U.S. government agencies, companies, and non-governmental organizations have become the target of a nascent Chinese state-backed threat actor known as Storm-2077.
The actor, reportedly active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services globally, according to Microsoft.
The activity cluster, the company added, overlaps with a threat group being monitored by Recorded Future’s Insikt Group, which is.
Recent reports have highlighted the growing concern surrounding attack chains that leverage publicly available exploits to compromise internet-facing edge devices, often leading to initial access and the subsequent deployment of malicious payloads such as Cobalt Strike, as well as open-source malware like Pantegana and Spark RAT, a trend observed by cybersecurity firms in July.
“In the past decade, as a result of numerous authorities’ indictments and widespread public exposure of malicious actors’ tactics, attributing and tracking cyber operations allegedly emanating from China has become increasingly challenging due to the perpetrators’ evolving methodologies.”
Storm-2077 allegedly orchestrates intelligence-gathering campaigns by sending targeted phishing emails designed to harvest legitimate credentials linked to eDiscovery functions, thereby enabling the exfiltration of emails containing sensitive information that could significantly facilitate further malicious activity.
According to Microsoft, in alternate scenarios, Storm-2077 has been observed gaining unauthorized access to cloud environments by exploiting compromised endpoints and harvesting credentials. “As soon as administrative access was secured, Storm-2077 developed its proprietary software with mail learning capabilities.”
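The behaviour described above, an attacker with administrative access registering an application that can read mail, leaves a trace in the tenant's application-permission audit log. The following is an added example, not code from the article or from Microsoft, showing how a defender might sweep such a log for newly granted mail-read permissions on unknown applications. The log format (one JSON object per line with `activity`, `actor`, `target_app` and `permissions` fields), the activity names and the sample records are all constructed assumptions; the scope names `Mail.Read`, `Mail.ReadWrite`, `Mail.ReadBasic` and `full_access_as_app` are real Microsoft Graph / Exchange permission names, but field names in a real export will differ and must be mapped accordingly.

```python
"""Added example (not from the article): flag applications that were newly
granted mailbox-read permissions in a cloud tenant's audit log.

Assumptions: the log is one JSON object per line with the constructed fields
'activity', 'actor', 'target_app' and 'permissions'. Real audit records use
different field names; adapt parse_event() to your export.
"""
import json
from dataclasses import dataclass

# Permission scopes that grant read access to mailboxes (real Graph/EWS names).
MAIL_READ_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "full_access_as_app"}

# Audit activities that attach permissions to an app (constructed names).
GRANT_ACTIVITIES = {
    "Add app role assignment to service principal",
    "Consent to application",
}


@dataclass(frozen=True)
class Finding:
    """One suspicious grant: where it was in the log, who did it, to which app."""
    line_no: int
    actor: str
    target_app: str
    scopes: tuple


def parse_event(line):
    """Parse one log line; return the event dict or None if it is not valid JSON."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def find_mail_read_grants(lines, known_apps=frozenset()):
    """Return a Finding for every grant of a mail-read scope to an app that is
    not on the allow-list. Malformed lines and unrelated activities are skipped."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        event = parse_event(line)
        if event is None or event.get("activity") not in GRANT_ACTIVITIES:
            continue
        granted = set(event.get("permissions", [])) & MAIL_READ_SCOPES
        app = event.get("target_app", "")
        if granted and app not in known_apps:
            findings.append(
                Finding(line_no, event.get("actor", "?"), app, tuple(sorted(granted)))
            )
    return findings


# Constructed sample log: one benign known app, one unrelated event, one
# malformed line, one non-mail consent, and two grants that should be flagged.
SAMPLE_LOG = [
    '{"activity": "Add app role assignment to service principal", '
    '"actor": "admin@example.test", "target_app": "Corp Backup Connector", '
    '"permissions": ["Mail.Read"]}',
    '{"activity": "Add app role assignment to service principal", '
    '"actor": "compromised.admin@example.test", "target_app": "Sync Helper 2", '
    '"permissions": ["Mail.ReadWrite", "User.Read"]}',
    '{"activity": "Update user", "actor": "admin@example.test", '
    '"target_app": "", "permissions": []}',
    "not json at all",
    '{"activity": "Consent to application", "actor": "user@example.test", '
    '"target_app": "Calendar Widget", "permissions": ["Calendars.Read"]}',
    '{"activity": "Consent to application", '
    '"actor": "compromised.admin@example.test", "target_app": "mailsync-app", '
    '"permissions": ["full_access_as_app"]}',
]

# Apps that are expected to hold mail-read rights (constructed allow-list).
KNOWN_APPS = frozenset({"Corp Backup Connector"})


if __name__ == "__main__":
    for f in find_mail_read_grants(SAMPLE_LOG, KNOWN_APPS):
        print(f"line {f.line_no}: {f.actor} granted {', '.join(f.scopes)} to '{f.target_app}'")
```

Run against the constructed sample, the sweep reports the two grants made by the compromised administrator and ignores the allow-listed backup connector; the allow-list is what keeps the check from paging on every legitimate mail integration, so it should be maintained from the tenant's change records rather than built from the log itself.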
As revealed by Google’s Menlo Park-based Threat Analysis Group, a sophisticated influence operation dubbed GLASSBRIDGE has been uncovered, utilizing a network of inauthentic news sites and wire services to disseminate narratives that align with China’s global political agenda.
Since 2022, the technology giant has taken action against over a thousand websites operated by GLASSBRIDGE, blocking them from appearing in its Google News and Google Discover products.
“These misinformation websites are run by standalone digital PR companies offering services such as newswire distribution, syndication, and advertising.” “They present themselves as objective retailers, reprinting articles from China’s state-run media outlets, press releases, and other commissioned content sourced from various public relations companies.”
Firms operating under various names include Shanghai Haixun Knowledge, Occasions Newswire/Shenzhen Haimai Yunxiang Media (responsible for marketing efforts), Shenzhen Bowen Media, and DURINBRIDGE, the latter being a content distribution agency serving Haixun and DRAGONBRIDGE.
Shenzhen Bowen Media, a China-based advertising agency, is known for operating World Newswire, a press release service similar to the one used by Haixun to disseminate pro-Beijing content on subdomains of reputable news outlets, as revealed by Google’s Mandiant in July 2023.
Recognized subdomains include markets.post-gazette.com, markets.buffalonews.com, enterprise.ricentral.com, enterprise.thepilotnews.com, and finance.azcentral.com, among numerous other instances.
“In a disturbing trend, the disreputable websites operated by Glassbridge demonstrate that information operation actors are now employing tactics beyond social media to disseminate their biased narratives,” Molter stated. “While masquerading as impartial sources, IO operatives can craft their messaging to resonate with specific local demographics, presenting their perspectives as credible news and editorial offerings.”