China’s cybercriminals are targeting Russian defence research institutes, according to a report released by cybersecurity firm CheckPoint Research (CPR) on Friday.

The report attributed the cyberespionage operation to Chinese nation-state actors and said it uses spear-phishing emails sent under the guise of the Russian Ministry of Health to collect sensitive information.

Emails caught by CPR contained malicious documents that used the Western sanctions against Russia as a decoy. The operation also relies on social engineering techniques, specifically sanction-related baits.

According to the report, the threat actors were able to evade detection for nearly 11 months by using new and undocumented tools — a sophisticated multi-layered loader and a backdoor dubbed SPINNER.

CPR has named this campaign “Twisted Panda” to reflect the sophistication of the tools observed.

CheckPoint said it identified three defence research targets, two in Russia and one in Belarus. The Russian victims belong to Rostec Corporation, which is Russia’s largest holding company in the radio-electronics industry.

Their primary business is in the development and manufacturing of electronic warfare systems, military-specialised onboard radio-electronic equipment, air-based radar stations, and means of state identification.

The research entities are also involved in avionics systems for civil aviation, the development of a variety of civil products such as medical equipment and control systems for energy, transportation, and engineering industries.

“We exposed an ongoing espionage operation against Russian defence research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors. Our investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year. We discovered two targeted defence research institutions in Russia and one entity in Belarus,” said Itay Cohen, Head of Research at Check Point Software.

READ
Flagstar Bank Data Breach Exposes 1.5 Million Customers' Info

On March 23, malicious emails were sent to several defence research institutes based in Russia. The emails, which had the subject “List of (target institute name) persons under US sanctions for invading Ukraine”, contained a link to an attacker-controlled site mimicking the Health Ministry of Russia and had a malicious document attached.

On the same day, a similar email was also sent to an unknown entity in Minsk, Belarus, with the subject “US Spread of Deadly Pathogens in Belarus”. All the attached documents are crafted to look like official documents from the Russian Ministry of Health, bearing its official emblem and title.

The tactics, techniques, and procedures (TTPs) of this operation allows CPR to make an attribution to Chinese APT activity. The Twisted Panda campaign bears multiple overlaps with Chinese advanced and long-standing cyberespionage actors, including APT10 and Mustang Panda.

Cohen noted that the social engineering component is perhaps the most sophisticated part of the campaign.

“The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups,” he said.

“I believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China’s strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against who is considered a strategic partner – Russia,” Cohen added.