New Entries in the CFR Cyber Operations Tracker: Q4 2023
The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between October and December 2023.
Here are some highlights:
- Cybersecurity firm Kaspersky Labs released more information on an attack that occurred in June 2023, dubbed Operation Triangulation. The attackers made use of four zero-day vulnerabilities in Apple products, including a vulnerability in Apple’s hardware-based memory protections that gave the attackers kernel-level access to targeted devices. The campaign ran for at least four years and targeted researchers at Kaspersky and employees of diplomatic missions and embassies inside Russia.
- The Dukes, a Russian threat actor, used a zero-day in TeamCity, a software exchange and testing product made by the company JetBrains, to compromise the networks of hundreds of different companies and organizations. The attacks appear to have been opportunistic, with The Dukes targeting any system with JetBrains software installed and escalating access in some cases.
- Chinese hackers broke into the networks of at least twenty-four Cambodian government agencies between 2022 and 2023 and likely gained access to sensitive files across all the agencies; the agencies work on a number of issues, including national defense, human rights, election oversight, trade and commerce, and telecommunications.
Edits to Old Entries
Targeting of Russian iPhone users. Updated description, victims, and sources to reflect new information on Operation Triangulation.
New Entries
Targeting of semiconductor manufacturing firms in East Asia (10/5)
Targeting of Mixin cryptocurrency network (10/6)
Targeting of government agency in Guyana (10/5)
Targeting of Ukrainian telecommunications providers (10/15)
Targeting of French think tanks, government agencies, universities, and businesses (10/26)
YoroTrooper (10/25)
Targeting of blockchain engineers at a cryptocurrency exchange (10/31)
Targeting of users of an Arabic dating app (10/31)
Targeting of Polish government organizations with Follina vulnerability (11/13)
Targeting of Polish government organizations with PlugX malware (11/13)
Targeting of Polish government agencies using compromised Ukrainian email accounts (11/13)
Targeting of customers of a South Korean asset management program (11/20)
Targeting of academic institutions, think tanks, and other research groups (12/7)
Targeting of South Korean defense industry (12/6)
Targeting of the telecommunications sector in Egypt, Sudan, and Tanzania (12/19)
Targeting of organizations using JetBrains software (12/13)
Targeting of home internet routers to add to a botnet (12/13)
Agrius (11/6)
Targeting of Israeli education and technology sectors (11/6)
Targeting of Cambodian government agencies (11/7)
Targeting of Ukrainian power grid (11/9)
Targeting of Danish critical infrastructure companies (11/15)
Targeting of CyberLink customers in supply-chain attack (11/22)
Targeting of Dutch chipmaker NXP (11/28)
Chimera (11/28)
Targeting of Ukrainian telecommunications operator Kyivstar (12/12)