A Chinese nation-state threat actor has been caught conducting cyber espionage operations against two Russian defence research institutes using phishing emails that spoof the Russian Ministry of Health and contain malicious documents that exploit western sanctions against Russia as a lure.
The campaign was detected by threat analysts at Check Point Research and has been attributed to a Chinese nation-state actor. CPR found that the campaign has been running since the summer of 2021, long before the crisis in Ukraine escalated into war, and the threat actor used new and previously undocumented tools to evade detection.
CPR’s research head Itay Cohen said the campaign bore multiple overlaps with other Chinese cyber espionage campaigns, such as those carried out by APT10 (aka Stone Panda, MenuPass and Red Apollo) and Mustang Panda (aka TA416, Bronze President and Red Delta).
“We exposed an ongoing espionage operation against Russian defense research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors,” said Cohen.
“Our investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year. We discovered two targeted defense research institutions in Russia and one entity in Belarus.”
The threat actor is using some new and previously undocumented tools to conduct their intrusions, including a multi-layered loader and a backdoor that has been dubbed Spinner. Reflecting this relative sophistication, the researchers have named the campaign Twisted Panda.
Two of the known victims belong to a holding company within the Russian state-owned Rostec defence conglomerate, which is on the UK’s list of sanctioned institutions, specialising in radio-electronics, electronic warfare and avionics. A third victim in the Russian puppet state of Belarus has not been named.
The email subject lines include “List of <target name> persons under US sanctions for invading Ukraine” and in the third instance “US spread of deadly pathogens in Belarus”, which is likely a reference to an ongoing campaign of misinformation on the subject of chemical weapons.
On opening the attached documents, the malicious code is downloaded from the attacker-controlled server to install and covertly run a backdoor that enables them to obtain data about the infected system. This data can then be used to further execute additional commands on the system.
“Perhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups,” said Cohen.
“I believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China’s strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against who is considered a strategic partner – Russia,” he added.