Cyberconflict and warfare

Lazarus Group uses fake firms to spread malware to the crypto industry

North Korean hackers, believed to be part of the Lazarus Group, have created fake US businesses to target cryptocurrency developers. According to cybersecurity firm Silent Push, two companies, Blocknovas LLC and Softglide LLC, were set up to infect victims with malicious software.

These companies were established using false information in New York and New Mexico, violating international sanctions.

The attacks involved job offers that led to ‘sophisticated malware deployments,’ aimed at compromising cryptocurrency wallets and stealing credentials. The FBI has since seized the Blocknovas website, which had been used to deceive individuals and distribute malware.

Silent Push noted that multiple victims had fallen victim to the scam, with Blocknovas being the most active front in the campaign.

The phishing operation is just one example of North Korea’s ongoing cyber activities. The Lazarus Group has previously been responsible for high-profile hacks, including the $1.4 billion attack on crypto exchange Bybit in February.

The FBI continues to focus on imposing risks and consequences for those facilitating these cyber operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Researchers report espionage campaign targeting government and critical sectors in Southeast Asia

Symantec has reported that the China-linked espionage group known as Billbug—also referred to as Lotus Blossom, Lotus Panda, Bronze Elgin, and Thrip—conducted a sustained intrusion campaign against multiple organizations in a Southeast Asian country between August 2024 and February 2025. The campaign involved the use of several custom tools, including loaders, credential stealers, and a reverse SSH utility.

According to Symantec, this activity appears to continue a series of operations previously observed in late 2023, which targeted various government and critical infrastructure organisations across Southeast Asia. While Chinese attribution has been suggested, specific attribution to an individual actor remains inconclusive. Identified targets include a government ministry, an air traffic control organisation, a telecommunications provider, and a construction company.

Additional intrusions were reported against a news agency and an air freight company in neighbouring countries. The campaign leveraged DLL sideloading techniques, utilising legitimate executables from Trend Micro and Bitdefender to load malicious code.

Symantec’s analysis detailed how these binaries were used to sideload malicious DLLs, which decrypted and executed payloads designed to maintain persistence and enable further compromise of targeted systems. Billbug has been active since at least 2009, with a documented history of targeting government, defence, telecommunications, and critical infrastructure sectors in Southeast Asia and beyond.

Symantec and other cybersecurity researchers have tracked the group across multiple campaigns, including previous operations involving backdoors like Hannotog and Sagerunex. The recent report also references related findings from Cisco Talos, which provided indicators of compromise connected to the same campaign.

Symantec noted that Billbug continues to adapt its techniques, including the use of compromised legitimate software and custom malware, to conduct espionage operations across the region.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Dutch Ministry of Defence expands recruitment of cyber reservists to support national cybersecurity efforts

The Dutch Ministry of Defence has announced plans to expand its cyber defence capabilities by recruiting additional cyber reservists, according to NOS. The initiative is part of the Ministry’s strategy to strengthen cybersecurity expertise within its armed forces, with recruitment efforts scheduled to intensify after the summer. Several reservist positions have already been advertised online.

Cyber reservists are civilian professionals with digital security expertise who contribute part-time to the military’s cyber operations. Typically employed under zero-hour contracts, they may be called upon to support defence activities during evenings, weekends, or specific operational periods, while continuing their civilian careers.

The reservist units are part of the Defence Cyber Command (DCC), which currently consists of six platoons. Reservists may also participate in military exercises in the Netherlands or internationally, including NATO operations, with voluntary deployments.

Recruitment targets for cyber reservists were set at 150 over a ten-year period, but this number has not yet been achieved. According to Defence Ministry officials, interest in these positions has increased following the escalation of global cyber threats, particularly after the Russian invasion of Ukraine, though exact figures remain undisclosed for operational security reasons.

Cybersecurity expert Bert Hubert highlighted the distinct nature of cyber reserve work compared to traditional military reservist roles, emphasising the complexity of effective cyber defence operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Russian hackers target NGOs with fake video calls

Hackers linked to Russia are refining their techniques to infiltrate Microsoft 365 accounts, according to cybersecurity firm Volexity.

Their latest strategy targets non-governmental organisations (NGOs) associated with Ukraine by exploiting OAuth, a protocol used for app authorisation without passwords.

Victims are lured into fake video calls through apps like Signal or WhatsApp and tricked into handing over OAuth codes, which attackers then use to access Microsoft 365 environments.

The campaign, first detected in March, involved messages claiming to come from European security officials proposing meetings with political representatives. Instead of legitimate video links, these messages directed recipients to OAuth code generators.

Once a code was shared, attackers could gain entry into accounts containing sensitive data. Staff at human rights organisations were especially targeted due to their work on Ukraine-related issues.

Volexity attributed the scheme to two threat actors, UTA0352 and UTA0355, though it did not directly connect them to any known Russian advanced persistent threat groups.

A previous attack from the same actors used Microsoft Device Code Authentication, usually reserved for connecting smart devices, instead of traditional login methods. Both campaigns show a growing sophistication in social engineering tactics.

Given the widespread use of Microsoft 365 tools like Outlook and Teams, experts urge organisations to heighten awareness among staff.

Rather than trusting unsolicited messages on encrypted apps, users should remain cautious when prompted to click links or enter authentication codes, as these could be cleverly disguised attempts to breach secure systems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Sweden unable to determine cause of Baltic Sea cable damage

The Swedish Accident Investigation Authority (SHK) has published its final report on the damage to the C-Lion 1 subsea cable in the Baltic Sea on 18 November 2024, concluding that it cannot determine whether the incident was the result of an accident or intentional sabotage.

The investigation focused on the Chinese bulk carrier Yi Peng 3, which was initially identified as having caused the damage.

While investigators from several neighbouring countries, including Sweden, were allowed to board the vessel, the SHK reported that the visit was time-constrained and that access to key evidence—such as surveillance footage and the vessel’s Voyage Data Recorder—was not granted.

Interviews with the crew were conducted in the presence of Chinese officials.

The SHK outlined two possible scenarios: one in which the anchor was deliberately released to damage seabed infrastructure, and another in which it detached due to improper security.

The report noted that certain technical details—such as the absence of damage to key anchor components—make the accidental scenario less likely, but acknowledged that neither hypothesis could be confirmed due to investigative limitations.

Under international maritime law, flag states typically lead investigations in international waters, though exceptions may apply in cases involving suspected criminal activity.

While some analysts have raised concerns about potential state-sponsored sabotage, officials from several European countries have indicated increasing confidence that the recent cable breaks were not the result of coordinated or intentional activity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

NATO allies strengthen cyber defenses against critical infrastructure threats

Between 7 and 11 April, representatives from 20 allied governments and national agencies participated in a NATO-led exercise designed to strengthen mutual support in the cyber domain.

The activity aimed to improve coordination and collective response mechanisms for cyber incidents affecting critical national infrastructure. Through simulated threat scenarios, participants practised real-time information exchange, joint decision-making, and coordinated response planning.

According to NATO, cyber activities targeting critical infrastructure, industrial control systems, and public sector services have increased in frequency.

Such activities are considered to serve various objectives, including information gathering and operational disruption.

The role of cyber operations in modern conflict gained increased attention following Russia’s actions in Ukraine in 2022, where cyber activity was observed alongside traditional military operations.

Hosted by Czechia, the exercise served to test NATO’s Virtual Cyber Incident Support Capability (VCISC), a coordination platform introduced at the 2023 Vilnius Summit.

VCISC enables nations to request and receive cyber assistance from designated counterparts across the Alliance.

The support offered includes services such as malware analysis, cyber threat intelligence, and digital forensics. However, the initiative is voluntary, with allies contributing national resources and expertise to mitigate the impact of significant cyber incidents and support recovery.

Separately, in January 2025, the US officials met with her Nordic-Baltic counterparts from Denmark, Estonia, Finland, Iceland, Latvia, Lithuania, Norway, and Sweden.

Discussions centred on enhancing regional cooperation to safeguard undersea cable infrastructure—critical to communications and energy systems. Participants noted the broadening spectrum of threats to these assets.

In parallel, NATO launched the Baltic Sentry to reinforce the protection of critical infrastructure in the Baltic Sea region. The initiative is intended to bolster NATO’s posture and improve its capacity to respond promptly to destabilising activities.

In July 2024, NATO also announced the expansion of the role of its Integrated Cyber Defence Centre (NICC).

The Centre is tasked with enhancing the protection of NATO and allied networks, as well as supporting the operational use of cyberspace. It provides commanders with insights into potential cyber threats and vulnerabilities, including those related to civilian infrastructure essential to military operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Beijing blames NSA for hacking Asian Games systems

Chinese authorities have accused three alleged US operatives of orchestrating cyberattacks on national infrastructure during the Asian Games in Harbin this February.

The individuals, identified by Harbin police as Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, are said to have worked through the US National Security Agency (NSA).

The attacks reportedly targeted systems critical to the Games’ operations, including athlete registration, travel, and competition management, which held sensitive personal data.

Chinese state media further claimed that the cyber intrusions extended beyond the sporting event, affecting key infrastructure in Heilongjiang province. Targets allegedly included energy, transport, water, telecoms, defence research institutions, and technology giant Huawei.

Authorities said the NSA used encrypted data to compromise Microsoft Windows systems in the region, with the aim of disrupting services and undermining national security.

The Foreign Ministry of China denounced the alleged cyberattacks as ‘extremely malicious,’ urging the United States to halt what it called repeated intrusions and misinformation.

The UD Embassy in Beijing has yet to respond, and the allegations come amid ongoing tensions, with both nations frequently accusing each other of state-backed hacking.

Only last month, the US government named and charged 12 Chinese nationals in connection with cyberespionage efforts against American interests.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Trump eyes tariffs on semiconductors in push to boost US tech manufacturing

US President Donald Trump is preparing to introduce new tariffs on semiconductor imports, aiming to shift more chip production back to the United States.

Semiconductors, or microchips, are essential components in everything from smartphones and laptops to medical devices and renewable energy systems.

Speaking aboard Air Force One, Trump said new tariff rates would be announced soon as part of a broader effort to end American reliance on foreign-made chips and strengthen national security.

The global semiconductor supply chain is heavily concentrated in Asia, with Taiwan’s TSMC producing over half of the world’s chips and supplying major companies like Apple, Microsoft, and Nvidia.

Trump’s move signals a more aggressive stance in the ongoing ‘chip wars’ with China, as his administration warns of the dangers of the US being dependent on overseas production for such a critical technology.

Although the US has already taken steps to boost domestic chip production—like the $6.6 billion awarded to TSMC to build a factory in Arizona—progress has been slow due to a shortage of skilled workers.

The plant faced delays, and TSMC ultimately flew in thousands of workers from Taiwan to meet demands, underscoring the challenge of building a self-reliant semiconductor industry on American soil.

Why does it matter?

Trump’s proposed tariffs are expected to form part of a wider investigation into the electronics supply chain, aimed at shielding the US from foreign control and ensuring long-term technological independence. As markets await the announcement, the global tech industry is bracing for potential disruptions and new tensions in the international trade landscape.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft users at risk from tax-themed cyberattack

As the US tax filing deadline of April 15 approaches, cybercriminals are ramping up phishing attacks designed to exploit the urgency many feel during this stressful period.

Windows users are particularly at risk, as attackers are targeting Microsoft account credentials by distributing emails disguised as tax-related reminders.

These emails include a PDF attachment titled ‘urgent reminder,’ which contains a malicious QR code. Once scanned, it leads users through fake bot protection and CAPTCHA checks before prompting them to enter their Microsoft login details, details that are then sent to a server controlled by criminals.

Security researchers, including Peter Arntz from Malwarebytes, warn that the email addresses in these fake login pages are already pre-filled, making it easier for unsuspecting victims to fall into the trap.

Entering your password at this stage could hand your credentials to malicious actors, possibly operating from Russia, who may exploit your account for maximum profit.

The form of attack takes advantage of both the ticking tax clock and the stress many feel trying to meet the deadline, encouraging impulsive and risky clicks.

Importantly, this threat is not limited to Windows users or those filing taxes by the April 15 deadline. As phishing techniques become more advanced through the use of AI and automated smartphone farms, similar scams are expected to persist well beyond tax season.

The IRS rarely contacts individuals via email and never to request sensitive information through links or attachments, so any such message should be treated with suspicion instead of trust.

To stay safe, users are urged to remain vigilant and avoid clicking on links or scanning codes from unsolicited emails. Instead of relying on emails for tax updates or returns, go directly to official websites.

The IRS offers resources to help recognise and report scams, and reviewing this guidance could be an essential step in protecting your personal information, not just today, but in the months ahead.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

US Cyber Command integrates generative AI for enhanced cybersecurity operations

A senior official at US Cyber Command has stated that the agency has begun employing generative AI tools to significantly reduce the time required to analyse network traffic for potentially malicious activity. Speaking at an event hosted by the Information Technology Industry Council in Washington, D.C., Executive Director Morgan Adamski said Cyber Command is already observing operational benefits from its efforts to integrate AI across various mission areas, particularly in cybersecurity functions.

Cyber Command developed an AI roadmap last year outlining approximately 100 tasks to embed AI into logistics, security operations, and national defence functions. An AI task force within the Cyber National Mission Force conducts 90-day development cycles to test and integrate large language models and other AI technologies into command operations.

The task force is responsible for deploying, evaluating, and assessing the viability of these tools for broader implementation. The agency also examines how AI can be adopted at scale across its cybersecurity enterprise.

General Timothy Haugh, Commander of Cyber Command, noted last year that the task force was created ‘to move us from opportunistic AI application to systematic adoption.’ Through its Constellation initiative—a collaboration with the Defense Advanced Research Projects Agency (DARPA)—Cyber Command is working with private-sector AI firms to accelerate the deployment of new capabilities.

One such tool enables continuous Department of Defense Information Network (DoDIN) monitoring, which supports over three million global users daily. Adamski explained that the tool is strategically placed within key segments of the DoDIN where known adversary tactics may appear.

‘We can monitor traffic at those points and have been able to identify previously unseen malicious activity,’ she said. She also highlighted Panoptic Junction, a pilot initiative led by Army Cyber Command that uses AI to monitor network traffic for compliance, threat intelligence, and anomaly detection.

According to Adamski, the project produced results that have prompted considerations for wider adoption across the DoDIN.

For more information on these topics, visit diplomacy.edu.