Chinese APT groups are increasingly targeting a wide range of Russian-linked organisations using phishing emails

July 2022 by SentinelLabs

SentinelLabs has identified a cluster of Chinese threat activity targeting Russian organisations, noting a particular increase in Russian targeting by suspected Chinese threat actors. After assessing the activity, SentinelLabs assesses with high confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine's CERT (CERT-UA).

The attacks use phishing emails to deliver Office documents that exploit the targets' systems in order to deliver the group's remote access trojan (RAT) of choice, most commonly Bisonal. Additionally, SentinelLabs has identified associated activity targeting telecommunication organisations in Pakistan that leverages similar attack techniques.

On 22 June 2022, Ukraine’s CERT-UA reported several RTF documents containing malicious code exploiting one or more vulnerabilities in MS Office. CERT-UA assessed that the documents, "Vnimaniyu.doc", "17.06.2022_Protokol_MRG_Podgruppa_IB.doc", and "remarks table 20.06.2022_obraza", were likely built with the Royal Road builder and dropped the Bisonal backdoor. Royal Road is a malicious document builder used widely by Chinese APT groups, while Bisonal is a backdoor RAT unique to Chinese threat actors.

China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, Space Pirates, and now the findings here. SentinelLabs’ analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time.

While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organisations. SentinelLabs’ findings currently offer only an incomplete picture of this threat cluster’s phishing activity, but they provide perspective on the attacker’s ongoing operational objectives and a framework for SentinelLabs’ ongoing research.

It is also worth noting that related attacks focused on non-Russian organisations are still ongoing, such as those against Pakistan. For example, one file uploaded to VirusTotal from Pakistan is a May 2022 email message file addressed to the Pakistan Telecommunication Authority, sent from a potentially compromised account in the Cabinet Division of the Pakistani government. This email carries the Royal Road attachment “Please help to Check.doc”, which drops a payload and beacons outbound.

Conclusion

SentinelLabs assessed with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributed to Chinese threat actors. Based on SentinelLabs’ observations, there’s been a continued effort to target Russian organisations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organisations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility.