Chinese Attacks On Russian Government Agencies 

Cyber security researchers have uncovered a previously unknown Advanced Persistent Threat (APT) group, named CloudSorcerer, targeting Russian government entities.

The group uses a sophisticated cyber espionage tool, discovered by Kaspersky and described in an advisory it published in June, that is designed for covert data collection and exfiltration and uses Microsoft Graph, Yandex Cloud and Dropbox for its command and control (C2) infrastructure.

In late July 2024, a series of targeted cyber attacks on dozens of computers at Russian government organisations and IT companies was detected. This campaign was described in detail by Kaspersky, which named it EastWind.

The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. The attackers used this malware to download additional payloads onto infected computers, in particular tools that had previously been used by the Chinese APT31 group.

Interesting features of the implants used in this campaign:-

  • The malware the attackers downloaded from Dropbox has been used by APT31 since at least 2021.
  • The attackers updated the CloudSorcerer backdoor; it currently uses LiveJournal (a social network popular in Russia) and Quora profiles as its initial C2 servers.
  • The attacks additionally deploy a previously unknown implant with classic backdoor functionality. It is loaded via the CloudSorcerer backdoor, its command set is quite extensive, and it supports three different protocols for communicating with C2.

The attackers used spear phishing to gain an initial foothold in the organisations, sending malicious emails with attached RAR archives to organisational email addresses. Once the attachment had been run, the attackers downloaded the following files to the infected machine:-

  • A file with the .ini extension, containing the encrypted payload. The name of this file varied across infected machines.
  • A renamed copy of the legitimate, Microsoft-signed application dbgsrv.exe (example name: WinDRMs.exe).
  • A malicious DLL.

The implants identified during the attack differ significantly from each other, so a separate set of Indicators of Compromise (IoCs) is needed to identify each piece of malware used in a compromise.

In attacks on government organisations, threat actors often use toolkits that implement a wide variety of techniques and tactics, and in developing these tools they go to great lengths to hide malicious activity in network traffic. The attackers behind the EastWind campaign used popular network services (GitHub, Dropbox, Quora, LiveJournal and Yandex.Disk) as C2 servers.
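The infection chain above (a renamed, Microsoft-signed dbgsrv.exe sideloading a malicious DLL) and the use of ordinary cloud services as C2 both leave traces a defender can hunt for without any sample-specific IoC. The following is an added example, not Kaspersky's tooling or anything from the EastWind report: it runs three heuristics over Sysmon-shaped events (EID 1 process create, EID 7 image load, EID 22 DNS query). The sample events, paths, PIDs, the DLL name payload.dll, the cloud hostname patterns and the list of "expected" cloud clients are all constructed assumptions; only dbgsrv.exe and the example name WinDRMs.exe come from the article.

```python
"""
Hunt for EastWind-style traits in Sysmon-shaped telemetry (added example).
Checks: (1) a process whose PE OriginalFileName is a known sideloading host
but whose on-disk name differs; (2) an unsigned DLL loaded by such a process
from its own directory; (3) DNS lookups of the cloud services named in the
report from a process that is not a browser or a known sync client.
"""
import fnmatch

# The report names dbgsrv.exe as the renamed, Microsoft-signed host binary.
SIDELOAD_HOSTS = {"dbgsrv.exe"}

# Services the report says were used for C2. The hostname patterns are
# assumptions about the domains those services use, not IoCs from the report.
CLOUD_C2_PATTERNS = [
    "*.dropbox.com", "*.dropboxapi.com",          # Dropbox
    "graph.microsoft.com",                          # Microsoft Graph
    "*.yandex.net", "*.yandex.ru",                  # Yandex Cloud / Yandex.Disk
    "*.livejournal.com", "*.quora.com",             # profile-hosted C2 addresses
    "api.github.com", "raw.githubusercontent.com",  # GitHub
]

# Processes expected to reach those services on a workstation (assumption).
EXPECTED_CLOUD_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
    "dropbox.exe", "onedrive.exe", "teams.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _dirname(path: str) -> str:
    """Lower-cased parent directory from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def find_renamed_sideload_hosts(events):
    """EID 1: OriginalFileName is read from the PE version resource and survives
    a rename on disk, so a mismatch against a known host binary is the signal."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        original = (ev.get("OriginalFileName") or "").lower()
        image = ev.get("Image", "")
        if original in SIDELOAD_HOSTS and _basename(image) != original:
            hits.append({"pid": ev["ProcessId"], "image": image, "original": original})
    return hits


def find_unsigned_sideloaded_dlls(events, suspicious_pids):
    """EID 7: an unsigned DLL loaded by a flagged process from the directory the
    host binary itself sits in is the classic search-order sideload."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or ev.get("ProcessId") not in suspicious_pids:
            continue
        if str(ev.get("Signed", "")).lower() == "true":
            continue
        if _dirname(ev["ImageLoaded"]) == _dirname(ev["Image"]):
            hits.append({"pid": ev["ProcessId"], "dll": ev["ImageLoaded"]})
    return hits


def find_unexpected_cloud_clients(events):
    """EID 22: DNS queries for the named cloud services from unexpected processes."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        name = ev.get("QueryName", "").lower()
        if _basename(ev.get("Image", "")) in EXPECTED_CLOUD_CLIENTS:
            continue
        if any(fnmatch.fnmatchcase(name, pat) for pat in CLOUD_C2_PATTERNS):
            hits.append({"pid": ev["ProcessId"], "image": ev["Image"], "query": name})
    return hits


def hunt(events):
    """Run all checks; the DLL check is scoped to processes the first check flagged."""
    renamed = find_renamed_sideload_hosts(events)
    dlls = find_unsigned_sideloaded_dlls(events, {h["pid"] for h in renamed})
    cloud = find_unexpected_cloud_clients(events)
    return {"renamed_hosts": renamed, "sideloaded_dlls": dlls, "cloud_c2": cloud}


# Constructed sample telemetry: a benign dbgsrv.exe from the debugging tools, a
# renamed copy (WinDRMs.exe) that loads an unsigned DLL from its own folder and
# then resolves Dropbox, and a browser reaching Dropbox legitimately.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5000, "OriginalFileName": "dbgsrv.exe",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgsrv.exe"},
    {"EventID": 1, "ProcessId": 4120, "OriginalFileName": "dbgsrv.exe",
     "Image": r"C:\Users\user\AppData\Roaming\WinDRMs.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\user\AppData\Roaming\WinDRMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\user\AppData\Roaming\WinDRMs.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Roaming\payload.dll", "Signed": "false"},
    {"EventID": 22, "ProcessId": 4120, "Image": r"C:\Users\user\AppData\Roaming\WinDRMs.exe",
     "QueryName": "api.dropboxapi.com"},
    {"EventID": 22, "ProcessId": 900, "QueryName": "www.dropbox.com",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for key, hits in hunt(SAMPLE_EVENTS).items():
        print(key, hits)
```

Two caveats a practitioner should keep in mind: OriginalFileName comes from a version resource the attacker can strip or rewrite, so pair the rename check with the file hash or the Authenticode signer of the on-disk binary; and the cloud-domain check is a triage heuristic, not an IoC, because the same services carry a great deal of legitimate traffic.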

Notably, the EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and APT31.

This shows that APT groups often team up, actively sharing knowledge and tools. Countering such collaborations requires continuous monitoring of the techniques and tactics of APT groups operating around the world.

Sources: Kaspersky | Fortinet | Securelist | Reuters | Profero.io | Industrial Cyber | Infosecurity-Magazine | Hacker News

Image: Ideogram
