
China-Linked Hackers Breach Russian Agencies With Sophisticated Malware, Kaspersky Reveals Widespread Espionage Campaign

Published August 15, 2024 10:30 AM
Giuseppe Ciccomascolo

Key Takeaways

  • Russian government agencies and tech companies have been targeted in a complex cyberattack.
  • The attack is strongly linked to Chinese threat actors, specifically APT31 and APT27.
  • The hack’s reach extends beyond Russia, as evidenced by the targeting of a US-based think tank.

A newly discovered cyber espionage campaign has compromised Russian government agencies and tech companies. Linked to Chinese threat actors, the attack involved a complex series of malicious tools and techniques.

Kaspersky researchers have named the campaign “EastWind” and detailed its methods, including phishing, malware deployment, and data exfiltration. As the investigation unfolds, the full extent of the attack remains unclear.

Breach Of Russian Agencies

A coordinated cyberattack targeting Russian government agencies and technology companies has been linked to Chinese threat actors. The attackers employed a sophisticated arsenal of malicious tools, including the GrewApacha RAT, PlugY backdoor, and updated CloudSorcerer malware.

The campaign, dubbed “EastWind” by Kaspersky researchers, involved phishing emails that delivered malicious code to collect system information and deploy additional malware.

[Figure: CloudSorcerer attack example. Credit: Kaspersky]

While direct attribution to specific Chinese hacking groups like APT31 and APT27 is still under investigation, the tools’ characteristics strongly suggest their involvement.

Preliminary analysis suggests that the newly discovered PlugY malware shares striking similarities with the DRBControl backdoor, previously linked to the Chinese hacking group APT27. This connection, together with the malware’s resemblance to the PlugX tool commonly used by Chinese cybercriminals, implies a Chinese origin.

The Hack Process

The “EastWind” campaign employed a multi-stage attack process involving a series of malicious tools.

The initial infection vector was a phishing email containing a RAR archive. Once opened, a DLL side-loading technique deployed a backdoor named GrewApacha on the victim’s system. This malware, previously associated with the APT31 group, has been updated to use two command servers for increased resilience.

[Figure: All starts with a phishing email containing a RAR archive. Credit: Kaspersky]

Subsequently, the attackers introduced an updated version of the CloudSorcerer backdoor, equipped with enhanced anti-analysis techniques. This malware now employs Quora and LiveJournal profiles as command-and-control servers, demonstrating the attackers’ adaptability.

A previously unseen backdoor, “PlugY”, was also deployed during the attacks. This versatile malware possesses a wide range of capabilities, including data exfiltration, remote code execution, and keylogging.
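The command-and-control pattern described above (profile pages on public services such as Quora and LiveJournal standing in for command servers) is something a defender can hunt for in proxy logs. The following is an added example and is not from Kaspersky’s report or tooling: the log lines, hostnames, process names and profile URLs are constructed, and the heuristic (a non-browser process polling a profile page at a steady interval) is an assumption about how such traffic would look, not a detail the article states.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log lines (not from the Kaspersky report): timestamp, host, process, URL
SAMPLE_LOGS = """\
2024-08-01T10:00:00 WS-17 svchost.exe https://www.quora.com/profile/Some-User
2024-08-01T10:05:00 WS-17 svchost.exe https://www.quora.com/profile/Some-User
2024-08-01T10:10:00 WS-17 svchost.exe https://www.quora.com/profile/Some-User
2024-08-01T10:15:00 WS-17 svchost.exe https://www.quora.com/profile/Some-User
2024-08-01T10:03:12 WS-04 chrome.exe https://www.quora.com/What-is-DLL-side-loading
2024-08-01T11:47:30 WS-04 chrome.exe https://github.com/octocat
2024-08-01T10:01:00 WS-22 rundll32.exe https://example-user.livejournal.com/profile
2024-08-01T10:31:00 WS-22 rundll32.exe https://example-user.livejournal.com/profile
2024-08-01T11:01:00 WS-22 rundll32.exe https://example-user.livejournal.com/profile
"""

# Profile pages on the public services the article names as CloudSorcerer C2 hosts
DEAD_DROP_URL = re.compile(
    r"https://(?:www\.quora\.com/profile/|github\.com/[^/]+/?$|[^/]+\.livejournal\.com/profile)"
)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumed allow-list

def parse(line):
    ts, host, proc, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, proc, url

def find_beacons(log_text, min_hits=3, max_jitter_s=60):
    """Return (host, process, url, mean_interval_s) for every non-browser process
    that fetches a profile page at least min_hits times at near-constant intervals."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, url = parse(line)
        if proc.lower() in BROWSERS or not DEAD_DROP_URL.match(url):
            continue  # ordinary browsing, or not a profile page of interest
        groups[(host, proc, url)].append(ts)
    findings = []
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:  # regular spacing is the beaconing signal
            findings.append((*key, round(sum(gaps) / len(gaps))))
    return findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOGS):
        print(finding)
```

Real traffic to these services is overwhelmingly benign, so the output is a triage queue, not a verdict; the process allow-list and jitter threshold should be tuned to the environment.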

Previous Similar Attacks

The CloudSorcerer hacking group has previously targeted Russian government agencies and a US think tank this year. The group’s advanced malware, which leverages legitimate cloud services for covert operations, has raised alarms within the cybersecurity community.

Researchers at Kaspersky had linked the group’s tactics to the previously observed CloudWizard, another APT targeting Russian-occupied Ukrainian territories. However, key differences in the malware suggest CloudSorcerer is a distinct entity.

In fact, CloudSorcerer’s use of GitHub for command-and-control infrastructure, coupled with its ability to adapt its behavior dynamically, underscores more advanced capabilities.

While the malware’s specific origins remain unclear, the convergence of Kaspersky’s findings with independent research by Proofpoint, which linked the group to a campaign targeting a US-based organization, suggests a broader scope of operations.
