Chinese Attacks On Russian Government Agencies 

Cyber security researchers have uncovered an apparently new Advanced Persistent Threat (APT) group  targeting Russian government entities, known as CloudSorcerer. 

They use a sophisticated cyber espionage tool, discovered by Kaspersky and reported is an advisory they published,  in June, is designed for covert data collection and exfiltration, using Microsoft Graph, Yandex Cloud and Dropbox for its command and control (C2) infrastructure. 

In late July 2024, a series of targeted cyber attacks on dozens of computers at Russian government organisations and IT companies was detected. This campaign was described in detail by Kaspersky, who named  it EastWind. 

The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. Attackers used this malware to download additional payloads onto infected computers, in particular tools previously that have been used before by the Chinese APT31 group.

Interesting features about the implants used in this campaign:-

 

  • The malware downloaded by the attackers from Dropbox has been used by APT31 since at least 2021. 
  • The attackers updated the The CloudSorcerer backdoor and it currently uses LiveJournal (a social network popular in Russia) and Quora profiles as initial C2 servers.
  • The attacks additionally deploy a previously unknown implant with a classic backdoor functionality. It is loaded via the CloudSorcerer backdoor, and its command set is quite extensive. It supports three different protocols for communicating with C2.

The attackers used spear phishing to gain an initial foothold into the organisations and they sent malicious emails with attached RAR archives to target organisational email addresses. After running the tool, the attackers downloaded the following files to the infected machine:-

  • A file with the .ini extension, containing the encrypted payload. The name of this file varied across infected machines.
  • The renamed legitimate application dbgsrv.exe (example name: WinDRMs.exe), signed by Microsoft.
  • The malicious library dll.

The implants identified during the attack significantly differ from each other and, because of this complicating feature, experts advise that it is necessary to use a separate set of Indicators of Compromise (IoCs) to identify each malware used in any compromise.

In attacks on government organisations, threat actors often use toolkits that implement a wide variety of techniques and tactics. In developing these tools, they go to the greatest lengths possible to hide malicious activity in network traffic. The attackers behind the EastWind campaign used popular network services (GitHub, Dropbox, Quora, LiveJournal and Yandex.Disk) as C2 servers. 

Notably, the EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and APT31.

This clearly shows that APT groups very often team up, actively sharing knowledge and tools. To successfully counter such collaborations, there are now monitors of the techniques and tactics of APT groups operating around the world.

Kaspersky   |   Fortinet   |    Securelist   |    Reuters   |   Profero.io  |   Industrial Cyber   |   Infosecurity-magazine    | 

Hacker News

Image: Ideogram

You Might Also Read: 

Chinese Hackers Have A Global Impact:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Predictions For The Fourth Industrial Revolution [extract]
China & Russia In Technology Collaboration »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

GlobalSign

GlobalSign

GlobalSign is an identity services company providing cloud-based, PKI solutions for enterprises needing to conduct safe commerce, communications, content delivery and community interactions.

Payload Security

Payload Security

Payload Security's VxStream Sandbox is a fully automated malware analysis system.

Consult Hyperion

Consult Hyperion

Consult Hyperion is an independent strategic and technical consultancy specialising in digital identity and secure electronic transactions.

Veriato

Veriato

Veriato develops intelligent solutions that provide companies with visibility into the human behaviors and activities occurring within their network, making them more secure and productive.

Moxa

Moxa

Moxa is a leading provider of industrial networking, computing, and automation solutions for enabling the Industrial Internet of Things.

Cyber Police of Ukraine

Cyber Police of Ukraine

Cyber Police of Ukraine is a law enforcement agency within the the Ministry of Internal Affairs of Ukraine dedicated to combating cyber crime.

ICS-CSR

ICS-CSR

ICS-CSR is a research conference bringing together researchers with an interest in the security of industrial control systems.

Google for Startups

Google for Startups

Google for Startups is Google’s initiative to help startups thrive across every corner of the world.

Noventiq

Noventiq

Noventiq (the brandname of Softline Holding plc) is a leading global solutions and services provider in digital transformation and cybersecurity.

ThreatX

ThreatX

ThreatX provides complete web application & API protection to address expanding app footprints and complex attacks.

SafeStack Academy

SafeStack Academy

SafeStack Academy is an online cyber security and privacy education platform. Our content is designed by experts to suit small businesses, growing companies, and development teams.

gener8tor

gener8tor

The gener8tor Cybersecurity Accelerator offers a cutting-edge program in San Antonio, home to the second-largest concentration of cybersecurity experts in the United States.

Resilience Cyber insurance

Resilience Cyber insurance

Resilience helps to improve cyber resilience by connecting cyber insurance coverage with advanced cybersecurity visibility and a shared plan to reinforce great cyber hygiene.

Avalor

Avalor

Avalor are on a mission to help security teams make faster, more accurate decisions by making sense of their data. With Avalor you can bring in data from anywhere, normalize it and analyze it.

AT&T Cybersecurity

AT&T Cybersecurity

AT&T Cybersecurity’s Edge-to-Edge technologies provide threat intelligence, collaborative defense, security without the seams, and solutions that fit your business.

12Port

12Port

12Port network security solutions help companies tackle modern cybersecurity threats cost-effectively while implementing zero-trust architectures.