China-linked hackers could be behind cyberattacks on Russian state agencies, researchers say

Hackers have targeted dozens of computers belonging to Russian state agencies and tech companies with malicious tools linked to Chinese threat actors, according to a new report.

In a campaign dubbed EastWind discovered late last month by researchers at Russian cybersecurity firm Kaspersky, the attackers used the GrewApacha remote access trojan (RAT), an unknown PlugY backdoor and an updated version of CloudSorcerer malware, which was previously used to spy on Russian organizations. 

The GrewApacha RAT has been used by the Beijing-linked hacking group APT31 since at least 2021, the researchers said, while PlugY shares many similarities with tools used by the suspected Chinese threat actor known as APT27.

According to Kaspersky, the hackers sent phishing emails containing malicious archives. In the first stage of the attack, they exploited a dynamic link library (DLL), commonly found in Windows computers, to collect information about the infected devices and load the additional malicious tools.

While Kaspersky didn’t explicitly attribute the recent attacks to APT31 or APT27, they highlighted links between the tools that were used.

Although PlugY malware is still being analyzed, it is highly likely that it was developed using the DRBControl backdoor code, the researchers said. This backdoor was previously linked to APT27 and bears similarities to PlugX malware, another tool typically used by hackers based in China.

APT27 has been active since at least 2010 and has targeted organizations in sectors including aerospace, government, defense, technology, energy, manufacturing and gambling. In 2022, it attacked a U.S. state legislature using a Log4j vulnerability.

Earlier in July, the U.K. government accused APT31, which overlaps with the group RedBravo, of breaching the servers of the Electoral Commission and accessing the personal information of nearly 40 million people.

According to Kaspersky, PlugY was deployed using an updated version of the CloudSorcerer backdoor. This tool has previously been deployed to steal data from Russian government agencies.

Researchers described CloudSorcerer as “a sophisticated cyber espionage tool” that relied on legitimate cloud services such as Yandex Cloud and Dropbox for stealth monitoring and data collection.

Its updated variant used a popular Russian blogging platform, LiveJournal, and a social question-and-answer website, Quora, as initial command and control servers.

Earlier in July, researchers at cybersecurity firm Proofpoint discovered a malicious tool that shared many similarities with CloudSorcerer and was used to target a U.S.-based organization.

In the EastWind campaign, the hackers used a similar infection method as described by Proofpoint in their attack on the U.S. organization, researchers at Kaspersky said.

In a comment to Recorded Future News, Proofpoint stated that they “do not have any additional details to share at this stage.”