New Entries in the CFR Cyber Operations Tracker: Q4 2019

This blog post was coauthored by Connor Fairman, research associate for the Digital and Cyberspace Policy program.

Nathan Marx, Digital and Cyberspace Policy program intern, oversaw data collection for new entries.

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between October 2019 and December 2019. We also modified some older entries to reflect the latest developments.

Here are some highlights:

• The Russian cyber espionage unit Turla hijacked hacking infrastructure belonging to Iranian threat group Oilrig and used it to launch attacks in over thirty-five countries while masquerading as Iran. Russia has carried out “false flag” operations like this in the past. Last year, U.S. intelligence uncovered Russian hackers’ use of code associated with Lazarus Group, a North Korean threat actor.
• Amnesty International released a report showing how the Moroccan government used NSO Group’s Pegasus malware to target two prominent human rights activists in Morocco. The report noted that the targeted attacks are symptomatic of a larger pattern of reprisals against human rights activists by Moroccan authorities. We also added reports of Egypt, Saudi Arabia, Uzbekistan, and United Arab Emirates using malicious software to spy on dissidents and NGOs. An increasing number of entries in the tracker are of states using commercially available and self developed malware against their political opponents.

A detailed log of the added and modified entries follow. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here. 

Edits to Old Entries

Mustang Panda. Added its alias Bronze President.

Newscaster. Added its aliases APT 35, Ajax Security Team, and Phosphorus.

OilRig. Added that in October 2019, Oilrig’s hacking infrastructure was revealed to have been compromised by Turla. Noted that some operations previously attributed to the group may be Turla false flags.

New Entries

Kingdom (10/1)

Targeting of Japanese organizations (10/2)

PKplug (10/3)

Attacks in East and Southeast Asia (10/3)

Targeting of Egyptian dissidents (10/3)

Targeting of Uzbek dissidents (10/3)

Attack on U.S. presidential campaign government officials, journalists, and prominent expatriate Iranians (10/4)

Targeting of Russian speakers (10/10)

Targeting of Moroccan activists (10/10)

U.S. retaliation against Iran (10/16)

Targeting of European ministries (10/17)

Hijacking of Iranian hacking infrastructure (10/21)

Targeting of Avast (10/21)

Large-scale attacks against Georgia (10/28)

Targeting of sporting and anti-doping organizations ahead of 2020 Tokyo Olympics (10/28)

Compromise of Indian nuclear power plant (11/1)

DarkUniverse (11/5)

Targeting of Indian space agency (11/7)

Targeting of U.S. government and private entities and other victims (11/13)

Targeting of U.S. manufacturing group (11/13)

Targeting of South Korean macOS users (11/20)

Compromise of Kazakh individuals (11/23)

Golden Falcon (11/23)

Targeting of industrial control systems (11/23)

Targeting of Ukrainian government entities (11/25)

Targeting of Japanese companies with links to China (11/29)

Attack on forum of Hong Kong protesters (12/4)

Targeting of Middle Eastern oil companies (12/4)

Targeting of BMW and Hyundai (12/6)

Targeting of the Cambodian government (12/7)

Targeting of telecom companies across Africa, Europe, and Southeast Asia (12/12)

Gallium (12/12)

Bypassing of two-factor authentication (12/19)

Surveillance of individuals in the United Arab Emirates (UAE) and globally (12/22)

Targeting of nongovernmental organizations and political and law enforcement agencies in East and South Asia (12/29)