Cybercriminals linked to China are going after Russian targets

A group of 7 hackers, 6 slightly blurred in the background and one in the foreground, all wearing black with hoods pulled up over their heads. You cannot see their faces. The hacker in the foreground sits with an open laptop in front of them. The background, behind the hackers, is a Chinese flag
(Image credit: Getty Images)

It would seem China and Russia aren’t exactly allies when it comes to cyberspace, as the latter has apparently spotted malware associated with the former on devices belonging to its government and IT providers.

Cybersecurity researchers from Kaspersky claim since late July, they spotted “dozens” of infected computers, all compromised in a campaign they called EastWind. These malware samples obtained in their analysis seem to have been developed by two China-nexus groups, called APT27, and APT31.

Kaspersky said the initial compromise was done via phishing emails. The crooks would send emails with two attachments, one legitimate, and one malicious. The latter would communicate with DropBox, GitHub, Quora, LiveJournal, and Yandex.Disk, which the threat actors used as a command & control (C2) server of sorts.

Multiple payloads

Through these cloud services, the hackers would instruct the malware to download stage two payloads, including a trojan called GrewApacha, and a backdoor called CloudSorcerer.

The latter was also spotted in attacks against American organizations in late May 2024, The Register reports. Furthermore, CloudSorcerer was used to download a previously unseen implant dubbed PlugY, which can manipulate files, run shell commands, log keystrokes, monitor screens, edit clipboard contents, and more.

"Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it," Kaspersky said in its report. DRBControl was apparently developed by APT27. Since the malware used in the EastWind campaign was similar to variants used by both APT27 and APT29, Kaspersky believes this “clearly shows” how Chinese state-sponsored actors "very often team up, actively sharing knowledge and tools."

On the surface, China and Russia often act as allies, supporting each other’s political and military aspirations. China, for example, supports Russia’s invasion of Ukraine, while Russia repeats China’s statements of “one China” - a term used to deny Taiwan’s sovereignty and territorial integrity. However, when it comes to the fight for information, it would seem that there are no alliances.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.