Chinese APT groups are increasingly targeting Russian organizations following the war in Ukraine, according to research by SentinelLabs.
The latest investigation indicated that a Chinese state-sponsored cyber espionage group launched a “cluster” of phishing emails to deliver remote access Trojan (RAT) malware, most commonly Bisonal, against Russian targets in recent weeks. SentinelLabs researchers attributed this threat activity “with high confidence” to a Chinese state-backed group, although “specific actor attribution is unclear at this time.”
The new analysis follows other campaigns by Chinese APT groups targeting Russia in recent months. These include Scarab, Mustang Panda and Space Pirates, which were also identified by SentinelLabs. Additionally, in May, Google’s Threat Analysis Group (TAG) highlighted the growing targeting of Russia by Chinese threat groups.
The latest campaign has also been noted by CERT-UA, Ukraine’s National Computer Emergency Response Team. On June 22, the organization reported several RTF documents containing malicious code exploiting one or more vulnerabilities in MS Office. It believes that these documents were built with the Royal Road builder and dropped the Bisonal backdoor, both of which are strongly associated with Chinese APT groups: Royal Road is a malicious document builder used widely by such groups, while Bisonal is a backdoor RAT unique to Chinese threat actors.
SentinelLabs added that it had identified associated activity targeting telecommunication organizations in Pakistan, using similar attack techniques.
The cybersecurity firm noted that “it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations.”
It continued: “SentinelLabs assessed with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributed to Chinese threat actors. Based on SentinelLabs’ observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility.”
Earlier this week, MI5 and FBI leaders warned business leaders and academics of the “massive” cyber-espionage threat from China.