New Entries in the CFR Cyber Operations Tracker: Q3 2019
from Net Politics and Digital and Cyberspace Policy Program

An update of the Council on Foreign Relations' Cyber Operations Tracker for the period between July and September 2019.

This blog post was coauthored by Lauren Dudley, research associate for the Asia Studies program, and Connor Fairman, research associate for the Digital and Cyberspace Policy program.

Elizabeth Merrigan, Digital and Cyberspace Policy program intern, oversaw data collection for new entries.

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between July 2019 and September 2019. We also modified some older entries to reflect the latest developments.

Here are some highlights:

  • Chinese state-sponsored hackers targeted apps used by protesters in Hong Kong, popular websites and telecommunications networks used by the Uighur diaspora, and mobile phones used by senior members of the Tibetan government-in-exile, signaling attempts by Beijing to track and control populations it considers threatening to domestic security interests.
  • Hackers from the Russian-backed APT 28 exploited vulnerabilities in Internet of Things (IoT) devices, such as phones and printers, to gain access to other accounts on connected networks with more privileges and data. Microsoft researchers warned that these attacks will likely increase, making the reduction of vulnerabilities in IoT devices a pressing challenge for governments around the world.

A detailed log of the added and modified entries follows. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here.

Edits to Old Entries

Lazarus Group. Added the sanctions imposed by the U.S. Treasury Department.

Thrip. Added its recently uncovered affiliation with the Lotus Blossom threat actor.

APT 33. Added its affiliation with the Elfin cyber espionage group and attribution for Shamoon malware attacks in 2016 and 2017.

APT 17. Added the identification of three members of this threat actor, who are believed to be operating as contractors for the Chinese Ministry of State Security.

Axiom. Added its relationship with Winnti.

Inception Framework. Added its aliases, Cloud Atlas and Red October, and additional victim states, including Afghanistan, Kyrgyzstan, Russia, and Turkey.

New Entries

Targeting of secure messaging app used by Hong Kong protesters (6/13)

Targeting of German energy technology, chemicals, and consumer goods companies, among others (7/24)

Targeting of investigative journalists at Bellingcat (7/26)

Targeting of Internet of Things (IoT) devices used by Microsoft customers (8/5)

APT 41 (8/7)

Compromise of Bahraini government agencies and critical infrastructure (8/7)

Targeting of Czech Foreign Ministry (8/13)

Targeting of the Australian Parliament, including the Liberal, National, and Labor Parties (8/15)

Targeting of embassies and foreign ministries in Eastern Europe and Central Asia (8/20)

Autumn Aperture—use of malicious websites to target foreign ministries and other entities (8/22)

Compromise of websites related to Uighur communities (9/3)

Targeting of telecommunications operators in countries through which Uighurs are known to travel (9/5)

Targeting of enterprise VPN servers from Fortinet and Pulse Secure (9/5)

Targeting of over sixty universities in multiple countries, including the United States and United Kingdom (9/11)

Kimsuky (9/11)

Autumn Aperture—malware embedded in antiquated file types (9/11)

Targeting of U.S. utility companies (9/21)

Targeting of senior members of Tibetan groups (9/24)

Poison Carp (9/24)

Compromise of Airbus suppliers (9/26)

Creative Commons: Some rights reserved.
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.