The Breach Report: February 16, 2024

Russia, Iran, China using Generative AI in offensive cyber operations

Welcome to the initial launch of the Breach Report, a special cybersecurity newsletter from the creators of Cybersecurity Careers Blog.

Microsoft reports Russia, Iran, and China using OpenAI Generative AI services in offensive cybersecurity operations

Microsoft disclosed that it had caught Russia, Iran, and China using its Azure OpenAI generative AI services in offensive cybersecurity operations against targets. (image credit: Getty News)

State-backed hackers from Russia, Iran, China, and North Korea are using Microsoft’s Azure OpenAI services in offensive cyber operations against their targets, Microsoft disclosed this week. In a blog post, the company reported that it terminated the accounts associated with the state-backed actors as soon as the abuse was detected.

Microsoft identified the following actors:

  • Two China-affiliated threat actors known as Charcoal Typhoon and Salmon Typhoon

  • Iran-affiliated threat actor known as Crimson Sandstorm

  • North Korea-affiliated actor known as Emerald Sleet

  • Russia-affiliated actor known as Forest Blizzard

The malicious activity detected included reconnaissance of target companies and cybersecurity tools, code debugging and script generation, and drafting content for phishing campaigns.

Other activity included generating spear-phishing content, working on malware detection evasion, and, notably in Forest Blizzard’s case, “open-source research into satellite communication protocols and radar imaging technology,” according to the report.

Microsoft states that it maintains teams dedicated to identifying, disabling, and disrupting malicious use of its Azure platform. The company “continues to iterate on safety mitigations” in light of this discovery and is disclosing it publicly for transparency.

We’re a far cry from the early days of ChatGPT and wondering whether it could write malware. It’s far more sophisticated than that, unfortunately.

U.S. Department of Justice Takes Down Russian Military Botnet

The U.S. Department of Justice has taken down a Russian military botnet operation attributed to Forest Blizzard, also known as “Fancy Bear” and “APT28.” (image credit: Cybersecurity Careers Blog)

Another week, another Russian Forest Blizzard operation disruption. The U.S. Department of Justice has reported that it disrupted and dismantled a Russian military botnet run by Forest Blizzard, also known as “Fancy Bear” and “APT28.” Forest Blizzard is a unit of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU); it is distinct from the SVR-linked Midnight Blizzard (APT29), the group to which the SolarWinds software supply chain attack is attributed.

According to the DoJ, the botnet relied on “Moobot” malware that non-GRU cybercriminals had installed on Ubiquiti EdgeOS routers still using publicly known default administrator passwords. GRU operators then used the Moobot foothold on those edge devices to install their own bespoke scripts and files, and commandeered the infrastructure to serve as a global cyber espionage platform. Because the court-authorized operation neutralized the malware but did not fix the underlying exposure, the DoJ urged owners to factory-reset affected routers, update the firmware, replace the default administrator password, and firewall off remote access to the management interfaces.
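As an added example, not from the DoJ release or from Ubiquiti, here is a small Python audit for the two conditions the takedown turned on: a factory admin account that was never removed, and a management service reachable from every interface. It assumes an EdgeOS/Vyatta-style brace-nested `config.boot`, that the factory account is named `ubnt`, and that `listen-address` is the option used to pin `ssh` and `gui` to an internal address; the two config excerpts are constructed for the example.

```python
"""Audit an EdgeOS/Vyatta-style config.boot for the weaknesses behind the
Moobot takedown: a surviving factory 'ubnt' account and management services
(ssh, gui) with no listen-address restriction.

Constructed example. The parser is a minimal brace-block reader, not
Ubiquiti's tooling, and the config excerpts below are made up.
"""

# Assumption: 'ubnt' is the factory admin account name on EdgeOS.
DEFAULT_ACCOUNT = "ubnt"
# Assumption: these services are restricted by a 'listen-address' leaf.
MGMT_SERVICES = ("ssh", "gui")

# Constructed: a router left close to factory state.
WEAK_CONFIG = """\
system {
    host-name edgerouter
    login {
        user ubnt {
            authentication {
                encrypted-password $6$examplehash
            }
            level admin
        }
        user netops {
            authentication {
                encrypted-password $6$otherhash
            }
            level admin
        }
    }
}
service {
    gui {
        http-port 80
        https-port 443
    }
    ssh {
        port 22
    }
}
"""

# Constructed: factory account removed, ssh bound to the LAN address, no gui.
HARDENED_CONFIG = """\
system {
    login {
        user netops {
            authentication {
                encrypted-password $6$otherhash
            }
            level admin
        }
    }
}
service {
    ssh {
        listen-address 192.168.1.1
        port 22
    }
}
"""


def parse_config(text):
    """Parse a brace-nested config into nested dicts.

    'key value' leaves become {key: value}. Block headers may be multi-word
    ('user ubnt {'), which nest as {'user': {'ubnt': {...}}}. Lines that are
    /* */ banners at the end of config.boot are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("/*", "//")):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces in config")
            stack.pop()
            continue
        if line.endswith("{"):
            node = stack[-1]
            for word in line[:-1].split():
                node = node.setdefault(word, {})
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def audit(config):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    users = config.get("system", {}).get("login", {}).get("user", {})
    if DEFAULT_ACCOUNT in users:
        findings.append(
            f"factory account '{DEFAULT_ACCOUNT}' still exists; "
            "confirm its password is not the default, or delete it"
        )
    services = config.get("service", {})
    for name in MGMT_SERVICES:
        svc = services.get(name)
        if svc is not None and "listen-address" not in svc:
            findings.append(
                f"service {name} has no listen-address; the management "
                "interface is reachable on every interface, including WAN"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(cfg)) or ["no findings"])
```

The script reads a saved `config.boot` rather than the live device, so it can run against a fleet's backups without touching the routers; the presence of the `ubnt` account is a prompt to verify the password, since a hash alone does not prove the factory default is still set.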

“This is yet another case of Russian military intelligence weaponizing common devices and technologies for that government’s malicious aims,” said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. “As long as our nation-state adversaries continue to threaten U.S. national security in this way, we and our partners will use every tool available to disrupt their cyber thugs — whomever and wherever they are.”

Forest Blizzard is a different Russian intelligence unit from Midnight Blizzard, the SVR-linked group caught hacking top Microsoft executives’ email accounts last month. That unrelated breach was an intelligence and reconnaissance effort aimed primarily at learning what Microsoft knew about the group itself.

Current Cybersecurity Headlines

New from our blog:

New from our favorite blogs and journalists:

Until next time…

Rob Waters
Founder, The Breach Report
