Since June 2023, Microsoft has been tracking activity from multiple Chinese and North Korean nation-state groups. Our observations indicate that these threat actors are doubling down on familiar targets by using novel, more sophisticated influence techniques to achieve their goals.
In China, cyber actors have broadly targeted entities across the South Pacific Islands, regional adversaries in the South China Sea, and the US defense industrial base. Chinese influence actors have also been focused on refining their use of AI-generated or AI-enhanced content in these regions while simultaneously experimenting with new media.
In North Korea, threat groups have made headlines for increasing software supply chain attacks and cryptocurrency heists over the past year. We saw a consistent trend of strategic spear-phishing campaigns targeting researchers who study the Korean Peninsula. In addition, North Korean threat actors appeared to make greater use of vulnerabilities in legitimate software to compromise further victims.
By staying abreast of changing nation-state tactics, security leaders can better prioritize their resources and drive greater organizational security.
Chinese influence actors hone techniques and experiment with AI-generated media
China-based threat actors have targeted a number of entities over the past several months. We’ve seen these groups opportunistically compromise government and telecommunications victims in the Association of Southeast Asian Nations (ASEAN), with a particular interest in targets tied to US military drills conducted in the region. For example, a nation-state activity group known as Raspberry Typhoon successfully targeted military and executive entities in Indonesia and a Malaysian maritime system. This attack preceded a rare multilateral naval exercise involving Indonesia, China, and the United States. Similar telecommunications attacks have spread to Malaysia, the Philippines, Cambodia, Taiwan, and Hong Kong.
We’ve also seen Chinese nation-state groups target foreign affairs entities across the globe—primarily government entities for intelligence collection, although some IT companies were also compromised. Military and US defense-related entities were also popular targets, including contractors who provide technical engineering services around aerospace, defense, and natural resources critical to US national security. Volt Typhoon was one of the most prominent aggressors against the US defense industrial base, leveraging living-off-the-land techniques and hands-on-keyboard activity to gain access to organizations’ networks and lurk undetected.
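The living-off-the-land and hands-on-keyboard activity attributed to Volt Typhoon above is hard to catch with a single signature because every tool involved is a signed, built-in utility. The following detector is an added example, not code from Microsoft or from the report: it runs over a few constructed process-creation events and flags native admin tools used with collection-style arguments, launched from an unexpected parent, or used in combination on one host. The event field names, the binary list and the argument heuristics are all assumptions made for the example.

```python
"""Added example (not from the Microsoft report): a small detector for
living-off-the-land (LOTL) activity over constructed process-creation
events. Field names (host, image, parent_image, command_line) are an
assumed schema, not any product's log format."""
from collections import defaultdict
from typing import Dict, List

# Native Windows utilities that do real admin work and are abused precisely
# because they are signed, already present and rarely logged in detail.
# Illustrative list, assumed for this example.
LOLBINS = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "certutil.exe",
           "reg.exe", "vssadmin.exe"}

# Argument fragments that point to credential/config collection or proxying
# rather than routine administration (assumed heuristics).
SUSPICIOUS_FRAGMENTS = (
    "ac i ntds", "portproxy", "save hklm\\sam", "save hklm\\security",
    "shadowcopy", "process call create", "-decode", "-urlcache",
)

# Parents that should not normally spawn interactive admin tooling.
UNEXPECTED_PARENTS = {"w3wp.exe", "svchost.exe", "httpd.exe"}


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a single event looks like LOTL misuse (empty if none)."""
    reasons: List[str] = []
    image = ev["image"].lower()
    parent = ev["parent_image"].lower()
    cmd = ev["command_line"].lower()
    if image in LOLBINS:
        if any(frag in cmd for frag in SUSPICIOUS_FRAGMENTS):
            reasons.append(f"{image} with suspicious arguments")
        if parent in UNEXPECTED_PARENTS:
            reasons.append(f"{image} spawned by {parent}")
    return reasons


def detect_lotl(events: List[Dict[str, str]],
                per_host_threshold: int = 2) -> Dict[str, List[str]]:
    """Aggregate per host: hands-on-keyboard activity shows up as several
    distinct native tools used together, which a single-event rule misses."""
    findings: Dict[str, List[str]] = defaultdict(list)
    tools_per_host: Dict[str, set] = defaultdict(set)
    for ev in events:
        host = ev["host"]
        findings[host].extend(score_event(ev))
        if ev["image"].lower() in LOLBINS:
            tools_per_host[host].add(ev["image"].lower())
    for host, tools in tools_per_host.items():
        if len(tools) >= per_host_threshold:
            findings[host].append(
                f"{len(tools)} distinct native admin tools used: {sorted(tools)}")
    # Drop hosts that accumulated nothing.
    return {h: r for h, r in findings.items() if r}


# Constructed sample events: one host showing the combination pattern, one
# showing benign single-tool use that must not alert.
SAMPLE_EVENTS = [
    {"host": "FW-EDGE-01", "image": "ntdsutil.exe", "parent_image": "cmd.exe",
     "command_line": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "FW-EDGE-01", "image": "netsh.exe", "parent_image": "cmd.exe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=9999 "
                     "connectaddress=10.0.0.5 connectport=8443"},
    {"host": "FW-EDGE-01", "image": "wmic.exe", "parent_image": "w3wp.exe",
     "command_line": 'wmic process call create "cmd.exe /c whoami"'},
    {"host": "DEV-WS-22", "image": "netsh.exe", "parent_image": "explorer.exe",
     "command_line": "netsh interface show interface"},
    {"host": "DEV-WS-22", "image": "notepad.exe", "parent_image": "explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]


if __name__ == "__main__":
    for host, reasons in detect_lotl(SAMPLE_EVENTS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The per-host aggregation is the part worth copying: a lone `netsh` call from an interactive shell is ordinary administration, so the single-event rules stay quiet on it, while three different native tools on one edge host within the same batch is the behavioural shape a lurking operator leaves behind. In practice the events would come from Sysmon or EDR process telemetry and the batch would be a sliding time window.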
In September 2023, Microsoft released a threat intelligence report detailing how Chinese influence operation (IO) assets had begun using generative AI to create engaging visual content. We have continued to identify AI-generated memes that amplified controversial domestic issues in the United States and criticized the current administration. China-linked IO actors have continued to use AI-enhanced and AI-generated media (also known as AI content) in influence campaigns with an increasing volume and frequency throughout the year. Some common formats we’ve seen include AI-generated audio, news anchors, and memes, as well as AI-enhanced video.
Given the Chinese Communist Party’s (CCP’s) previous history of targeting government entities and attempting to sway foreign elections, we are likely to see Chinese cyber and influence actors targeting upcoming high-profile elections in India, South Korea, and the United States. At a minimum, we believe China will create and amplify AI-generated content that benefits its positions in these elections. While China’s efforts have previously yielded little impact, the CCP’s increasing experimentation in augmenting memes, videos, and audio may prove effective down the line. Chinese cyber actors have long conducted reconnaissance of US political institutions. Moving forward, we are prepared to see influence actors interact with Americans for engagement and to potentially research perspectives on US politics.
North Korean cyber actors increase software supply chain attacks and cryptocurrency heists
In North Korea, cyber threat actors have stolen hundreds of millions of dollars in cryptocurrency, conducted software supply chain attacks, and targeted their perceived national security adversaries over the course of the past year. These operations are used to generate revenue for the North Korean government—particularly its weapons program—and collect intelligence on the US, South Korea, and Japan. According to the United Nations, North Korean nation-state groups have stolen over $3 billion in cryptocurrency since 2017. There were multiple heists totaling between $600 million and $1 billion in 2023 alone.
What’s notable about North Korean threat actors is that they have begun backdooring legitimate software by exploiting vulnerabilities that already exist in that technology. We’ve also seen North Korean groups target executives and developers at cryptocurrency, venture capital, and other financial organizations to carry out numerous cryptocurrency heists. Finally, North Korean cyber actors have menaced the IT sector with spear-phishing and software supply chain attacks and targeted the United States, South Korea, and their allies with attacks on aerospace and defense organizations; human rights activists; diplomats; and Korean Peninsula experts in government, think tanks/NGOs, media, and education.
As North Korea embarks upon new government policies and pursues ambitious plans for weapons testing, we believe 2024 will see increasingly sophisticated cryptocurrency heists and supply chain attacks targeted at the defense sector. These operations will serve to funnel money into the regime while also facilitating the development of new military capabilities.
By staying aware of the latest threat landscape trends, security leaders are able to better prepare to help protect their organizations against the most pressing threats.
For more information about emerging nation-state trends and other security insights, visit Microsoft Security Insider.