Pegasus spyware observed in Thailand. New North Korean ransomware group. Cozy Bear uses online storage services.

At a glance.

  • Pegasus spyware observed in Thailand.
  • New North Korean ransomware group.
  • Cozy Bear uses online storage services.
  • A new technique against air-gapped systems.

Pegasus spyware observed in Thailand.

Researchers at the University of Toronto’s Citizen Lab have observed the Pegasus spyware being used in “an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.” The spyware targeted at least thirty people between October 2020 and November 2021, and the infections coincided with pro-democracy protests in Thailand. Citizen Lab doesn’t definitively attribute the campaign to the Thai government, but it considers it unlikely that another nation-state would be interested in these targets:

“Conducting such an extensive hacking campaign against high profile individuals in another country is risky and runs the possibility of discovery, especially given the well-known previous cases where Pegasus infections were publicly discovered and publicly disclosed.

“In addition, the victimology, and in some cases the timing of the infections, reflects information that would be easily available to the Thai authorities, such as non-public relationships and financial activity, but substantially more challenging for other governments to obtain.”

New North Korean ransomware group.

Microsoft warns that a North Korean threat actor that calls itself “H0lyGh0st” is targeting small and midsize businesses in several countries with ransomware. The victims include “manufacturing organizations, banks, schools, and event and meeting planning companies.” Microsoft tracks the threat actor as DEV-0530, and notes that it’s not clear if Pyongyang is behind the operation or if North Korean government employees are acting independently for their own financial gain:

“The first possibility is that the North Korean government sponsors this activity. The weakened North Korean economy has become weaker since 2016 due to sanctions, natural disasters, drought, and the North Korean government’s COVID-19 lockdown from the outside world since early 2020. To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from…