Check Point Research (CPR) detects an ongoing, cyber espionage operation targeting Russian defense research institutes. Attributed to Chinese nation-state actors, the operation uses spear-phishing emails sent under the guise of the Russian Ministry of Health to collect sensitive information. Emails caught by CPR contained malicious documents that used the Western sanctions against Russia as a decoy, among other social engineering techniques. The threat actors were able to evade detection for nearly 11 months by using new and undocumented tools that CPR now details for the first time. CPR has named the campaign “Twisted Panda” to reflect the sophistication of the tools observed and traced to China.
- Russian victims belong to a holding company within the Russian state-owned defense conglomerate called Rostec Corporation, Russia’s largest holding company in the radio-electronics industry.
- Emails contained subject lines “List of <target institute name> persons under US sanctions for invading Ukraine” and “US Spread of Deadly Pathogens in Belarus”
- Campaign bears multiple overlaps with Chinese advanced and long-standing cyberespionage actors, including APT10 and Mustang Panda
Check Point Research (CPR) has spotted an ongoing cyber espionage operation targeting Russian defense research institutes. Attributed to Chinese nation-state threat actors, the operation relies on social engineering techniques, specifically sanction-related baits, to collect sensitive information. The threat actors were able to evade detection for nearly 11 months by using new and undocumented tools, a sophisticated multi-layered loader and a backdoor dubbed SPINNER. CPR has named this campaign “Twisted Panda” to reflect the sophistication of the tools observed and the attribution to China.
CPR identified three defense research targets, two in Russia and one in Belarus. The Russian victims belong to a holding company within the Russian state-owned defense conglomerate called Rostec Corporation, which is Russia’s largest holding company in the radio-electronics industry. The primary business of the Russian victims is in the development and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations, and means of state identification. The research entities are also involved in avionics systems for civil aviation, the development of a variety of civil products such as medical equipment and control systems for energy, transportation, and engineering industries.
First, the attackers send their targets a specially crafted phishing email. The email contains a document using the Western sanctions against Russia as a decoy. When the victim opens the document, it downloads the malicious code from the attacker-controlled server, which installs and covertly runs a backdoor on the victim’s machine. This backdoor collects the data about the infected machine and sends it back to the attacker. Then based on this information, the attacker can further use the backdoor to execute additional commands on the victim’s machine or collect sensitive data from it.
The threat actors leverage malicious spear-phishing emails that use social engineering techniques. On March 23, malicious emails were sent to several defense research institutes based in Russia. The emails, which had the subject “List of <target institute name> persons under US sanctions for invading Ukraine”, contained a link to an attacker-controlled site mimicking the Health Ministry of Russia and had a malicious document attached. On the same day, a similar email was also sent to an unknown entity in Minsk, Belarus with the subject “US Spread of Deadly Pathogens in Belarus.” All the attached documents are crafted to look like official documents from the Russian Ministry of Health, bearing its official emblem and title.
The Tactics, Techniques, and Procedures (TTPs) of this operation allows CPR to make an attribution to Chinese APT activity. The Twisted Panda campaign bears multiple overlaps with Chinese advanced and long-standing cyberespionage actors, including APT10 and Mustang Panda.
Itay Cohen, Head of Research at Check Point Software, said, “We exposed an ongoing espionage operation against Russian defense research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors. Our investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year. We discovered two targeted defense research institutions in Russia and one entity in Belarus.
Perhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups. I believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China’s strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against who is considered a strategic partner — Russia.”