New Entries in the CFR Cyber Operations Tracker: Q2 2020

This blog post was coauthored by Connor Fairman, research associate for the Digital and Cyberspace Policy program.

Corbin Stevens, Digital and Cyberspace Policy program intern, oversaw data collection for new entries.

 The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between April 2020 and June 2020. We also modified some older entries to reflect the latest developments.

Here are some highlights:

• The Cyber Operations Tracker has an updated design with an interactive map showing the origins of state-sponsored cyber operations as well as by victim type. Click here to view the map.
• Suspected Vietnamese threat actor Ocean Lotus sent spear-phishing emails to officials from the Wuhan city government and China’s Ministry of Emergency Management and also uploaded malware-infected apps to the Google Play store to trick users into downloading them onto their phones.
• Hackers associated with the Iranian government sought to cripple computers that control water flow and wastewater treatment for two rural districts in Israel. In retaliation, Israel launched a cyberattack against Iran’s Shahid Rajaee Port, disrupting its operations. This is the first documented instance of a state confirming it used cyber means against another state in retaliation for a cyber operation.
• Suspected North Korean-affiliated threat actor Hidden Cobra used a variety of malware tools to hack into and steal money from banks, cryptocurrency exchanges, and ATMs.

A detailed log of the added and modified entries follows. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here.

Edits to Old Entries

Stolen data on nearly two thousand Mitsubishi employees. Included disclosure that the breach resulted in the theft of specifications for a hypersonic missile that Japan had been developing.

Compromise of the networks at the German parliament (Bundestag). Added details regarding Germany’s arrest warrant issued against Dmitry Badin and request that European Union governments impose cyber sanctions against him.

New Entries 

Targeting of World Health Organization (WHO) staff emails (4/2)

Operations against actors targeting Australians during COVID-19 pandemic (4/6)

Targeting of Arabic speakers with COVID-19-related apps (4/15)

Syrian Electronic Army (4/15)

Targeting of Wuhan government and China’s Ministry of Emergency Management (4/22)

Targeting of Poland’s War Studies University (4/23)

Distribution of malware through Google Play store (4/28)

Phishing of Vietnamese government officials (4/30)

Pirate Panda (4/30)

Targeting of CPC Corporation (5/5)

Targeting of government bodies in Australia and Southeast Asia (5/7)

Attack on Israeli water utilities (5/7)

Targeting of global financial institutions (5/12)

Targeting of COVID-19 research organizations (5/13)

Targeting of companies in Central Asia (5/14)

Disruption of operations at Shahid Rajaee Port (5/19)

Greenbug (5/19)

Targeting of South Asia telecommunication providers (5/19)

Targeting of Asian video game companies (5/21)

Targeting of air transportation and government agencies in Kuwait and Saudi Arabia (5/25)

Targeting of German critical infrastructure owners (5/26)

Targeting of ministries of foreign affairs and a national parliament in Central Asia and Eastern Europe (5/26)

Targeting of email servers using Exim mail transfer agent (5/28)

Targeting of Ukrainian government organizations (6/11)

Targeting of Central European aerospace and defense companies (6/17)

Targeting of Australian government agencies and private companies (6/19)