【TeamT5 x CODE BLUE 2022】Because Security Matters
The biggest information security conference in Japan, CODE BLUE 2022, will be held in hybrid style in Tokyo, both virtual and on-site, on October 27th and 28th. TeamT5, with its Taiwan headquarters and Japan subsidiary, is proud to support, sponsor and participate in this top international cybersecurity event in Asia.
This year, our cyber threat analysts and cyber security researchers will share their latest studies on China’s Bots-Driven InfoOps and the North Korean APT “CloudDragon” at the conference.
See below for highlights of our events at CODE BLUE 2022.
Speech: From Parroting to Echoing: The Evolution of China’s Bots-Driven InfoOps targeting Taiwan
Presented by: Silvia Yeh (Cyber Threat Analyst), Che Chang (Cyber Threat Analyst)
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially at a critical moment such as wartime or the election season. We have seen Bots-Driven Information Operations (InfoOps, also known as influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists. China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect the harmful disinformation campaigns they circulate in cyberspace.
In the past, most bots-driven operations simply parroted the narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts produced by Chinese state media. Recently, however, we have seen newly created bots begin posting artifacts in a livelier manner. They use various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create the false appearance that such content is being echoed across cyberspace. We focus in particular on an ongoing Chinese bots-driven InfoOps campaign targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified links between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
Speech: CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers
Presented by: Zih-Cing Liao (Cyber Security Researcher), Yu-Tung Chang (Cyber Security Researcher)
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, has built a workflow functioning as a "Credential Factory," collecting credentials at massive scale and exploiting them.
The credential factory powers CloudDragon's espionage campaigns. CloudDragon's campaigns align with the DPRK's interests, targeting organizations and key figures who play a role in relations with the DPRK. Our database suggests that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects credentials at scale and uses the stolen credentials to accelerate the group's APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While responding to CloudDragon incidents, we found that the actor still relied on the BabyShark malware. CloudDragon once used BabyShark to deploy new browser-extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relies on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to evade detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon and, more importantly, provide possible scenarios of future intrusions to inform defense and detection.
What is CODE BLUE?
CODE BLUE is Japan's largest international information security conference, which aims to contribute to a better Internet world by connecting people through CODE (technology), beyond and across the BLUE (oceans). Every year, the world's top-class specialists and researchers gather together to share their latest findings and give cutting-edge talks. It is a place for all participants to exchange information and collaborate to respond to and solve information security problems.
More information is available on the CODE BLUE 2022 official website.
*Image courtesy of CODE BLUE.