Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China

A recent cyberespionage operation aimed at industrial enterprises and public institutions in Eastern Europe and Afghanistan has been linked to a threat actor that is likely sponsored by the Chinese government.

The campaign, detailed on Monday by Kaspersky, is believed to be the work of TA428, a group that has been tracked by cybersecurity companies since at least 2019. TA428 activities and the malware used by the group were previously detailed by Recorded Future, Group-IB, Proofpoint, Cybereason, Dr.Web, and NTT Security. The group is also known as Colourful Panda and Bronze Dudley.

Some of TA428’s more recent attacks, ones disclosed in 2021, focused on Russia, targeting government and military organizations. The attacks analyzed by Kaspersky’s ICS CERT unit were first seen in January 2022 and they are likely an extension of that campaign.

The attacks seen by Kaspersky were aimed at more than a dozen organizations in Russia, Ukraine, Belarus and Afghanistan. Victims included military industrial complex enterprises and public institutions. Specifically, the attacks were aimed at industrial plants, design bureaus, research institutes, and various types of government organizations.

According to Kaspersky, six different backdoor malware families were used in the attacks, most of which were previously linked to TA428. This includes threats known as PortDoor, nccTrojan, Cotx, DNSep, and Logtu. The cybersecurity firm also spotted what appears to be a new piece of malware, which it has named CotSam due to similarities with Cotx.

The malware is delivered using phishing emails that carry Word documents designed to exploit an older vulnerability for arbitrary code execution.

The attackers have been observed searching for sensitive data on compromised systems and exfiltrating it, which has led researchers to believe that the likely goal is espionage.

Kaspersky also pointed out that in at least one case the attackers gained access to a server hosting the system used to manage the organization's cybersecurity solutions, which allowed them to change the settings of the endpoint security products deployed by the victim. In addition, the hackers have been seen using DLL hijacking and process hollowing to keep their malware from being detected by security software.
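The DLL hijacking mentioned above (a legitimate, often signed, executable picking up a planted DLL ahead of the real system copy in the load search order) is something defenders can hunt for in image-load telemetry. The following is an added example, not Kaspersky's analysis code and not anything from TA428's toolset: it classifies constructed, Sysmon-Event-7-style load events and flags system-named DLLs resolved from outside the Windows system directories. The system directory list, the set of commonly hijacked DLL names and the sample events are all assumptions chosen for illustration. Process hollowing is not covered here because detecting it requires comparing a process's in-memory image with its on-disk file, which a log-based check cannot do.

```python
"""Hunting for DLL search-order hijacking in image-load telemetry.

Added example, not Kaspersky's analysis code or anything from TA428's
toolset. Events are constructed here in a Sysmon Event ID 7 (ImageLoad)
style: the loading process, the DLL path and whether the DLL is signed.
"""
import ntpath  # Windows path handling, works on any host OS

# Locations Windows itself loads system DLLs from (assumes install drive C:).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# System DLL names that applications commonly load by bare name and that
# therefore get planted next to a legitimate EXE. Illustrative, not exhaustive.
COMMONLY_HIJACKED = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll",
    "cryptbase.dll", "profapi.dll", "userenv.dll",
}


def _in_system_dir(directory: str) -> bool:
    """True when the directory is a system directory or lies beneath one."""
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify_load(event: dict):
    """Return None for a benign load, otherwise a severity string.

    A system-named DLL resolved outside the system directories means the
    process took a planted copy ahead of the real one in the search order.
    An unsigned copy is the classic sideloading case, so it ranks higher.
    """
    dll_dir, dll_name = ntpath.split(event["image_loaded"].lower())
    if dll_name not in COMMONLY_HIJACKED or _in_system_dir(dll_dir):
        return None
    return "high" if not event.get("signed", False) else "medium"


def find_hijacks(events):
    """Return (event, severity) pairs for every suspicious load."""
    hits = []
    for e in events:
        sev = classify_load(e)
        if sev:
            hits.append((e, sev))
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"image": r"C:\Users\analyst\AppData\Roaming\Updater\legit.exe",
     "image_loaded": r"C:\Users\analyst\AppData\Roaming\Updater\version.dll",
     "signed": False},
    {"image": r"C:\Program Files\Vendor\tool.exe",
     "image_loaded": r"C:\Program Files\Vendor\vendorlib.dll", "signed": True},
]

if __name__ == "__main__":
    for e, sev in find_hijacks(SAMPLE_EVENTS):
        print(f"[{sev}] {e['image']} loaded {e['image_loaded']}")
```

On the constructed sample only the second event is flagged: a legitimately named executable in a user-writable profile directory loading an unsigned `version.dll` from the same folder. The name list is deliberately small; in production it should be generated from the DLLs actually present in System32 rather than hand-maintained.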

Similar to other cybersecurity companies, Kaspersky believes it’s very likely that the hackers are Chinese. They are using hacking tools that are popular in China, they are leveraging Chinese services, and their work hours match the typical workday in China.
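The "work hours" signal used in that attribution is a statistical one: collect timestamps of attacker activity (malware compile times, C2 beacon times, file-server access times) and find the UTC offset under which most of them fall inside a normal Monday-to-Friday working day. The script below is an added example, not Kaspersky's code or data; its timestamps are constructed to cluster at 09:00-17:59 in UTC+8 with a few late-evening outliers, and the 09:00-18:00 workday window is an assumption. Note that a best fit of UTC+8 is consistent with China but also with several other countries in the same offset, which is why this signal is only ever one of several.

```python
"""Working-hours analysis of attacker activity timestamps.

Added example, not Kaspersky's code or data. The timestamps below are
constructed, in UTC, and stand in for what an analyst collects in practice:
malware compile times, C2 beacon times or timestamps from file-server
access logs. The question answered is: which UTC offset makes the most
of the activity fall inside a normal Monday-to-Friday, 09:00-18:00 workday?
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORKDAY_START, WORKDAY_END = 9, 18  # local hours, end exclusive (assumption)


def to_local(ts: datetime, utc_offset_hours: int) -> datetime:
    """Shift an aware UTC timestamp into a fixed-offset local zone."""
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def hour_histogram(timestamps, utc_offset_hours: int) -> Counter:
    """Count events per local hour of day for the given UTC offset."""
    return Counter(to_local(t, utc_offset_hours).hour for t in timestamps)


def workday_fraction(timestamps, utc_offset_hours: int) -> float:
    """Share of events that land on a weekday within working hours."""
    inside = 0
    for t in timestamps:
        local = to_local(t, utc_offset_hours)
        if local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END:
            inside += 1
    return inside / len(timestamps)


def best_fit_offset(timestamps):
    """UTC offset (whole hours, -12..+14) with the highest workday fit."""
    return max(range(-12, 15), key=lambda off: workday_fraction(timestamps, off))


# Constructed sample: five weekdays of activity at UTC 01:00-09:59 (which is
# 09:00-17:59 at UTC+8), plus three late-evening outliers at 18:00 UTC.
_monday = datetime(2022, 1, 17, tzinfo=timezone.utc)
SAMPLE_UTC = [
    _monday + timedelta(days=day, hours=hour, minutes=(hour * 7) % 60)
    for day in range(5)
    for hour in range(1, 10)
] + [_monday + timedelta(days=day, hours=18) for day in range(3)]

if __name__ == "__main__":
    off = best_fit_offset(SAMPLE_UTC)
    print(f"best-fit offset UTC{off:+d}, workday fit {workday_fraction(SAMPLE_UTC, off):.2f}")
    for hour, n in sorted(hour_histogram(SAMPLE_UTC, off).items()):
        print(f"{hour:02d}:00 {'#' * n}")
```

With real data the histogram is the more useful output than the single best-fit number: a clean two-peak shape with a lunch dip, and a drop on the local weekend, is far stronger evidence of a human team on a schedule than any one offset score, and compile timestamps in particular can be forged, so they should never be the only source.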

“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully,” Kaspersky said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
