Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Chinese Cyberspies Targeting Russian Military

A China-linked state-sponsored cyberespionage group has started targeting the Russian military in recent attacks, which aligns with China’s interests in the Russia-Ukraine war, Secureworks reports.

A China-linked state-sponsored cyberespionage group has started targeting the Russian military in recent attacks, which aligns with China’s interests in the Russia-Ukraine war, Secureworks reports.

Tracked as Mustang Panda, Bronze President, RedDelta, and TA416, the government-backed hacking group previously focused mainly on the Southeast Asian region, with some attacks targeting Europe and the United States.

Over the past several months, however, in line with the escalating tensions between Russia and Ukraine, Mustang Panda switched to targeting European diplomats with an updated variant of the PlugX backdoor.

According to Secureworks, a recently captured malicious file shows that Mustang Panda has started targeting Russian military personnel close to the Chinese border.

The malicious file has the Russian name of “Blagoveshchensk – Blagoveshchensk Border Detachment,” uses a PDF icon for credibility, but has an EXE extension.

“Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region,” a new Secureworks report reads.

[ READ: China’s Hacking of European Diplomats Aligns With Russia-Ukraine Conflict ]

When launched, the malicious file fetches four files from a staging server, including a decoy document written in English, a legitimate executable from UK-based Global Graphics Software Ltd, a malicious DLL downloader, and an encrypted payload, which the researchers believe is the PlugX malware.

Advertisement. Scroll to continue reading.

The decoy document, which appears legitimate, discusses the current situation in countries around Belarus (Lithuania, Latvia, and Poland), as well as the sanctions that the European Union (EU) has imposed on Belarus starting March 2022.

Secureworks points out that the remaining three files are typically used by Mustang Panda to execute PlugX on the victim’s machine, via DLL search order hijacking.

Once installed on a victim’s machine, PlugX allows attackers to harvest and exfiltrate sensitive information, download and upload files, and execute a remote command shell.

The staging server the malicious file connects to was previously used in attacks on European diplomats, as well as in another campaign attributed to the cyberespionage group, which can also be linked to Mustang Panda activity from 2020.

“Bronze President appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. […] Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the PRC,” Secureworks notes.

Related: Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor

Related: 17 Malware Frameworks Target Air-Gapped Systems for Espionage

Related: Chinese Cyber-Espionage Group Targeted NGOs for Years

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...