A new China-linked threat actor, Storm-2077, has emerged as a significant cyber threat to U.S. government agencies, non-governmental organizations, and industries worldwide. Active since January 2024, the group has conducted operations targeting the Defense Industrial Base (DIB), aviation, telecommunications, financial, and legal sectors.
Cyber Attack Tactics
According to Microsoft, Storm-2077 employs advanced tactics to gain initial access and establish persistence:
- Exploits: Targets internet-facing edge devices using publicly available vulnerabilities.
- Malware Deployment: Drops tools like Cobalt Strike, Pantegana, and Spark RAT for post-compromise activities.
- Credential Harvesting: Uses phishing campaigns to compromise credentials for eDiscovery applications to exfiltrate sensitive emails.
- Cloud Environment Infiltration: Gathers endpoint credentials to gain administrative access to cloud systems, enabling the creation of malicious applications with elevated permissions.
Storm-2077’s methods align with Recorded Future's Insikt Group’s tracking of TAG-100, indicating overlapping threat activity clusters.
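The cloud tactic described above (a freshly registered application that is immediately granted elevated permissions) leaves a recognisable sequence in the tenant's audit trail. The following Python is an added detection example, not code from Microsoft's or Recorded Future's reporting; the simplified event schema, the high-risk permission list and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Application permissions that give unattended, tenant-wide access to mail or the directory.
# Hypothetical list; tune it to the cloud platform's actual permission names.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    action: str                 # "AddApplication" or "GrantAppPermission" (simplified schema)
    app_id: str
    permissions: tuple = ()

def find_suspicious_apps(events, window=timedelta(hours=1)):
    """Return {app_id: details} for apps created and then granted a high-risk
    permission within `window`; the register-then-grant sequence is what a
    freshly planted malicious app looks like in the audit trail."""
    created, flagged = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "AddApplication":
            created[ev.app_id] = ev
        elif ev.action == "GrantAppPermission":
            risky = HIGH_RISK_PERMISSIONS.intersection(ev.permissions)
            birth = created.get(ev.app_id)
            if risky and birth is not None and ev.ts - birth.ts <= window:
                flagged[ev.app_id] = {
                    "actor": ev.actor,
                    "permissions": sorted(risky),
                    "seconds_after_creation": int((ev.ts - birth.ts).total_seconds()),
                }
    return flagged

# Constructed sample events (not real telemetry): one benign app, one app
# granted a risky permission long after creation, and one matching the pattern.
T = datetime(2024, 11, 20, 10, 0)
SAMPLE_EVENTS = [
    AuditEvent(T - timedelta(hours=1), "hr-admin@example.com", "AddApplication", "app-hr-portal"),
    AuditEvent(T - timedelta(minutes=50), "hr-admin@example.com", "GrantAppPermission", "app-hr-portal", ("User.Read",)),
    AuditEvent(T - timedelta(days=3), "it-admin@example.com", "AddApplication", "app-legacy"),
    AuditEvent(T + timedelta(minutes=30), "it-admin@example.com", "GrantAppPermission", "app-legacy", ("Directory.ReadWrite.All",)),
    AuditEvent(T, "it-admin@example.com", "AddApplication", "app-mail-sync"),
    AuditEvent(T + timedelta(minutes=5), "it-admin@example.com", "GrantAppPermission", "app-mail-sync", ("Mail.Read", "offline_access")),
]
```

Running `find_suspicious_apps(SAMPLE_EVENTS)` flags only `app-mail-sync`; the long-standing app's grant still deserves review, but it is a different alert than the one this rule targets.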
GLASSBRIDGE: China’s Global Influence Operation via Fake News Sites
In parallel to Storm-2077’s cyber campaigns, Google's Threat Intelligence Group (TAG) has uncovered GLASSBRIDGE, a pro-China influence operation leveraging fake news sites to disseminate narratives aligned with Beijing’s political agenda.
How GLASSBRIDGE Operates
- Fake News Websites: Operated by digital PR firms posing as independent news outlets.
- Content Amplification: Republishes PRC state media articles, press releases, and client-commissioned content.
- Digital PR Firms Involved:
  - Shanghai Haixun Technology (HaiEnergy cluster)
  - Times Newswire/Shenzhen Haimai Yunxiang Media (PAPERWALL campaign)
  - Shenzhen Bowen Media
  - DURINBRIDGE, which distributes Haixun and DRAGONBRIDGE content
Subdomain Manipulation
GLASSBRIDGE leverages legitimate subdomains of news outlets to spread pro-Beijing narratives, such as:
- markets.post-gazette[.]com
- business.ricentral[.]com
- finance.azcentral[.]com
Influence Beyond Social Media
Unlike traditional social media campaigns, GLASSBRIDGE tailors its content to regional audiences via imitation news outlets, presenting state-aligned narratives as legitimate news.
Implications and Defense
Storm-2077 and GLASSBRIDGE illustrate the sophistication of China-linked cyber and influence operations:
- For cybersecurity professionals: prioritize securing internet-facing edge devices, monitoring for phishing campaigns, and hardening cloud environments, including review of newly registered applications and their permissions.
- For media outlets: stay vigilant against abuse of legitimate subdomains and inauthentic content amplification.