China ramps up its cyber espionage efforts against Russia


State-sponsored hackers with ties to Beijing are increasingly focusing their cyber espionage effort on Moscow, an analysis suggests.

A cluster of China-linked threat activity has been observed to target Russian organizations, researchers at SentinelLabs claim.

The group known as Mustang Panda has targeted Russian organizations since the beginning of the war in Ukraine, while a novel hacker group dubbed 'Space Pirates' penetrated Russia's space tech industry.

According to a recent report, the attackers use phishing emails to deliver Remote Access Trojans (RATs) via infected Microsoft Office documents. The threat actors use the Royal Road builder to drop the Bisonal backdoor. Both tools are frequently used by China-linked hackers, suggesting Beijing was behind the attacks.

"While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations," reads the report.

As with the attacks by Mustang Panda and Space Pirates, recent attacks also saw threat actors crafting the documents to be relevant to victim organizations.

An infected document spotted mid-June masqueraded as a RU-CERT memo on phishing attacks. The document appears to have targeted Russia's Foreign Ministry. Another fake document was themed around telecommunication organizations.

SentinelLabs researchers believe the tools used in the attack point to the Chinese threat group Tonto Team as prime suspects behind the campaign.

"However, we assess that link with only medium confidence due to the potential for shared attacker resources that could muddy attribution based on the currently available data," reads the report.

While the attacker is known to have targeted government and private organizations in Northeast Asia, its recent focus on Russia might suggest a piqued interest in Moscow's dealings following the invasion of Ukraine.

The report's authors conclude that while it is not possible to be 100% certain that the attacks originate in China, the evidence points to Beijing.

"Based on our observations, there's been a continued effort to target Russian organizations by this cluster through well-known attack methods: the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations," claims the report.