Category | Details |
---|---|
Threat Actors | DPRK (North Korea) actors: Sapphire Sleet and Ruby Sleet. China-based actor: Storm-2077. |
Campaign Overview | North Korea focuses on cryptocurrency theft, IT worker schemes, and espionage targeting weapons systems. China targets U.S. and global sectors for intelligence collection. |
Target Regions | DPRK targets include global cryptocurrency firms, aerospace, and defense sectors. Storm-2077 targets U.S. government, aviation, telecom, and financial services worldwide. |
Methodology | DPRK uses phishing, masquerades as recruiters/IT workers, and exploits zero-days. China uses phishing, exploits edge-facing devices, and accesses cloud environments. |
Product Targeted | Cryptocurrency wallets, email services, aerospace technologies, cloud apps, and VPN software. |
Malware Reference | Sapphire Sleet uses scripts to install malware. Ruby Sleet uses backdoored VPN clients and installers. |
Tools Used | AI tools (e.g., Faceswap), phishing kits, legitimate certificates, and stolen credentials. |
Vulnerabilities Exploited | Zero-day vulnerabilities, compromised software in supply chain attacks, and email access misconfigurations. |
TTPs | Social engineering, credential harvesting, supply chain attacks, and malware deployment. |
Attribution | DPRK operations are government-funded for weapons programs. China’s Storm-2077 is attributed to state-sponsored intelligence efforts. |
Recommendations | Educate HR and hiring teams on signs of IT worker schemes, monitor cloud environments for unauthorized access, and verify employee identities during interviews. |
Source | Microsoft |
Read full article: https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/
Disclaimer: The above summary has been generated by an AI language model