China versus Taiwan and the United States, Just the Facts

A hacking group has compromised at least nine global organizations in the fields of technology, defense, energy and other key sectors as part of an apparent espionage campaign. Attribution is still ongoing, but the specific tools and methods used in the apparent hacking efforts are in line with those used by Chinese cyber-espionage group Emissary Panda, also known as TG-3390, APT 27 and Bronze Union.

While China has indeed surpassed the United States in the size of its Navy, the other concern is the buildup of Chinese nuclear weapons. Meanwhile, the United States has deployed at least 30 U.S. military forces to Taiwan for training. For years, U.S.-Taiwan military exchanges have been thought of as an open secret—also known by the People’s Republic of China (PRC) leadership in Beijing. However, Tsai became the first Taiwanese leader in decades to publicly acknowledge the existence of a training program.

The United States has deployed the Iron Dome missile-defense system for testing in Guam by U.S. military planners concerned about possible Chinese attacks. Chinese President Jinping awarded additional 'War Powers ...

WAR GAMES:

The Chinese military – the People’s Liberation Army – is waging so-called gray-zone warfare against Taiwan. This consists of an almost daily campaign of intimidating military exercises, patrols and surveillance that falls just short of armed conflict. Since that report, the campaign has intensified, with Beijing stepping up the number of warplanes it is sending into the airspace around Taiwan. China has also used sand dredgers to swarm Taiwan’s outlying islands.

Military strategists tell Reuters that the gray-zone strategy has the potential to grind down Taipei’s resistance – but also that it may fall short, or even backfire by strengthening the island’s resolve. They are also envisioning starker futures. While they can’t predict the future, military planners in China, Taiwan, the United States, Japan and Australia are nonetheless actively gaming out scenarios for how Beijing might try to seize the prized island, and how Taiwan and America, along with its allies, might move to stop it. Xi’s options include seizing Taiwan’s outlying islands, blockades or all-out invasion. Some Taiwanese military experts say Beijing’s next step might be to seize the lightly defended and remote Pratas Islands in the north of the South China Sea. Any of these moves could spin out of control into war between China and America over Taiwan.

Reuters has published a comprehensive report and possible scenarios.

The Chinese military has built targets in the shape of an American aircraft carrier and other U.S. warships in the Taklamakan desert as part of a new target range complex, according to photos provided to USNI News by satellite imagery company Maxar.

The full-scale outline of a U.S. carrier and at least two Arleigh Burke-class destroyers are part of the target range that has been built in the Ruoqiang region in central China. The site is near a former target range China used to test early versions of its so-called carrier killer DF-21D anti-ship ballistic missiles, according to press reports in 2013.

This new range shows that China continues to focus on anti-carrier capabilities, with an emphasis on U.S. Navy warships. Unlike the Iranian Navy’s aircraft carrier-shaped target in the Persian Gulf, the new facility shows signs of a sophisticated instrumented target range.

A target in the shape of a U.S. Destroyer in the Taklamakan Desert in Central China. H I Sutton Illustration for USNI News Satellite image ©2021 Maxar Technologies Used with Permission

The carrier target itself appears to be a flat surface without the carrier’s island, aircraft lifts, weapons sponsons or other details, the imagery from Maxar shows. On radar, the outline of the carrier stands out from the surrounding desert – not unlike a target picture, according to imagery provided to USNI News by Capella Space.

There are two more target areas representing an aircraft carrier that do not have the metaling, but are distinguishable as carriers due to their outline. But other warship targets appear to be more elaborate. There are numerous upright poles positioned on them, possibly for instrumentation, according to the imagery. Alternatively these may be used for radar reflectors to simulate the superstructure of the vessel.

The facility also has an extensive rail system. An Oct. 9 image from Maxar showed a 75 meter-long target with extensive instrumentation on a 6 meter-wide rail.

Target range in the Taklamakan desert in Central China. H I Sutton illustration for USNI News

The area has been traditionally used for ballistic missile testing, according to a summary of the Maxar images by geospatial intelligence company AllSource Analysis that identified the site from satellite imagery.

“The mockups of several probable U.S. warships, along with other warships (mounted on rails and mobile), could simulate targets related to seeking/target acquisition testing,” according to the AllSource Analysis summary, which said there are no indications of weapon impact areas in the immediate vicinity of the mockups. “This, and the extensive detail of the mockups, including the placement of multiple sensors on and around the vessel targets, it is probable that this area is intended for multiple uses over time.”

Analysis of historical satellite images shows that the carrier target structure was first built between March and April of 2019. It underwent several rebuilds and was then substantially dismantled in December 2019. The site came back to life in late September of this year and the structure was substantially complete by early October.

Detailed Photos of the mobile target at the Ruoqiang facility. H I Sutton Illustration for USNI News Satellite image ©2021 Maxar Technologies Used with Permission

China has several anti-ship ballistic missile programs overseen by the People’s Liberation Army Rocket Force. The land-based CSS-5 Mod 5 (DF-21D) missile has a range of over 800 nautical miles. It has a maneuverable reentry vehicle (MaRV) to target ships. The larger CSS-18 (DF-26) has a range of around 2,000 nautical miles.

“In July 2019, the PLARF conducted its first-ever confirmed live-fire launch into the South China Sea, firing six DF-21D anti-ship ballistic missiles into the waters north of the Spratly Islands,” according to the Pentagon’s latest annual report on China’s military. The Chinese are also fielding a longer range anti-ship ballistic missile that initially emerged in 2016.

“The multi-role DF-26 is designed to rapidly swap conventional and nuclear warheads and is capable of conducting precision land-attack and anti-ship strikes in the Western Pacific, the Indian Ocean, and the South China Sea from mainland China. In 2020, the PRC fired anti-ship ballistic missiles against a moving target in the South China Sea, but has not acknowledged doing so,” reads the report.

A Nov. 5, 2021 Capella Space synthetic aperture radar image of the target in the shape of a U.S. aircraft carrier in the Taklamakan Desert H I Sutton Illustration for USNI News

In addition to the land-based anti-ship ballistic missiles, China has a program to equip the People’s Liberation Army Navy H-6 bombers with a massive anti-ship ballistic missile. First revealed in 2018, the CH-AS-X-13 will likely be the largest air-launched missile in existence, and would be large enough to accommodate a hypersonic warhead.

Another possible launch platform for anti-ship ballistic missiles is the new Type-055 Renhai Class large destroyer. Described as a guided-missile cruiser, it will be capable of carrying anti-ship ballistic missiles, according to the Pentagon report.

It’s not the first time China has built an aircraft carrier target in the desert. Since 2003, a large concrete pad, roughly the size of a carrier, has been used as a target. The slab, which is part of the Shuangchengzi missile test range, has been hit many times and is frequently repaired. The new site in the Taklamakan desert is 600 miles away and is much more evolved. The newer ship targets are closer approximations of the vessels that they are supposed to represent.

While questions remain on the extent of weapons that will be tested at the new facility, the level of sophistication of what can now be seen at the site shows the PLA is continuing to invest in deterrents to limit the efficacy of U.S. naval forces close to China – in particular targeting the U.S. carrier fleet.

According to the Pentagon report released last week, a primary objective of the PLARF will be to keep U.S. carriers at risk from anti-ship ballistic missiles throughout the Western Pacific.

About that Drone Attack on the Pennsylvania Power Grid

The Drive: U.S. officials believe that a DJI Mavic 2, a small quadcopter-type drone, with a thick copper wire attached underneath it via nylon cords was likely at the center of an attempted attack on a power substation in Pennsylvania last year. An internal U.S. government report that was issued last month says that this is the first time such an incident has been officially assessed as a possible drone attack on energy infrastructure in the United States, but that this is likely to become more commonplace as time goes on. This is a reality The War Zone has sounded the alarm about in the past, including when we were first to report on a still unexplained series of drone flights near the Palo Verde nuclear powerplant in Arizona in 2019.

ABC News was first to report on the Joint Intelligence Bulletin (JIB) covering the incident in Pennsylvania last year, which the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the National Counterterrorism Center (NCTC) published on Oct. 28, 2021. The document, which ABC obtained a copy of, but only released a small portion of, is marked unclassified, but parts are also labeled Law Enforcement Sensitive (LES) and For Official Use Only (FOUO). Other outlets have since obtained copies of this document, which reportedly says that this likely attack took place on July 16, 2020, but does not identify where the substation in question was located.


DHS via ABC News

A portion of an annotated satellite image from a US Joint Intelligence Bulletin regarding a likely attempted drone attack on a power substation in Pennsylvania in 2020.

“This is the first known instance of a modified UAS [unmanned aerial system] likely being used in the United States to specifically target energy infrastructure,” the JIB states. “We assess that a UAS recovered near an electrical substation was likely intended to disrupt operations by creating a short circuit to cause damage to transformers or distribution lines, based on the design and recovery location.”

ABC and other outlets have reported that the JIB says that this assessment is based in part on other unspecified incidents involving drones dating back to 2017. As already noted, The War Zone previously reported on another worrisome set of incidents around Arizona’s Palo Verde Generating Station, the largest nuclear power plant in the United States in terms of its output of electricity, in 2019. In the process of reporting that story, we uncovered other reported drone flights that prompted security concerns near the Limerick Generating Station nuclear power plant in Pennsylvania earlier that year.

“To date, no operator has been identified and we are producing this assessment now to expand awareness of this event to federal, state, local, tribal, and territorial law enforcement and security partners who may encounter similarly modified UAS,” the JIB adds.

Beyond the copper wire strung up underneath it, the drone reportedly had its camera and internal memory card removed. Efforts were taken to remove any identifying markings, indicating efforts by the operator or operators to conceal their identities and otherwise make it difficult to trace the drone’s origins.


DHS via ABC News

A low-quality image showing the drone recovered after the likely attempted attack in Pennsylvania. The green lines are the nylon cables. A copper wire was attached to the bottom ends of both lines.

It’s unclear how much of a threat this particular drone posed in its modified configuration. The apparent intended method of attack would appear to be grounded, at least to some degree, in actual science. The U.S. military employed Tomahawk cruise missiles loaded with spools of highly-conductive carbon fiber wire against power infrastructure to create blackouts in Iraq during the first Gulf War in 1991. F-117 Nighthawk stealth combat jets dropped cluster bombs loaded with BLU-114/B submunitions packed with graphite filament over Serbia to the same effect in 1999.

Regardless, the incident only underscores the ever-growing risks that small drones pose to critical infrastructure, as well as other civilian and military targets, in the United States. If this modified drone did pose a real risk, it would also highlight the low barrier to entry to at least attempt to carry out such attacks. New DJI Mavic 2s can be purchased online right now for between $2,000 and $4,000.

The technology is so readily available that non-state actors around the world, from terrorists in the Middle East to drug cartels in Mexico, are already employing commercial quad and hexacopter-type drones armed with improvised explosive payloads on a variety of targets on and off more traditional battlefields. This includes attempted assassinations of high-profile individuals.

The U.S. government is finally coming to terms with these threats and there are certainly some steps being taken, at least at the federal level, to protect civilian and domestic military facilities against small drones. At the same time, it is equally clear that there is still much work to be done.

This particular incident in Pennsylvania last year highlights separate security concerns relating to Chinese-made small drones that are now widely available in the United States and are even in use within the U.S. government. DJI, or Da Jiang Innovations, is by far the largest Chinese drone maker selling products commercially in the United States today and has been at the center of these debates in recent years.

Whether or not the modified Mavic 2 posed a real danger in this instance or if this was truly the first-ever attempted drone attack on energy infrastructure in the United States, it definitely reflects threats that are real now and will only become more dangerous as time goes on.

CIA Director in Moscow Did not Stop 90,000 Russian Troops at Ukraine Border

Senator Marco Rubio appears to be the only person really concerned about a Russian invasion of Ukraine. While CIA Director Bill Burns took a delegation to Moscow for what is said to be high level meetings, it has proven to be ineffective in altering Russian operations versus Ukraine. Top Russian security chief met with CIA director Burns ...

As usual we have this –> The Ukrainian Defense Ministry sent a release saying that about 90,000 Russian troops are stationed close to the border in areas east of the country controlled by rebel forces. This comes two days after Ukraine denied that Russian military personnel were in the area.

Eastern Ukraine has been a contentious area for years. In 2014, Moscow annexed the Crimean Peninsula shortly after the Ukrainian Revolution. Over 14,000 people have died as a result of the conflict.

Russian officials said the troops were present due to maneuvers. Kremlin spokesman Dmitry Peskov said that “Russia maintains troops presence on its territory wherever it deems necessary.”

The ministry’s statement said specifically that units of the Russian 41st army have remained in Yelnya, about 260 kilometers (about 160 miles) north of the Ukrainian border.

On Tuesday, Ukraine’s Defense Minister Andriy Taran submitted his resignation and Ukrainian lawmakers quickly approved it Wednesday. Davyd Arakhamia, the head of the parliamentary faction of President Volodymyr Zelenskyy’s Servant of the People party, said Taran had health problems.

Ukrainian media reported however that Zelenskyy’s office was behind the resignation of Taran and four other ministers, who were also dismissed by parliament on Wednesday.

Russia has cast its weight behind a separatist insurgency in Ukraine’s east that erupted shortly after Moscow’s 2014 annexation of Ukraine’s Crimean Peninsula.

A massive buildup of Russian troops in Russia’s west has been fueling fears of an escalation of large-scale hostilities.

Russian officials said that the troops were deployed as part of measures to counter security threats posed by the deployment of NATO forces near Russian borders. Russia and the alliance also have blamed each other for conducting destabilizing military exercises near the borders.

****CIA director makes rare trip to Moscow for talks on Russia ...

The CIA and the delegation came back empty handed it seems.

The director of the United States Central Intelligence Agency has returned to Washington from a surprise visit to Russia, where he led a high-level team of American officials in meetings with their Russian counterparts. The two-day visit was announced almost simultaneously by both the American and Russian governments, following the arrival of the CIA director, William Burns, to Moscow on Tuesday.

Little information has emerged about the participants in the meetings. A statement from the American embassy in Moscow said simply that Burns had traveled there at the request of President Joe Biden, and that other United States officials had traveled with him. It is believed that Karen Donfried, the State Department’s assistant secretary for European and Eurasian Affairs, traveled with Burns. According to the American embassy, the meetings were held on Tuesday and Wednesday and concerned “a range of issues in the bilateral relationship between the United States and Russia.”

A minute-long video, which was posted on social media by the Russian TASS news agency on Tuesday, showed a group of five American officials meeting with five Russian officials. The latter appeared to include Nikolai Patrushev, a close political ally of Russian President Vladimir Putin, who heads the Security Council of Russia, a body that is roughly equivalent to the United States National Security Council. Prior to his current role, Patrushev served as director of the Russian Federal Security Service (FSB).

It is worth noting that Burns speaks Russian and served twice as a diplomat in Russia, most recently as the American ambassador there. Some observers noted that Burns’ trip to Moscow is part of a broader pattern of increasingly frequent meetings between American and Russian officials in recent months. The last four months have seen at least four visits to Russia by senior officials in the Biden administration.

Microsoft Reveals Continued Hacks of Technology Companies

The Russia-linked hackers behind last year’s compromise of a wide swath of the U.S. government and scores of private companies, including SolarWinds Corp., have stepped up their attacks in recent months, breaking into technology companies in an effort to steal sensitive information, cybersecurity experts said.

In a campaign that dates back to May of this year, the hackers have targeted more than 140 technology companies including those that manage or resell cloud-computing services, according to new research from Microsoft Corp. The attack, which was successful with as many as 14 of these technology companies, involved unsophisticated techniques like phishing or simply guessing user passwords in hopes of gaining access to systems, Microsoft said.

***SolarWinds Hackers Accessed US Justice Department Email ...

Source: In a recent blog post to the company’s website, Microsoft’s corporate vice president of customer security and trust, Tom Burt, wrote that “state actor Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain.”

Nobelium is “attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” according to the company.

Burt wrote that 609 Microsoft customers had been informed that they’d been attacked between July and October of this year close to 23,000 times “with a success rate in the low single digits.”

The attacks, according to the executive, were not aimed at a specific flaw in any of the systems; rather, they were “password spray and phishing” attacks, which are aimed at stealing credentials that grant the attackers access to privileged information.

The Russian state-backed hacking group is, according to Burt, “trying to gain long-term, systematic access to a variety of points in the technology supply chain, and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”

***

Over 600 Microsoft customers targeted since July

“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” said Tom Burt, Corporate Vice President at Microsoft.

“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”

As Burt added, in all, more than 600 Microsoft customers were attacked thousands of times, although with a very low rate of success between July and October.

“These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” Burt said.

“By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”

Nobelium MSP attacks (Microsoft)

This shows that Nobelium is still attempting to launch attacks similar to the one they pulled off after breaching SolarWinds’ systems to gain long-term access to the systems of targets of interest and establish espionage and exfiltration channels.

Microsoft also shared measures MSPs, cloud service providers, and other tech orgs can take to protect their networks and customers from these ongoing Nobelium attacks.

Nobelium’s high profile targets

Nobelium is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, Cozy Bear, and The Dukes.

In April 2021, the U.S. government formally blamed the SVR division for coordinating the SolarWinds “broad-scope cyber espionage campaign” that led to the compromise of multiple U.S. government agencies.

At the end of July, the US Department of Justice was the last US government entity to disclose that 27 US Attorneys’ offices were breached during the SolarWinds global hacking spree.

In May, the Microsoft Threat Intelligence Center (MSTIC) also reported a phishing campaign targeting government agencies from 24 countries.

Earlier this year, Microsoft detailed three Nobelium malware strains used for maintaining persistence on compromised networks: a command-and-control backdoor dubbed ‘GoldMax,’ an HTTP tracer tool tracked as ‘GoldFinder,’ and a persistence tool and malware dropper named ‘Sibot.’

Two months later, they revealed four more malware families Nobelium used in their attacks: a malware downloader known as ‘BoomBox,’ a shellcode downloader and launcher known as ‘VaporRage,’ a malicious HTML attachment dubbed ‘EnvyScout,’ and a loader named ‘NativeZone.’