Researchers Analyze Chinese Malware Used Against Russian Government

At least two Chinese cyberespionage groups targeted Russian federal executive authorities in 2020, security researchers with threat hunting and intelligence firm Group-IB reveal.

Chinese threat actors have been known to conduct cyberattacks in various countries worldwide, including Russia, targeting military contractors, research institutes, state agencies, and other entities, with a focus on cyberespionage.

An in-depth analysis of the employed malware families suggests that Chinese hacker groups TA428 and TaskMasters were behind a series of attacks that targeted Russian government agencies in 2020, Group-IB says. Both groups are linked to the Chinese government.

Believed to have been active since at least 2020, TaskMasters (which is also referred to as BlueTraveller) is mainly focused on the targeting of organizations in Russia and CIS, with a focus on sectors such as government agencies, industrial and energy firms, and transport companies.

Operating since 2013, TA428 has been targeting government agencies in East Asia, with a focus on those that have connections with domestic and foreign policy, governmental information technology, and economic development.

As part of last year’s attacks against Russian authorities, the Chinese hackers used malware families Webdav-O and Mail-O to gain remote access to targeted systems and exfiltrate data of interest.

During their investigation into the attacks, Group-IB’s security researchers discovered code similarities between Webdav-O and the BlueTraveller Trojan (also referred to as RemShell), which eventually led them to the conclusion that TaskMasters might have used the malware in the 2020 attacks.

Group-IB’s investigation also revealed a connection between BlueTraveller and Albaniiutas, a relatively new malware family in TA428’s portfolio, suggesting that “Albaniiutas is nothing but a logic continuation of the malware belonging to the BlueTraveller family.”

The security researchers also note that some of the 2020 attacks against the Russian government might have been conducted by TA428, especially with Mail-O believed to be part of this group’s portfolio and with Webdav-O being linked to BlueTraveller, which is in turn linked to TA428’s Albaniiutas.

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out.

The researchers also note that evidence suggests that a large hacking group consisting of intelligence units of the People’s Liberation Army of China might be operating out of the country, with the various Chinese APT groups tracked by threat intelligence organizations being nothing more than subgroups.

“Each unit attacks to the fullest, according to a strict timeline and order. This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives,” Group-IB concludes.

Related: Chinese Cyberspy Group APT31 Starts Targeting Russia

Related: DeadRinger: A Three-Pronged Attack by Chinese Military Actors against Major Telcos

Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms