Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077.
The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said.
The activity cluster, the company added, overlaps with a threat group that Recorded Future’s Insikt Group is tracking as TAG-100.
Attack chains have involved targeting various internet-facing edge devices using publicly available exploits to gain initial access and drop Cobalt Strike as well as open-source malware such as Pantegana and Spark RAT, the cybersecurity company noted back in July.
“Over the past decade, following numerous government indictments and the public disclosure of threat actors’ activities, tracking and attributing cyber operations originating from China has become increasingly challenging as the attackers adjust their tactics,” Microsoft said.
Storm-2077 is said to orchestrate intelligence-gathering missions using phishing emails to harvest valid credentials associated with eDiscovery applications for follow-on exfiltration of emails, which could contain sensitive information that could enable attackers to advance their operations.
“In other cases, Storm-2077 has been observed gaining access to cloud environments by harvesting credentials from compromised endpoints,” Microsoft said. “Once administrative access was gained, Storm-2077 created their own application with mail read rights.”
The disclosure comes as Google’s Threat Intelligence Group (TAG) shed light on a pro-China influence operation (IO) called GLASSBRIDGE that employs a network of inauthentic news sites and newswire services to amplify narratives that are aligned with the country’s views and political agenda globally.
The tech giant said it has blocked more than a thousand GLASSBRIDGE-operated websites from showing up in its Google News and Google Discover products since 2022.
“These inauthentic news sites are operated by a small number of stand-alone digital PR firms that offer newswire, syndication and marketing services,” TAG researcher Vanessa Molter said. “They pose as independent outlets that republish articles from PRC state media, press releases, and other content likely commissioned by other PR agency clients.”
This includes companies known as Shanghai Haixun Technology (which includes the HaiEnergy cluster), Times Newswire/Shenzhen Haimai Yunxiang Media (aka the PAPERWALL campaign), Shenzhen Bowen Media, and DURINBRIDGE, the last of which is a commercial firm distributing content for Haixun and DRAGONBRIDGE.
Shenzhen Bowen Media, a China-based marketing firm, is also said to operate World Newswire, the same press release service used by Haixun to place pro-Beijing content on the subdomains of legitimate news outlets, as revealed by Google’s Mandiant in July 2023.
Some of the subdomains identified were markets.post-gazette[.]com, markets.buffalonews[.]com, business.ricentral[.]com, business.thepilotnews[.]com, and finance.azcentral[.]com, among others.
“The inauthentic news sites operated by GLASSBRIDGE illustrate how information operations actors have embraced methods beyond social media in an attempt to spread their narratives,” Molter said. “By posing as independent, and often local news outlets, IO actors are able to tailor their content to specific regional audiences and present their narratives as seemingly legitimate news and editorial content.”
