Chinese hackers targeting Russian government, telecoms: report

Chinese hacking groups are targeting the Russian government and organizations in the telecommunications industry, according to a new report from cybersecurity company SentinelOne.

The report found that there has been a noticeable increase in Russian targeting by suspected Chinese threat actors. Tom Hegel, senior threat researcher at SentinelOne, attributed the targeting to state-sponsored espionage groups deploying a decade-old Remote Access Trojan (RAT) called Bisonal. 

The RAT has long been associated with Chinese hackers who have previously been seen targeting organizations in Russia, Japan, South Korea and others. 

In the latest campaign, SentinelOne found Microsoft Office documents and phishing emails spoofing RU-CERT — the country's cybersecurity incident response center — as well as Russian government bodies regulating the telecommunications industry. 

Hegel said the attacks are “likely unique to the particular organization they compromise.”

The documents both exploit CVE-2018-0798, a remote execution vulnerability in Microsoft Office, to install the embedded malware.

“While direct information collection may be the objected, we also observe them targeting to do further attacks — such as with the Pakistan account compromise to do further phishing,” Hegel said, noting that telecommunications companies in Pakistan have also been targeted.  

"The exploits used in these attacks are quite old and well known. The organizations being compromised in these cases are vulnerable to the most simple attacks out there. It may speak to the ease of compromising such organizations, even while actively engaged in a war.”

SentinelOne obtained some of the malicious documents from Ukraine's CERT, which shared the files in alert #4860 on June 22. 

Ukrainian security researchers said the malicious documents were built with a tool called “Royal Road” and were “themed around Russian government interests.”

From those documents, SentinelOne said it found “supplemental Chinese threat activity.”

“China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, ‘Space Pirates’, and now the findings here,” SentinelOne said. 

“While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations. Our findings currently offer only an incomplete picture of this threat cluster’s phishing activity, but they serve to provide perspective into an attacker’s ongoing operational objectives and a framework for our ongoing research.”

Royal Road is allegedly used widely among Chinese APT groups and SentinelOne said Bisonal is a backdoor RAT “unique to Chinese threat actors.”

One of the malicious documents purporting to be from RU-CERT is a memo on increased phishing attacks.

There is some evidence tying the activity to an APT group SentinelOne referred to as Tonto Team, with alternate names like “CactusPete” and “Earth Akhlut.” The group was previously accused of targeting a portion of India’s power sector.

They are unsure if the group potentially shares its tools with others, making it difficult to confidently tie Tonto Team to the latest Russia campaign. But SentinelOne noted that they have previously seen Tonto Team target governments, critical infrastructure, and other private businesses in several northeast Asian countries and Russia. 

“These documents often contain metadata indicating the document creator's operating system was using simplified Chinese, a trait we observed in our previous analysis of Scarab APT activity,” the report added. 

“Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations.”

The researchers previously saw campaigns from this group targeting the Pakistan Telecommunication Authority through a potentially compromised account in the Cabinet Division of the Pakistani government in May. 

Last year, researchers with cybersecurity company Cybereason found other Chinese state-backed hacking groups using the same vulnerability – CVE-2018-0798 – in attacks on a Russian defense contractor involved in designing nuclear submarines for the Russian Navy.

That campaign similarly used malicious documents created with Royal Road. 

On Wednesday, ​​deputy director of Russia’s National Coordination Center for Computer Incidents Nikolay Murashov said the country is facing an “unprecedented cyber campaign” since it began its invasion of Ukraine earlier this year. 

"On average, a government agency in charge of detecting, thwarting and neutralizing cyberattacks has been registering more than 200 hacking attacks on a daily basis," Murashov said.

"These have been conducted from around the globe, and are well-coordinated at that."