Both the kinetic war and the cyberwar in Ukraine have dominated the traditional media and the InfoSec media alike. Unfortunately, hackers, whether financially motivated or state-sponsored, have not stopped on account of the war, and for many it is business as usual, just as it is for the rest of us not involved in the war. In the realm of cyber espionage this rings doubly true, even for nations that claim to be allies or to share a special relationship, as China and Russia purport to.
Over the last few months, several reports have emerged of Chinese state-sponsored hackers targeting Russian interests and Russian organizations.
The first of these incidents to be discussed in this article involves Bronze President, which Malpedia describes as a possible Chinese state-backed threat actor known for targeting networks belonging to non-governmental organizations (NGOs).
Bronze President also uses a collection of original malware and third-party applications to complete its objectives. That being said, given the rapidly changing geopolitical landscape, Bronze President's modus operandi may be changing as well.
As reported in an article by security firm Secureworks, security researchers detected what appears to be an attempt by China to deploy advanced malware to computer systems of Russian officials. Researchers further stated,
“In March 2022, CTU [Counter Threat Unit] researchers analyzed a malicious executable file masquerading as a Russian-language document. The filename is Благовещенск - Благовещенский пограничный отряд.exe ("Blagoveshchensk - Blagoveshchensk Border Detachment.exe"), but the default settings on Windows systems do not display the .exe file extension. The file uses a portable document file (PDF) icon for credibility. Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”
The executable file mentioned above is heavily obfuscated and, when executed, downloads several other malicious files from a staging server. While the document that contains the executable is written in English and appears to be legitimate, researchers could not determine its source.
That being said, the other files downloaded from the staging server are what indicate that Bronze President is the likely face behind the mask. Three of the downloaded files are used to perform DLL search order hijacking, which in turn is used to download a PlugX variant.
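The lure described above relies on two things a file scanner can check for: a document-style name whose .exe suffix Windows hides by default, and executable content sitting behind a document extension. The following triage script is an added example, not code from the Secureworks report; the sample names and stub "MZ" headers are constructed here (only the first filename is the one quoted above), and the document-style-name rule is a heuristic of my own.

```python
import os

# Magic bytes and extension sets used by the heuristics below (constructed for this example).
PE_MAGIC = b"MZ"
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}

def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on (the Windows default)."""
    base, ext = os.path.splitext(name)
    return base if ext.lower() in EXEC_EXTS | DOC_EXTS else name

def assess(name: str, head: bytes) -> list[str]:
    """Return the reasons a file looks like a document-masquerading executable (empty list if none)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if head.startswith(PE_MAGIC) and ext in DOC_EXTS:
        findings.append("PE content behind a document extension")
    if ext in EXEC_EXTS:
        shown = displayed_name(name)
        if os.path.splitext(shown)[1].lower() in DOC_EXTS:
            findings.append("double extension: shows as a document, runs as an executable")
        # Heuristic: real executables are rarely named like a document title (spaces plus non-ASCII words).
        if " " in shown and any(not c.isascii() for c in shown):
            findings.append("document-style name whose executable suffix is hidden by default")
    return findings

def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run assess() over a mapping of filename -> leading bytes and keep only the flagged files."""
    return {n: f for n, f in ((n, assess(n, h)) for n, h in samples.items()) if f}

# Constructed samples: stub PE headers, not real files. Only the first name comes from the report.
SAMPLES = {
    "Благовещенск - Благовещенский пограничный отряд.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "quarterly_report.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.pdf": b"%PDF-1.7\n",
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real share or mail quarantine, feed the first 64 bytes of each file to assess() and alert on any non-empty result; the icon trick the report mentions is not visible from the name and needs a resource-section check instead.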
PlugX is categorized as a Remote Access Trojan (RAT), which effectively gives the attacker control over the infected device. PlugX offers a full management suite, including system management functions that grant access to personal files, applications, and connected devices.
The malware is also capable of data exfiltration and writing or overwriting existing data stored on the device. The malware also has a functioning keylogger and can reboot the infected device as well as log out the current user. In the past, the malware has been seen to target Afghan, American, Russian, Belorussian, Tajikistani, Kazakhstani, and Kyrgyzstani users.
“BRONZE PRESIDENT appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. The threat group has primarily focused on Southeast Asia, gathering political and economic intelligence valuable to the People's Republic of China (PRC). Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the PRC.”
Other Recent Incidents
At the start of May, Google’s Threat Analysis Group (TAG) published an update on state-sponsored activity in and around Eastern Europe. While much of the article dealt with activity by Russian and Belorussian state-sponsored threat actors, the last section dealt with a Chinese one. TAG stated,
“Curious Gorge, a group TAG attributes to China's PLA SSF [China's People's Liberation Army Strategic Support Force], has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.”
The Ministry of Foreign Affairs, the wider Russian defense industry and its contractors, and other Russian interests have all proven to be of interest to Russia’s special ally China. Russia’s space industry is another.
According to Russian security firm Positive Technologies, a previously unknown Chinese hacking group dubbed “Space Pirates” has been targeting organizations in the Russian aerospace industry with phishing emails that install novel malware on their systems.
Researchers for Positive Technologies discovered Space Pirates’ hand in attacks against government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, and Mongolia. It appears that attacks on Russian interests began in 2019.
In two incidents against organizations with links to the Kremlin, the hackers successfully compromised the targets' networks. In the first case, the attackers maintained their access to 20 servers for ten months, stealing over 1,500 documents, employee details, and other sensitive data.
In the second, the Chinese hackers stayed in the network of the compromised company for over a year, siphoning confidential information and installing their malware to 12 corporate network nodes in three distinct regions.
It would be naive to think that even allies will not keep tabs on one another. Cyber espionage has proven time and again to be an effective method of doing this without the high risks associated with other espionage tactics.
However, the theft of intellectual property critical to a state's interests may place undue pressure on “special” relationships if it is found to be true.