Check Point Research (CPR) has identified an ongoing cyber espionage operation targeting Russian defense research institutes. The operation, attributed to Chinese state-sponsored threat actors, uses spear-phishing e-mails sent under the pretext of the Russian Ministry of Health to collect sensitive information.
The e-mails contained malicious documents that used Western sanctions against Russia as bait, among other social engineering techniques. The threat actors managed to avoid detection for almost 11 months using new and previously undocumented tools, which CPR now describes in detail for the first time. CPR named the campaign "Twisted Panda" to reflect the sophistication of the tools observed and the attribution to China.
The Russian victims belong to a holding company of the Russian state defense conglomerate Rostec Corporation, Russia's largest holding company in the radio-electronics industry.
The e-mails carried the subject lines "List of persons under US sanctions for the invasion of Ukraine" and "US spread of deadly pathogens in Belarus".
The campaign has multiple overlaps with Chinese cyber espionage operators, including APT10 and Mustang Panda.
Check Point Research (CPR) has spotted an ongoing cyber espionage operation targeting Russian defense research institutes. The operation, which is attributed to Chinese state-sponsored threat actors, relies on social engineering techniques, specifically sanctions-related lures, to gather sensitive information. The threat actors managed to avoid detection for almost 11 months using new and previously undocumented tools, an advanced multi-stage loader and a backdoor called SPINNER. CPR named this campaign "Twisted Panda" to reflect the sophistication of the tools observed and the attribution to China.
Targets
CPR identified three defense research targets, two in Russia and one in Belarus. The Russian victims are owned by a holding company of the Russian state defense conglomerate Rostec Corporation, which is Russia's largest holding company in the radio-electronics industry. The main activity of the Russian victims is the development and manufacture of electronic warfare systems, military specialized on-board radio-electronic equipment, airborne radar stations and means of state identification. The research entities are also engaged in avionics systems for civil aviation and the development of a variety of civil products, such as medical equipment and control systems for the energy, transport and engineering industries.
Attack methodology
First, the attackers send their targets a specially crafted spear-phishing e-mail. The e-mail contains a document that uses Western sanctions against Russia as bait. When the victim opens the document, it downloads the malicious code from the attacker-controlled server, which silently installs and executes a backdoor on the victim's machine. This backdoor collects data about the infected machine and sends it back to the attacker. Based on this information, the attacker can then use the backdoor to execute additional commands on the victim's machine or to collect sensitive data from it.
Malicious emails
The perpetrators use malicious spear-phishing e-mails that rely on social engineering techniques. On March 23, malicious e-mails were sent to several defense research institutes based in Russia. The e-mails, with the subject "List of persons under US sanctions for the invasion of Ukraine", contained a link to an attacker-controlled website that imitates the Russian Ministry of Health, and carried a malicious document as an attachment. On the same day, a similar e-mail was also sent to an unknown entity in Minsk, Belarus, with the subject "US spread of deadly pathogens in Belarus". All the attached documents are made to look like official documents of the Russian Ministry of Health, bearing the ministry's official emblem and title.
Attribution
The tactics, techniques and procedures (TTPs) of this operation allow CPR to attribute the activity to a Chinese APT. The Twisted Panda campaign has multiple overlaps with advanced, long-standing Chinese cyber espionage operators, including APT10 and Mustang Panda.
Itay Cohen, Head of Research at Check Point Software, said:
"We have uncovered an ongoing espionage operation against Russian defense intelligence institutes, which is being carried out by experienced and sophisticated Chinese-backed threat operators. Our research shows that this is part of a larger operation that has been going on against entities affiliated with Russia for about a year now."
"We have discovered two targeted defense research institutes in Russia and one entity in Belarus. Perhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the tricks used are smart. From a technical point of view, the quality of the tools and their concealment is above average, even for APT teams. I believe that our findings serve as further evidence that espionage is a systematic and long-term effort to serve China's strategic goals of achieving technological superiority. In this investigation, we have seen Chinese state-funded aggressors take advantage of the ongoing war between Russia and Ukraine, launching advanced tools against what is considered a strategic partner - Russia."