A year-long Chinese Cyber Espionage Campaign in Russia now targets Defense Research Institutes
Check Point Research (CPR) detects an ongoing, cyber espionage operation targeting Russian defense research institutes. Attributed to Chinese nation-state actors, the operation uses spear-phishing emails sent under the guise of the Russian Ministry of Health to collect sensitive information. Emails caught by CPR contained malicious documents that used the Western sanctions against Russia as a decoy, among other social engineering techniques. The threat actors were able to evade detection for nearly 11 months by using new and undocumented tools that CPR now details for the first time. CPR has named the campaign "Twisted Panda" to reflect the sophistication of the tools observed and traced to China.
Russian victims belong to a holding company within the Russian state-owned defense conglomerate called Rostec Corporation, Russia's largest holding company in the radio-electronics industry.
Emails contained subject lines “List of
Campaign bears multiple overlaps with Chinese advanced and long-standing cyberespionage actors, including APT10 and Mustang Panda
Check Point Research (CPR) has spotted an ongoing cyber espionage operation targeting Russian defense research institutes. Attributed to Chinese nation-state threat actors, the operation relies on social engineering techniques, specifically sanction-related baits, to collect sensitive information. The threat actors were able to evade detection for nearly 11 months by using new and undocumented tools, a sophisticated multi-layered loader and a backdoor dubbed SPINNER. CPR has named this campaign "Twisted Panda" to reflect the sophistication of the tools observed and the attribution to China.
CPR identified three defense research targets, two in Russia and one in Belarus. The Russian victims belong to a holding company within the Russian state-owned defense conglomerate called Rostec Corporation, which is Russia's largest holding company in the radio-electronics industry. The primary business of the Russian victims is in the development and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations, and means of state identification. The research entities are also involved in avionics systems for civil aviation, the development of a variety of civil products such as medical equipment and control systems for energy, transportation, and engineering industries.
First, the attackers send their targets a specially crafted phishing email. The email contains a document using the Western sanctions against Russia as a decoy. When the victim opens the document, it downloads the malicious code from the attacker-controlled server, which installs and covertly runs a backdoor on the victim's machine. This backdoor collects the data about the infected machine and sends it back to the attacker. Then based on this information, the attacker can further use the backdoor to execute additional commands on the victim's machine or collect sensitive data from it.
The threat actors leverage malicious spear-phishing emails that use social engineering techniques. On March 23, malicious emails were sent to several defense research institutes based in Russia. The emails, which had the subject “List of
The Tactics, Techniques, and Procedures (TTPs) of this operation allows CPR to make an attribution to Chinese APT activity. The Twisted Panda campaign bears multiple overlaps with Chinese advanced and long-standing cyberespionage actors, including APT10 and Mustang Panda.
Quote: Itay Cohen, Head of Research at Check Point Software
"We exposed an ongoing espionage operation against Russian defense research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors. Our investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year. We discovered two targeted defense research institutions in Russia and one entity in Belarus.
Perhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups. I believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China's strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against who is considered a strategic partner — Russia."
Al Faisal Holding Company implements Ramco Systems’ Global Payroll & HR Solution
Qatar based Al Faisal Holding announces that it has chosen to implement Ramco Systems&rsqu...
Capgemini helps Dassault Aviation accelerate its digital transformation
Dassault Aviation and Capgemini have announced the successful deployment and commissioning...
Intel hosts the Safety Pioneers Conference to boost road safety in India
Intel reinforces its goal to use technology to enhance road safety in India. At the Safety...
Prama Excellence Meet conducted in Mumbai to showcase its surveillance products
Prama India has organized its third part of ‘PRAMA EXCELLENCE MEET’ event in M...
PRAMA hosts its EXCELLENCE MEET in New Delhi
Prama India has organized its Pan India Roadshows with its second event recently at New De...