Russian Organizations Under Attack By Chinese APTs

Chinese APTs Increasingly Target Russian Organizations
Chinese APTs Increasingly Target Russian Organizations

Unveiling a recent cyber saga, the experts at SentinelLabs have unearthed a menacing digital force, strategically honing in on Russian organizations. In their detective work, they’ve traced the sinister trail back to the notorious Chinese APT group, a revelation corroborated by the vigilant eyes at Ukraine CERT (CERT-UA).

The plot thickens as the adversaries deploy cunning tactics, leveraging phishing emails as Trojan horses, delivering malevolent Office documents armed with Bisonal—the underworld’s go-to Remote Access Trojan (RAT). Like a cyber echo, these same techniques reverberated across borders, targeting unsuspecting victims in Pakistani organizations, a sinister symphony meticulously observed by the sharp minds at SentinelLabs.

In the grand theater of digital warfare, China takes center stage, orchestrating a myriad of campaigns against Russia, a retaliatory crescendo following its invasion of Ukraine.

On June 22nd 2022 CERT-UA made a public release of Alert #4860 that presents several documents built with the help of Royal Road malicious document builder and constructed to reflect Russian government interests. Specialists from SentinelLabs analyzed further the report by CERT-UA and confirmed the involvement of a Chinese APT group.

Chinese APTs Increasingly Target Russian Organizations
One Of Malicious Documents Distributed In A Campaign – Russia Telecom Theme – “Пояснительная записка к ЗНИ.doc”
Chinese APTs Increasingly Target Russian Organizations
Translation Of The Previous Document Example

The malicious activity comes amidst other Chinese attacks against Russia such as Space Pirates, Mustang Panda, Scarab, but here it is separate Chinese activity. The specific actor’s identity is unclear so far, although it remains clear that Chinese APT groups aim to target a wide range of different Russian organizations.

Who may be behind the attack?

SentinelLabs specialists speculate that the Tonto Team APT (“Earth Akhlut”, “CactusPete”) group, reported for nearly a decade, might be the potential culprit behind the attacks. However, they emphasize that it is premature to draw definitive conclusions based on the current available data.

The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control,” goes in a report published by SentinelLabs.

Tonto Team APT group also targeted multiple victims across the globe including the targets of their particular interest in Northeast Asia such as private businesses, critical infrastructure, governments, etc. The group has been particular in their interests in Russian targets for the past years but recently in this direction specialists observed a significant spike of activity.

We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods– the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations,” also goes in a report by researchers.

On the whole the purpose of the attacks seems to be espionage-related, but that’s a limited assumption because of external visibility of the researchers’ standpoint.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *