China-linked cyber-spies infect Russian govt, IT sector

Cyber-spies with suspected ties to China have compromised numerous computers within Russian government agencies and IT sectors, deploying malware known as EastWind. Kaspersky, a cybersecurity firm based in Russia, reported that the attacks began in late July and involved phishing emails that contained malicious attachments. The attackers utilized various cloud services, including GitHub and Dropbox, as command-and-control servers to facilitate the download of additional malware onto the infected systems. The malware includes a trojan named GrewApacha, previously linked to Chinese cyber groups APT31 and APT27, and a backdoor called CloudSorcerer. The latter has been modified to use social media and question-and-answer platforms as initial command servers. Kaspersky's analysis revealed that the attackers also introduced a new implant, dubbed PlugY, which can execute a wide range of commands, including file manipulation and keystroke logging. The ongoing investigation suggests that the EastWind campaign demonstrates collaboration among state-sponsored hacking groups, sharing tools and techniques to enhance their cyber operations.

- Chinese cyber-spies have infected Russian government and IT systems with malware.

- The attacks began in late July and involved phishing emails with malicious attachments.

- Cloud services were used as command-and-control servers for malware deployment.

- The malware includes the GrewApacha trojan and the CloudSorcerer backdoor.

- The campaign highlights collaboration among state-sponsored hacking groups.