China-linked Twisted Panda APT spied on Russian defence research orgs

At least two Russia-based defence research institutes and another entity in Belarus likely related to the research field have been a target of a long-running cyber-espionage campaign conducted by China-linked state-sponsored hackers.

The campaign targeted defence research institutes belonging to a holding company within the Russian state-owned defence conglomerate Rostec Corporation; the holding is Russia's largest in the radio-electronics industry. The institutes in question primarily develop electronic warfare systems, military onboard radio-electronic equipment, airborne radar stations and means of state identification (IFF).

Security researchers at the Israeli cybersecurity firm Check Point, who discovered the campaign, have attributed the operation with high confidence to a group they dubbed "Twisted Panda", which they say may be connected to another Chinese state-backed group, Stone Panda (aka APT10).

According to the researchers, Twisted Panda has been targeting a holding company within the Russian state-owned Rostec Corporation with spear-phishing attacks since at least June 2021, with the latest activity observed in April 2022.

The phishing emails purported to contain information on Western sanctions imposed on Russia over its invasion of Ukraine. Each carried both a link to an attacker-controlled site disguised as a domain of the Russian Ministry of Health and a malicious Word document attachment.
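The lure relies on a link whose host merely resembles a Ministry of Health domain. The following is an added triage example, not code from Check Point or from the article: it pulls the anchors out of an email body, compares each link host against an allowlist of legitimate domains (the allowlist entry `minzdrav.gov.ru` is an assumption, as is the constructed sample email; the report does not publish the spoofed domain) and flags hosts that embed the trusted brand label or sit within a small edit distance of it, plus anchors whose visible text names a domain other than the one the link actually points to.

```python
import re
from urllib.parse import urlparse

# Assumption (not stated in the article): the legitimate domain the lure impersonates.
TRUSTED_DOMAINS = {"minzdrav.gov.ru"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample, not a real lure: one brand-prefixed host, one typosquat,
# one legitimate link and one unrelated host.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Information on the new Western sanctions:</p>
<p><a href="https://minzdrav.gov.ru.sanctions-info.com/list">minzdrav.gov.ru</a></p>
<p><a href="http://minzdrav-gov.ru/docs/sanctions.docx">Download the document</a></p>
<p><a href="https://minzdrav.gov.ru/press">official site</a></p>
<p><a href="https://example.org/unrelated">unsubscribe</a></p>
</body></html>"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between an untrusted host and a trusted one marks a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(s: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, without a leading 'www.'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for the domain or a subdomain of it, 'lookalike' for brand-in-label or near-miss hosts."""
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    for t in trusted:
        brand = t.split(".")[0]
        if levenshtein(host, t) <= max_distance:
            return "lookalike"
        # Catches hosts such as minzdrav.gov.ru.<attacker>.com, where the trusted name is only a prefix.
        if any(brand in label for label in host.split(".")):
            return "lookalike"
    return "untrusted"


def triage_links(html: str, trusted=TRUSTED_DOMAINS):
    """One finding per anchor: resolved host, verdict, and whether the visible text names a different host."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = host_of(href)
        text_clean = re.sub(r"<[^>]+>", "", text).strip()
        looks_like_domain = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text_clean, re.I)
        text_host = host_of(text_clean) if looks_like_domain else ""
        findings.append({
            "url": href,
            "host": href_host,
            "verdict": classify_host(href_host, trusted),
            "text_mismatch": bool(text_host) and text_host != href_host,
        })
    return findings


def suspicious_links(html: str = SAMPLE_EMAIL_HTML):
    """Anchors worth escalating: lookalike hosts or display text that lies about the destination."""
    return [f for f in triage_links(html) if f["verdict"] == "lookalike" or f["text_mismatch"]]


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EMAIL_HTML):
        print(f"{f['verdict']:10} text_mismatch={f['text_mismatch']!s:5} {f['url']}")
```

The edit-distance threshold and the brand-label substring check are deliberately crude; in production you would add the trusted domain's known subdomains and a homoglyph normalisation step, but the two checks above already catch the two most common shapes of a government-domain lure.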

Another spear-phishing email, with the subject "US Spread of Deadly Pathogens in Belarus" and likewise purporting to come from the Russian Ministry of Health, was sent to an unidentified entity in the Belarusian capital, Minsk.

The decoy Microsoft Word document attached to the phishing email triggers the infection chain and drops a multi-layered loader and a backdoor dubbed "Spinner", which:

  • Collects information about the infected machine (enumerates disks and files).

  • Exfiltrates files from the infected machine and manipulates local files.

  • Runs OS commands and executes downloaded payloads, as part of its typical backdoor capabilities.

“As a part of this investigation, we uncovered the previous wave of this campaign, also likely targeting Russian or Russia-related entities, active since at least June 2021. The evolution of the tools and techniques throughout this time period indicates that the actors behind the campaign are persistent in achieving their goals in a stealthy manner. In addition, the Twisted Panda campaign shows once again how quickly Chinese espionage actors adapt and adjust to world events, using the most relevant and up-to-date lures to maximize their chances of success,” the researchers concluded.
