The CyberWire Daily Briefing

"China's Volt Typhoon snoops into US infrastructure, with special attention to Guam."

Views expressed in this cybersecurity and cybercrime update are those of the reporters and correspondents.  Accessed on 25 May 2023, 2023 UTC.  Content provided by email subscription to "The CyberWire Daily Briefing."

Source: "The CyberWire Daily Briefing".

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

More signal, less noise.

Early bird registration is open. Get the lowest price we offer.

Register now for Mandiant’s mWISE security conference.

Daily Briefing

May 25, 2023.

CSO Perspectives is back.

CSO Perspectives has returned for a 13th season. Tune in to the season premiere to hear our CSO Rick Howard go through cybersecurity first principles as they apply to the infosec workforce gap. This show is a CyberWire Pro exclusive, so subscribe to Pro to catch new episodes every Monday. Subscribe and listen.


At a glance.

  • China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.
  • Iranian cyber ops against Israeli targets.
  • Blacktail, a new ransomware group using recycled ransomware.
  • Operation Magalenha, a Brazilian persistent campaign targeting Portuguese financial institutions.
  • Botnet targets gaming industry.
  • Phishing attempts impersonate OpenAI.
  • Geolocation graffiti.
  • What's up with KillNet.

China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.

A joint advisory from all Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) reports a major Chinese cyberespionage operation that's succeeded in penetrating a range of US critical infrastructure sectors. Microsoft, in its own report on Volt Typhoon, as the threat activity is being called, says the group has been active since at least the middle of 2021. The targets of the spying have extended to the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Microsoft writes that, "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible." It does this, the Five Eyes stress, by carefully living off the land, exploiting existing legitimate administrative tools and privileges in its targets.

Much of Volt Typhoon's activity has been directed against Guam, a US Territory in the Western Pacific that hosts important US military bases. Those bases would be important to any US intervention on behalf of Taiwan, should China decide to take a page from Russia's geopolitical playbook and invade what it regards as a renegade province. For its part China dismisses the reports as a coordinated American disinformation campaign, and denies that it's engaged in any of the activities the Five Eyes and Microsoft associate with Volt Typhoon.

Sponsored by Expel

What are your biggest resource challenges? Expel makes every investment count.

CISOs have lots to think about. Teams and tech stacks. Budgets and booming attack surfaces. Security strategies evolving to address business goals. All of the above?

Expel’s software-driven approach to managed security puts your existing tech to work across cloud (and Kubernetes!), on-prem, network, SaaS, and SIEM, automating alert analysis, prioritization, and remediation so you get better answers to what matters the most. Fast.

Optimize your tech. Support your team. Stretch your budget. Expel.

Iranian cyber ops against Israeli targets.

Iranian threat actor Agrius has been observed continuing to target entities in Israel, Check Point reports. What appear to be destructive ransomware attacks are actually masking influence operations, the researchers suggest. The APT group, now calling both itself and its newest ransomware strain “Moneybird,” has been seen in recent attacks deploying a previously unseen ransomware strain written in C++. While the researchers did not elaborate on which organizations were victimized, the Record writes, the techniques reflect those of Agrius. Public-facing web servers were the initial point of compromise; once inside, the attackers moved laterally within the networks, carrying out reconnaissance and data theft.

Information Security Buzz reports that another Iranian threat group is attacking Israeli shipping and logistics companies to lift customers’ data. Israeli cyber firm ClearSky says with “low confidence” that this may be the work of Tortoiseshell (known also as TA456 and Imperial Kitten). At least eight websites were impacted by the campaign, including “SNY Cargo, logistics company Depolog, and restaurant equipment supplier SZM.” Al-Monitor says what the firm calls a “watering hole attack,” or an attack infecting the website of a specific group, has also victimized some organizations in the financial services industry. The majority of websites, as of mid-April, had been purged of the malicious code.

Sponsored by CyberArk

The future of security is identity and with CyberArk, the future of identity is secure.

With 84% of organizations experiencing an identity-related breach, identity is the new battlefield. As the pioneers of privileged access management, we started by protecting the most privileged users and most critical data. With intelligent privilege controls, today we’re applying the same levels of security and protection to every identity – both human and machine. CyberArk offers the most advanced identity security platform in the world, surrounding every identity with a powerful force field of continuous protection.

Blacktail, a new ransomware group using recycled ransomware.

A new ransomware operation calling itself Buhti has been discovered by researchers at Symantec. The tool uses variants of Lockbit and Babuk ransomware, as well as a custom infostealer that can search for and archive specified file types. “Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks,” Symantec wrote. The researchers were unable to attribute this new campaign to any known threat actors and have therefore dubbed the associated group “Blacktail.”

Operation Magalenha, a Brazilian persistent campaign targeting Portuguese financial institutions.

SentinelLabs released a report today regarding a campaign they have observed targeting Portuguese financial institutions. Researchers report that the campaign now targets over 30 financial institutions, and assess with high confidence that it is being conducted by a Brazilian threat group. “This conclusion is further supported by the presence of Brazilian-Portuguese language usage within the infrastructure configurations and malware implementations. We refer to the campaign conducted by this threat group as Operation Magalenha,” the researchers write. Operation Magalenha’s infrastructure shows some features that differentiate it from other campaigns, notably the use of two PeepingTitle variants simultaneously on the same infected machine. The operation also uses Timeweb Cloud, “a Russian IaaS provider known for its lenient anti-abuse policies, diverging from primarily relying on providers implementing stricter measures, such as DigitalOcean and Dropbox.” The operation uses multiple infection vectors, including phishing emails, malicious websites advertising fake installers of popular software, and social engineering.

Botnet targets gaming industry.

Akamai this morning detailed the activities of a new botnet by the name of Dark Frost, observed targeting the gaming industry. The botnet is built from code stolen from other botnets, particularly Mirai, Gafgyt, and Qbot. The threat actor seems driven, at least in part, by a need for attention: they have been observed on social media channels not only admitting to their illicit botnet creation and use, but also sharing live recordings of their attacks. The botnet has launched distributed denial of service (DDoS) attacks against not only gaming companies, but also game server hosting providers, online streamers, and various other members of the gaming community. While the malware was unsophisticated, it was capable of significant damage. Threat actors face a significantly lower bar to entry, with an ever-growing amount of source code from existing malware strains available, as well as access to AI code generation.

Phishing attempts impersonate OpenAI.

INKY has detailed a new phishing attack that impersonates ChatGPT creator OpenAI for credential harvesting. The threat actors are using a multitude of techniques in this brand impersonation phishing attack, including spoofing, dynamic redirection, and utilizing malicious links. They falsify an email that appears to be from OpenAI that researchers say appears “nearly identical to the one users receive when they sign up for a new ChatGPT OpenAI account.” The hackers spoof the email address to appear to come from the IT department of the receiver. They swap out the safe link in the legitimate email for a malicious link that asks for a user’s credentials. If they’re entered, then they’re stolen.

Geolocation graffiti.

The UK's Ministry of Defence this morning pointed out a geolocation-spoofing stunt. "Analysis by Geollect indicates that since 14 May 2023, commercial vessels’ Automatic Identification System (AIS) data has been remotely spoofed to create the impression of a 65km long Russian pro-war Z symbol on the Black Sea, visible on open source tracking software. AIS is used to track vessels, including to ensure their safety. Tracks making up the image suggested vessel speeds of up to 102 knots (188 km/h), further suggesting they were fake. Pro-Russian actors likely conducted the spoofing as an information operation, potentially in an attempt to bolster Russian morale ahead of an anticipated Ukrainian counter offensive. The spoofing of AIS increases the risk of maritime accidents. Despite Russian virtual information operations in the Black Sea, its physical navy remains vulnerable: the Ivan Khurs intelligence gathering vessel was likely attacked on 24 May 2023."
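The Ministry's statement rests on a simple plausibility check: a real merchant vessel cannot cover the distance the spoofed tracks implied (up to 102 knots) between two consecutive AIS reports. The following added example, not part of the briefing or of Geollect's analysis, computes the implied speed between successive AIS position reports for one vessel and flags legs that exceed an assumed ceiling (the 50-knot threshold, the MMSI and the track points are all constructed for illustration):

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
KM_PER_NAUTICAL_MILE = 1.852
# Assumed ceiling (not from the briefing): merchant vessels rarely exceed
# ~30 knots, so a leg implying more than this is treated as spoofed/corrupt.
MAX_PLAUSIBLE_KNOTS = 50.0


@dataclass(frozen=True)
class AisFix:
    """One AIS position report: MMSI, time (seconds since epoch), lat/lon in degrees."""
    mmsi: str
    timestamp: int
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speeds(track: list[AisFix]) -> list[tuple[AisFix, AisFix, float]]:
    """For consecutive fixes of one vessel (sorted by time), return the speed in
    knots the vessel would have needed between them. A zero or negative time gap
    combined with a position change is reported as infinite speed."""
    ordered = sorted(track, key=lambda f: f.timestamp)
    legs = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        dt_hours = (cur.timestamp - prev.timestamp) / 3600.0
        if dt_hours <= 0:
            knots = float("inf") if dist_km > 0 else 0.0
        else:
            knots = dist_km / dt_hours / KM_PER_NAUTICAL_MILE
        legs.append((prev, cur, knots))
    return legs


def flag_implausible(track: list[AisFix], max_knots: float = MAX_PLAUSIBLE_KNOTS):
    """Return only the legs whose implied speed exceeds the plausibility ceiling."""
    return [leg for leg in implied_speeds(track) if leg[2] > max_knots]


# Constructed sample track (not real AIS data): three hourly reports along one
# latitude in the Black Sea. Leg 1 spans 0.5 deg of longitude (~40 km, ~22 kn,
# plausible); leg 2 spans 1.5 deg (~120 km, ~65 kn, impossible for a merchant ship).
SAMPLE_TRACK = [
    AisFix("000000001", 0, 44.0, 34.0),
    AisFix("000000001", 3600, 44.0, 34.5),
    AisFix("000000001", 7200, 44.0, 36.0),
]

if __name__ == "__main__":
    for prev, cur, knots in flag_implausible(SAMPLE_TRACK):
        print(f"{cur.mmsi}: {knots:.1f} kn implied between t={prev.timestamp} and t={cur.timestamp}")
```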

What's up with KillNet.

KillNet's boss-cum-spokesperson, KillMilk, this week announced that he was firing a bunch of his hacktivists. The Russian outlet reports that “According to information received from a number of Killnet participants, this is primarily about clearing the organization of small groups that make insufficient or insufficiently professional contribution to attacks on the infrastructure of Western countries. At the same time, the activities of the association will continue, although at first Killmilk really plans to work alone." So, hacktivists, up your game or you're out.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.



Today's issue includes events affecting Armenia, Australia, Azerbaijan, Brazil, Canada, China, the European Union, Iran, Israel, Kenya, Mexico, New Zealand, Portugal, Russia, Spain, Sweden, Taiwan, Ukraine, the United Kingdom, and the United States.

We'd like your feedback.

We're always looking for ways to improve the CyberWire network to give you an intelligence-driven news experience that saves you time and keeps you in the know on the latest developments in cybersecurity. Help us continue to grow and meet your needs by sharing your feedback in our 2023 Audience Survey. Give us ten minutes of your time, and you'll have a chance to win a $100 Amazon gift card. (And also our sincere gratitude). Take the survey here.


Cyber Security Summits in Dallas, Denver & Austin (Multiple locations, May 2 - 25, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception in Dallas on 5/2, Denver on 5/18 and Austin on 5/25. Learn how to protect your business from Cyber threats from The FBI, U.S. DHS / CISA, Darktrace & more. Earn up to 8 CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

Georgetown University Programs in Cybersecurity Webinar (Virtual, June 7, 2023) Advance your cybersecurity career with a Master's in Cybersecurity Risk Management from Georgetown University. You'll develop and execute integrated strategies, policies, and safeguards to manage risks across an enterprise. Attend our webinar on June 7 to learn more.

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+455: Prigozhin speaks. (CyberWire) Wagner Group capo Prigozhin criticizes the Ministry of Defense and the Russian regulars for what he ...

Russia-Ukraine war at a glance: what we know on day 456 of the invasion (the Guardian) Russia has replaced its Wagner private military units with regular soldiers in the outskirts of ...

Zelenskiy Blasts Russia's 'Terrorizing' Drone Attack As Allies Set To Discuss Military Aid (RadioFreeEurope/RadioLiberty) U.S. Defense Secretary Lloyd Austin is to hold a virtual meeting of the Ukraine Defense Contact ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

Researchers say they found spyware used in war for the first time (TechCrunch) Digital rights researchers accuse Azerbaijan of using spyware made by NSO Group in the context of ...

Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII (SentinelOne) Over the first quarter of 2023, SentinelLabs observed a campaign targeting users of Portuguese ...

NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting U.S. Critical Infrastructure Sectors (National Security Agency/Central Security Service) The National Security Agency (NSA) and partners have identified indicators of compromise (IOCs) ...


Security Patches, Mitigations, and Software Updates

Ericsson Sensitive Data Exposure via Trace.axd (Checkmarx) Ericsson Sensitive Data Exposure via Trace.axd

GitLab 'strongly recommends' patching max severity flaw ASAP (BleepingComputer) GitLab has released an emergency security update, version 16.0.1, to address a maximum severity ...


Customer Identity Trends Report 2023 (Okta) Delivering great customer experiences is easier said than done. Download Okta's 2023 Customer ...

New report reveals a 121% surge in cybercriminals using legitimate websites to obfuscate malicious payloads (GlobeNewswire News Room) 71% of malicious payloads sent from compromised accounts were HTML smuggling attacks; 51% increase in ...

Group-IB: the use of phishing kits surges by 25% in 2022 as they become more evasive and advanced (Group-IB) Group-IB, a global cybersecurity leader headquartered in Singapore, has recorded a 25% increase in ...



Why aren't venture capitalists flocking to fund cybersecurity startups? (TechCrunch) Cybersecurity companies are enjoying stellar growth and multiples, but VCs are still hesitant to ...

Ransomware is being excluded from cyber insurance policies (Security) According to a recent report, some cyber insurance policies aren't covering ransomware attacks as ...

Agile Defense acquires XOR Security (Intelligence Community News) Agile Defense, an end-to-end provider of large-scale, digital transformations solutions to the ...


Products, Services, and Solutions

Corvus Insurance Unveils Corvus Signal™, a Cyber Risk Prevention Solution Shown to Reduce Cyber Breaches (Business Wire) Policyholders who engaged with Corvus Signal in the past three years saw a nearly 20% lower ...

ThreatBlockr Announces Milestone of Blocking One Billion Threats Per Day (ThreatBlockr) The company also doubles down on support for higher education institutions as the industry continues ...

KnowBe4 and TDI Collaborate To Enhance Cyber Performance, Risk and Compliance Capabilities (KnowBe4) KnowBe4 and TDI Collaborate To Enhance Cyber Performance,Risk and Compliance Capabilities


Technologies, Techniques, and Standards

New CISA Zero Trust Maturity Model Brings Attention to Encryption-in-Use Solutions (Globe Newswire) CISA now recommends encrypting data in use as part of an optimal data security strategy

Broad coalition of advocacy groups urges Slack to protect users' messages from eavesdropping (CyberScoop) Tech, civil liberties and reproductive justice groups want the company to offer end-to-end ...

Recourse following data breaches – what can companies do? (Clyde & Co) Businesses face significant financial impact due to data breaches. These can include remediation and ...

Design and Innovation

IBM wants to build a 100,000-qubit quantum computer (MIT Technology Review) The company wants to make large-scale quantum computers a reality within just 10 years.

Cybersecurity Chiefs Navigate AI Risks and Potential Rewards (Wall Street Journal) For now, the long-term benefits of generative AI are unclear and the risks are manageable, security ...

AI in cybersecurity: Yesterday’s promise, today’s reality (MIT Technology Review) Why AI will drive more speed and accuracy in security and give defenders an edge.


Research and Development

Space Force Will Look At How to Hack Targets From Space (Defense One) “We're laying the groundwork for starting to figure that,” said the leader of Space Operations ...


Cybersecurity research aims for impact at Virginia Tech (Virginia Tech) The Commonwealth Cyber Initiative in Southwest Virginia is investing in researchers working at the ...

Legislation, Policy, and Regulation

Iran is using its cyber capabilities to kidnap its foes in the real world (Atlantic Council) This new form of transnational repression by Iran has alarmed security professionals and governments ...

5th Anniversary of the GDPR: Still a benchmark in the EU digital landscape? (European Data Protection Supervisor) On the occasion of the 5th anniversary of the entry into application of the General Data Protection ...

EU: Commission publishes statement ahead of 5th anniversary of GDPR (DataGuidance) On May 24, 2023, the European Commission published a statement ahead of the fifth anniversary of the ...


Litigation, Investigation, and Law Enforcement

America’s nuclear secrets are vulnerable to fraudsters and spies, watchdog report says (NBC News) The Government Accountability Office says the Energy Department has for years failed to act on ...

Pegasus spyware reaches into Mexican president’s inner circle (Washington Post) Mexico’s security forces have been among the world’s most aggressive in using cutting-edge ...

Lawsuits by Moderators of Violent Online Content Pose Threat to Big Tech (Wall Street Journal) Court cases in Kenya could widen legal risks as they cast fresh light on the industry’s far-flung, ...



Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.


The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA
