Microsoft, recently busted by Beijing, thinks it's across China's ever-changing cyber-offensive
Sometimes using AI to make hilariously wrong images that still drive social media engagement
Microsoft, which earlier this week admitted not being able to detect a Chinese attack on its own infrastructure, has published a report [PDF] titled "Digital threats from East Asia increase in breadth and effectiveness." In the report, Redmond's Threat Intelligence group expounds on its fresh insight into evolving online aggressions from both China and North Korea.
The document identifies four trends Microsoft's researchers think are worth watching:
- China is directing espionage efforts at countries around the South China Sea – an area it claims despite rulings to the contrary in international courts;
- Beijing's become better at using social media for influence operations, even targeting candidates in US elections;
- Those influence operations have scaled, and gone multilingual;
- North Korea remains a vigorous actor and has in recent months become very interested in maritime technology.
The report details the work of a group Microsoft has named "Raspberry Typhoon" that "typically conducts intelligence collection and malware execution" and likes to target ministries that oversee defense, intelligence, economic matters, and trade. The gang targets governments around the South China Sea. Another Beijing-backed group, "Flax Typhoon" (akaStorm-0919), focuses on Taiwan and its telecommunications, education, information technology, and energy infrastructure.
Flax Typhoon likes to use a custom VPN appliance to directly establish a presence within the target network. A related group, "Charcoal Typhoon," worked with its flaxen colleagues to target what Microsoft described as "Taiwanese aerospace entities that contract with the Taiwanese military."
China's influence operations (IO), the report claims, have started to use AI to produce content – sometimes with bizarre results.
"Since approximately March 2023, some suspected Chinese IO assets on Western social media have begun to leverage generative artificial intelligence to create visual content," the report states, adding that the resulting material has "already drawn higher levels of engagement from authentic social media users."
"Users have more frequently reposted these visuals, despite common indicators of AI-generation – for example, more than five fingers on a person's hand."
Which rather leaves your correspondent thinking social media users are as much of a problem as China's propagandists.
- Russian infosec boss gets nine years for $100M insider-trading caper using stolen data
- Microsoft: China stole secret key that unlocked US govt email from crash debug dump
- Attackers accessed UK military data through high-security fencing firm's Windows 7 rig
- Microsoft ain't happy with Russia-led UN cybercrime treaty
Another interpretation of the report is that China is deploying so many people for its influence ops that they're bound to find a receptive audience eventually. The document states that China debuts a new influencer every seven weeks and they have accumulated "a combined following of at least 103 million across multiple platforms speaking at least 40 languages."
The report calls out North Korea for co-ordinated activity aimed at the maritime sector, with three threat actors – Ruby Sleet (CERIUM), Diamond Sleet (ZINC), and Sapphire Sleet – spending late 2022 and early 2023 working together to target the maritime and shipbuilding sector.
"Microsoft had not previously observed this level of targeting overlaps across multiple North Korean activity groups, suggesting that maritime technology research was a high priority for the North Korean government at the time."
The report points out that after the three-party maritime campaign ended, North Korea may have launched missiles from submarines and deployed underwater drones. While the document doesn't suggest causal connection, Microsoft's researchers clearly found the timelines intriguing.
The researchers suggest China and North Korea will dish up more of the same in coming months and years, with emphasis on operations related to the 2024 presidential election in the United States.
"Given that CCP-aligned influence actors have targeted US elections in the recent past, it is nearly certain that they will do so again," the report concludes, adding "Social media assets impersonating US voters will likely demonstrate higher degrees of sophistication, actively sowing discord along racial, socioeconomic, and ideological lines with content that is fiercely critical of the United States."
Just as this report – and many like it – are critical of China and North Korea, and silent on the extent and variety of cyber-ops conducted by other nations. ®