Friday 26th May 2023

CTI Weekly: Chinese State-Sponsored Threat Actor Engages in Targeted Intelligence Gathering, New Ransomware Campaign by FIN7, Manufacturing Sector Breaches & Compromises

Key Issue:

Chinese state-sponsored threat actor Volt Typhoon compromised US critical infrastructure

Chinese state-sponsored threat actor Volt Typhoon has been engaged in targeted intelligence gathering operations against critical infrastructure in Guam and the US, as well as actively targeting multiple US companies for at least two years.

The affected organizations span various sectors, including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

The threat actor’s activities include breaching telecommunications networks in Guam, home to a sensitive US military outpost. The joint advisory by cybersecurity agencies from multiple countries highlights the efforts made by Volt Typhoon to gain unauthorized access and establish covert footholds within critical industries.

The campaign indicates an espionage focus and the potential for disruption of critical communications infrastructure between the US and the Asia region. This emphasizes the persistent threat of state-sponsored actors and the global implications of such cyber threats. The context of escalating tensions between China and the US adds significance to the situation.

Other news:

The North Korean threat actor Kimsuky is utilizing a new variant of the RandomQuery malware in an ongoing campaign targeting human rights activists and organizations supporting defectors from North Korea. Meanwhile, the Russian nation-state unit APT28 is employing various phishing techniques to target Ukrainian civil society entities.

This suggests an intelligence-gathering campaign that may extend to Ukraine’s allies in the future. These activities underscore the persistent threat posed by state-sponsored actors and their efforts to gather sensitive information and potentially expand their operations beyond their initial targets.

The cybercriminal group FIN7 has launched a new ransomware campaign using Clop payloads, marking their return to ransomware attacks after a hiatus since 2021. Separately, cybercriminals engaging in Business Email Compromise (BEC) operations are now routing their logins through residential IP addresses so that the compromised account does not trigger "impossible travel" alerts, which fire when consecutive sign-ins are geolocated too far apart for the time between them.

These developments highlight the ongoing activity and evolving tactics of cybercriminals in carrying out malicious activities such as ransomware attacks and BEC operations.
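To make the "impossible travel" point concrete, here is an added example (not from the original newsletter or any vendor product) of the kind of rule such alerts rely on, run over constructed sign-in events: a second login whose geolocation implies faster-than-airliner travel fires, while a login routed through a residential IP geolocated near the victim's usual location stays silent, which is the gap the BEC operators above are exploiting. The coordinates, IP addresses and the 900 km/h threshold are assumed sample values.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed threshold: travel faster than a commercial airliner is treated as implausible.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str          # source address (constructed sample values below)
    lat: float       # geolocation the IP resolves to
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events):
    """For each user, compare consecutive sign-ins in time order and return
    (user, ip_from, ip_to, km, kmh) wherever the implied speed exceeds the threshold."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = max((b.ts - a.ts).total_seconds() / 3600.0, 1.0 / 3600.0)  # floor at 1 s
            kmh = km / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append((user, a.ip, b.ip, round(km), round(kmh)))
    return alerts


# Constructed sample: the account owner signs in from Chicago at 09:00 UTC ...
T0 = datetime(2023, 5, 22, 9, 0, tzinfo=timezone.utc)
VICTIM = SignIn("alice", T0, "203.0.113.10", 41.88, -87.63)
# ... then a login 90 minutes later from an IP geolocated in Lagos: the rule fires.
FOREIGN_IP = SignIn("alice", T0.replace(hour=10, minute=30), "198.51.100.7", 6.52, 3.38)
# ... versus one from a residential proxy geolocated in a Chicago suburb: no alert.
RESIDENTIAL_IP = SignIn("alice", T0.replace(hour=10, minute=30), "192.0.2.44", 41.85, -87.65)
```

The absence of an impossible-travel alert is therefore not evidence that a login is legitimate; it should be correlated with other signals such as device fingerprint, ISP type and mailbox-rule changes typical of BEC.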

Data Breach

Gentex Corporation, a multinational technology and manufacturing company, has experienced a data breach caused by the Dunghill ransomware group, underscoring the persistent targeting of the manufacturing sector by cybercriminals.

Additionally, German arms manufacturer Rheinmetall confirms that its automotive unit has been compromised by Black Basta, as evidenced by data samples posted on a leak site. These incidents demonstrate the ongoing cybersecurity challenges faced by companies in the manufacturing industry and the need for robust defenses to protect sensitive data and infrastructure.
