A China-linked hacking group known as APT31 has infiltrated Russia's technology sector for years and quietly exfiltrated data from companies involved in government contracting and systems integration, according to a new report. The campaign, which ran into this year, was "well-planned" and allowed the intruders to remain undetected, Russian cybersecurity firm Positive Technologies said in research published last week.
Public reports of Chinese cyber operations against Russia are rare, given the countries are widely seen as strategic partners. In October, US-based cybersecurity firm Symantec attributed an espionage attack on an unnamed Russian IT service provider to Jewelbug, another China-linked group.[1]
The report by Moscow-based Positive Technologies comes from a company much closer to the Kremlin. The firm was sanctioned by the United States in 2021 for allegedly providing IT support to Russia's civilian and military intelligence agencies.
Last August, Russian cybersecurity firm Kaspersky said hackers had targeted dozens of computers belonging to Russian state agencies and tech companies with malicious tools tied to Chinese threat actors, including APT31 and APT27.
A range of tools
According to Positive Technologies, the attackers used a mix of publicly available tools and custom malware. The hackers masked their activity by routing commands through profiles on popular social-media and web platforms, which helped them evade detection because the traffic appeared legitimate, the researchers said.
The group also timed key phases of the operation to coincide with weekends and public holidays, including large-scale intrusions during New Year celebrations, when corporate infrastructure remained online, but staffing was minimal.
In one case, researchers said the attackers had maintained access to a Russian IT company’s various systems since late 2022 and resumed activity during the 2023 New Year holidays. Another incident in December 2024 involved a phishing email containing a fake procurement request that deployed malware on victims’ computers. Stolen data was exfiltrated via Yandex Cloud, Russia’s domestic cloud service.
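The three behaviours above (commands relayed through legitimate web platforms, activity timed to weekends and holidays, and bulk exfiltration to a domestic cloud service) are each individually benign-looking, which is why they combine into a useful hunt rather than a blocking rule. The script below is an added example, not code from Positive Technologies or from the report; it runs a simple off-hours hunt over constructed proxy log lines. The log format, the watched domains, the thresholds and the holiday rule (weekends plus 1-8 January, the Russian New Year block) are all assumptions for illustration, not indicators from the report.

```python
"""Hunt for off-hours bulk uploads and beaconing to legitimate web platforms.

Added example: constructed proxy log lines in an assumed format
    <ISO timestamp> <src ip> <dst host> <bytes sent> <method>
are aggregated per (source, destination) pair, but only for requests made in
low-staffing windows, and flagged when they look like exfiltration (large
upload volume) or C2 polling (repeated small requests to a relay platform).
"""
from collections import defaultdict
from datetime import datetime

# Destinations of the two kinds the article describes: a domestic cloud
# storage service used for exfiltration and social-media/web platforms used
# as command relays. These hostnames are assumptions for the example.
WATCHED_DOMAINS = {
    "storage.yandexcloud.net": "cloud-storage",
    "api.vk.com": "social-media",
    "api.telegram.org": "social-media",
}

UPLOAD_METHODS = {"PUT", "POST"}

# Constructed sample log lines (not real traffic). The 10.0.5.17 host uploads
# ~100 MB during the New Year holidays and polls a social-media API on a
# Saturday night; the other hosts are normal weekday or benign traffic.
LOG_LINES = [
    "2024-12-30T14:05:11 10.0.5.17 storage.yandexcloud.net 41200 PUT",
    "2025-01-02T03:12:44 10.0.5.17 storage.yandexcloud.net 52428800 PUT",
    "2025-01-02T03:13:01 10.0.5.17 storage.yandexcloud.net 48300200 PUT",
    "2025-01-04T22:40:09 10.0.5.17 api.vk.com 2200 GET",
    "2025-01-04T22:41:10 10.0.5.17 api.vk.com 2100 GET",
    "2025-01-04T22:42:12 10.0.5.17 api.vk.com 2300 GET",
    "2025-01-15T10:02:30 10.0.7.3 storage.yandexcloud.net 900000 PUT",
    "2025-01-11T11:00:00 10.0.9.9 www.example.com 500 GET",
]


def parse_line(line):
    """Parse one assumed-format log line; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        size = int(parts[3])
    except ValueError:
        return None
    return {"ts": ts, "src": parts[1], "dst": parts[2], "bytes": size, "method": parts[4]}


def is_low_staffing(ts):
    """Weekend, or 1-8 January (assumed holiday block); adapt to the org's calendar."""
    return ts.weekday() >= 5 or (ts.month == 1 and ts.day <= 8)


def hunt(lines, upload_threshold=10 * 1024 * 1024, beacon_min=3):
    """Return findings for watched destinations contacted in low-staffing windows.

    A (src, dst) pair is flagged as 'bulk-upload-off-hours' when its uploaded
    bytes reach upload_threshold, and as 'beacon-off-hours' when it issues at
    least beacon_min requests to a social-media relay.
    """
    stats = defaultdict(lambda: {"upload_bytes": 0, "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in WATCHED_DOMAINS:
            continue
        if not is_low_staffing(rec["ts"]):
            continue
        key = (rec["src"], rec["dst"])
        stats[key]["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            stats[key]["upload_bytes"] += rec["bytes"]

    findings = []
    for (src, dst), s in sorted(stats.items()):
        reasons = []
        if s["upload_bytes"] >= upload_threshold:
            reasons.append("bulk-upload-off-hours")
        if WATCHED_DOMAINS[dst] == "social-media" and s["requests"] >= beacon_min:
            reasons.append("beacon-off-hours")
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons,
                             "upload_bytes": s["upload_bytes"], "requests": s["requests"]})
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f"{f['src']} -> {f['dst']}: {', '.join(f['reasons'])} "
              f"({f['upload_bytes']} bytes up, {f['requests']} requests)")
```

Because a Russian organisation will have plenty of legitimate Yandex Cloud and VK traffic, this is a hunt filter to be tuned against the environment's own baseline (which hosts normally upload to cloud storage, and how much), not a detection to alert on as-is; the holiday calendar and thresholds are the first things to adjust.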
APT31, also known as Zirconium or Judgement Panda, has been repeatedly linked by Western governments to China’s state-sponsored espionage efforts, though Positive Technologies did not reference Beijing in its report.
In July, the UK government accused APT31 of breaching the country’s Electoral Commission and accessing personal data belonging to nearly 40 million people. “APT31 remains active today,” Positive Technologies said, adding that the group continues to evolve. “Alongside older tools, the group has expanded its arsenal this year with a significant number of new backdoors.”
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://therecord.media/russia-report-apt31-china-linked-hacks/