
Increase in targeting
Palo Alto believes the group is expanding its operations: since October, the group has scanned the networks of organizations in 155 countries for known vulnerabilities. The scans appear to be aimed at IP addresses belonging to government infrastructure and specific targets of interest.
For example, during the US government shutdown that began in October, the group started scanning the infrastructure of governments in the Americas, including in Brazil, Canada, the Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago. The researchers believe the group has already compromised entities in Bolivia, Brazil, Mexico, Panama, and Venezuela.
The group seems to time its targeting to certain events. For example, when the president of Czechia met with the Dalai Lama in August, the group immediately started scanning the computer infrastructure belonging to the Czech Army, police, parliament, and presidency, as well as the country's ministries of interior, finance, and foreign affairs.
