Welcome to Memetic Warfare.
Firstly, I wanted to kick this week off with a recommendation from the excellent Substack Natto Thoughts. This week they took a look at one of the APT 27 operators in-depth, and it’s always fun to see what they find.
From there, let’s take a look at another interesting announcement - an apparent Chinese attribution of Taiwanese hacking activity, archived version available here in English.
The attribution was announced by the Ministry of State Security (MSS), China's foreign intelligence agency, which posted its statement in Chinese on Weibo.
The statement claims to expose a Taiwanese APT - the "Information, Communications and Electronic Force Command", responsible for "electronic warfare, information warfare, cyber warfare, and military line maintenance, serving as the main force for the island of Taiwan's cyber operations against the mainland".
The statement accuses them of carrying out traditional cyberespionage activity, but also, interestingly, of being quite active in IO - posting "propaganda", creating bots on various platforms, and even being behind the previously-discussed "Anonymous 64" hacktivist group.
There's also a lot of deflection here regarding the illicit, non-traditional cyber espionage activity of actual Chinese APT groups: the Chinese accuse the Taiwanese of the same shenanigans. That isn't to say that Taiwan doesn't carry out cyber operations against China, but rather that the report accuses Taiwanese operators of moonlighting to "enrich themselves", carrying out expense fraud and so on.
Alongside the official statement, as pointed out by Oleg Shakirov here, Chinese CTI firms published their own reports on the same day on the group.
We’ve seen a similar dynamic of Chinese state organizations coordinating with private sector firms with the CVERC. It’s not uncommon for US CTI firms to also coordinate with the US government, but usually they’re a bit more overt about it.
So, what makes this unique beyond just being a notable news event? Well, a few things. Firstly, the CVERC is still active and publishing content (which I'll hopefully cover in depth in the future), and is a key vector for Chinese IO activity.
The MSS has published and attributed less frequently than the CVERC, but is still active, and this shows that exploiting CTI, and private sector reporting at that, is a key component of Chinese IO capabilities.
This statement is also indicative of the MSS coming full circle and mimicking US-style attribution. Previous MSS attributions have been shorter and often unaccompanied by technical data or reporting (be it accurate or not), whereas here we have a statement that, silliness and unprofessionalism aside, is more in line with what we'd expect from Western/US attribution attempts. Imitation is the most sincere form of flattery, I guess!
If you’re interested in some analysis of the technical elements, check out the Three Buddy Problem podcast below.
The next article that we’ll look at is from the Eurovision News network, available here. They took a deep look at Russian hybrid operations in Europe, ranging from sabotage to physical IO.
This is an in-depth look, and it starts off strong:
They even recreate what the TG group looks like:
They map out and track over 80 incidents of suspected Russian activity:
There’s a lot more here and it’s worth reading, so take a look. The main theme is that Russia is outsourcing hybrid activity via messaging applications and other platforms to ramp up their IO activity, be it on or offline, as well as other acts of sabotage.
We'll conclude with two recommendations. The first is a podcast recommendation from CrowdStrike. This episode covers the use of residential proxies for cybercrime, meaning cases where a cybercriminal takes over a given device or gains access to a residential network.
Once controlled, often via an IoT device or an exposed router, the actor can then sell access to that device, through which other actors can route their traffic, obfuscating their point of origin.
So, why is this a big deal? Well, residential proxies have been used in cybercrime of all kinds for years, but they can be and are also used by adversaries to open massive numbers of accounts on various platforms - the utility of that for IO is obvious.
Listen to the episode if you’re interested, and hopefully we’ll see more coverage of the convergence of the cybercrime underground and IO going forward, even if not explicitly discussed in the podcast episode.
The last recommendation is a recent look at the Romanian elections from the Cyfluence Research Institute, available here. The report focuses on some specific accounts and platform activity worth looking at, so give it a look. I'm always happy to see a new research organization pop up, especially in Europe where it's needed, so hopefully we'll see more from them soon.
That's all for this week - check out Telemetryapp.io and I'll see you back here sometime next week.
You mention CTI often in this post as in "Chinese CTI firms." Can you clarify: is this a generic acronym meaning something like either 'controlled technical information' (CTI) or 'cyber threat intelligence' (CTI) or is this a reference to the specific Centre Testing International Group Co., Ltd. (CTI) 华测检测 - (which would be a single albeit 'group' entity)?
Thank you for your posts, which are appreciated but somewhat difficult to parse for an outside reader like myself.