The East Asian threat landscape is evolving rapidly, and emerging trends from affiliated threat groups have the potential to impact public and private entities across the globe.

Chinese nation-state groups are conducting widespread cyber and influence operations (IO), with a particular focus on the South China Sea region. China also continues to target the US defense sector and probe US infrastructure signals in an attempt to gain competitive advantages for its foreign relations and strategic military aims. Lastly, Microsoft has seen China grow more effective at using IO to engage social media users with content on US elections.

North Korean threat actors are also on the move, demonstrating increased sophistication in their attack capabilities. While North Korea lacks the same level of influence capabilities as China, it has shown a continued interest in intelligence collection and a growing tactical ability to leverage cascading supply chain attacks and cryptocurrency theft.

All of these changes have serious geopolitical and financial implications for the global threat landscape at large. Keep reading to learn more about evolving East Asian threat trends.

Major trends in Chinese cyber operations

Since the beginning of 2023, Microsoft Threat Intelligence has identified three focus areas for China-affiliated cyber threat actors: the South China Sea, the US defense industrial base, and US critical infrastructure. Below is a deeper dive into what we’re seeing:

Raspberry Typhoon (RADIUM) and Flax Typhoon (Storm-0919) are two prominent threat groups targeting the South China Sea and Taiwan. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure (particularly telecoms) for intelligence collection and malware execution. Flax Typhoon primarily targets Taiwan and is focused on telecommunications, education, information technology, and energy infrastructure, leveraging custom VPN appliances to directly establish a presence within target networks.

Circle Typhoon leverages VPN appliances to target IT and US-based defense contractors for resource development, collection, initial access, and credential access. Volt Typhoon has also conducted reconnaissance against US defense contractors; however, one of its most frequent targets is the satellite communications and telecommunications entities housed in Guam. The group often compromises small office and home routers, typically for the purpose of building infrastructure. Volt Typhoon also targets critical infrastructure entities in the United States. Finally, Mulberry Typhoon targets the US defense industrial base with zero-day device exploits.

Targeted sectors include transportation (such as ports and rail), utilities (such as energy and water treatment), medical infrastructure (including hospitals), and telecommunications infrastructure (including satellite communications and fiber optic systems). Microsoft Threat Intelligence teams assess that this campaign could provide China with capabilities to disrupt critical infrastructure and communications between the US and Asia.

These areas are not China’s sole priority, however. Microsoft has also observed IO affiliated with the Chinese Communist Party (CCP) successfully scale and engage with target audiences on social media. Ahead of the 2022 US midterms, Microsoft and industry partners observed CCP-affiliated social media accounts impersonating US voters across the political spectrum. These accounts even responded to comments from authentic users.

China has grown this agenda even further in 2023 by reaching audiences in new languages and on new platforms. These operations combine a highly controlled overt state media apparatus with covert social media assets, like bots, that launder and amplify the CCP’s preferred narratives.

Major trends in North Korean cyber operations

In contrast to China, North Korean cyber threat actors appear to have three main goals. They are as follows:

What’s next?

China has continued to expand its cyber capabilities in recent years, and we’ve witnessed CCP-affiliated groups grow more effective and more ambitious with their IO campaigns. Moving forward, we expect wider cyber espionage against both opponents and supporters of the CCP’s geopolitical objectives on every continent. While China-based threat groups continue to develop and utilize impressive cyber capabilities, we have not observed China combine cyber and influence operations—unlike Iran and Russia, which engage in hack-and-leak campaigns.

North Korea will also continue to remain focused on targets related to its political, economic, and defense interests in the region.

As organizations work to protect against these nation-state groups, expect to see more operations leveraging video and visual media. CCP-affiliated networks have long utilized AI-generated profile pictures and, this year, have adopted AI-generated art for visual memes. We also expect China to continue seeking authentic audience engagement by investing time and resources into cultivated social media assets.

Lastly, Taiwan and the US are likely to remain the top two priorities for Chinese IO, particularly with upcoming elections in both countries in 2024. Given that CCP-aligned influence actors have targeted US elections in the recent past, it is nearly certain that they will do so again. Social media assets impersonating US voters will likely demonstrate higher degrees of sophistication, actively sowing discord along racial, socioeconomic, and ideological lines with content that is fiercely critical of the US.

Visit Microsoft Security Insider to learn more about the latest cybersecurity trends, and for more information on nation-state threats, check out our latest report.