{"id":36342,"date":"2022-05-20T07:00:00","date_gmt":"2022-05-20T07:00:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36342"},"modified":"2022-05-20T07:00:00","modified_gmt":"2022-05-20T07:00:00","slug":"chinese-cyber-spooks-exploit-western-sanctions-on-russia","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36342","title":{"rendered":"Chinese cyber spooks exploit western sanctions on Russia"},"content":{"rendered":"<p><a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/advanced-persistent-threat-APT\">A Chinese nation-state threat actor<\/a> has been caught conducting cyber espionage operations against two Russian defence research institutes using phishing emails that spoof the Russian Ministry of Health and contain malicious documents that exploit western sanctions against Russia as a lure.<\/p>\n<p>The campaign was detected by threat analysts at <a href=\"https:\/\/research.checkpoint.com\/\">Check Point Research<\/a> and has been attributed to a Chinese nation-state actor. 
CPR found that the campaign has been running since the summer of 2021, long before the crisis in Ukraine escalated into war, and the threat actor used new and previously undocumented tools to evade detection.<\/p>\n<p>CPR\u2019s research head Itay Cohen said the campaign bore multiple overlaps with other Chinese cyber espionage campaigns, <a href=\"https:\/\/www.ncsc.gov.uk\/news\/apt10-continuing-target-uk-organisations\">such as those carried out by APT10<\/a> (aka Stone Panda, MenuPass and Red Apollo) <span><a href=\"https:\/\/blog.talosintelligence.com\/2022\/05\/mustang-panda-targets-europe.html\">and Mustang Panda<\/a> (aka TA416, Bronze President and Red Delta).<\/span><\/p>\n<p>\u201cWe exposed an ongoing espionage operation against Russian defense research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors,\u201d said Cohen.<\/p>\n<p>\u201cOur investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year.&nbsp;We discovered two targeted defense research institutions in Russia and one entity in Belarus.\u201d<\/p>\n<p>The threat actor is using some new and previously undocumented tools to conduct their intrusions, including a multi-layered loader and a backdoor that has been dubbed Spinner. Reflecting this relative sophistication, the researchers have named the campaign Twisted Panda.<\/p>\n<p>Two of the known victims belong to a holding company within the Russian state-owned Rostec defence conglomerate, <a href=\"https:\/\/www.gov.uk\/government\/news\/foreign-secretary-imposes-uks-most-punishing-sanctions-to-inflict-maximum-and-lasting-pain-on-russia\">which is on the UK\u2019s list of sanctioned institutions<\/a>, specialising in radio-electronics, electronic warfare and avionics. 
A third victim in the Russian puppet state of Belarus has not been named.<\/p>\n<p>The email subject lines include \u201cList of &lt;target name&gt; persons under US sanctions for invading Ukraine\u201d and in the third instance \u201cUS spread of deadly pathogens in Belarus\u201d, which is likely a reference to an ongoing campaign of misinformation on the subject of chemical weapons.<\/p>\n<p>On opening the attached documents, the malicious code is downloaded from the attacker-controlled server to install and covertly run a backdoor that enables them to obtain data about the infected system. This data can then be used to further execute additional commands on the system.<\/p>\n<p>\u201cPerhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups,\u201d said&nbsp;Cohen.<\/p>\n<p>\u201cI believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China\u2019s strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against who is considered a strategic partner \u2013 Russia,\u201d he added.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Chinese nation-state threat actor has been caught conducting cyber espionage operations against two Russian defence research institutes using phishing emails that spoof the Russian Ministry of Health and contain malicious documents that exploit western sanctions against Russia as a lure. 
The campaign was detected by threat analysts at Check Point Research and has been [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36343,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36342","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36342"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36342\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36343"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}