China’s APT31 linked to hacks on Russian tech firms
The China-linked hacking group known as APT31 infiltrated Russia’s technology sector for years and quietly exfiltrated data from companies involved in government contracting and systems integration, according to a new report.
The campaign, which ran into this year, was “well-planned” and allowed intruders to remain undetected, Russian cybersecurity firm Positive Technologies said in research published on Thursday.
Public reports of Chinese cyber operations against Russia are rare, given the countries are widely seen as strategic partners. In October, U.S.-based cybersecurity firm Symantec attributed an espionage attack on an unnamed Russian IT service provider to Jewelbug, another China-linked group.
The report by Moscow-based Positive Technologies comes from a company much closer to the Kremlin. The firm was sanctioned by the United States in 2021 for allegedly providing IT support to Russia’s civilian and military intelligence agencies.
Last August, Russian cybersecurity firm Kaspersky said hackers had targeted dozens of computers belonging to Russian state agencies and tech companies with malicious tools tied to Chinese threat actors, including APT31 and APT27.
A range of tools
According to Positive Technologies, the attackers used a mix of publicly available tools and custom malware.
The hackers masked their activity by routing commands through profiles on popular social-media and web platforms, helping them evade detection because the traffic appeared legitimate, the researchers said.
The group also timed key phases of the operation to coincide with weekends and public holidays, including large-scale intrusions during New Year celebrations, when corporate infrastructure remained online but staffing was minimal.
In one case, researchers said the attackers had maintained access to a Russian IT company’s systems since late 2022 and resumed activity during the 2023 New Year holidays. Another incident in December 2024 involved a phishing email containing a fake procurement request that deployed malware on victims’ computers. Stolen data was exfiltrated via Yandex Cloud, Russia’s domestic cloud service.
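The holiday-timed activity and cloud-storage exfiltration described above point to a simple detection for defenders: flag large off-hours uploads to cloud storage from hosts that have no business doing so. The script below is an added example (not code from Positive Technologies or the article) run over constructed proxy log lines; the holiday calendar, the storage endpoint, the business-hours window and the volume threshold are all assumptions to be tuned per environment.

```python
import datetime as dt
from typing import NamedTuple

# Constructed sample proxy log lines (not from the report): timestamp host destination bytes_out
SAMPLE_LOG = """\
2023-12-31T23:40:12 srv-erp-01 storage.yandexcloud.net 48210000
2024-01-02T03:15:44 wks-fin-07 storage.yandexcloud.net 910000000
2024-01-10T14:02:09 wks-dev-03 storage.yandexcloud.net 120000
2024-01-10T14:05:31 wks-dev-03 example.com 5000
2024-01-13T02:40:00 srv-erp-01 example.org 2200000
"""

# Assumed holiday calendar: the Russian New Year break, 1-8 January 2024.
HOLIDAYS = {dt.date(2024, 1, d) for d in range(1, 9)}
# Assumed cloud-storage endpoint that internal hosts would not normally upload to.
CLOUD_STORAGE_HOSTS = {"storage.yandexcloud.net"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, assumed

class Upload(NamedTuple):
    when: dt.datetime
    host: str
    dest: str
    bytes_out: int

def parse_line(line: str) -> Upload:
    ts, host, dest, size = line.split()
    return Upload(dt.datetime.fromisoformat(ts), host, dest, int(size))

def is_off_hours(when: dt.datetime) -> bool:
    """Weekend, declared holiday, or outside the business-hours window."""
    return (when.weekday() >= 5
            or when.date() in HOLIDAYS
            or when.hour not in BUSINESS_HOURS)

def find_suspicious_uploads(log_text: str, min_bytes: int = 10_000_000) -> list[Upload]:
    """Return uploads to cloud storage that are both large and made off-hours."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        u = parse_line(line)
        if u.dest in CLOUD_STORAGE_HOSTS and u.bytes_out >= min_bytes and is_off_hours(u.when):
            hits.append(u)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{hit.when} {hit.host} -> {hit.dest} ({hit.bytes_out} bytes, off-hours)")
```

On the constructed sample, the Sunday-night upload and the upload during the holiday break are flagged, while the weekday business-hours upload and the small weekend transfer are not.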
APT31, also known as Zirconium or Judgement Panda, has been repeatedly linked by Western governments to China’s state-sponsored espionage efforts, though Positive Technologies did not reference Beijing in its report.
In July, the U.K. government accused APT31 of breaching the country’s Electoral Commission and accessing personal data belonging to nearly 40 million people.
“APT31 remains active today,” Positive Technologies said, adding that the group continues to evolve. “Alongside older tools, the group has expanded its arsenal this year with a significant number of new backdoors.”
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.