IronNet Blog

IronNet Monthly Global Threat Update

Written by General (Ret) Keith Alexander and the IronNet Team | Apr 3, 2023 6:54:51 PM

In our third monthly global threat update, we briefly highlight some of the geopolitical, kinetic, and cyber trends and activity from the last month, distilled into a few high-level takeaways.

On March 7, Army Gen. Paul Nakasone, commander of U.S. Cyber Command and the director of the National Security Agency (NSA), presented to the Senate Armed Services Committee on the role of these organizations in preventing and defeating cyberattacks on the United States. In his speech, Gen. Nakasone stated, “China is learning from Russian actions in Ukraine and elsewhere” and further noted “the People’s Republic of China (PRC) as our military’s pacing challenge.”

We believe these two comments from his remarks are: A) particularly symbolic of the current shift in geopolitical dynamics, and B) strategic areas for the private sector to be considering as part of its corporate risk assessments. When considering the circumstances and risks (cyber and otherwise) stemming from the Ukraine-Russia War, it’s important to also think of the additional geopolitical implications that may not be as apparent, like China’s response to the war.

The tension between China and the West is playing out in the news in the form of warnings from China about Taiwanese President Tsai Ing-wen visiting the U.S. and Central America, as well as coverage of China forming new alliances in the Middle East and acting as the middle-man in peace talks between Iran and Saudi Arabia.

March Geopolitical Observations

  • In the Ukraine-Russia War, a risk of springtime renewal of kinetic (and cyber) military offensives is a concern, also given Russia’s increasing desperation for a win – any win. Capturing a victory of some kind is the focus, in our view, and the primary strategic value for Russia of attempts to capture Bakhmut.
  • We continue to be on high alert to the risk that Russia could become more cyber aggressive as things drag on, as its resources are becoming increasingly constrained and its economy feels the impact. Its provocation of the U.S. by detaining an American journalist this past week is a strong signal of this more desperate undercurrent.
  • There is notable escalation of geopolitical tensions globally. The war has strengthened the coalition between the U.S. and its European allies in support of Ukraine, which has caused China to take note and become increasingly concerned that a Russian loss would negatively impact China’s aspirations regarding Taiwan.
    • As a result, China may: A) provide covert support to Russia by funneling supplies and/or weaponry through third parties such as North Korea or Iran; and B) take action to forge partnerships in key regions like the Middle East and entrench itself as a cornerstone of the global economy to make it more difficult for it to be pounded with sanctions like Russia.
  • Is this the start of a new Cold War, where coalitions are forming, rhetoric is stronger and sensitivities are heightened? We seem to have taken a step in that direction. In addition to fostering important relationships in the Middle East and signaling a closer alliance with Russia during meetings with the Kremlin this past month, China recently raised the age of its military retirement to age 60, which makes many wonder about the impact that population demographics could be having on China’s foreign policy. Nevertheless, the evidence is clear that China is creating coalitions and putting in place geopolitical strategies in order to be best positioned to pursue its foreign policy objectives.

March Cyber Activity

  • Russian APT Activity
    • BlackBerry reports it has observed APT29 (aka NOBELIUM) using the Polish ambassador’s visit to the U.S. as a lure to target EU countries; specifically, EU diplomatic entities and systems helping the Ukrainian government, transmitting information about the region's politics, and aiding Ukrainian citizens fleeing the country.
    • Proofpoint reports that the Russian Winter Vivern APT (aka TA473) is exploiting a Zimbra vulnerability (CVE-2022-27926) to abuse publicly facing Zimbra-hosted webmail portals, with the goal of gaining access to the emails of European military, government, and diplomatic organizations involved in the Ukraine-Russia War.
      • Earlier in the month, SentinelOne released research on the Winter Vivern APT, discussing how the group has recently targeted Polish government agencies, the Ukrainian and Italian Ministries of Foreign Affairs, individuals within the Indian government, and private telecommunications companies supporting Ukraine in the war.
  • Hacktivists target healthcare
    • Microsoft published research on pro-Russian hacktivist group KillNet and its affiliates targeting healthcare organizations with DDoS attacks, in which it mentioned that the group compromised a U.S. healthcare organization supporting U.S. military members.
    • Pro-Russian hacktivist group Phoenix claims to have targeted India’s Health Ministry management system in retaliation for India’s agreement to the G-20 oil price cap and sanctions over the Ukraine-Russia war.
      • Phoenix claims to have access to all the hospitals of India and its staff and chief physicians.
    • In late March, KillNet and Anonymous Sudan (which is suspected to be an affiliate of KillNet) reportedly launched DDoS attacks on numerous Australian university, airport, and hospital websites.
      • These latest attacks follow claims by Anonymous Sudan to have launched DDoS attacks on the websites of several French airports, hospitals, and universities earlier this month, as well as a number of Danish hospitals at the end of February.
  • China supports Middle East aspirations with cyber operations
    • SentinelOne published a report on a Chinese threat campaign called Operation Soft Cell by Gallium/APT41 using a new credential theft capability and dropper mechanism to target telecom providers in the Middle East in Q1 2023.
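The Winter Vivern item above describes TA473 abusing a reflected cross-site scripting flaw in Zimbra (CVE-2022-27926) on internet-facing webmail portals. As an added example that is not IronNet's code and not part of the Proofpoint or SentinelOne reporting, the following Python triages reverse-proxy access logs for a public webmail portal and flags requests whose URL-decoded query parameters (or path) carry script-injection markers, then counts hits per source address. The combined log format, paths, IP addresses, and payloads are all constructed for the example; it does not use the actual vulnerable endpoint or payload from the CVE, and a production deployment would feed it real proxy logs and tune the marker list.

```python
"""Flag reflected-XSS probes against a public webmail portal in access logs.

Added example (not IronNet's code). Scans combined-format access log lines,
URL-decodes each query parameter (twice, to catch double encoding), and reports
requests that contain script-injection markers. All sample data is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (assumption: the portal's reverse proxy writes the
# Apache/nginx "combined" format). Paths and payloads are illustrative only.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Mar/2023:09:12:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2023:09:12:05 +0000] "GET /h/search?q=javascript+tutorial HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.77 - - [29/Mar/2023:09:15:44 +0000] "GET /public/example.jsp?msg=%3Cscript%3Elocation%3D%27https://example.invalid/c%27%3C/script%3E HTTP/1.1" 200 2048 "-" "curl/7.88.1"
198.51.100.77 - - [29/Mar/2023:09:15:59 +0000] "GET /public/example.jsp?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers typical of reflected-XSS payloads. Word boundaries keep ordinary
# words such as "conference=" or "javascript tutorial" from matching.
XSS_MARKER_RE = re.compile(
    r'<\s*/?\s*(script|iframe|img|svg|object|embed)\b'
    r'|javascript\s*:'
    r'|\bon[a-z]+\s*='
    r'|document\.(cookie|location)'
    r'|eval\s*\(',
    re.IGNORECASE,
)


def decode_twice(value):
    """Decode twice so a double-encoded "%253Cscript" is seen as "<script"."""
    return unquote_plus(unquote_plus(value))


def find_xss_probes(log_text):
    """Return one hit dict per log line whose path or a query value carries a marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        # parse_qsl already decodes once, so decode each value once more.
        candidates = [("<path>", decode_twice(parts.path))]
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            candidates.append((key, unquote_plus(val)))
        for where, text in candidates:
            found = XSS_MARKER_RE.search(text)
            if found:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "target": m.group("target"),
                    "param": where,
                    "marker": found.group(0),
                })
                break  # one hit per request is enough for triage
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source IP, for blocking or further review."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    probes = find_xss_probes(SAMPLE_LOG)
    for h in probes:
        print(f'{h["ts"]} {h["ip"]} param={h["param"]} marker={h["marker"]!r} {h["target"]}')
    print("per-source:", dict(summarize_by_source(probes)))
```

The benign search for "javascript tutorial" from 203.0.113.5 is not flagged because the markers require the `javascript:` scheme or an `on...=` handler, while both constructed requests from 198.51.100.77 are, including the double-encoded one. Markers like these are a first-pass triage signal, not proof of exploitation; the point is to surface which sources are probing the portal so the logs can be pulled and the Zimbra patch level confirmed.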