Multiple Microsoft SQL Vulnerabilities
November 25, 2024
Multiple Apple Products Vulnerabilities
November 26, 2024
Severity
High
Analysis Summary
Storm-2077 is a China-based state-sponsored threat actor that has been active since at least January 2024. According to Microsoft, the group has targeted U.S. government agencies and NGOs, as well as critical industries worldwide including the Defense Industrial Base, aviation, telecommunications, financial, and legal sectors.
Leveraging publicly available exploits, the group has targeted internet-facing devices to gain initial access, then deployed tools such as Cobalt Strike, Pantegana, and Spark RAT. Storm-2077 has also shown intelligence-gathering tradecraft aimed at mailboxes: it uses phishing campaigns to harvest credentials for eDiscovery applications, and it breaks into cloud environments where it registers its own applications with mail-read privileges so that sensitive email can be exfiltrated through a legitimate-looking application rather than a user session. The activity partially overlaps with a group tracked by other researchers as TAG-100.
China's cyber threat landscape has grown increasingly sophisticated over the last decade, with attackers adapting their tactics after public disclosures and indictments. Storm-2077 exemplifies this evolution, blending conventional phishing with cloud-based credential harvesting to widen its reach. The group's methods reflect a focus on strategic intelligence that could be used to advance Chinese geopolitical objectives, and its ability to escalate privileges and maintain persistence in compromised environments underscores the difficulty of detecting and evicting it.
In parallel with cyber operations, China's influence campaigns have also escalated, notably through a pro-China operation dubbed GLASSBRIDGE. This campaign uses a network of inauthentic news sites and digital PR firms to disseminate narratives aligned with the Chinese government's agenda. Companies such as Shanghai Haixun Technology, Times Newswire, and Shenzhen Bowen Media orchestrate these campaigns, disguising state-sponsored content as legitimate news articles. The fake outlets republish state media content or commissioned pieces, sometimes hosted on subdomains of credible news organizations, which amplifies both their reach and their apparent credibility.
The GLASSBRIDGE operation illustrates how influence actors are diversifying beyond traditional social media platforms, using digital PR services to present pro-Beijing propaganda as independent journalism. Google reports blocking over a thousand such websites from its News and Discover platforms since 2022. Together, these efforts show China's multi-pronged strategy of shaping global narratives through both cyber espionage and information operations, often tailored to regional audiences for maximum effect.
Impact
- Data Exfiltration
- Sensitive Data Theft
- Unauthorized Access
Remediation
- Regularly update and patch all internet-facing devices to mitigate vulnerabilities.
- Implement robust firewall and intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious traffic.
- Conduct employee training to recognize and report phishing attempts.
- Deploy email security solutions to filter malicious emails and attachments.
- Use multi-factor authentication (MFA) for all cloud-based applications and administrative accounts.
- Continuously monitor cloud activity for suspicious actions, such as unauthorized application creation or data exfiltration.
- Deploy endpoint detection and response (EDR) tools to identify and contain post-exploitation tooling such as Cobalt Strike, Pantegana, and Spark RAT.
- Perform regular threat hunting to uncover indicators of compromise (IOCs) and unusual behavior in systems.
- Collaborate with tech companies to identify and block fake news sites and suspicious subdomains.
- Encourage legitimate news platforms to verify content sources before publication.
- Investigate and scrutinize digital PR firms that might facilitate state-sponsored propaganda campaigns.
- Raise awareness among media organizations about the risks of hosting content from questionable sources.
- Launch educational campaigns to inform the public about misinformation tactics and encourage critical evaluation of online news.
- Partner with academic and civil organizations to study and expose information operations.
- Develop international policies to regulate the misuse of digital PR services and newswire distribution for propaganda purposes.
- Enhance cooperation between governments, tech firms, and cybersecurity entities to combat coordinated influence campaigns.
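The cloud-monitoring recommendation above is most useful when it targets the specific pattern in the Analysis Summary: an application is registered in the tenant and then granted mailbox-reading permissions. The Python below is an added example (not part of this advisory, and not Microsoft's or Storm-2077's tooling) that scans audit-log records for that register-then-grant sequence. The record layout, field names, user and application names, and timestamps are constructed assumptions modeled loosely on the Entra ID audit log format, not real data or a vendor schema.

```python
"""Flag audit-log events in which an application is registered and then
granted mailbox-reading permissions (register-then-grant).

Added example for this advisory; not code from the advisory, from Microsoft,
or from the threat actor. The record layout below is a simplified,
constructed approximation of Entra ID audit log JSON: every field name,
user name, application name and timestamp is an assumption for illustration.
"""
import json
from datetime import datetime, timedelta

# Microsoft Graph / Exchange permission names that allow reading mail.
MAIL_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "Mail.ReadBasic.All",
    "full_access_as_app", "IMAP.AccessAsUser.All", "EWS.AccessAsUser.All",
}
APP_CREATE_EVENTS = {"Add application", "Add service principal"}
GRANT_EVENTS = {
    "Add app role assignment to service principal",
    "Consent to application",
    "Add delegated permission grant",
}
# modifiedProperties entries (assumed names) that carry granted permissions
PERMISSION_FIELDS = {"AppRole.Value", "ConsentAction.Permissions",
                     "DelegatedPermissionGrant.Scope"}
WINDOW = timedelta(hours=1)   # "created shortly before grant" threshold


def _event(ts, activity, actor, app, props=None):
    """Build one constructed audit record in the simplified layout used here."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "displayName": app,
            # newValue is a JSON-encoded string, as in real exports
            "modifiedProperties": [{"displayName": k, "newValue": json.dumps(v)}
                                   for k, v in (props or {}).items()],
        }],
    }


# Constructed sample events (not real log data); deliberately out of order.
SAMPLE_EVENTS = [
    _event("2024-11-20T10:00:00Z", "Add application", "alice@corp.example", "Corp Expense Sync"),
    _event("2024-11-20T10:05:00Z", "Add app role assignment to service principal",
           "alice@corp.example", "Corp Expense Sync", {"AppRole.Value": "Files.Read.All"}),
    _event("2024-11-19T09:00:00Z", "Consent to application", "admin@corp.example",
           "Outlook Mobile", {"ConsentAction.Permissions": "Mail.ReadWrite User.Read"}),
    _event("2024-11-21T14:02:00Z", "Add service principal", "legal.user@corp.example", "MailSyncHelper"),
    _event("2024-11-21T14:04:00Z", "Add app role assignment to service principal",
           "legal.user@corp.example", "MailSyncHelper", {"AppRole.Value": "Mail.Read"}),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def granted_permissions(event):
    """Collect permission names from the modifiedProperties of all targets."""
    perms = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") not in PERMISSION_FIELDS:
                continue
            raw = prop.get("newValue") or ""
            try:
                raw = json.loads(raw)   # unwrap the JSON-encoded string
            except ValueError:
                pass                    # tolerate a bare, unquoted value
            if isinstance(raw, str):
                perms.update(raw.replace(",", " ").split())
    return perms


def actor_of(event):
    who = event.get("initiatedBy", {})
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_mail_grants(events):
    """Return findings for permission grants that include mailbox access.

    Severity is 'high' when the same application was registered less than
    WINDOW earlier (the register-then-grant pattern), otherwise 'medium'
    (a mail permission granted to a pre-existing app still merits review).
    """
    created = {}    # application display name -> registration time
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        t = parse_time(ev["activityDateTime"])
        name = ev["activityDisplayName"]
        app = ev["targetResources"][0]["displayName"]
        if name in APP_CREATE_EVENTS:
            created[app] = t
            continue
        if name not in GRANT_EVENTS:
            continue
        mail = granted_permissions(ev) & MAIL_PERMISSIONS
        if not mail:
            continue
        recent = app in created and t - created[app] <= WINDOW
        findings.append({
            "time": ev["activityDateTime"], "actor": actor_of(ev), "app": app,
            "permissions": sorted(mail), "severity": "high" if recent else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_mail_grants(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['time']} {f['actor']} "
              f"granted {f['permissions']} to '{f['app']}'")
```

Run against the constructed sample, the script raises one medium finding (an existing app given Mail.ReadWrite by an admin) and one high finding (MailSyncHelper registered and granted Mail.Read two minutes later by a non-admin user), while the Files.Read.All grant is ignored. In a real tenant the same logic would be pointed at exported audit-log JSON, and the high-severity case should trigger a review of who registered the app, whether the initiating account shows other signs of credential theft, and whether the app's credentials should be revoked.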