Chinese Attacks On Russian Government Agencies 

Cyber security researchers have uncovered an apparently new Advanced Persistent Threat (APT) group, known as CloudSorcerer, targeting Russian government entities.

They use a sophisticated cyber espionage tool, discovered by Kaspersky and reported in an advisory it published in June, that is designed for covert data collection and exfiltration and uses Microsoft Graph, Yandex Cloud and Dropbox for its command and control (C2) infrastructure.

In late July 2024, a series of targeted cyber attacks on dozens of computers at Russian government organisations and IT companies was detected. This campaign was described in detail by Kaspersky, who named it EastWind.

The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. Attackers used this malware to download additional payloads onto infected computers, in particular tools that have previously been used by the Chinese APT31 group.

Interesting features about the implants used in this campaign:-

 

  • The malware downloaded by the attackers from Dropbox has been used by APT31 since at least 2021. 
  • The attackers updated the CloudSorcerer backdoor, which currently uses LiveJournal (a social network popular in Russia) and Quora profiles as initial C2 servers.
  • The attacks additionally deploy a previously unknown implant with a classic backdoor functionality. It is loaded via the CloudSorcerer backdoor, and its command set is quite extensive. It supports three different protocols for communicating with C2.

The attackers used spear phishing to gain an initial foothold in the organisations, sending malicious emails with attached RAR archives to the target organisations' email addresses. After running the tool, the attackers downloaded the following files to the infected machine:-

  • A file with the .ini extension, containing the encrypted payload. The name of this file varied across infected machines.
  • The renamed legitimate application dbgsrv.exe (example name: WinDRMs.exe), signed by Microsoft.
  • The malicious library dll.
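
The file set above (a Microsoft-signed debugger server running under another name next to a malicious library) can be hunted for in process telemetry. The following is an added example, not code from the article or from Kaspersky: it assumes events shaped like Sysmon event ID 1 (process creation) and event ID 7 (image load), and every path, GUID and DLL name in the sample data is a constructed placeholder.

```python
import ntpath

# Original file names (from the PE version resource) worth watching.
# dbgsrv.exe is the binary named in the article; extend the set as needed.
WATCHED_ORIGINALS = {"dbgsrv.exe"}

def find_renamed_sideloads(events):
    """Flag watched binaries running under another name, and collect the
    unsigned DLLs each one loads from its own directory."""
    renamed = {}  # ProcessGuid -> finding
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            original = ev.get("OriginalFileName", "").lower()
            on_disk = ntpath.basename(ev["Image"]).lower()
            if original in WATCHED_ORIGINALS and on_disk != original:
                renamed[ev["ProcessGuid"]] = {
                    "image": ev["Image"], "original": original, "unsigned_dlls": []}
        elif ev["EventID"] == 7 and ev["ProcessGuid"] in renamed:  # image load
            same_dir = (ntpath.dirname(ev["ImageLoaded"]).lower()
                        == ntpath.dirname(ev["Image"]).lower())
            if same_dir and ev.get("Signed", "false").lower() != "true":
                renamed[ev["ProcessGuid"]]["unsigned_dlls"].append(ev["ImageLoaded"])
    return list(renamed.values())

# Constructed sample events (placeholders, not real telemetry or IoCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "OriginalFileName": "dbgsrv.exe",
     "Image": r"C:\Users\Public\Example\WinDRMs.exe"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Signed": "false",
     "Image": r"C:\Users\Public\Example\WinDRMs.exe",
     "ImageLoaded": r"C:\Users\Public\Example\placeholder.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Signed": "true",
     "Image": r"C:\Users\Public\Example\WinDRMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # A debugger server running under its own name is not flagged.
    {"EventID": 1, "ProcessGuid": "{guid-2}", "OriginalFileName": "dbgsrv.exe",
     "Image": r"C:\Tools\Debuggers\dbgsrv.exe"},
    {"EventID": 7, "ProcessGuid": "{guid-2}", "Signed": "false",
     "Image": r"C:\Tools\Debuggers\dbgsrv.exe",
     "ImageLoaded": r"C:\Tools\Debuggers\plugin.dll"},
]

if __name__ == "__main__":
    for finding in find_renamed_sideloads(SAMPLE_EVENTS):
        print(finding)
```

A name mismatch alone is a lead rather than a verdict; the same-directory unsigned load is what narrows it to likely sideloading.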

The implants identified during the attack differ significantly from each other. Because of this, experts advise using a separate set of Indicators of Compromise (IoCs) to identify each piece of malware used in a compromise.

In attacks on government organisations, threat actors often use toolkits that implement a wide variety of techniques and tactics. In developing these tools, they go to the greatest lengths possible to hide malicious activity in network traffic. The attackers behind the EastWind campaign used popular network services (GitHub, Dropbox, Quora, LiveJournal and Yandex.Disk) as C2 servers. 

Notably, the EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and APT31.

This clearly shows that APT groups very often team up, actively sharing knowledge and tools. To successfully counter such collaborations, the techniques and tactics of APT groups operating around the world are now being monitored.

Kaspersky | Fortinet | Securelist | Reuters | Profero.io | Industrial Cyber | Infosecurity-magazine | Hacker News
