Essential Insights
- A Chinese state-aligned group, APT31, has reportedly been spying on Russia’s IT sector for years, reflecting espionage even among ostensibly allied nations.
- The campaign, detailed by Russian IT security firm Positive Technologies, involved sophisticated tactics using legitimate cloud services for malicious activities and communication.
- APT31’s attacks targeted not only IT companies but also contractors working with government agencies, indicating a potential broader agenda beyond commercial espionage.
- Notably, evidence suggests similar tactics have been used against other countries, highlighting the challenges in countering such sophisticated, covert cyber espionage efforts.
A Chinese state-aligned threat actor may have been spying on Russia’s government for years through its IT sector.
For all of the adversarial intelligence gathering going on in the world today, there’s also plenty of spying among friends. Friendly nations, and friendly-ish nations like China and Russia, regularly use cyberspace against their allies in order to glean potentially valuable political or economic intelligence, gain advantages in strategic negotiations, or simply steal technology.
On Nov. 20, Russian IT security vendor Positive Technologies detailed a longstanding espionage campaign against Russia’s IT sector. The culprit: China’s APT31 — also known as Judgment Panda, TA412, and Violet Typhoon — an advanced persistent threat (APT) group active for a decade and a half and well known for industrial espionage and intellectual property (IP) theft against thousands of organizations worldwide.
APT31’s trick this time around, the researchers found, was a sophisticated manipulation of legitimate cloud services for malicious command-and-control (C2).
APT31’s Cloud Services Abuse
The first known evidence of APT31’s campaign against Russia’s IT sector dates back to the end of 2022, though the meat of the campaign appears to have occurred in 2024 and 2025.
In many ways, the attacks have unfolded as most Chinese espionage campaigns do: APT31 distributed targeted phishing emails with archive files attached, containing decoy documents and its malware, executed in victims’ systems using dynamic link library (DLL) sideloading.
APT31 uses both commercial software and custom malware for the various stages of its attack chain. For instance, the group can steal victims’ authentication data using one tool that culls credentials from Google Chrome and Microsoft Edge, another that searches local files, and a third that scrapes Windows Sticky Notes, just in case victims leave their passwords on digital Post-its instead of physical ones.
Most notably, APT31 employs a variety of backdoors customized to the victim’s operating system — Windows and Linux call for different choices — and to its chosen means of C2 communication. For example, its “OneDriveDoor” backdoor uses Microsoft OneDrive for C2 communication, while “CloudSorcerer” can use OneDrive, Dropbox, or the Russian Yandex Cloud service. Its “YaLeak” tool uses Yandex Cloud for data exfiltration, and its most tongue-in-cheek malware, “VtChatter,” uses the commenting system of the threat intelligence platform VirusTotal (VT) as a covert C2 channel.
Bugcrowd founder Casey Ellis laments just how difficult it is to prevent hackers from abusing legitimate cloud services to conceal their malicious activity. “Aside from playing whack-a-mole when a campaign like this bubbles up, there is very little that cloud services can do to stop this type of C2 abuse,” he explains. “This is deliberate exploitation of intentional design, and the fact that it flies under the radar for this reason is being deliberately abused by the threat actors. This type of C2 is notoriously difficult to prevent, aside from adding coarse features like geo-blocking entire regions, or shutting the whole service down.”
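Because the C2 traffic rides on services that many hosts legitimately use, blocking the destination is rarely an option, and the practical defender’s lever is the traffic pattern instead: an implant polling a cloud API on a timer looks different from a person using the same API. The following added example (not code from the article or from Positive Technologies) runs a simple beacon heuristic over web-proxy logs, grouping requests per source host and cloud API hostname and flagging pairs whose inter-request intervals are both frequent and unusually regular. The log format, IP addresses, API hostnames and sample lines are constructed assumptions for the example.

```python
# Added example: flag beacon-like polling of legitimate cloud services in proxy logs.
# Not code from the article; hostnames, IPs and log lines below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev
from urllib.parse import urlsplit

# Services the article names as C2 or exfiltration channels, keyed by the API
# hostname a client would contact (hostnames are assumptions for this example).
CLOUD_SERVICES = {
    "graph.microsoft.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Cloud",
    "www.virustotal.com": "VirusTotal comments",
}

# Constructed proxy log: "<ISO-8601 time> <src ip> <method> <url> <status> <bytes>".
# 10.0.0.5 polls the VirusTotal comments API roughly every five minutes (beacon-like);
# 10.0.0.7 uses Dropbox at irregular, human-looking times; 10.0.0.9 has too few events.
SAMPLE_LOG = """\
2025-03-04T09:00:00Z 10.0.0.5 GET https://www.virustotal.com/api/v3/comments?filter=tag 200 512
2025-03-04T09:01:00Z 10.0.0.7 GET https://api.dropboxapi.com/2/files/list_folder 200 2048
2025-03-04T09:03:30Z 10.0.0.7 POST https://api.dropboxapi.com/2/files/upload 200 91002
2025-03-04T09:05:02Z 10.0.0.5 GET https://www.virustotal.com/api/v3/comments?filter=tag 200 514
2025-03-04T09:09:58Z 10.0.0.5 GET https://www.virustotal.com/api/v3/comments?filter=tag 200 510
2025-03-04T09:12:00Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/drive/root/children 200 4096
2025-03-04T09:15:01Z 10.0.0.5 GET https://www.virustotal.com/api/v3/comments?filter=tag 200 513
2025-03-04T09:20:00Z 10.0.0.5 GET https://www.virustotal.com/api/v3/comments?filter=tag 200 511
2025-03-04T09:24:59Z 10.0.0.5 GET https://www.virustotal.com/api/v3/comments?filter=tag 200 512
2025-03-04T09:40:00Z 10.0.0.7 GET https://api.dropboxapi.com/2/files/list_folder 200 2048
2025-03-04T10:55:12Z 10.0.0.7 POST https://api.dropboxapi.com/2/files/upload 200 120331
2025-03-04T11:00:00Z 10.0.0.7 GET https://api.dropboxapi.com/2/files/list_folder 200 2048
2025-03-04T11:30:00Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/drive/root/children 200 4096
"""


def parse_line(line):
    """Return (timestamp, src_ip, api_host) for one log line, or None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts = datetime.fromisoformat(fields[0].replace("Z", "+00:00"))
    host = urlsplit(fields[3]).hostname
    return ts, fields[1], host


def detect_beacons(log_text, min_events=4, max_cv=0.2):
    """Flag (src, host) pairs whose request intervals are regular enough to look timed.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive requests; implants polling on a fixed sleep produce a
    low value, interactive use produces a high one. Returns a list of findings.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, host = parsed
        if host in CLOUD_SERVICES:
            events[(src, host)].append(ts)

    findings = []
    for (src, host), times in sorted(events.items()):
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; no period to speak of
        cv = stdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "service": CLOUD_SERVICES[host],
                "events": len(times),
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['service']} ({f['host']}): "
              f"{f['events']} requests, period ~{f['period_s']}s, cv={f['cv']}")
```

On the constructed log only 10.0.0.5 is reported, with a period of roughly 300 seconds. The thresholds are deliberately loose; in production you would tune `min_events` and `max_cv` against a baseline of your own users’ cloud traffic, and treat a hit as a lead for host triage (which process opened the connection, whether it was launched via DLL sideloading from a user-writable path) rather than as a verdict on its own.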
Commercial or Government Espionage?
Certain circumstantial evidence suggests that APT31’s campaign might have been aimed at more than just IT companies, commercial data, and possibly beyond Russia.
Importantly, its attacks were concentrated not just against Russia’s IT sector broadly, but against contractors and integrators of IT solutions for government agencies specifically. Russia itself has used this indirect approach, via contractors, to breach the US government in the past.
The researchers also spotted a version of APT31’s very same attack chain in Peru. In that case, an unidentified victim was served malware alongside a decoy document crafted to appear like an official financial report from the Ministry of Foreign Affairs of Peru, a more direct indication that the hackers may have been seeking out government victims.
“Geopolitical relations are dynamic by nature,” Ellis notes, and “the idea that ‘knowing what your friends are up to is as important as knowing what your enemies are planning’ predates the current geopolitical environment, and technology environment, by a few thousand years.”