China-linked cyber-spies infect Russian govt, IT sector with malware

A group of cyber-spies suspected of having connections to China has been accused of compromising dozens of computers belonging to Russian government agencies and IT providers since late July, according to Kaspersky.

The attackers, tracked as APT27 and APT31, gained initial access to their victims’ devices via phishing emails. They then used cloud services and websites like GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk to direct their remote-control malware to download additional payloads onto compromised computers.

Once a machine is infected, the backdoors fetch instructions from their operators, execute commands, conduct reconnaissance, and download additional malware. The malware includes a trojan named GrewApacha, which has been linked to APT31 in previous campaigns.
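The two paragraphs above describe a relay technique that is worth hunting for: ordinary cloud and web services (GitHub, Dropbox, Quora, LiveJournal, Yandex.Disk) carrying command-and-control traffic and follow-on payloads. The script below is an added example, not code from Kaspersky or The Register. It parses constructed proxy/EDR-style log lines, ignores processes on a baseline allow-list that legitimately reach those services, and reports every other host/process pair that contacted one of them, listing how many distinct services each touched. The log line layout, the baseline process list, the domain suffixes and all sample process names are assumptions for illustration and need tuning to a real environment.

```python
"""Hunt for non-baseline processes reaching the cloud services named in the
EastWind summary. Everything below the imports is an assumption for this
example: the log layout (timestamp host process destination bytes_out),
the baseline, and the sample log lines are all constructed."""
import re
from collections import defaultdict

# Registrable domains behind the services named in the report. Suffix matching
# is deliberately coarse (yandex.ru also covers non-Disk Yandex traffic); tune it.
WATCHED_SUFFIXES = (
    "github.com", "githubusercontent.com",
    "dropbox.com", "dropboxusercontent.com", "dropboxapi.com",
    "quora.com", "livejournal.com", "yandex.ru",
)

# Processes expected to talk to those services in this (assumed) environment.
# Replace with what is actually normal on your fleet.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "dropbox.exe", "git.exe", "yandexdisk2.exe",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)$"
)


def watched_service(hostname):
    """Return the watched base domain that hostname belongs to, else None."""
    h = hostname.lower().rstrip(".")
    for suffix in WATCHED_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return suffix
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def hunt(lines, expected=EXPECTED_PROCESSES):
    """Return sorted findings as (host, process, [watched services reached]).

    A record is reported when a process outside the baseline reaches any
    watched service; grouping per host/process makes an implant that uses
    several services (as described in the report) stand out."""
    reached = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = watched_service(rec["dst"])
        proc = rec["proc"].lower()
        if service is None or proc in expected:
            continue
        reached[(rec["host"], proc)].add(service)
    return sorted((host, proc, sorted(svcs)) for (host, proc), svcs in reached.items())


# Constructed sample log; process and host names are placeholders, not IoCs.
SAMPLE_LOG = """\
2024-08-01T09:58:12Z ws-17 chrome.exe api.github.com 2210
2024-08-01T09:59:40Z ws-17 dropbox.exe d.dropbox.com 5120
2024-08-01T10:01:03Z ws-17 svchost_update.exe raw.githubusercontent.com 812
2024-08-01T10:01:09Z ws-17 svchost_update.exe dl.dropboxusercontent.com 65536
2024-08-01T10:03:55Z ws-22 winword.exe www.quora.com 1440
2024-08-01T10:05:10Z ws-22 msedge.exe www.livejournal.com 3300
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for host, proc, services in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host}: {proc} reached {len(services)} watched service(s): {', '.join(services)}")
```

Running it on the sample reports the unlisted updater process on ws-17 touching two services and the Office process on ws-22 touching one; the browser and sync-client lines are suppressed by the baseline. In practice the baseline should be built from observed history rather than guessed, and a process that reaches more than one of these services in a short window deserves the earlier look.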

In addition to GrewApacha, the attackers also downloaded the CloudSorcerer backdoor, which was previously spotted in a May attack against a US-based organization. Kaspersky discovered that the criminals were using this backdoor to download a previously unknown implant called PlugY, which can perform various tasks such as manipulating files, executing shell commands, and logging keystrokes.

The EastWind campaign has been linked to two China-nexus groups tracked as APT27 and APT31, with similarities to samples used by both APT27 and APT29. This suggests that nation-state-backed crews often team up, actively sharing knowledge and tools.

Source: https://www.theregister.com/2024/08/15/suspected_chinese_attackers_hacked_russia/