14 July 2023

9 min read

Chinese hackers breach US government email systems | Cyber Intelligence Briefing: 14 July

July 2023
Chinese hackers breach US government email systems | Cyber Intelligence Briefing: 14 July placeholder thumbnail


Top news stories this week

  1. No silver lining. Chinese hackers gain access to US government agencies cloud email. 
  2. Fatal flaw. Criminals exploit error in Revolut payment system to steal USD 20 million. 
  3. Bitter pill to swallow. HCA Healthcare and Barts NHS Trust face data extortion. 
  4. Speared. State-linked threat actors utilise targeted phishing techniques. 
  5. Blast from the past. Two major USB-based malware campaigns detected. 
  6. Patch time. Apple, Microsoft, and Fortinet release patches addressing critical vulnerabilities. 



1. Chinese hackers breach US government email systems 

A China-based espionage group breached the cloud-based Outlook email systems of 25 organisations, including multiple US and European government agencies. The group, dubbed Storm-0558, gained access by exploiting a now remediated flaw in Microsoft’s token validation mechanism.  

So what?

While cloud migration can take the pressure off in- house staff, it is not a silver bullet for security. If your organisation has any cloud-based services, ensure that security responsibilities are clearly defined and monitored. 



2. Criminals steal USD 20 million after exploiting Revolut flaw

A flaw in Revolut’s payment system allowed criminals to steal USD 20 million of corporate funds over several months in 2022. The flaw, which stemmed from differences between US and European payment systems, meant Revolut would issue refunds when certain transactions were declined. Criminals would make fraudulent transactions and cash out funds via ATMs. 

So what?

Carrying out system log and user behavior monitoring can help organisation identify suspicious patterns which might be an indicator of an impending or in motion attack. 



3. HCA Healthcare and Barts NHS Trust data breach

Data belonging to an estimated 11 million patients from the US-based company HCA Healthcare has been posted for sale on a hacking forum. The data came up for sale after HCA refused to pay a ransom.  

In a separate incident, ransomware group BlackCat/AlphV claim to have stolen seven TB of data from Barts NHS Trust, which operates hospitals in London. The group reportedly skipped the deployment of ransomware encryption as no service outages have been reported. 

So what?

As threat actors shift tactics towards using data theft as a single means of extortion, it is increasingly important to consider mitigations such as encrypting data at rest.



4. Phishing campaigns against NATO-aligned targets

The Iranian-linked threat actor APT TA453 is impersonating Western academics to spread a single-click malware via email. Separately, an anti-Ukrainian group has been sending emails with a link to a fake Ukrainian World Congress website, which if visited, is designed to install a remote access trojan.   

So what?

Phishing attacks are the most common point of entry for cyber incidents. Organisations should ensure employees are trained to spot increasingly sophisticated attack methods. 




5. Two new USB-based malware campaigns observed

According to security researchers, USB drive malware attacks have tripled in the first half of 2023, with two major malware strains identified: 

  • Sogu malware. Spread by the Chinese espionage threat group ‘TEMP.HEX and is targeting global industries primarily for data theft. 
  • Snowydrive. If installed, this can allow threat actors to execute commands and take control of compromised systems. Organisations within the Asia oil and gas sector are being targeted.

So what?

The use of removable media should be prohibited. If this is untenable, organisations should enforce a strict Acceptable Use Policy (AUP) for USB device usage, including restricted access, regular malware scanning, and regulated disposal procedures.



6. Critical patches released for Apple, Microsoft and Fortinet products

Apple has released an emergency update to address a critical zero-day vulnerability being exploited by threat actors. The vulnerability affects a browser module and could allow threat actors to remotely execute code on iPhone, iPad, and MacOS. 

Microsoft fixed 132 vulnerabilities in this month's Patch Tuesday. This included nine critical remote code execution vulnerabilities and six zero-day vulnerabilities.

Fortinet has disclosed a critical vulnerability affecting FortiOS and FortiProxy that could allow a threat actor to remotely execute code. However, the company has stated that the issue has been addressed in the most recent release of their products. 

So what?

These patches address critical vulnerabilities and should be installed as soon as possible.



CRA23_Winner ShieldS-RM are proud to have been voted Cyber Incident Response Team of the Year at Zywave’s 2023 Cyber Risk Awards. Read more here.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.