A Chinese nation-state threat actor has been caught conducting cyber espionage operations against two Russian defence research institutes using phishing emails that spoof the Russian Ministry of Health and contain malicious documents that exploit western sanctions against Russia as a lure.
The campaign was detected by threat analysts at Check Point Research and has been attributed to a Chinese nation-state actor. CPR found that the campaign has been running since the summer of 2021, long before the crisis in Ukraine escalated into war, and the threat actor used new and previously undocumented tools to evade detection.
CPR’s research head Itay Cohen said the campaign bore multiple overlaps with other Chinese cyber espionage campaigns, such as those carried out by APT10 (aka Stone Panda, MenuPass and Red Apollo) and Mustang Panda (aka TA416, Bronze President and Red Delta).
“We exposed an ongoing espionage operation against Russian defense research institutes that has been carried out by experienced and sophisticated Chinese-backed threat actors,” said Cohen.
“Our investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year. We discovered two targeted defense research institutions in Russia and one entity in Belarus.”
The threat actor is using new and previously undocumented tools to conduct its intrusions, including a multi-layered loader and a backdoor that has been dubbed Spinner. Reflecting this relative sophistication, the researchers have named the campaign Twisted Panda.
Two of the known victims belong to a holding company, specialising in radio-electronics, electronic warfare and avionics, within the Russian state-owned Rostec defence conglomerate, which is on the UK’s list of sanctioned institutions. A third victim in the Russian puppet state of Belarus has not been named.
The email subject lines include “List of <target name> persons under US sanctions for invading Ukraine” and in the third instance “US spread of deadly pathogens in Belarus”, which is likely a reference to an ongoing campaign of misinformation on the subject of chemical weapons.
When the attached documents are opened, malicious code is downloaded from an attacker-controlled server, which installs and covertly runs a backdoor that lets the attackers collect data about the infected system. That data can then be used to execute further commands on the system.
“Perhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups,” said Cohen.
“I believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China’s strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against what is considered a strategic partner – Russia,” he added.