statement to the press, CYBERCOM said that the mission consisted of a joint team of Navy and Marine Corps operators. They worked with local teams of Ukrainian specialists to look for and detect malicious cyber activity on Ukrainian networks. Kyiv provided the hunt forward teams with access to multiple networks, and work continued until days before Russia launched a wide-scale invasion of the neighboring country. The mission was carried out before and after Russia’s invasion – between December 2021 and March 2022. In addition to conducting a hunt forward on the ground, the team provided remote analytic and advisory support using new and innovative techniques, and conducted network defense activities aligned to critical networks.

The DoD released its Zero Trust Strategy and Roadmap, which details its plan to reduce network attack surfaces, enable risk management and effective data sharing, and contain adversary activity within the next five years. The plan was developed through collaboration with the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, U.S. Cyber Command, and the military services. DoD’s strategy lays out four goals: zero trust culture adoption; DoD information systems secured and defended; technology acceleration; and zero trust enablement. The Department expects all its components to achieve the target-level goals by fiscal year 2027. The strategy does not mandate the use of specific IT solutions or zero trust products, leaving it to the military services and fourth estate agencies to determine the specifics; rather, it outlines capabilities. Officials note that there may be challenges with how DoD components decide to pursue the zero trust goals using their current architecture, a commercial cloud, a private cloud, or a combination. The release of DoD’s strategy follows the White House Office of Management and Budget’s federal zero trust strategy that was published earlier this year. DoD is also developing future zero trust roadmaps for both “commercial cloud” and “private cloud.” Those approaches are expected to achieve zero trust “quicker” than the five-year baseline approach, according to the roadmap document. A senior official said DoD will likely pilot its zero trust approach with the four major commercial cloud providers involved in the Joint Warfighting Cloud Capability acquisition: Google, Oracle, Microsoft, and AWS.

The fiscal year 2023 National Defense Authorization Act (NDAA) will likely involve more debate over cybersecurity policy after the House flipped in the November election cycle. Now that the Republicans have taken back the House, they are pushing for a delay on the defense bill, making it more uncertain which cybersecurity provisions will get done this year. The Washington Post Cybersecurity 202 broke down some predictions based on interviews with anonymous Hill staff and outside experts. According to their research, bipartisan legislation will likely codify into law the State Department’s Bureau of Cyberspace and Digital Policy. Another bipartisan effort seeks to set the term of the Cybersecurity and Infrastructure Security Agency (CISA) Director at five years, to ensure the office remains nonpartisan by stretching it across presidential terms (much like the FBI and other agencies). And Senate lawmakers are seeking to reform the FedRAMP authorization program for cloud vendors and hopefully speed up the accreditation process. Policies up for debate include spyware safeguards under which the Office of the Director of National Intelligence (ODNI) could bar spyware makers from receiving intelligence agency contracts. Another one up for debate is legislation to update a 2014 law governing federal agency cybersecurity, which was left out of last year’s bill. Chuck Schumer (D-NY) and John Cornyn (R-TX) are lobbying colleagues to ban Chinese chip-makers from winning defense contracts, but massive industry coalitions could block the effort, making this bipartisan proposal uncertain. Policies that are unlikely to make it into the bill include one that ranks critical infrastructure in order of importance and prioritizes its protection. Another one unlikely to make it is a requirement for defense contractors to report a software bill of materials (SBOM) to the Pentagon. The Joint Collaborative Environment also may not make the cut, as the NSA recently began objecting to it, saying it impedes existing public-private information sharing programs.

Vulnerabilities exist in 95% of applications – a quarter of which are critical or high risk – according to a November study by Synopsys. The report examines the results of 4,300 security tests conducted on 2,700 software targets, including web applications, mobile applications, source code files, and networks. The majority of the security tests were penetration tests (dynamic application security tests, or DAST) and mobile application security tests (MAST). Industries represented in the tests included software and internet, financial services, business services, manufacturing, consumer services, and healthcare. 95% of the targets were found to have some form of vulnerability (a 2% decrease from last year), 20% had high-risk vulnerabilities (a 10% decrease), and 4.5% had critical vulnerabilities (a 1.5% decrease). Of note, vulnerable third-party libraries were found in 21% of the penetration tests conducted.
