New Entries in the CFR Cyber Operations Tracker: Q1 2021
from Net Politics and Digital and Cyberspace Policy Program

An update of the Council on Foreign Relations' Cyber Operations Tracker for the period between January and March 2021. 
Cyber Operations Tracker. Council on Foreign Relations

This blog post was coauthored by Kyle Fendorf, research associate for the Digital and Cyberspace Policy program. 


Eyako Heh, Digital and Cyberspace Policy program intern, oversaw data collection and Jessie Miller, Digital and Cyberspace Policy program intern, uploaded new entries. 

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between January and March 2021.  


Here are some highlights: 


  • In January, law enforcement agencies from several countries collaborated to take down the command and control servers of the EMOTET botnet. 

  • In February, Chinese threat actors inserted malware into the Indian power grid during a border dispute between the two countries. The malware may have caused a failure in the Mumbai power grid. 

  • In March, the Chinese threat actor Hafnium exploited a vulnerability in Microsoft Exchange to access user emails. The vulnerability was widely used by other groups after it was revealed. 


A detailed log of the added and modified entries follows. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here.

Edits to Old Entries 

The Dukes. Added alias Dark Halo 

Lucky Cat. Added alias TA413 

Targeting of SolarWinds customers. Added sanctions. 

New Entries 

Targeting of Malwarebytes’ Office 365 tenant (1/19) 

Targeting of security researchers with malware (1/25) 

Take down of EMOTET botnet (1/27) 

Disruption of NetWalker ransomware (1/27) 

Targeting of international gambling firms (1/6) 

Targeting of SolarWinds (2/2) 

Targeting of South Sudanese citizens (2/2) 

Targeting of Qatari royal family (2/6) 

Targeting of United Arab Emirates government employees (2/10) 

Targeting of government authorities in Pakistan and Kashmir (2/11) 

Confucius (2/11) 

Targeting of domestic citizens in Iran (2/8) 

Domestic Kitten (2/8) 

Targeting of Pfizer vaccine data (2/16) 

Targeting of French IT monitoring company (2/15) 

Targeting of cryptocurrency exchanges and financial service companies (2/17) 

Targeting of Dutch data center (2/18) 

Targeting of Ukrainian web servers (2/22) 

Targeting of Ukrainian government document management system (2/24) 

Targeting of human rights activists in Vietnam (2/24) 

Targeting of Tibetan organizations (2/25) 

Targeting of the defense industry (2/25) 

Targeting of India’s power infrastructure (2/28) 

Targeting of organizations via Microsoft Exchange Server vulnerability (3/2) 

Hafnium (3/2) 

Targeting of Indian vaccine makers (3/1) 

Targeting of the Parliament of Western Australia (3/4) 

Targeting of Middle Eastern and Azerbaijani organizations (3/5) 

Targeting of Linux endpoints and servers (3/11) 

Targeting of classified government data in Ukraine (3/16) 

Targeting of telecommunications companies’ employees (3/16) 

Targeting of Uyghur activists, journalists, and dissidents (3/24) 

Targeting of U.S. and Israeli medical researchers (3/30) 


Creative Commons: Some rights reserved.
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.