Chinese Attacks On Russian Government Agencies 

Cyber security researchers have uncovered an apparently new Advanced Persistent Threat (APT) group, known as CloudSorcerer, targeting Russian government entities. 

The group uses a sophisticated cyber espionage tool, discovered by Kaspersky and reported in an advisory it published in June, that is designed for covert data collection and exfiltration, using Microsoft Graph, Yandex Cloud and Dropbox for its command and control (C2) infrastructure. 

In late July 2024, a series of targeted cyber attacks on dozens of computers at Russian government organisations and IT companies was detected. This campaign was described in detail by Kaspersky, who named it EastWind. 

The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. The attackers used this malware to download additional payloads onto infected computers, in particular tools that have previously been used by the Chinese APT31 group.

Interesting features of the implants used in this campaign:-

  • The malware downloaded by the attackers from Dropbox has been used by APT31 since at least 2021. 
  • The attackers updated the CloudSorcerer backdoor, and it currently uses LiveJournal (a social network popular in Russia) and Quora profiles as initial C2 servers.
  • The attacks additionally deploy a previously unknown implant with classic backdoor functionality. It is loaded via the CloudSorcerer backdoor, and its command set is quite extensive. It supports three different protocols for communicating with C2.

The attackers used spear phishing to gain an initial foothold in the organisations, sending malicious emails with attached RAR archives to targeted organisational email addresses. Once the tool was run, the attackers downloaded the following files to the infected machine:-

  • A file with the .ini extension, containing the encrypted payload. The name of this file varied across infected machines.
  • The renamed legitimate application dbgsrv.exe (example name: WinDRMs.exe), signed by Microsoft.
  • The malicious library dll.
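The dropped set above is a classic DLL sideloading layout: a renamed, legitimately signed executable sitting next to a DLL and an encrypted .ini payload. The following added hunting script (not Kaspersky's code, and not from the original article) flags process-creation records whose on-disk name differs from the name compiled into the binary, and raises the severity when a DLL and an .ini file sit in the same directory. The Sysmon-style records, the directory listings and all file names other than dbgsrv.exe / WinDRMs.exe are constructed for the example; it generalises beyond dbgsrv.exe to any renamed signed binary.

```python
import ntpath

# Constructed records shaped like Sysmon Event ID 1 (field names follow Sysmon's schema).
# OriginalFileName comes from the PE version resource, so it survives a rename on disk.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Soft\WinDRMs.exe",   # renamed dbgsrv.exe
     "OriginalFileName": "dbgsrv.exe"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgsrv.exe",
     "OriginalFileName": "dbgsrv.exe"},                             # legitimate location
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},                            # case differs only
]

# Constructed directory listings of the host under investigation (DLL name is a placeholder).
SAMPLE_LISTINGS = {
    r"C:\Users\alice\AppData\Roaming\Soft": ["WinDRMs.exe", "loader.dll", "cfg.ini"],
    r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64": ["dbgsrv.exe"],
    r"C:\Windows\System32": ["notepad.exe"],
}


def is_renamed(event):
    """True when the on-disk file name differs from the name compiled into the binary."""
    on_disk = ntpath.basename(event["Image"]).lower()
    return on_disk != event["OriginalFileName"].lower()


def has_sideload_neighbours(event, listings):
    """True when both a .dll and an .ini file sit next to the executable (the drop pattern)."""
    directory = ntpath.dirname(event["Image"])
    exts = {ntpath.splitext(name.lower())[1] for name in listings.get(directory, [])}
    return ".dll" in exts and ".ini" in exts


def triage(events, listings):
    """Return {image_path: severity} for every record that matches the pattern."""
    findings = {}
    for event in events:
        renamed = is_renamed(event)
        if renamed and has_sideload_neighbours(event, listings):
            findings[event["Image"]] = "high"      # renamed binary plus DLL and .ini beside it
        elif renamed:
            findings[event["Image"]] = "medium"    # renamed binary on its own
    return findings


if __name__ == "__main__":
    for path, severity in triage(SAMPLE_EVENTS, SAMPLE_LISTINGS).items():
        print(f"{severity.upper():6} {path}")
```

On real telemetry the listings would come from a file-system inventory or Sysmon file-creation events rather than a hard-coded dict, and a legitimate dbgsrv.exe in its SDK directory produces no finding.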

The implants identified during the attack differ significantly from each other, so experts advise that a separate set of Indicators of Compromise (IoCs) is needed to identify each piece of malware used in a compromise.

In attacks on government organisations, threat actors often use toolkits that implement a wide variety of techniques and tactics. In developing these tools, they go to the greatest lengths possible to hide malicious activity in network traffic. The attackers behind the EastWind campaign used popular network services (GitHub, Dropbox, Quora, LiveJournal and Yandex.Disk) as C2 servers. 

Notably, the EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and APT31.

This clearly shows that APT groups very often team up, actively sharing knowledge and tools. To counter such collaborations successfully, defenders need to continuously monitor the techniques and tactics of APT groups operating around the world.

Kaspersky | Fortinet | Securelist | Reuters | Profero.io | Industrial Cyber | Infosecurity-magazine | Hacker News

Image: Ideogram
