China-linked hackers could be behind cyberattacks on Russian state agencies, researchers say


Hackers have targeted dozens of computers belonging to Russian state agencies and tech companies with malicious tools linked to Chinese threat actors, according to a new report.

In a campaign dubbed EastWind, discovered late last month by researchers at Russian cybersecurity firm Kaspersky, the attackers used the GrewApacha remote access trojan (RAT), a previously unknown backdoor called PlugY and an updated version of the CloudSorcerer malware, which was previously used to spy on Russian organizations.

The GrewApacha RAT has been used by the Beijing-linked hacking group APT31 since at least 2021, the researchers said, while PlugY shares many similarities with tools used by the suspected Chinese threat actor known as APT27.

According to Kaspersky, the hackers sent phishing emails containing malicious archives. In the first stage of the attack, a malicious dynamic link library (DLL), a file type common on Windows computers, collected information about the infected device and loaded the additional malicious tools.

While Kaspersky didn’t explicitly attribute the recent attacks to APT31 or APT27, the researchers highlighted links between the tools that were used.

Although PlugY malware is still being analyzed, it is highly likely that it was developed using the DRBControl backdoor code, the researchers said. This backdoor was previously linked to APT27 and bears similarities to PlugX malware, another tool typically used by hackers based in China.

APT27 has been active since at least 2010 and has targeted organizations in sectors including aerospace, government, defense, technology, energy, manufacturing and gambling. In 2022, it attacked a U.S. state legislature using a Log4j vulnerability.

Earlier in July, the U.K. government accused APT31, which overlaps with the group RedBravo, of breaching the servers of the Electoral Commission and accessing the personal information of nearly 40 million people.

According to Kaspersky, PlugY was deployed using an updated version of the CloudSorcerer backdoor. This tool has previously been deployed to steal data from Russian government agencies.

Researchers described CloudSorcerer as “a sophisticated cyber espionage tool” that relied on legitimate cloud services such as Yandex Cloud and Dropbox for stealth monitoring and data collection.

Its updated variant used a popular Russian blogging platform, LiveJournal, and a social question-and-answer website, Quora, as initial command and control servers.
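The two paragraphs above describe the part of this tradecraft that defenders can actually look for: a backdoor that hides its command-and-control traffic inside connections to legitimate, widely used services (Dropbox, Yandex Cloud, LiveJournal, Quora). A single request to such a site is unremarkable; what stands out is a non-browser process contacting the same service at near-fixed intervals. The script below is an added example written for this article, not code from Kaspersky or from the campaign. It runs a simple beacon-regularity check over a few constructed proxy-log lines: hostnames, process names, timestamps and the watch-list of domains are all assumptions chosen for illustration, and the watch-list in particular should be replaced with your own inventory of approved cloud and web services.

```python
"""Beacon-regularity check over proxy log lines (added example, hypothetical data).

Groups requests by (host, process, domain), measures how regular the
inter-request gaps are, and flags low-jitter repeated contacts to watched
services from a non-browser process.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Illustrative watch-list based on the services named in the article.
# Assumed registered domains; replace with your own approved-services inventory.
WATCHED_DOMAINS = {"livejournal.com", "quora.com", "dropbox.com", "yandexcloud.net"}

# Processes for which regular contact with these sites is expected.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample log: "<ISO timestamp> <host> <process> <domain>".
# WS-17 contacts LiveJournal every ~5 minutes from svchost.exe (the pattern
# worth reviewing); WS-22 is a person browsing Quora; WS-31 is too sparse.
SAMPLE_LOG = """\
2024-07-30T09:00:00 WS-17 svchost.exe api.livejournal.com
2024-07-30T09:05:01 WS-17 svchost.exe api.livejournal.com
2024-07-30T09:10:00 WS-17 svchost.exe api.livejournal.com
2024-07-30T09:14:59 WS-17 svchost.exe api.livejournal.com
2024-07-30T09:20:00 WS-17 svchost.exe api.livejournal.com
2024-07-30T09:01:13 WS-22 chrome.exe www.quora.com
2024-07-30T09:37:40 WS-22 chrome.exe www.quora.com
2024-07-30T10:02:05 WS-22 chrome.exe www.quora.com
2024-07-30T09:02:00 WS-31 explorer.exe content.dropbox.com
2024-07-30T11:45:00 WS-31 explorer.exe content.dropbox.com
"""


def parse_line(line):
    """Split one log line into (timestamp, host, process, domain)."""
    ts, host, proc, domain = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), domain.lower()


def registered_domain(fqdn):
    """Crude registered-domain extraction: last two labels of the FQDN."""
    return ".".join(fqdn.split(".")[-2:])


def beacon_score(timestamps):
    """Return (hit count, mean gap in seconds, coefficient of variation of gaps).

    Mean gap and CV are None when fewer than three hits exist, since
    regularity cannot be judged from a single interval.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return len(ts), m, cv


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Flag (host, process, domain) tuples with regular contact to watched domains."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, domain = parse_line(line)
        if registered_domain(domain) in WATCHED_DOMAINS:
            buckets[(host, proc, domain)].append(ts)

    findings = []
    for (host, proc, domain), stamps in buckets.items():
        hits, mean_gap, cv = beacon_score(stamps)
        if hits < min_hits or cv is None or cv > max_cv or proc in BROWSERS:
            continue
        findings.append({
            "host": host,
            "process": proc,
            "domain": domain,
            "hits": hits,
            "mean_interval_s": round(mean_gap),
            "cv": round(cv, 3),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The thresholds (`min_hits`, `max_cv`) are starting points, not tuned values: a low coefficient of variation means the gaps between requests are nearly identical, which is characteristic of a scheduled check-in rather than a person reading a blog. Real proxy logs need the same grouping applied per user agent and per destination path, and a hit on this check is a lead for triage (which binary, signed by whom, loaded how), not a verdict.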

Earlier in July, researchers at cybersecurity firm Proofpoint discovered a malicious tool that shared many similarities with CloudSorcerer and was used to target a U.S.-based organization.

In the EastWind campaign, the hackers used an infection method similar to the one Proofpoint described in the attack on the U.S. organization, researchers at Kaspersky said.

In a comment to Recorded Future News, Proofpoint stated that they “do not have any additional details to share at this stage.”


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
