New Entries in the CFR Cyber Operations Tracker: Q4 2020

This blog post was coauthored by Connor Fairman, research associate for the Digital and Cyberspace Policy program.

Eyako Heh, Digital and Cyberspace Policy program intern, oversaw data collection and uploaded new entries. 

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between October and December 2020.

Here are some highlights:

• In October, U.S. Cyber Command launched a cyberattack to take down parts of the Russian botnet Trickbot. U.S. officials were concerned that the botnet could have infected election systems with ransomware ahead of the 2020 U.S. presidential election.
• For the second time, China has been accused of spying on the African Union’s headquarters. This time, security footage was reportedly obtained, granting hackers visual access to meeting rooms, hallways, and parking lots.
• In December, FireEye revealed a massive Russian compromise of SolarWinds’ Orion platform that has affected an estimated minimum of 18,000 victims.

A detailed log of the added and modified entries follows. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here.

Edits to Old Entries

Emissary Panda. Added alias LuckyMouse.

New Entries

Targeting of entities in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia, and Ukraine (10/1)

Targeting of network technology providers and organizations working with refugees in the Middle East (10/5) 

Targeting of Vietnamese dissidents, human rights workers, journalists, and private companies in Germany (10/8) 

Targeting of TrickBot computer networks (10/9)

Targeting of the Norwegian parliament’s email system (10/13)

Targeting of universities in the United States, Canada, Denmark, the Netherlands, Singapore, Sweden, and the United Kingdom (10/14)

Targeting of U.S. individuals with fake McAfee software installations (10/16)

Targeting of Israeli organizations with ransomware (10/16)

Targeting of Russian aerospace and defense companies (10/19) 

Targeting of Japanese companies involved in COVID-19 vaccine development (10/19)

Targeting of Tokyo Olympics organizers, logistics services, and sponsors (10/19) 

Targeting of U.S. military and defense computer networks (10/20)

Targeting of U.S. government networks (10/22)

Targeting of experts and think tanks in the United States, Japan, and South Korea (10/27)

Targeting of Think20 Summit and Munich Security Conference attendees (10/28)

Targeting of nongovernmental organizations in Myanmar (11/4)

KilllSomeOne (11/4)

Targeting of Vietnamese and Southeast Asian internet users (11/6)

Targeting of pharmaceutical companies and vaccine researchers with password spraying (11/13)

Targeting of vaccine researchers with fake job opportunities (11/13)

Targeting of vaccine researchers with spear-phishing emails (11/13)

Cerium (11/13)

Zinc (11/13)

Targeting of South Korean supply chains using stolen security certificates (11/16)

Targeting of Japanese companies and global subsidiaries (11/17)

Targeting of Apple MacOS users (11/27)

Targeting of companies involved in vaccine development (11/27)

Infection of French and Vietnamese companies and government agencies with crypto-mining malware (11/30)

Targeting of unnamed European foreign ministry (12/2)

Targeting of Mongolian government agencies (12/9)

Targeting of SolarWinds customers (12/9)

Targeting of the African Union (12/16)

Targeting of thirty-six Al Jazeera employees’ iPhones (12/20)