New Entries in the CFR Cyber Operations Tracker: Q2 2023

Kyle Fendorf is the research associate for the Digital and Cyberspace Policy program.

Natasha White, intern for the Digital and Cyberspace program, oversaw data collection. 

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between April and June 2023. 

Here are some highlights: 

• The FBI announced it had disrupted a Russian malware network, Snake, that was active in over fifty countries and had been operating in some form for at least twenty years. 

• A new Chinese threat actor, Volt Typhoon, was detected on U.S. military networks in Guam and other areas of the western Pacific and had established a presence in some critical infrastructure systems in the United States. The U.S. government said the group’s presence could be leveraged to attack critical infrastructure in the event of a future conflict. 

• North Korea’s Lazarus Group used a backdoor placed during a supply chain attack on the financial software firm Trading Technologies to access the systems of 3CX, a voice calling and video conferencing software provider, and distribute malware to 3CX customers. The attack marks the first known case of a group using access gained in an initial supply chain hack to launch a second one against a new network of customers. 

Edits to Old Entries 

Kimsuky. Added APT43 as an alias. 

Emissary Panda. Added Budworm as an alias. 

Nodaria. Added Cadet Blizzard as an alias. 

New Entries 

Targeting of military and government networks in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka (2/15) 

Targeting of 3CXDesktopApp customers and crypto firms (3/30) 

SideWinder (3/30) 

Targeting of organizations of strategic interest to the Chinese government (3/30) 

Targeting of experts in North Korea policy issues (4/5) 

Targeting of Indian education sector (4/13) 

Targeting of European government agencies and diplomats (4/13) 

Targeting of a Taiwanese media organization (4/17) 

Targeting of Indian government agencies (4/17) 

Targeting of human rights groups and activists related to human rights advocacy in North Korea (4/20) 

Targeting of Mac users at financial institutions (4/24) 

Targeting of U.S. critical infrastructure and civil-society groups (4/18) 

Targeting of South Korean institutions (4/25) 

Targeting of high-profile government, aviation, energy, telecoms and banking-sector entities in the Middle East and North Africa (4/25) 

Targeting of manufacturing and real-estate sectors in India and telecommunications companies in Bulgaria and Pakistan (4/27) 

Targeting Linux systems in Nepal and South Africa (4/28) 

Targeting of Ukrainian government bodies (4/30) 

Targeting of military personnel in South Asia (5/3) 

Targeting of military personnel and activists in Southeast Asia (5/3) 

Targeting of the Ukrainian public sector (5/4) 

Targeting of minority groups in Iran (5/4) 

Targeting of the staff of Korea Risk Group, as well as organizations in the United States, Asia, and Europe (5/4) 

Targeting East Asian and Southeast Asian health-care, manufacturing, technology, and government organizations (5/5) 

Targeting of PaperCut MF and NG print management servers by an Islamic Revolutionary Guard Corps–affiliated actor (5/8) 

Targeting of PaperCut MF and NG print management servers by a Ministry of Intelligence and Security–affiliated actor (5/8) 

Targeting of Pakistani government officials and networks in Turkey (5/8) 

Targeting of government networks with Snake malware (5/9) 

Targeting of South Korean hospital network (5/10) 

Targeting of cryptocurrency exchanges in DangerousPassword campaign (5/12) 

Targeting of Ukrainian civil-society groups (5/17) 

Targeting of users of Israeli shipping and logistics websites (5/23) 

Volt Typhoon (5/24) 

Targeting of telecommunications equipment in Guam (5/24) 

Targeting of Kenyan government (5/25) 

Targeting of Russian iPhone users (6/1) 

Targeting of Taiwanese government and critical infrastructure operators (6/2) 

Targeting of Islamic State group militants in Iraq (6/4) 

Targeting of analysts of North Korean affairs (6/6) 

Targeting of Vietnamese agriculture business (6/9) 

Targeting of South Korean professors, dissidents, and human rights advocates (6/12) 

Targeting of Atomic Wallet cryptocurrency users (6/13) 

Targeting of government organizations in Eastern Europe and Western Asia (6/14) 

Targeting of users of Naver (6/15) 

Targeting of organizations using Barracuda email security gateway devices (6/15) 

Targeting of the Indian defense sector (6/15) 

Targeting of Ukrainian government agencies in phishing attack (6/16) 

Targeting of Ukrainian email servers (6/20)