[Weekend Briefing] The next cyber frontline

By Kuksung Nam and Dain Oh, The Readable
Dec. 9, 2022 9:10PM KST Updated Dec. 14, 2022 2:50PM KST

“Weekend Briefing” is a weekly newsletter that is sent to The Readable’s subscribers every Friday. Cybersecurity journalists for The Readable carefully select important news stories from the previous week and deliver them in a compact form. Topics encompass cybercrime, geopolitics, and privacy. There are no costs involved with a subscription, and some content, such as the monthly ransomware index report, is only available to those who subscribe to our newsletters.

Hello, this is Kuksung Nam and Dain Oh in South Korea. The Readable has picked five news articles to share with you. Have a great weekend!

1. US, China expected to meet at the next cyber frontline in East Asia

The most important part of the cybersecurity domain in the following year in East Asia will be the strategic competition between the U.S. and China, an expert on the Asia-Pacific region’s threat intelligence said on Wednesday.

“The U.S. and China are building a more and more intensive [strategic] competition,” said Chang Checheng, a cyber threat intelligence analyst at Taiwan-based cybersecurity firm TeamT5, to The Readable at the Cyber Threat Intelligence Korea Conference on Wednesday. “China will need more information and espionage activities from its’ neighboring countries directed at the U.S. and APAC region.”

According to Chang, who shared his thoughts about the cyber landscape in the coming months, China will leverage cyberattacks for initial reconnaissance as the country tries to broaden their military expansion.

“We have seen Russian advanced persistent threats (APTs) come as the first step in the very beginning of the [Russia-Ukraine] war,” said the expert during his speech at the conference. “We believe cyberattacks will become the key factor.” To read the full reporting, click here.

2. AI helped crime investigators identify hacker in half-day

A black hat hacker who attempted to sell the personal information of 31 million South Koreans on the dark web was identified in less than half a day with the assistance of artificial intelligence, an expert disclosed on Wednesday.

“The initial report about the hacker was too sensitive to share with anyone but law enforcement,” said Seo Hyun-suk, country director of South Korea for the cybersecurity firm Group-IB, during his presentation at the Cyber Threat Intelligence Korea Conference, which took place on December 7.

From November 12 to December 7 of last year, the hacker who used “zerocool888” as their ID uploaded a series of postings on a dark web forum, saying that he or she acquired 31 million South Koreans’ personal information and then put the database up for sale. The volume of the data that zerocool888 uploaded on RaidForum included nearly 60% of the entire population of South Korea.

The researchers for Group-IB started their investigation on November 18, discovering the hacker’s Telegram account and email address. After concluding that the exposed information, such as the ID zerocool888, was newly opened to cut the connections from the past, the investigators found a new fact that the hacker had a different ID until recently: zerocool88, only a digit shorter than the current one. To read the full reporting, click here.

3. [CTI Korea 2022] Advanced persistent threats and intelligence

The Cyber Threat Intelligence Korea Conference was held on Wednesday, gathering leaders and experts in the cybersecurity industry in one place. The Readable, as the media sponsor for the conference, has highlighted some of the important statements by the speakers.

Liao ZihCing, threat intelligence researcher of TeamT5: “We have monitored Clouddragon, the North Korean state sponsored advanced persistent threat group, for over three years. The biggest difference between Clouddragon and the other adversaries is that they not only run cyberespionage campaigns, but also conduct cybercriminal activities. The interesting point that we have found this year is the connection between Clouddragon and the subgroup of Kimsuky.”

Youn Kwang-taek, CTO of Recorded Future APAC: “The most important aspect in the intelligence landscape is knowing the facts that only matter to you. Imagine you read an article about a robber who stabbed someone. You would not be worried about the robbery if it happened far away from the place where you live. However, we all have to take extra safety precautions if that incident occurs in our neighborhood. What matters most is the information that is related to you. And that is the intelligence.” To read the full reporting, click here.

4. [Perspective] The FUD against a payment solution

Fear, uncertainty, and doubt. The acronym FUD is a familiar word in the cybersecurity industry. It often plays a role in marketing as a way of making potential customers feel terrified and urging them to adopt cybersecurity products in response to upcoming attacks. The purpose of FUD varies. It can be used to inflate brand awareness or to destroy the reputation of a business rival. FUD is FUD because it has no solid evidence of the allegations that it raises itself. For the general public, the problem with FUD gets worse because there is so much technical jargon that aggravates the lack of understanding.

If one tech company decides to use FUD for its market expansion and a news organization colludes by publishing a news article, the odds for the public to review the facts and the magnitude of the actual matter are very low. According to a nonprofit organization, Media Literacy Now, only 38% of survey respondents reported learning how to analyze media messaging. This means that no matter what the truth is under the FUD circumstances, most news consumers will not think again about what they have just read. The manipulation will survive, and society will maintain the status quo without better security.

On Tuesday morning, the Maeil Business Newspaper, the fourth largest newspaper in South Korea and read by roughly 550,000 daily subscribers, published an article about security concerns of the payment solution Payco on the front page. Payco has obtained more than 10 million users since its inception in 2015, acquiring major financial services companies as its clients. The headline asserted that the signing key of the Payco application was stolen and that the company tried to hide the breach for at least four months, a devious statement twisting the facts. The line between the facts and false accusations is blurred in the article, abandoning its readers in fear. To read the full reporting, click here.

5. Ransomware index report: November 2022

The Readable’s subscribers can access a monthly ransomware report by S2W. The report includes specific numbers about ransomware groups and their victims in addition to the numbers of newly opened data leak sites by ransomware groups. By looking at the numbers, our readers will be able to get an idea of the overall threat landscape of the ransomware ecosystem. Sojun Ryu for The Readable provides reports representing his team’s work regarding threat intelligence.

Takeaways
In November 2022:

1. A total of 185 companies’ data were uploaded onto leak sites by ransomware groups.
2. LockBit was the most active ransomware group, uploading 30 companies’ data onto their leak sites. However, its activity appeared less active compared to the previous month, in which it uploaded 56 companies’ data onto leak sites.
3. Companies in the United States were targeted the most by ransomware groups, making up 45.3% of the total percentage.

To read the full reporting, click here.

hello@thereadable.co

The cover image of this article was designed by Areum Hwang.

Kuksung Nam is a cybersecurity journalist for The Readable. She covers cybersecurity issues in South Korea, including the public and private sectors. Prior to joining The Readable, she worked as a political reporter for one of the top-five local newspapers in South Korea, The Kyeongin Ilbo, where she reported several exclusive stories regarding the misconduct of local government officials. She is currently focused on issues related to anti-fraud, as well as threats and crimes in cyberspace. She is a Korean native who is fluent in English and French, and she is interested in delivering the news to a global audience.

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry on an in-depth level. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nation-wide issue.