Key Takeaways
A newly discovered cyber espionage campaign has compromised Russian government agencies and tech companies. Linked to Chinese threat actors, the attack involved a complex series of malicious tools and techniques.
Kaspersky researchers have named the campaign “EastWind” and detailed its methods, including phishing, malware deployment, and data exfiltration. As the investigation unfolds, the full extent of the attack remains unclear.
A coordinated cyberattack targeting Russian government agencies and technology companies has been linked to Chinese threat actors. The attackers employed a sophisticated arsenal of malicious tools, including the GrewApacha RAT, PlugY backdoor, and updated CloudSorcerer malware.
The campaign, dubbed “EastWind” by Kaspersky researchers, involved phishing emails that delivered malicious code to collect system information and deploy additional malware.
While direct attribution to specific Chinese hacking groups like APT31 and APT27 is still under investigation, the tools’ characteristics strongly suggest their involvement.
Preliminary analysis suggests that the newly discovered PlugY malware shares striking similarities with the DRBControl backdoor, previously linked to the Chinese hacking group APT27. This connection, together with the malware’s resemblance to the PlugX tool commonly used by Chinese cybercriminals, implies a Chinese origin.
The “EastWind” campaign employed a multi-stage attack process involving a series of malicious tools.
The initial infection vector was a phishing email containing a RAR archive. Once opened, a DLL side-loading technique deployed a backdoor named GrewApacha on the victim’s system. This malware, previously associated with the APT31 group, has been updated to use two command servers for increased resilience.
Subsequently, the attackers introduced an updated version of the CloudSorcerer backdoor, equipped with enhanced anti-analysis techniques. This malware now employs Quora and LiveJournal profiles as command-and-control servers, demonstrating the attackers’ adaptability.
A previously unseen backdoor, “PlugY”, was also deployed during the attacks. This versatile malware possesses a wide range of capabilities, including data exfiltration, remote code execution, and keylogging.
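The report states that the updated CloudSorcerer fetches its command-and-control location from Quora and LiveJournal profiles (and, as noted later in the article, GitHub), a so-called dead-drop resolver. The following hunt script is an added example, not code from Kaspersky or from this article: it walks constructed, simplified network-event lines and flags any non-browser process that contacts those profile sites, which is the behaviour a defender can look for regardless of the specific profile used. The log format, the browser allow-list and the sample events are assumptions for illustration.

```python
"""Flag non-browser processes contacting dead-drop profile sites (Quora,
LiveJournal, GitHub), as used for C2 by the CloudSorcerer variant in this report.
Event format is a constructed, simplified EDR-style line:
<timestamp> <host> <pid> <image> <destination fqdn>"""
import re
from collections import defaultdict

# Sites the report names as C2 dead drops (public profile pages hosting C2 data).
DEAD_DROP_DOMAINS = {"quora.com", "livejournal.com", "github.com"}
# Processes that legitimately browse these sites; anything else is suspicious.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
2024-08-12T09:01:02Z host1 4120 chrome.exe www.quora.com
2024-08-12T09:01:15Z host1 5212 svchost.exe www.livejournal.com
2024-08-12T09:02:40Z host2 3300 msedge.exe github.com
2024-08-12T09:03:01Z host2 6644 rundll32.exe api.github.com
2024-08-12T09:03:05Z host2 6644 rundll32.exe www.quora.com
2024-08-12T09:04:11Z host3 7001 outlook.exe outlook.office365.com
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")

def parent_domain(fqdn: str) -> str:
    """Reduce www.quora.com / api.github.com to the registrable domain."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else fqdn.lower()

def find_dead_drop_contacts(log_text: str) -> dict:
    """Return {(host, pid, image): [destinations]} for every non-browser
    process that reached a dead-drop domain. Browser traffic is ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, host, pid, image, dst = m.groups()
        if image.lower() in BROWSER_PROCESSES:
            continue
        if parent_domain(dst) in DEAD_DROP_DOMAINS:
            hits[(host, int(pid), image.lower())].append(dst.lower())
    return dict(hits)

if __name__ == "__main__":
    for key, dsts in find_dead_drop_contacts(SAMPLE_EVENTS).items():
        print(f"suspicious: {key} -> {dsts}")
```

In the sample, the svchost.exe and rundll32.exe contacts are reported while browser traffic to the same sites is not; in production the allow-list should be tuned to the processes that legitimately use these sites in your environment.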
The CloudSorcerer hacking group has previously targeted Russian government agencies and a US think tank this year. The group’s advanced malware, which leverages legitimate cloud services for covert operations, has raised alarms within the cybersecurity community.
Researchers at Kaspersky had linked the group’s tactics to the previously observed CloudWizard, another APT targeting Russian-occupied Ukrainian territories. However, key differences in the malware suggest CloudSorcerer is a distinct entity.
In fact, CloudSorcerer’s use of GitHub for command-and-control infrastructure, coupled with its ability to adapt its behavior dynamically, underscores more advanced capabilities.
While the malware’s specific origins remain unclear, the convergence of Kaspersky’s findings with independent research by Proofpoint, which linked the group to a campaign targeting a US-based organization, suggests a broader scope of operations.