Same targets, new playbooks: East Asia threat actors employ unique methods

Introduction

Microsoft has observed several notable cyber and influence trends from China and North Korea since June 2023 that demonstrate not only doubling down on familiar targets, but also attempts to use more sophisticated influence techniques to achieve their goals.

Chinese cyber actors broadly selected three target areas over the last seven months:

• One set of Chinese actors extensively targeted entities across the South Pacific Islands.
• A second set of Chinese activity continued a streak of cyberattacks against regional adversaries in the South China Sea region.
• Meanwhile, a third set of Chinese actors compromised the US defense industrial base.

Chinese influence actors—rather than broadening the geographic scope of their targets—honed their techniques and experimented with new media. Chinese influence campaigns continued to refine AI-generated or AI-enhanced content. The influence actors behind these campaigns have shown a willingness to both amplify AI-generated media that benefits their strategic narratives, as well as create their own video, memes, and audio content. Such tactics have been used in campaigns stoking divisions within the United States and exacerbating rifts in the Asia-Pacific region—including Taiwan, Japan, and South Korea. These campaigns achieved varying levels of resonance with no singular formula producing consistent audience engagement.

North Korean cyber actors made headlines for increasing software supply chain attacks and cryptocurrency heists over the past year. While strategic spear-phishing campaigns targeting researchers who study the Korean Peninsula remained a constant trend, North Korean threat actors appeared to make greater use of legitimate software to compromise even more victims.

Chinese cyber operations target strategic partners and rivals

Gingham Typhoon targets government, IT, and multinational entities across the South Pacific Islands

During the summer of 2023, Microsoft Threat Intelligence observed extensive activity from China-based espionage group Gingham Typhoon that targeted nearly every South Pacific Island country. Gingham Typhoon is the most active actor in this region, hitting international organizations, government entities, and the IT sector with complex phishing campaigns. Victims also included vocal critics of the Chinese government.

Diplomatic allies of China who were victims of recent Gingham Typhoon activity include executive offices in government, trade-related departments, internet service providers, as well as a transportation entity.

Heightened geopolitical and diplomatic competition in the region may be motivations for these offensive cyber activities. China pursues strategic partnerships with South Pacific Island nations to expand economic ties and broker diplomatic and security agreements. Chinese cyber espionage in this region also follows economic partners.

For example, Chinese actors engaged in largescale targeting of multinational organizations in Papua New Guinea, a longtime diplomatic partner that is benefiting from multiple Belt and Road Initiative (BRI) projects including the construction of a major highway which links a Papua New Guinea government building to the capital city’s main road.¹

Chinese threat actors retain focus on South China Sea amid Western military exercises

China-based threat actors continued to target entities related to China’s economic and military interests in and around the South China Sea. These actors opportunistically compromised government and telecommunications victims in the Association of Southeast Asian Nations (ASEAN). Chinese state-affiliated cyber actors appeared particularly interested in targets related to the numerous US military drills conducted in the region. In June 2023, Raspberry Typhoon, a nation-state activity group based out of China, successfully targeted military and executive entities in Indonesia and a Malaysian maritime system in the weeks prior to a rare multilateral naval exercise involving Indonesia, China, and the United States.

Similarly, entities related to US-Philippines military exercises were targeted by another Chinese cyber actor, Flax Typhoon. Meanwhile, Granite Typhoon, yet another China-based threat actor, primarily compromised telecommunication entities in the region during this period, with victims in Indonesia, Malaysia, the Philippines, Cambodia, and Taiwan.

Since the publication of Microsoft’s blog on Flax Typhoon, Microsoft has observed new Flax Typhoon targets in the Philippines, Hong Kong, India, and the United States in the early fall and winter of 2023.² This actor also frequently attacks the telecommunications sector, often leading to many downstream effects.

Nylon Typhoon compromises foreign affair entities worldwide

China-based threat actor Nylon Typhoon has continued its long-running practice of targeting foreign affairs entities in countries around the world. Between June and December of 2023, Microsoft observed Nylon Typhoon at government entities in South America including in Brazil, Guatemala, Costa Rica, and Peru. The threat actor was also observed in Europe, compromising government entities in Portugal, France, Spain, Italy, and the United Kingdom. While most of the European targets were government entities, some IT companies were also compromised. The purpose of this targeting is intelligence collection.

Chinese threat group targets military entities and critical infrastructure in the United States

Finally, Storm-0062 surged in activity over the fall and winter of 2023. Much of this activity compromised US defense-related government entities, including contractors who provide technical engineering services around aerospace, defense, and natural resources critical to US national security. Additionally, Storm-0062 repeatedly targeted military entities in the United States; however, it is unclear whether the group was successful in its attempted compromises.

The US defense industrial base also remains a continued target of Volt Typhoon. In May 2023, Microsoft attributed attacks on US critical infrastructure organizations to Volt Typhoon, a state-sponsored actor based in China. Volt Typhoon gained access to organizations’ networks with living-off-the-land techniques and handson-keyboard activity.³ These tactics allowed Volt Typhoon to stealthily maintain unauthorized access to target networks. From June 2023 to December 2023, Volt Typhoon continued targeting critical infrastructure, but also pursued resource development by compromising small office and home office (SOHO) devices across the United States.

Chinese influence operations

In our September 2023 report, we detailed how Chinese influence operation (IO) assets had begun using generative AI to create sleek, engaging visual content. Throughout the summer, Microsoft Threat Intelligence continued to identify AI-generated memes targeting the United States that amplified controversial domestic issues and criticized the current administration. China-linked IO actors have continued to use AI-enhanced and AI-generated media (henceforth, “AI content”) in influence campaigns with an increasing volume and frequency throughout the year.

AI surges (but fails to sway)

The most prolific of these actors using AI content is Storm-1376—Microsoft’s designation for the Chinese Communist Party (CCP)-linked actor commonly known as “Spamouflage” or “Dragonbridge.” By the winter, other CCP-linked actors began using a wider array of AI content to augment online IO. This included a notable uptick in content featuring Taiwanese political figures ahead of the January 13 presidential and legislative elections. This was the first time that Microsoft Threat Intelligence has witnessed a nation state actor using AI content in attempts to influence a foreign election.

AI-generated audio: On Taiwan’s election day, Storm-1376 posted suspected AI-generated audio clips of Foxconn owner Terry Gou, independent Party candidate in Taiwan’s presidential race, who bowed out of the contest in November 2023. The audio recordings portrayed Gou’s voice endorsing another candidate in the presidential race. Gou’s voice in the recordings is likely AI generated, as Gou made no such statement. YouTube quickly actioned this content before it reached a significant number of users. These videos followed days after a fake letter from Terry Gou endorsing the same candidate had circulated online. Taiwan’s leading fact-checking organizations debunked the letter. Gou’s campaign also stated the letter was not real and that they would be pursuing legal action in response.⁴ Gou did not formally endorse any presidential candidate in the race.

AI-generated anchors: AI-generated news anchors generated by third-party tech companies, using Chinese technology company ByteDance’s Capcut tool, appeared in a variety of campaigns featuring Taiwanese officials,⁵ as well as messaging on Myanmar. Storm-1376 has made use of such AI generated news anchors since at least February 2023,⁶ but the volume of its content featuring these anchors has increased in recent months.

AI-enhanced videos: As disclosed by Canada’s government and other researchers, AI-enhanced videos used the likeness of a Canada-based Chinese dissident in a campaign targeting Canadian MPs.⁷ These videos, which were just one part of a multi-platform campaign that included harassing Canadian politicians on their social media accounts, falsely depicted the dissident making inflammatory remarks about Canada’s government. Similar AI-enhanced videos have been used against this dissident previously.

AI-generated memes: Storm-1376 promoted a series of AI-generated memes of Taiwan’s then-Democratic Progressive Party (DPP) presidential candidate William Lai in December with a countdown theme noting “X days” to take the DPP out of power.

Timeline of AI influence in Taiwan elections

Storm-1376 continues reactive messaging, sometimes with conspiratorial narratives

Storm-1376—an actor whose influence operations span over 175 websites and 58 languages—has continued to frequently mount reactive messaging campaigns around high-profile geopolitical events, particularly those that portray the United States in an unfavorable light or further the CCP’s interest in the APAC region. Since our last report in September 2023, these campaigns have evolved in several important ways including incorporating AI-generated photos to mislead audiences, stoking conspiratorial content—particularly against the US government—and targeting new populations, such as South Korea, with localized content.

1. Claiming a US government “weather weapon” started the Hawaii wildfires
In August 2023, as wildfires raged on the northwest coast of Maui, Hawaii, Storm-1376 seized upon the chance to spread conspiratorial narratives on multiple social media platforms. These posts alleged the US government had deliberately set the fires to test a military-grade “weather weapon.” In addition to posting the text in at least 31 languages across dozens of websites and platforms, Storm-1376 used AI-generated images of burning coastal roads and residences to make the content more eye-catching.⁸

2.Amplifying outrage over Japan’s disposal of nuclear wastewater
Storm-1376 launched a large-scale, aggressive messaging campaign criticizing the Japanese government after Japan began releasing treated radioactive wastewater into the Pacific Ocean on August 24, 2023.⁹ Storm-1376’s content cast doubt on the International Atomic Energy Agency (IAEA)’s scientific assessment that the disposal was safe. Storm-1376 messaged indiscriminately across social media platforms in numerous languages, including Japanese, Korean, and English. Some content even accused the United States of purposefully poisoning other countries to maintain “water hegemony.” Content used in this campaign bears the hallmarks of AI generation.

In some instances, Storm-1376 recycled content used by other actors in the Chinese propaganda ecosystem, including Chinese state-media affiliated social media influencers.¹⁰ Influencers and assets belonging to Storm-1376 uploaded three identical videos that criticized the Fukushima wastewater release. Such instances of posts from different actors using identical content seemingly in lockstep—which may indicate messaging coordination or direction—has increased throughout 2023.

3.Stoking discord in South Korea
Related to the Fukushima wastewater dumping, Storm-1376 made a concerted effort to target South Korea with localized content amplifying protests occurring in the country against the disposal, as well as content critical of the Japanese government. This campaign included hundreds of posts in Korean across multiple platforms and websites, including South Korean social media sites such as Kakao Story, Tistory, and Velog.io.¹¹

As part of this targeted campaign, Storm-1376 actively amplified comments and actions from Minjoo leader and unsuccessful 2022 presidential candidate, Lee Jaemyung (이재명, 李在明). Lee criticized Japan’s move as “contaminated water terror” and tantamount to a “Second Pacific War.” He also accused South Korea’s current government of being an “accomplice by backing up” Japan’s decision and initiated a hunger strike in protest that lasted 24 days.¹²

4.Kentucky derailment
During the Thanksgiving holiday in November 2023, a train carrying molten sulfur derailed in Rockcastle County, Kentucky. Approximately one week after the derailment, Storm-1376 launched a social media campaign that amplified the derailment, spread antiUS government conspiracy theories, and highlighted political divisions among US voters, ultimately encouraging mistrust of and disillusionment with the US government. Storm-1376 urged audiences to consider whether the US government may have caused the derailment and is “deliberately hiding something.”¹³ Some messages even likened the derailment to 9/11 and Pearl Harbor cover-up theories.¹⁴

Chinese IO sockpuppets seek perspectives on US political topics

In our September 2023 report, we highlighted how CCP-affiliated social media accounts have begun impersonating US voters by posing as Americans across the political spectrum and responding to comments from authentic users.¹⁵ These efforts to influence the 2022 US midterm elections marked a first in observed Chinese IO.

The Microsoft Threat Analysis Center (MTAC) has observed a small yet steady increase of additional sockpuppet accounts that we assess with moderate confidence are run by the CCP. On X (formerly Twitter), these accounts were created as early as 2012 or 2013, but only began posting under their current personas in early 2023— suggesting the accounts were recently acquired or have been re-purposed. These sockpuppets post both originally produced videos, memes, and infographics, as well as recycled content from other high-profile political accounts. These accounts nearly exclusively post about US domestic issues—ranging from American drug use, immigration policies, and racial tensions— but will occasionally comment on topics of interest to China—such as the Fukushima wastewater dumping or Chinese dissidents.

Alongside politically motivated infographics or videos, these accounts often ask followers whether they agree with the given topic. Some of these accounts have posted about various presidential candidates and then asked their followers to comment whether they support them or not. This tactic may be for the purpose of seeking further engagement, or possibly to gain insight into how Americans’ views on US politics. More such accounts could be operating to increase intelligence gathering around key voting demographics within the United States.

North Korea cyber operations

North Korean cyber threat actors stole hundreds of millions of dollars in cryptocurrency, conducted software supply chain attacks, and targeted their perceived national security adversaries in 2023. Their operations generate revenue for the North Korean government—particularly its weapons program—and collect intelligence on the United States, South Korea, and Japan.¹⁶

North Korean cyber actors loot a record-setting amount of cryptocurrency to generate revenue for state

The United Nations estimates that North Korean cyber actors have stolen over $3 billion in cryptocurrency since 2017.¹⁷ Heists totaling between $600 million and $1 billion occurred in 2023 alone. These stolen funds reportedly finance over half of the country’s nuclear and missile program, enabling North Korea’s weapons proliferation and testing despite sanctions.¹⁸ North Korea conducted numerous missile tests and military drills over the past year and even successfully launched a military reconnaissance satellite into space on November 21, 2023.¹⁹

Three threat actors tracked by Microsoft— Jade Sleet, Sapphire Sleet, and Citrine Sleet— focused the most on cryptocurrency targets since June 2023. Jade Sleet conducted large cryptocurrency heists, while Sapphire Sleet conducted smaller yet more frequent cryptocurrency theft operations. Microsoft attributed the theft of at least $35 million from an Estonia-based cryptocurrency firm in early June 2023 to Jade Sleet. Microsoft also attributed the heist of over $125 million from a Singapore-based cryptocurrency platform to Jade Sleet a month later. Jade Sleet started compromising online cryptocurrency casinos in August 2023.

Sapphire Sleet consistently compromised numerous employees, including executives and developers at cryptocurrency, venture capital, and other financial organizations. Sapphire Sleet also developed new techniques, such as sending fake virtual meeting invitations containing links to an attacker domain and registering fake job recruiting websites. Citrine Sleet followed up on the March 2023 3CX supply chain attack by compromising a downstream Türkiye-based cryptocurrency and digital assets firm. The victim hosted a vulnerable version of the 3CX application linked to the supply chain compromise.

North Korean cyber actors menace the IT sector with spear-phishing and software supply chain attacks

North Korean threat actors also conducted software supply chain attacks on IT firms, resulting in access to downstream customers. Jade Sleet used GitHub repos and weaponized npm packages in a social engineering spear-phishing campaign that targeted employees of cryptocurrency and technology organizations.²⁰ The attackers impersonated developers or recruiters, invited targets to collaborate on a GitHub repository, and convinced them to clone and execute its contents, which contained malicious npm packages. Diamond Sleet conducted a supply chain compromise of a Germany-based IT company in August 2023 and weaponized an application from a Taiwan-based IT firm to conduct a supply chain attack in November 2023. Both Diamond Sleet and Onyx Sleet exploited the TeamCity CVE-2023- 42793 vulnerability in October 2023, which enables an attacker to perform a remote code execution attack and gain administrative control of the server. Diamond Sleet used this technique to compromise hundreds of victims in various industries in the United States and European countries including the United Kingdom, Denmark, Ireland, and Germany. Onyx Sleet exploited that same vulnerability to compromise at least 10 victims—including a software provider in Australia and a government agency in Norway—and used post-compromise tooling to execute additional payloads.

North Korean cyber actors targeted the United States, South Korea, and their allies

North Korean threat actors continued to target their perceived national security adversaries. This cyber activity exemplified North Korea’s geopolitical objective of countering the trilateral alliance among the United States, South Korea, and Japan. The three countries’ leaders solidified this partnership during the Camp David summit in August 2023.²¹ Ruby Sleet and Onyx Sleet continued their trends of targeting aerospace and defense organizations in the United States and South Korea. Emerald Sleet maintained its reconnaissance and spear-phishing campaign targeting diplomats and Korean Peninsula experts in government, think tanks/NGOs, media, and education. Pearl Sleet continued its operations targeting South Korean entities that engage with North Korean defectors and activists focused on North Korean human rights issues in June 2023. Microsoft assesses that the motive behind these activities is intelligence collection.

North Korean actors implement backdoors in legitimate software

North Korean threat actors also utilized backdoors to legitimate software, capitalizing on vulnerabilities in existing software. For the first half of 2023, Diamond Sleet frequently used weaponized VNC malware to compromise victims. Diamond Sleet also resumed using weaponized PDF reader malware in July 2023, techniques that Microsoft Threat Intelligence analyzed in a September 2022 blog post.²² Ruby Sleet also likely utilized a backdoored installer of a South Korean electronic document program in December 2023.

North Korea utilized AI tools to enable malicious cyber activities

North Korean threat actors are adapting to the age of AI. They are learning to use tools powered by AI large-language models (LLM) to make their operations more efficient and effective. For example, Microsoft and OpenAI observed Emerald Sleet utilizing LLMs to enhance spearphishing campaigns targeting Korean Peninsula experts.²³ Emerald Sleet used LLMs to research vulnerabilities and conduct reconnaissance on organizations and experts focused on North Korea. Emerald Sleet also employed LLMs to troubleshoot technical issues, conduct basic scripting tasks, and draft content for spear-phishing messages. Microsoft partnered with OpenAI to disable accounts and assets associated with Emerald Sleet.

Looking ahead

China will celebrate the 75th anniversary of the founding of the People’s Republic of China in October, and North Korea will continue to push forward key advanced weapons programs. Meanwhile, as populations in India, South Korea, and the United States head to the polls, we are likely to see Chinese cyber and influence actors, and to some extent North Korean cyber actors, work toward targeting these elections.

China will, at a minimum, create and amplify AI generated content that benefits their positions in these high-profile elections. While the impact of such content in swaying audiences remains low, China’s increasing experimentation in augmenting memes, videos, and audio will continue—and may prove effective down the line. While Chinese cyber actors have long conducted reconnaissance of US political institutions, we are prepared to see influence actors interact with Americans for engagement and to potentially research perspectives on US politics.

Finally, as North Korea embarks upon new government policies and pursues ambitious plans for weapons testing, we can expect increasingly sophisticated cryptocurrency heists and supply chain attacks targeted at the defense sector, serving to both funnel money into the regime and facilitate the development of new military capabilities.