State-Backed Chinese Hackers Target Russia

Financially motivated and state-sponsored actors around the globe continue to use the war in Ukraine as a lure for phishing campaigns, with Chinese groups targeting Russia of late, according to Google.

The tech giant’s Threat Analysis Group (TAG) claimed in its new quarterly bulletin that the usual governments of China, Iran, North Korea and Russia were responsible for many of the attacks recorded over the period.

Interestingly, Chinese People’s Liberation Army (PLA) actors continue to target Russian assets, despite Beijing’s tacit approval of the invasion of Ukraine and an increasingly close geopolitical relationship between the two autocracies.

The PLA attacks targeted government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia, according to TAG.

“In Russia, long-running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs,” it added. “Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.”

Elsewhere, TAG observed the infamous Russian APT28/Fancy Bear group targeting users in Ukraine with new password-stealing malware delivered via booby-trapped email attachments.

It also claimed to have detected the Turla group, thought to be part of Russia’s FSB, continue running phishing campaigns against targets in the Baltics.

A third Russian state actor, Coldriver/Callisto, continued to use Gmail accounts to send phishing emails to government and defense officials, politicians, NGOs and think tanks and journalists, TAG added.

Elsewhere, it noted that the Belarusian Ghostwriter group resumed targeting Gmail accounts via credential phishing, particularly “high-risk” individuals in Ukraine.

Last week, Microsoft released new threat intelligence claiming that Russian state-aligned actors had launched 237 campaigns against Ukrainian targets since just before the invasion and that more were likely on their way.

Pre-positioning for such attacks began as far back as March 2021, it noted.

What’s Hot on Infosecurity Magazine?