SCOTTSDALE, Ariz. — A new cyber threat intelligence working group will seek to bring greater attention and resources to bear on understanding complex cyber operations in Africa and Latin America, regions that organizers of the effort say have been historically neglected by cybersecurity researchers.
Speaking at SentinelOne’s second annual LABScon threat research security conference on Thursday, organizers of the new “Undermonitored Regions Working Group” said it marks an attempt to drastically improve visibility in areas where geopolitical rivalry has caused an upswing in cyber operations but that lack investment, focus and attention from the wider cybersecurity community.
“In the threat intelligence industry, we have a habit of overlooking regions where our immediate financial interests don’t appear to be at stake,” Tom Hegel, a senior threat researcher with SentinelLabs, wrote in a blog that accompanied a talk he gave at the conference. “Yet, it is precisely in places like Africa and Latin America that we witness these threat actors subtly shifting the balance of negotiations and playing pivotal roles in larger geopolitical strategies … These regions are shaping up to be the battlegrounds of the future.”
Hegel told CyberScoop that the group will aim to collaborate on understanding intrusions, delivering intelligence to victims and defenders and, potentially, creatively disrupting operations. The group is currently made up of researchers from several cybersecurity vendors and a policy researcher focused on China. Hegel said he is looking to add members who can “make an impact.”
The formation of the group comes as China is deploying offensive cyber operations in support of its broader soft power agenda in Africa, according to Hegel. Intrusions tracked by Hegel, his team, and others “conspicuously align” with Chinese investment efforts that critics, particularly in the U.S., have termed “debt trap diplomacy,” Hegel wrote in his blog post. These intrusions include attacks on telecommunications, financial institutions and governmental bodies, according to Hegel.
In March, SentinelLabs threat researchers published an analysis dissecting Chinese cyberespionage activity targeting telecommunications entities in the greater Middle East as part of a global effort reaching back more than a decade and dubbed Operation Soft Cell by cybersecurity firm Cybereason.
On Thursday, Hegel revealed that the same attackers analyzed in March compromised an unnamed telecommunications entity in North Africa at a key moment. “The timing of this activity aligned closely with Chinese telecommunication soft power interests in Africa, as the organization was in private negotiations for further regional expansion,” Hegel wrote.
Over the past decade, policymakers and researchers have grown increasingly aware of Chinese espionage operations targeting countries in Africa. In 2018, an investigation by the French newspaper Le Monde revealed that the Chinese government maintained backdoor access into servers in the African Union’s headquarters in Ethiopia, a building funded and built by China between 2009 and 2012, with network technology and services reportedly provided by Chinese tech giant Huawei. A separate group of Chinese-linked hackers was found stealing security camera footage from within the building, Reuters reported in 2020.
The ubiquity of Chinese technology across the African continent, together with cases in which technology developed by Chinese firms has been used to target and silence political opponents, is one reason why Hegel argues it is critical to devote more resources to understanding cyber operations on the continent.
“As we have navigated through the complexities of Chinese influence in Africa, the role of offensive cyber actions, and the broader implications of tech dominance, it becomes evident that this intricate web of geopolitics and cyber threats demands attention across the cybersecurity industry,” Hegel wrote. “The story of Africa’s digital landscape today is, in essence, the precursor to the global narrative of tomorrow.”