Latest news with #SilkTyphoon

Patents Related to CCP-Backed Silk Typhoon Hackers Reveal Capabilities

Epoch Times, 4 days ago

Cybersecurity research firm SentinelOne has identified more than 10 patents held by companies that are associated with the Chinese Communist Party (CCP)-backed hacking campaign known as Hafnium, or Silk Typhoon, revealing 'highly intrusive forensics and data collection technologies.' 'These technologies offer strong, often previously unreported offensive capabilities, from acquisition of encrypted endpoint data, mobile forensics, to collecting traffic from network devices,' the researchers wrote in a July 30 report.

Beijing's hackers are playing the long game

Axios, 02-08-2025 (Politics)

Chinese hackers are targeting more sensitive U.S. targets than ever — not to smash and grab, but to bide their time.

Why it matters: Beijing is investing in stealthy, persistent access to U.S. systems — quietly building up its abilities to disrupt everything from federal agencies to water utilities in the event of escalation with Washington. Even the most routine spying campaign could leave China with backdoors to destruction for years to come.

Driving the news: At least three China-based hacking groups exploited vulnerable SharePoint servers in the last month, according to Microsoft. Researchers at Eye Security, which first discovered the SharePoint flaws, estimate that more than 400 systems were compromised as part of the SharePoint attacks. In this case, hackers also stole machine keys. That means the attackers can regain access whenever they want — even after the system is patched — unless admins take rare manual steps to rotate keys.

The big picture: China's state-linked hackers have been growing in sophistication over the last few years as they focus more on targeting technology and software providers with hundreds of customers, often including government agencies.

By the numbers: More than 330 cyberattacks last year were linked to China, double the total from 2023, according to CrowdStrike data shared with the Washington Post. Those numbers continued to climb in early 2025, according to CrowdStrike.

Between the lines: At least three major Chinese government teams have been targeting U.S. networks in recent years. Volt Typhoon has focused on breaking into endpoint detection tools to burrow deep into U.S. critical infrastructure, including pipelines, railways, ports and water utilities. Their goal is to maintain persistent access and be prepared to launch destructive attacks in the event of contingencies such as a war over Taiwan, experts say. Salt Typhoon, known for its compromises of global telecom networks, has focused on traditional espionage and spying. This group tapped cell phones belonging to President Trump, Vice President Vance and other top government officials. The FBI believes that threat is now "largely contained." Silk Typhoon — which has been linked to a recent breach of the U.S. Treasury Department and is known for the global 2021 Microsoft Exchange hacks — has been ramping up its work in recent months. The group uses previously undetected vulnerabilities, known as zero-days, to break into networks.

Zoom in: Researchers at cybersecurity firm SentinelOne have uncovered more than 10 patents tied to Silk Typhoon's work — a rarity among nation-state hackers. The patents — detailed in a report published Thursday — suggest the group was at one point developing new offensive tools, including for encrypted endpoint data recovery, phone and router forensics and hard-drive decryption. The researchers also found that Silk Typhoon has links to at least three private sector companies.

The intrigue: Beijing's growing reliance on private contractors adds another layer of complexity — shielding state involvement while expanding capability. A DOJ indictment released last month details how the Shanghai State Security Bureau directed employees at tech companies to hack into computers across U.S. universities and businesses to steal information. A trove of leaked documents stolen from private Chinese contractor I-Soon early last year also highlighted how hired hackers targeted several U.S. government agencies, major newspapers and research universities.

State of play: China's growing cyber prowess comes as the Trump administration has diminished resources for its own cyber defenses. At least a third of the workforce at the Cybersecurity and Infrastructure Security Agency has left through voluntary buyouts, early retirements or layoffs. The Trump administration also wants to cut its budget.

Yes, but: The administration is expected to invest heavily in its own offensive cyber powers — with $1 billion from the "One Big Beautiful Bill" heading to the Pentagon for just that purpose.

Chinese hacker arrested, charged with stealing U.S. COVID-19 research

UPI, 09-07-2025

The Department of Justice announced Tuesday the arrest of a Chinese national accused of hacking and stealing COVID-19 information from U.S. universities for the Beijing government.

July 8 (UPI) -- Italian authorities arrested a Chinese national accused by the United States of working at the direction of Beijing to steal COVID-19 vaccine research from U.S. universities, immunologists and virologists during the early days of the pandemic.

Xu Zewei, 33, of China, was arrested Thursday in Milan. The nine-count indictment charging him and his co-conspirator, 44-year-old Chinese national Zhang Yu, was unsealed Tuesday by the Justice Department as it seeks Xu's extradition. Zhang remains at large.

The arrest and filing of charges are the latest U.S. law enforcement action targeting Chinese nationals accused of working at the behest of Beijing's foreign intelligence arm, the Ministry of State Security, in recent months.

According to the indictment, Xu and his co-conspirators were involved in the China state-sponsored HAFNIUM hacking campaign -- also known as Silk Typhoon -- that targeted vulnerabilities in the widely used Microsoft Exchange Server program to gain access to victims' information from February 2020 to June 2021. Federal prosecutors said they used the vulnerabilities in the Microsoft program to install code known as webshells on their victims' computers, gaining remote access to the devices.

The victims were not named in the charging document, but are identified as a university located in the Southern District of Texas and a university based in North Carolina involved in "research into COVID-19 vaccines, treatments and testing," as well as a second university based in the Southern District of Texas and a law firm with offices in Washington, D.C., and elsewhere, including internationally.

During a press conference Tuesday, U.S. Attorney Nicholas Ganjei for the Southern District of Texas said Xu would be assigned targets from his handlers within the Ministry of State Security's State Security Bureau with instruction to hack their computers and steal specific information. Once with access to the requested accounts, he copied gigabits of COVID-19 research that he then transferred to China. Ganjei explained the law firm was targeted for the confidential information it had on its clients, specifically that of U.S. policy makers and government agencies.

"Although the Chinese state-sponsored hackers are, on occasion, indicted by the Department of Justice, it is exceedingly rare -- indeed it is virtually unheard of -- to actually get your hands on them," he said. "Since 2023, the United States has waited quietly and patiently for Xu to make a mistake that would put him within the reach of the American Judicial system. And last week, he did just that, traveling from Shanghai to Milan, Italy."

Ganjei said Italian authorities took him into custody once his plane touched down. He further described the alleged crimes as those not specifically targeting computers, but targeting "American scientific innovation" and the "American system of justice."

"Although the conduct in this case took place several years ago, we never lost sight of our goal to bring the perpetrators of these cyber intrusions to justice. Now, at least, some of that story can be told," he said.

A little more than a week earlier, the Justice Department charged two Chinese nationals with spying on the U.S. Navy and its bases as well as assisting Beijing with recruiting others within the U.S. military as potential Ministry of State Security assets.

Cyber crime: Five hacking groups and syndicates to be aware of

The National, 13-03-2025 (Politics)

Following an alleged cyber attack on Elon Musk's platform X this week, speculation over the perpetrators has been rife and generated a renewed interest in hacker and cyber threat groups around the world. Mr Musk said the IP addresses that caused X to be offline for almost an entire day originated near Ukraine but has not elaborated on that accusation.

Morey Haber, a chief security adviser at cybersecurity firm BeyondTrust, said while he does not have strong feelings about Mr Musk's Ukraine claims, determining where cyber attacks originate is complicated. 'I would advise caution when blaming the attack on Ukraine, simply based on source IP address,' he said. 'Threat actors typically use bots, virtual private networks and bastion hosts to conduct attacks and obfuscate their identity, so the cyberattack of X/Twitter, if true, should have easily been defendable against an attack based on IP address or geolocation.' Associating a potential cyber attack with an IP address should never be used in a public statement without additional indicators or proof, Mr Haber added.

Though it might be tempting to name and shame hackers and cyber threat actors, Mr Haber told The National that by the time the groups become widely known, they've already caused a lot of damage. 'Crime syndicates perform the most damage when they are unnamed, unknown and can operate from the deep shadows of the internet,' he said. Once they have been found and details around their operations leaked, Mr Haber added, their strength and ability to hack diminishes substantially. 'This doesn't negate their threat, but once indicators of compromise, methods of attack and malware become publicly documented, that should allow organisations to strengthen cybersecurity defences.' Mr Haber pointed out that hacking attracts a wide spectrum, with some perpetrators fuelled by politics and others by financial gain, some state-sponsored and others working alone.

Here's a look at five of the more prominent groups currently on cybersecurity experts' radar that have made headlines around the world:

Silk Typhoon

'I only believe one cybersecurity syndicate poses the biggest threat worldwide,' said Mr Haber. 'Silk Typhoon, also known as APT27, and has been linked to the US Treasury Department breach in late 2024.' According to the US Cybersecurity and Infrastructure Security Agency and the FBI, Silk Typhoon has been linked to the Chinese government. Microsoft has also echoed that notion. 'Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalise exploits for discovered zero-day vulnerabilities in edge devices,' Microsoft's threat intelligence group has said. China has repeatedly denied the accusations.

Anonymous

According to cybersecurity risk-mitigation company Cobalt, Anonymous is perhaps the most well-known hacking group. It first made headlines during the Occupy Wall Street protests in 2011, and Cobalt notes Anonymous has 'targeted PayPal, Visa and MasterCard'. 'Authorities have arrested hackers who claim to be part of Anonymous over the years, but the group's decentralised nature makes tracking down or prosecuting members challenging,' Cobalt wrote on its website. The group has also been known to use distributed denial-of-service (DDoS) attacks that have led to massive website disruptions.

Morpho

Both Norton and Cobalt list Morpho, a group of hackers dedicated to financially motivated cyber attacks, as a worrisome entity. The geographic origins of the group are largely unknown but, according to Norton, Morpho has previously targeted X, Meta, Microsoft and Apple to try to steal confidential information. There are some clues that Morpho has left behind in the cyber mess it causes. 'It's said that they may be of English-speaking origin because the code is entirely composed of English and their encryption keys are named after memes in American pop culture,' Norton said on its website. According to Cobalt, Morpho has also been known to seek intellectual property from health care and technology companies.

Darkside

Cybersecurity firms and technology analysts routinely list Darkside as one of the more prominent hacking groups. It rose to prominence in 2021 when it claimed responsibility for the Colonial Pipeline cyber attack that caused fuel shortages and price increases across the US. Darkside has also been known to run affiliate programmes to help other hacker groups in infiltration attempts. It has been known to use a 'ransomware-as-a-service model', meaning it sells or leases ransomware to others to carry out attacks. According to cybersecurity firm Norton, Darkside likely originates in Eastern Europe. 'This group is known for targeting high-profile corporations worldwide with stolen credentials and manual jacking with testing tools,' Norton said.

Mint Sandstorm

Though it doesn't necessarily have the same history or name recognition of other hacking groups or cyber threat actors, Mint Sandstorm is quickly stoking fears in the technology security world. Microsoft's threat intelligence group said that Mint Sandstorm is an Iran-affiliated group 'known to primarily target dissidents protesting the Iranian government, as well as activist leaders, the defence industrial base, journalists, think tanks, universities, and multiple government agencies and services, including targets in Israel and the US'. It has been widely speculated that Mint Sandstorm was behind the attempted hack and potential breach of communications within Donald Trump's 2024 presidential campaign. 'Also uses credential harvesting to obtain access to official work accounts as well as personal accounts,' said Microsoft.

U.S. indicts Chinese hackers in sweeping cyber espionage case

Axios, 05-03-2025 (Politics)

Federal authorities have charged 10 individuals and two Chinese government officials on Wednesday in connection with several high-profile Beijing-backed intrusions.

Why it matters: The U.S. alleges that these individuals helped carry out a wide-reaching Chinese espionage campaign that targeted U.S. government agencies, state governments, news services, universities, defense contractors, law firms, and critical infrastructure.

Catch up quick: The people either worked for Silk Typhoon — the Chinese hacking team linked to last year's Treasury breach — or for I-Soon, an offensive "hacker-for-hire" contractor that was exposed in an extensive online document leak last year. The leaked documents, which were publicly available on GitHub, detailed I-Soon's clients and targets.

The big picture: The indictment offers one of the clearest insights yet into the shadowy world of offensive cyber contracting — a common practice among the world's superpowers. The Justice Department also seized the web infrastructure that both the Silk Typhoon and I-Soon hackers used in their attacks. A spokesperson for the Chinese embassy did not immediately respond to a request for comment.

Zoom in: According to one indictment, I-Soon hacked a range of U.S. victims, including:

  • The Defense Intelligence Agency, the Department of Commerce and the International Trade Administration;
  • Two New York City-based newspapers, including one that publishes news related to China and is opposed to the Chinese Communist Party;
  • A massive religious organization with millions of members;
  • The New York State Assembly and a state research university;
  • A D.C.-based news service that "delivers uncensored domestic news to audiences in Asian countries, including China;" and
  • Several foreign ministries across southeast Asia.

Meanwhile, according to a second indictment, the two hackers linked to Silk Typhoon targeted:

  • U.S. technology and defense contractors working with the Pentagon and intelligence agencies;
  • A university-based academic health system with servers in California;
  • A major law firm with hundreds of attorneys specializing in corporate and intellectual property;
  • A municipal government in the U.S.; and
  • A D.C. think tank specializing in defense policy and a law firm that works on IP theft issues.

Between the lines: The indictment reveals new details about how I-Soon worked with Beijing, including how much it charged, how long it worked on these efforts and more. I-Soon is believed to have worked with at least 43 different bureaus of China's Ministry of State Security and Ministry of Public Security across 31 different provinces and municipalities, according to the FBI. The company also charged the agencies between $10,000 and $75,000 for each email inbox it successfully hacked, according to the indictment. Sometimes I-Soon worked at the direction of the agencies and other times it would conduct its own hacks and then sell either the network access or data stolen from those targets to the Chinese government.

The intrigue: I-Soon would train Chinese government employees to hack on their own, and it sold various tools to help them carry out their attacks. One of those products gave customers the ability to write phishing emails, create malware-laced files and clone websites, according to the U.S. Justice Department.

Reality check: China is unlikely to extradite the indicted individuals, but the charges do bar them from traveling to the United States or allied countries where they could be arrested.

Go deeper: Leaked documents detail inner workings of China's vast hacking operations
