US charges Chinese hackers linked to critical infrastructure breaches - Related to breaches, linked, operations, cyber, charges

Outsmarting Cyber Threats with Attack Graphs

Cyber threats are growing more sophisticated, and traditional security approaches struggle to keep up. Organizations can no longer rely on periodic assessments or static vulnerability lists to stay secure. Instead, they need a dynamic approach that provides real-time insights into how attackers move through their environment.

This is where attack graphs come in. By mapping potential attack paths, they offer a more strategic way to identify and mitigate risk. In this article, we'll explore the benefits, types, and practical applications of attack graphs.

An attack graph is a visual representation of potential attack paths within a system or network. It maps how an attacker could move through different security weaknesses - misconfigurations, vulnerabilities, and credential exposures, etc. - to reach critical assets. Attack graphs can incorporate data from various findings, continuously enhancement as environments change, and model real-world attack scenarios.

Instead of focusing solely on individual vulnerabilities, attack graphs provide the bigger picture - how different security gaps, like misconfigurations, credential issues, and network exposures, could be used together to pose serious risk.

Unlike traditional security models that prioritize vulnerabilities based on severity scores alone, attack graphs loop in exploitability and business impact. The reason? Just because a vulnerability has a high CVSS score doesn't mean it's an actual threat to a given environment. Attack graphs add critical context, showing whether a vulnerability can actually be used in combination with other weaknesses to reach critical assets.

Attack graphs are also able to provide continuous visibility. This, in contrast to one-time assessments like red teaming or penetration tests, which can quickly become outdated. By analyzing all possible paths an attacker could take, organizations can leverage attack graphs to identify and address "choke points" - key weaknesses that, if fixed, significantly reduce overall risk.

All attack graphs are not equal. They come in different forms, each with its strengths and limitations. Understanding these types helps security teams choose the right approach for identifying and mitigating risks.

Security graphs map relationships between different system elements, such as user permissions, network configurations, and vulnerabilities. They provide visibility into how various components connect. However, they don't show how an attacker could exploit them.

Pros - Security graphs are relatively easy to implement and provide valuable insights into an organization's infrastructure. They can help security teams identify potential security gaps.

- Security graphs are relatively easy to implement and provide valuable insights into an organization's infrastructure. They can help security teams identify potential security gaps. Cons - They require manual queries to analyze risks, meaning security teams must know what to look for in advance. This can lead to missed attack paths, especially when multiple weaknesses combine in unexpected ways.

Aggregated graphs combine data from multiple security tools like vulnerability scanners, identity management systems, and cloud security solutions into a unified model.

Pros - They leverage existing security tools, providing a more holistic view of risk across different environments.

- They leverage existing security tools, providing a more holistic view of risk across different environments. Cons - Integration can be challenging, with potential data mismatches and visibility gaps. Since these graphs rely on separate tools with their own limitations, the overall picture may still be incomplete.

Advanced and holistic attack graphs take a different direction. These are purpose-built to model real-world attacker behavior, with special focus on how threats evolve across systems. They map out all possible attack paths and continuously enhancement themselves as environments change. Unlike other graphs, they don't rely on manual queries or predefined assumptions. They also provide continuous monitoring, real exploitability context, and effective prioritization – which helps security teams focus on the most critical risks first.

Attack graphs provide continuous visibility into attack paths, which offers security teams a dynamic, real-time view instead of outdated snapshots from periodic assessments. By mapping how attackers could potentially navigate an environment, organizations gain a clearer understanding of evolving threats.

They also improve prioritization and risk management by contextualizing vulnerabilities. Rather than blindly patching high-CVSS flaws, security teams can identify critical choke points – the key weaknesses that, if fixed, significantly reduce risk across multiple attack paths.

Another major advantage is cross-team communication. Attack graphs simplify complex security issues, crucially helping CISOs overcome the challenge of explaining risk to executives and boards through clear visual representations.

Finally, attach graphs enhance the efficiency of remediation efforts by ensuring that security teams focus on securing business-critical assets first. By prioritizing fixes based on both actual exploitability and business impact, organizations can allocate security resources effectively.

Leveraging Attack Graphs for Proactive Security.

Attack graphs are shifting cybersecurity from a reactive stance to a proactive strategy. Instead of waiting for attacks to happen or relying on quickly-outdated assessments, security teams can use attack graphs to anticipate threats before they're exploited.

A key element of this shift from reactive to proactive security is the ability of attack graphs to integrate threat intelligence. By continuously incorporating data on emerging vulnerabilities, exploit techniques, and attacker behaviors, organizations can stay ahead of threats rather than reacting after damage occurs.

Continuous assessment is also critical in modern IT environments, where change is the norm. Attack graphs provide real-time updates. This helps security teams adapt as networks, identities, and cloud environments shift. Unlike static models, attack graphs offer ongoing visibility into attack paths, enabling smarter, more informed decision-making.

By leveraging attack graphs, organizations can move beyond traditional vulnerability management to focus on real exploitability and business impact. This shift from reactive patching to strategic risk reduction makes security operations more efficient and effective. Ultimately, attack graphs empower teams to close critical security gaps, strengthen defenses, and stay ahead of adversaries.

Note: This article is expertly written by Menachem Shafran, SVP of Strategy and Innovation, and Tobias Traebing, VP of Global Sales Engineering, at XM Cyber.

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsear......

Gemeinsam mit über zwanzig weiteren zivilgesellschaftlichen Organisationen richtet der Chaos Computer Club (CCC) einen Appell für eine digitale Brandm......

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations ......

US charges Chinese hackers linked to critical infrastructure breaches

The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.

Their victim list includes US federal and state government agencies, foreign ministries of multiple governments in Asia, [website] dissidents, as well as a prominent religious organization in the United States.

"These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative. The MPS and MSS paid handsomely for stolen data," the Justice Department stated today.

Today, the DOJ charged two MPS officers and eight employees of Anxun Information Technology (also known as i-Soon) with involvement in these attacks and seized the domain used by i-Soon to advertise its hacker-for-hire services.

The State Department is also offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for information that could help locate or identify the following defendants:

Chen Cheng (陈诚), Chief Operating Officer.

Indictments unsealed today reveal that i-Soon hackers conducted computer intrusions at the MSS's request. They also independently hacked targets and attempted to sell stolen data to at least 43 MSS or MPS bureaus across 31 Chinese provinces and municipalities.

i-Soon charged the MSS and MPS between $10,000 and $75,000 for every compromised email inbox and also trained MPS employees.

Reward for information on i-Soon hackers (US State Department).

China-based hackers Yin Kecheng (aka YKCAI) and Zhou Shuai (aka Coldface), linked to the state-backed APT27 hacking group, were also charged today for their involvement in this global hacking campaign.

While they're both still at large, the Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned them,while the State Department presented rewards of up to $2 million for information leading to their arrests and convictions.

"As alleged in court documents, between August 2013 and December 2024, Yin, Zhou, and their co-conspirators exploited vulnerabilities in victim networks, conducted reconnaissance once inside those networks, and installed malware, such as PlugX malware, that provided persistent access," the DOJ presented on Wednesday.

"The defendants and their co-conspirators then identified and stole data from the compromised networks by exfiltrating it to servers under their control. Next, they brokered stolen data for sale and provided it to various clients, only some of whom had connections to the PRC government and military.

"Between them, Yin and Zhou sought to profit from the hacking of numerous [website] technology companies, think tanks, law firms, defense contractors, local governments, health care systems, and universities, leaving behind them a wake of millions of dollars in damages."

Today's indictments and sanctions are part of a broader effort to combat cyberattacks coordinated by Chinese cybercriminals and state-sponsored hackers.

In December, OFAC sanctioned Sichuan Silence and one of its employees for involvement in Ragnarok ransomware attacks targeting US critical infrastructure.

One month later, it also targeted Chinese cybersecurity corporation Integrity Tech for its involvement in cyberattacks linked to the Chinese state-sponsored Flax Typhoon hacking group and sanctioned Yin Kecheng for his role in last year's breach of the Treasury Department's network.

Wenn Angreifer erfolgreich an einer Schwachstelle in Kibana ansetzen, können sie Systeme mit Schadcode verseuchen. Attacken sind aber nicht in jedem F......

The [website] Department of Justice (DoJ) has introduced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme desig......

U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations

The [website] Department of Justice (DoJ) has showcased charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent globally.

The individuals include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC organization, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as i-Soon, and members of Advanced Persistent Threat 27 (APT27, aka Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger) -.

Chen Cheng (陈诚), Chief Operating Officer.

Yin Kecheng (尹可成), APT27 actor aka "YKC"

Zhou Shuai (周帅), APT27 actor aka "Coldface"

"These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative," the DoJ stated. "The MPS and MSS paid handsomely for stolen data."

Court documents reveal that the MPS and MSS employed a network of private companies and contractors in China to indiscriminately infiltrate companies and steal data, while also obscuring the involvement of the government.

The eight i-Soon employees, alongside two MPS officers, have been accused of breaking into email accounts, cell phones, servers, and websites from at least in or around 2016 through in or around 2023.

The [website] Federal Bureau of Investigation (FBI), in a court filing, stated the activities associated with i-Soon are tracked by the cybersecurity community under the monikers Aquatic Panda (aka RedHotel), while APT27 overlaps with that of Silk Typhoon, UNC5221, and UTA0178.

The agency further pointed out that the Chinese government is using formal and informal connections with freelance hackers and information security companies to compromise computer networks worldwide.

Separately, the [website] Department of State's Rewards for Justice (RFJ) program has revealed a reward of up to $10 million for information leading to the identification or location of any person who engages in malicious cyber activities against [website] critical infrastructure while acting under the direction of a foreign government.

The DoJ further noted that i-Soon and its employees generated tens of millions of dollars in revenue, making the business a key player in the PRC hacker-for-hire ecosystem. It's estimated to have charged anywhere between $10,000 and $75,000 for each email inbox it successfully exploited.

"In some instances, i-Soon conducted computer intrusions at the request of the MSS or MPS, including cyber-enabled transnational repression at the direction of the MPS officer defendants," the department mentioned.

"In other instances, i-Soon conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China."

Targets of i-Soon's attacks included a large religious organization in the United States, critics and dissidents of the PRC government, a state legislative body, United States government agencies, the ministries of foreign affairs of multiple governments in Asia, and news organizations.

An additional monetary reward of up to $2 million each has been revealed for information leading to the arrests and/or convictions of Shuai and Kecheng, who are accused of participating in a years-long, sophisticated computer hacking conspiracy to breach [website] victim companies, municipalities, and organizations for profit from 2011, and steal data after establishing persistent access via the PlugX malware.

Shuai has been alleged to operate as a data broker, selling the plundered information to various end-individuals, some of whom had connections to the PRC government and military, for a financial profit.

Concurrent to the charges, the DoJ has also presented the seizure of four domains linked to i-Soon and the APT27 actors -.

"i-Soon's victims were of interest to the PRC government because, among other reasons, they were prominent overseas critics of the PRC government or because the PRC government considered them threatening to the rule of the Chinese Communist Party," the DoJ expressed.

The corporation is also stated to have trained MPS employees how to hack independently of i-Soon and provided for sale various hacking methods that it described as an "industry-leading offensive and defensive technology" and a "zero-day vulnerability arsenal."

Advertised among the tools was a software called the "Automated Penetration Testing Platform" that's capable of sending phishing emails, creating files with malware that provide remote access to victims' computers upon opening, and cloning websites of victims in an attempt to trick them into providing sensitive information.

Another of i-Soon's offerings is a password-cracking utility known as the "Divine Mathematician Password Cracking Platform" and a program engineered to hack into various online services like Microsoft Outlook, Gmail, and X (formerly Twitter), among others.

"With respect to Twitter, i-Soon sold software with the capability to send a victim a spear phishing link and then to obtain access to and control over the victim's ," the DoJ explained.

"The software had the ability to access Twitter even without the victim's password and to bypass multi-factor authentication. After a victim's Twitter was compromised, the software could send tweets, delete tweets, forward tweets, make comments, and like tweets."

The purpose of the tool, referred to as "Public Opinion Guidance and Control Platform (Overseas)," was to let the business's customers leverage the network of hacked X accounts to understand public opinion outside of China.

"The charges showcased today expose the PRC's continued attempts to spy on and silence anyone it deems threatening to the Chinese Communist Party," Acting Assistant Director in Charge Leslie R. Backschies mentioned in a statement.

"The Chinese government tried to conceal its efforts by working through a private organization, but their actions amount to years of state-sponsored hacking of religious and media organizations, numerous government agencies in multiple countries, and dissidents around the world who dared criticize the regime."

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero......

Wenn Angreifer erfolgreich an einer Schwachstelle in Kibana ansetzen, können sie Systeme mit Schadcode verseuchen. Attacken sind aber nicht in jedem F......

Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors.