Check Point Research (CPR) has spotted an ongoing cyber espionage operation targeting Russian defence research institutes. Attributed to Chinese nation-state threat actors, the operation relies on social engineering techniques, specifically sanction-related baits, to collect sensitive information. The threat actors were able to evade detection for nearly 11 months by using new and undocumented tools, a sophisticated multi-layered loader and a backdoor dubbed SPINNER. CPR has named this campaign "Twisted Panda" to reflect the sophistication of the tools observed and the attribution to China.
CPR identified three defence research targets, two in Russia and one in Belarus. The Russian victims belong to a holding company within the Russian state-owned defence conglomerate called Rostec Corporation, which is Russia's largest holding company in the radio-electronics industry. The primary business of the Russian victims is in the development and manufacturing of electronic warfare systems, military-specialised onboard radio-electronic equipment, air-based radar stations, and means of state identification. The research entities are also involved in avionics systems for civil aviation, the development of a variety of civil products such as medical equipment, and control systems for the energy, transportation and engineering industries.
First, the attackers send their targets a specially crafted phishing email. The email contains a document using the Western sanctions against Russia as a decoy. When the victim opens the document, it downloads the malicious code from the attacker-controlled server, which installs and covertly runs a backdoor on the victim's machine. This backdoor collects the data about the infected machine and sends it back to the attacker. Then, based on this information, the attacker can further use the backdoor to execute additional commands on the victim's machine or collect sensitive data from it.
The threat actors leverage malicious spear-phishing emails that use social engineering techniques. On March 23, malicious emails were sent to several defence research institutes based in Russia. The emails, which had the subject “List of <target institute name> persons under US sanctions for invading Ukraine”, contained a link to an attacker-controlled site mimicking the Health Ministry of Russia and had a malicious document attached. On the same day, a similar email was also sent to an unknown entity in Minsk, Belarus with the subject “US Spread of Deadly Pathogens in Belarus.” All the attached documents are crafted to look like official documents from the Russian Ministry of Health, bearing its official emblem and title.
The tactics, techniques, and procedures (TTPs) of this operation allows CPR to make an attribution to Chinese APT activity. The Twisted Panda campaign bears multiple overlaps with Chinese advanced and long-standing cyber espionage actors, including APT10 and Mustang Panda.
"We exposed an ongoing espionage operation against Russian defence research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors,” said Itay Cohen, head of research at Check Point Software. “Our investigation shows that this is part of a larger operation that has been ongoing against Russia-related entities for about a year. We discovered two targeted defence research institutes in Russia and one entity in Belarus.”
“Perhaps the most sophisticated part of the campaign is the social engineering component. The timing of the attacks and the lures used are clever. From a technical point of view, the quality of the tools and their obfuscation is above average, even for APT groups. I believe our findings serve as more evidence of espionage being a systematic and long-term effort in the service of China's strategic objectives to achieve technological superiority. In this research, we saw how Chinese state-sponsored attackers are taking advantage of the ongoing war between Russia and Ukraine, unleashing advanced tools against who is considered a strategic partner — Russia."