New Entries in the CFR Cyber Operations Tracker: Q1 2020

This blog post was coauthored by Connor Fairman, research associate for the Digital and Cyberspace Policy program.

Nathan Marx, Digital and Cyberspace Policy program intern, oversaw data collection for new entries.

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between January 2020 and March 2020. We also modified some older entries to reflect the latest developments.

Here are some highlights:

• After several instances of North Korean hacking of cryptocurrency exchanges and banks, we have added a new category of incident, “Financial Theft.” Our incident categories now include Financial Theft, DDoS, Esionage, Defacement, Data Destruction, Sabotage, and Doxing.
• For the first time, we have observed a state (Israel) publicly admitting that they have hacked back against another state-affiliated cyber actor. In response, we have added a new policy response category, “Hack Back.” We will continue to be on the lookout for additional examples of states hacking back in the future.
• The Hamas-associated threat actor APT-C-23 targeted Israeli soldiers by pretending to be women looking for romantic partners. Duped soldiers were then enticed to download apps that contained spyware onto their phones. In response, the Israel Defense Forces hacked back and dismantled the infrastructure used by APT-C-23 to launch its attacks.
• DarkHotel, an advanced threat actor possibly associated with the South Korean government, attempted to phish World Health Organization employees during the coronavirus pandemic.

A detailed log of the added and modified entries follow. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here. 

Edits to Old Entries

Newscaster. Changed title to Charming Kitten. Added aliases APT 35, Newscaster, Ajax Security Team, Phosphorus, and Group 83. Possibly linked to Rocket Kitten.

Darkhotel. Changed title to DarkHotel. Also added DUBNIUM, Fallout Team, Karba, and Luder as aliases.

Apt 28. Added Hades to list of aliases.

Kingdom. Changed title to KINGDOM.

New Entries

Compromise of Bapco (1/8)

Continued targeting of cryptocurrency businesses (1/8)

Targeting of U.S. grid (1/9)

Targeting of Burisma (1/13)

Stolen data on nearly two thousand Mitsubishi employees (1/20)

Spyware sent to Jeff Bezos on WhatsApp (1/21)

Konni Group (1/23)

Spear-phishing campaign against unnamed U.S. government agency (1/23)

Wide-ranging attacks on government organizations and companies across the Middle East and Europe (1/27)

Targeting of New York Times journalist Ben Hubbard (1/28)

Targeting of U.S. government employees (1/30)

Impersonation of journalists to compromise public figures (1/30)

Infection of computer systems belonging to universities in Hong Kong (1/31)

Intensified attacks against Ukrainian national security targets (2/5)

Disclosure by Japanese firms of breaches between 2015 and 2018 (2/6)

Targeting of Malaysian government officials (2/7)

Attack on Austrian foreign ministry (2/13)

Catfishing of Israeli soldiers (2/16)

Targeting of companies in the United States, Israel, Saudi Arabia, and elsewhere (2/16)

APT-C-23 (2/16)

Targeting of Japan, Russia, and South Korean entities (3/5)

Tonto Team (3/5)

Watering-hole attacks targeting Armenian government websites (3/12)

Vicious Panda (3/12)

Targeting of the Mongolian government using coronavirus-related lures (3/12)

Targeting of Ukraine with coronavirus phishing emails (3/13)

APT 36 (3/16)

Phishing with fake coronavirus health advisory (3/16)

Global phishing campaign against industrial, government, and civil society targets (3/20)

Targeting of the World Health Organization (3/23)

Targeting of Hong Kong citizens with mobile malware (3/24)

Targeting of over seventy-five organizations (3/25)

Targeting of North Koreans and North Korea–focused professionals (3/26)

Tracking of Saudi Arabian citizens in the United States (3/29)

Storm Cloud (3/31)

Targeting of Tibetans via watering-hole attacks (3/31)