China-linked cyber-spies breach Russian government, IT networks

MOSCOW, RUSSIA — A sophisticated cyber-espionage campaign, allegedly linked to Chinese state-sponsored groups, has infiltrated Russian government agencies and IT providers.
The Russia-based cybersecurity firm Kaspersky has identified “dozens” of compromised computers infected with backdoors and trojans since late July.
This ongoing operation, dubbed “EastWind,” involves malware associated with two notorious China-linked groups, APT27 and APT31.
Phishing tactics and cloud-based command centers
The attackers initially gained access through phishing emails containing RAR archive attachments. These attachments included a Windows shortcut, a decoy document, and both legitimate and malicious files.
The malicious components used DLL sideloading: the shortcut launched a legitimate, signed executable from the archive, which in turn loaded a malicious DLL placed beside it. That DLL was a backdoor that communicated with Dropbox. Once communication was established, the backdoor executed commands, conducted reconnaissance and downloaded additional malware.
The attackers used popular cloud services and websites, including GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk, as command-and-control (C2) infrastructure. Because these are legitimate, widely used services, traffic to them blends in with normal activity and is unlikely to be blocked on domain reputation alone. Through these channels the attackers directed their malware to download further payloads onto compromised systems.
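The chain described above (RAR-extracted executable, DLL sideloaded from the extraction directory, non-browser process talking to a cloud service) can be triaged from ordinary endpoint telemetry. The following is an added example, not Kaspersky's tooling or anything from the campaign; it assumes Sysmon/EDR-style events delivered as JSON lines with the fields shown, and the sample events are constructed for illustration (the dropboxapi.com host and the Rar$ temp-folder naming are assumptions of the example).

```python
"""Host-telemetry triage for a RAR -> LNK -> DLL-sideload -> cloud-C2 chain.

Added example, not Kaspersky's tooling. Assumes EDR/Sysmon-style events as JSON
lines with the fields used below; the sample events are constructed.
"""
import json
from collections import defaultdict

# Services the article reports the campaign abusing for C2. dropboxapi.com is the
# host Dropbox API clients talk to; including it is an assumption of this example.
CLOUD_C2_DOMAINS = (
    "dropbox.com", "dropboxapi.com", "github.com", "quora.com",
    "livejournal.com", "disk.yandex.ru",
)
# Processes for which traffic to those services is expected and not interesting.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Directories where a legitimately installed binary and its DLLs normally live.
TRUSTED_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")


def norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path for comparison."""
    return path.replace("\\", "/").lower()


def in_trusted_dir(path: str) -> bool:
    return norm(path).startswith(TRUSTED_DIRS)


def parent_dir(path: str) -> str:
    return norm(path).rsplit("/", 1)[0]


def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def is_cloud_c2_host(host: str) -> bool:
    """True if host is one of the abused services or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_C2_DOMAINS)


def triage(events):
    """Return {pid: [signals]} for every process that trips at least one signal.

    Signals mirror the chain in the article: an executable started from a
    user-writable directory (e.g. a RAR extraction folder), an unsigned DLL
    loaded from the same directory as that executable (sideloading), and a
    non-browser process talking to one of the cloud services used as C2.
    """
    image_of = {}                      # pid -> image path seen at process_start
    signals = defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_start":
            image_of[pid] = ev["image"]
            if not in_trusted_dir(ev["image"]):
                signals[pid].append(
                    f"{basename(ev['image'])} launched from user-writable path "
                    f"{ev['image']} (parent {ev.get('parent', '?')})")
        elif ev["type"] == "image_load":
            exe, dll = image_of.get(pid), ev["module"]
            if (exe and parent_dir(exe) == parent_dir(dll)
                    and not in_trusted_dir(dll) and not ev.get("signed", False)):
                signals[pid].append(
                    f"possible DLL sideload: unsigned {basename(dll)} loaded from "
                    f"the directory of {basename(exe)}")
        elif ev["type"] == "network_connect":
            proc = basename(image_of.get(pid, ""))
            if is_cloud_c2_host(ev["dest_host"]) and proc not in BROWSERS:
                signals[pid].append(
                    f"non-browser process {proc or pid} connected to "
                    f"{ev['dest_host']}:{ev.get('dest_port', '?')}")
    return dict(signals)


def suspects(events, min_signals=2):
    """PIDs that trip at least min_signals distinct signals, most suspicious first."""
    hits = triage(events)
    return sorted((p for p, s in hits.items() if len(s) >= min_signals),
                  key=lambda p: -len(hits[p]))


def load_events(jsonl: str):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample telemetry (not real logs): a RAR-extracted executable that
# sideloads a DLL and calls Dropbox, beside benign browser and service activity.
SAMPLE_TELEMETRY = r"""
{"type":"process_start","pid":4100,"parent":"explorer.exe","image":"C:\\Users\\ivan\\AppData\\Local\\Temp\\Rar$DIa4424\\Update.exe"}
{"type":"image_load","pid":4100,"module":"C:\\Users\\ivan\\AppData\\Local\\Temp\\Rar$DIa4424\\version.dll","signed":false}
{"type":"network_connect","pid":4100,"dest_host":"api.dropboxapi.com","dest_port":443}
{"type":"process_start","pid":2200,"parent":"explorer.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"type":"network_connect","pid":2200,"dest_host":"github.com","dest_port":443}
{"type":"process_start","pid":800,"parent":"services.exe","image":"C:\\Windows\\System32\\svchost.exe"}
{"type":"image_load","pid":800,"module":"C:\\Windows\\System32\\version.dll","signed":true}
"""

if __name__ == "__main__":
    events = load_events(SAMPLE_TELEMETRY)
    for pid, reasons in triage(events).items():
        print(pid)
        for r in reasons:
            print("  -", r)
    print("suspects:", suspects(events))
```

Only the Temp-folder process trips all three signals; Chrome reaching github.com and svchost.exe loading the real version.dll from System32 produce nothing. Requiring two or more signals per process, as `suspects()` does, keeps a single unsigned DLL in a developer's build directory from paging anyone on its own.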
Advanced malware tools
Among the malware deployed was the GrewApacha trojan, which was linked to APT31 in past campaigns. The latest version of GrewApacha uses two C2 servers and obfuscates the server address in a Base64-encoded GitHub profile bio.
In addition, the attackers deployed the CloudSorcerer backdoor, which Kaspersky previously reported in July. This backdoor has been updated to use LiveJournal and Quora as initial C2 servers.
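Both GrewApacha (a Base64-encoded address in a GitHub profile bio) and the updated CloudSorcerer (LiveJournal and Quora pages as initial C2) rely on a dead-drop resolver: the real server address is hidden in free text on a legitimate site. An analyst who has fetched such a page can recover the embedded address with the routine below. This is an added example, not Kaspersky's or the malware's code; it assumes the operator simply Base64-encodes a URL or host:port and pastes it into the profile text, and the sample bio is constructed using documentation-only names (example.net, 192.0.2.10).

```python
"""Recover C2 endpoints from a dead-drop resolver page (profile bio, post body).

Added example, not Kaspersky's or the malware's code. Assumes the address is
plain Base64 of a URL or host:port dropped into free text; the sample bio is
constructed and uses documentation-only names.
"""
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hold a host name; short words are ignored.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Optional scheme, dotted host or IP, optional port, optional path.
ENDPOINT = re.compile(
    r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d{1,5})?(?:/\S*)?$", re.I)


def decode_token(tok: str):
    """Base64-decode tok if it is valid Base64 holding printable ASCII, else None."""
    try:
        raw = base64.b64decode(tok, validate=True)
    except (binascii.Error, ValueError):
        return None           # wrong length/padding or non-alphabet characters
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None           # an ordinary long word that happens to be Base64-shaped
    return text if text.isprintable() else None


def extract_endpoints(page_text: str):
    """Decoded tokens in page_text that look like a URL or host:port, in page order.

    Returning all matches matters here: the article notes GrewApacha uses two C2
    servers, so a primary and a fallback may both be present.
    """
    found = []
    for tok in B64_TOKEN.findall(page_text):
        text = decode_token(tok)
        if text and ENDPOINT.match(text):
            found.append(text)
    return found


# Constructed profile bio: a primary URL and a fallback host:port hidden among
# ordinary text. "SecurityEngineer" is long enough to match the token regex but
# decodes to non-ASCII bytes, so it is discarded.
SAMPLE_PROFILE_BIO = (
    "SecurityEngineer at Contoso | aHR0cHM6Ly9jZG4uZXhhbXBsZS5uZXQvdXBkYXRl "
    "| fallback: MTkyLjAuMi4xMDo4NDQz | opinions my own"
)

if __name__ == "__main__":
    for i, ep in enumerate(extract_endpoints(SAMPLE_PROFILE_BIO), 1):
        print(f"C2 #{i}: {ep}")
```

The same scan applies to a saved LiveJournal or Quora page, since the input is just text. If a sample turns out to XOR or reverse the string before Base64-encoding it, `decode_token` is the single place to add that step; the endpoint check then still filters the noise.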
PlugY implant as a new threat
Kaspersky’s analysis revealed that CloudSorcerer was used to download a new implant named PlugY. This implant connects to C2 servers via TCP and UDP protocols or named pipes and can execute a wide range of commands, including file manipulation, shell command execution, keystroke logging, screen monitoring, and clipboard snooping.
“Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it,” Kaspersky’s researchers noted.
Implications of the EastWind campaign
The EastWind campaign points to cooperation between nation-state-backed groups: Kaspersky observed tooling overlaps between APT27 and APT31, the two groups whose malware appears side by side in the operation.
Kaspersky's findings underline the growing complexity and volume of such attacks and the need for strong defensive measures to protect sensitive information from them.
The incident is a reminder that cyber espionage is persistent and keeps evolving, and that governments and organizations worldwide need to keep strengthening their defenses against it.