Updated 2022-10-19: Spyder Loader
Broadcom Symantec researchers said they spotted new attacks that are part of Operation CuckooBees. But unlike previous attacks, where this Chinese threat actor went after intellectual property, the new attacks targeted Hong Kong organizations with a version of the Spyder Loader malware. Read more:
- Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
- Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
“The victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign.”
China-linked APT41 has been targeting government organizations in Hong Kong as part of a campaign, dubbed Operation CuckooBees. This ongoing campaign has raked in hundreds of GB of information. Read more: Chinese ‘Spyder Loader’ Malware Spotted Targeting Organizations in Hong Kong
Something weird and very cringe-worthy happened at the start of the week when over the course of two days, on Monday and Tuesday, a few hundred (obviously very botty-bot) Twitter accounts started pushing a dumb rumor that the APT41 cyber-espionage group was actually the US National Security Agency.
In addition, some accounts tried to reinforce this ridiculously braindead disinformation attempt by floating a rumor that US cybersecurity firm Mandiant also linked APT41 to the NSA, which is obviously not true. Read more: APT41: A Dual Espionage and Cyber Crime Operation
Some accounts posted in Chinese, others posted in English, while others even went as far as to try and pose as IntrusionTruth—a mysterious entity that has been doxing Chinese APTs for half a decade now—in an attempt to give legitimacy to their wacky theory.
In fact, after exposing some of their internal structure in a blog post back in July, IntrusionTruth seems to believe that it was APT41 itself who orchestrated this entire Twitter lameness. Read more: Chinese APTs: Interlinked networks and side hustles
— Intrusion Truth (@intrusion_truth) October 13, 2022
It appears that Chinese actors may be trying to up their active measures/disinformation game. Noteworthy: low quality, low reach—and self-defeating subtext. For if indeed Chinese then this only illustrates that Intrusion Truth actually bites. Also note @NSA_CSDirector's response. https://t.co/G8ApbY3SqL
— Thomas Rid (@RidT) October 12, 2022
We call it lameness because anyone with a basic understanding and foothold in the cybersecurity industry saw through this in the first five seconds.
Obviously, this disinformation campaign wasn’t meant for the big-brains in the infosec industry, but because it was caught early on and ridiculed into the ground, it was also almost immediately yeeted into the sun by the time of this newsletter, with the vast majority of the participating accounts being wiped clean. Read more: APT41 Alternative attribution Twitter Post
— Silas (@silascutler) October 13, 2022
All of this fits in some bizarre trend that we’ve observed this year from the Chinese government, which has been obsessed with painting the US government, and the NSA in particular, as some sort of Dick Dastardly of the cyber-espionage world, responsible for all sorts of bad things, like… spying. Because that’s obviously not what an intelligence agency does.
But trying to attribute your own operations to your adversary, despite quite obvious targeting and tooling differences, is some sort of brazen GigaChad move… that’s just on another level of stupid and incompetence.
For disinformation like this to work, there needs to be at least some sort of doubt about the information you’re trying to counter, and nobody believes that the NSA spent years spying on US government agencies and running a ransomware op as a side hustle.
Anyway, to whoever had this idea, thanks for the chuckles! T’was a boring week in infosec.