Specialists from SentinelLabs have identified a new cluster of cyber threat activity that has recently been targeting Russian organizations. They assess that a Chinese APT group is behind these attacks, which were also reported by the Ukrainian CERT (CERT-UA).
The threat actors have used phishing emails to deliver Office documents that infect victims with Bisonal, the most commonly used RAT in this activity. Similar attack techniques were also used against Pakistani organizations, where SentinelLabs observed associated activity.
Specialists have observed China's involvement in numerous campaigns against Russia following its invasion of Ukraine.
On June 22, 2022, CERT-UA publicly released Alert #4860, which presents several documents built with the Royal Road malicious document builder and crafted to reflect Russian government interests. SentinelLabs analyzed the CERT-UA report further and confirmed the involvement of a Chinese APT group.
The malicious activity comes amid other Chinese attacks against Russia, such as those attributed to Space Pirates, Mustang Panda and Scarab, but it represents a separate cluster of Chinese activity. The specific actor's identity is unclear so far, although it is clear that Chinese APT groups aim to target a wide range of Russian organizations.
Who may be behind the attack?
SentinelLabs suggests that the group behind the attacks could be the Tonto Team APT (also known as "Earth Akhlut" and "CactusPete"), which has been reported on for almost ten years. They also say, however, that it is too early to draw any definite conclusions from the currently available data.
"The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control," reads the report published by SentinelLabs.
The Tonto Team APT group has also targeted multiple victims across the globe, with a particular interest in Northeast Asia, including private businesses, critical infrastructure and governments. The group has shown an interest in Russian targets for the past several years, but recently specialists have observed a significant spike in activity in this direction.
"We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there's been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations," the researchers also write in the report.
On the whole, the purpose of the attacks appears to be espionage, but this is a limited assessment given the researchers' external visibility into the activity.