Russian analysts point finger at China, North Korea over cyber activity

The majority of state-sponsored cyberattacks against Russia originate from North Korea and China, Russian researchers claimed in a report released this week.

The findings from cybersecurity firm Solar — owned by the country’s largest telecom provider, Rostelecom — come as a surprise, given the long-standing political partnership between Russia, China, and North Korea. Last month, Russian President Vladimir Putin visited Beijing to meet with his Chinese counterpart, Xi Jinping, and on Thursday, Russia reached an agreement with North Korea to expand cooperation in trade, science, and technology.

The state-backed hackers from these countries primarily focus on spying and data theft from Russia's telecom and government services, the researchers said.

“The findings in the report are not what I would expect,” said Pascal Geenens, director at the cybersecurity firm Radware. However, nation-state threat actors do have an incentive to hunt forward in allied networks, he added. “They would want to have a heads up when an ally is about to go rogue or maintains relations with a state that is regarded as unfriendly.”

Limited visibility

Reports on cyberattacks against Russia are rare, given that many Western companies have limited visibility into computer systems in the region.

This week, Russian state officials and cybersecurity companies, including Solar, provided some insights into what's happening in the country's cyberspace during a major information security event called SOC Forum. Given the high level of propaganda in the country, Russian reports should be taken with a grain of salt.

Some of the claims presented during the forum appear contradictory. While Solar claims that the majority of state-sponsored cyberattacks against Russia originate from Asia, the country's cybersecurity authorities blame "Western enemies" for coordinating cyberattacks against Moscow.

The Solar researchers especially singled out Chinese nation-state advanced persistent threat (APT) groups as posing the main threat to Russian systems. In September of this year, they said, hackers linked to China launched a large-scale cyberespionage campaign against Russia, infecting the systems of 20 to 40 Russian organizations daily, researchers claim. Their activity only subsided a month later after security vendors noticed the attacks.

Last year, researchers at the cybersecurity company Check Point detected an attack by the China-linked threat actor Twisted Panda on state-owned Russian defense institutes.

“Our assumption is that the main goal in this, and in many other cases of China-affiliated APTs operating against Russia, is commercial espionage with a focus on sensitive defense industries,” said Check Point researcher Sergey Shykevich.“This tendency accelerated since the start of the Russia-Ukrainian war,” he added.

Another hacker group actively attacking Russia, according to Solar, is the North Korea-backed Lazarus.

Over the past two years, Solar said it has investigated several incidents related to the group, including those targeting government agencies. As of the beginning of November, researchers claim, Lazarus hackers still have access to a number of Russian systems.

Some instances of Pyongyang's intrusions into Russia have been publicly reported.

In August, SentinelLabs — the research arm of cybersecurity firm SentinelOne — identified an intrusion by North Korean hackers into a Russian missile engineering organization. The researchers attributed the hack to the North Korean cyberespionage group ScarCruft, which breached the enterprise's email server, as well as Lazarus, which installed digital backdoors into its systems.

According to SentinelLabs threat researcher Tom Hegel, this attack “underscores a pattern rather than an isolated incident.”

Hegel told Recorded Future News that the increased activity from China's and North Korea's threat groups can be attributed to their “extensive and fast-paced global campaigns, not exclusively targeting Russia.”

“Moreover, it is crucial to recognize that threat actors from China and North Korea transcend both financial and espionage objectives, often intertwining the two,” he added.

Cyberattacks from ‘enemy’ countries

Amid the ongoing war with Ukraine, Russia faces frequent cyberattacks from politically motivated Ukrainian hackers, such as IT Army, which carry out distributed denial-of-service (DDoS) attacks on Russian websites or leak data from state and private companies. There are hardly any reports about the activities of Ukrainian nation-state hacking groups on Russian networks.

Solar researchers said that identifying Ukrainian state-backed hackers in Russian cyberspace is hard as there are many “politically motivated cybercriminals from different regions acting in their interests.”

Among the campaigns researchers linked to Ukrainian threat actors was a cyberattack on one of Russia’s internet providers, resulting in the destruction of some of its infrastructure. The report didn’t specify the provider, but it likely refers to the cyberattack on the Russian satellite communications provider Dozor-Teleport.

The hackers behind this incident claim they damaged some satellite terminals, and leaked and destroyed confidential information stored on the company's servers. Ukraine hasn’t officially claimed responsibility for the attack.

SentinelLabs’ Hegel said that Ukraine-backed threat actors “are simply quite rare, more strategic and isolated to high-value targets, and not heavily tracked through public threat intelligence.”

At the SOC Forum, Russia’s National Computer Incident Coordination Center reiterated that it deems Western countries as Russia’s main “enemy” in cyberspace. The agency's deputy director, Peter Belov, said that countries involved in supplying weapons to Ukraine “are also actively coordinating the activities of hackers.”

According to Belov, some “enemy” hacker groups are looking for vulnerabilities in Russian systems, while others have gained initial access to them, and some are stealing sensitive data from already compromised networks.

He also said that attackers are now focusing less on media attention and more on stealing data and causing maximum harm to Russia’s digital systems.

While it’s hard to determine who poses the main threat to Russian systems, Hegel said that “Russia encounters a threat landscape comparable to that of the rest of the world.”

“This encompasses a substantial and ongoing influx of financially motivated criminal actors, alongside the dynamic presence of APTs in the region.”