Google TAG sees China PLA group go after multiple Russian defence contractors

Parts of the People's Liberation Army are conducting cyber campaigns against the Russian Ministry of Foreign Affairs and compromising multiple Russian defence contractors.
Written by Chris Duckett, Contributor
russia data center

Google's Threat Analysis Group (TAG) has provided an update on cyber activity in Eastern Europe, which follows on from its March missive.

Overall, TAG said threat actors were increasingly using the Russian invasion of Ukraine as a phishing and malware lure, and were targeting critical infrastructure such as oil and gas, telecommunications, and manufacturing.

"Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," TAG said.

"Financially motivated and criminal actors are also using current events as a means for targeting users."

Proving that any target is fair game, TAG detailed the case of the Chinese People's Liberation Army Strategic Support Force-linked Curious Gorge group, which has been hunting targets in Russia, Ukraine, and Central Asia.

"In Russia, long running campaigns against multiple government organisations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers, and a Russian logistics company," it said.

Another Chinese group known as either Bronze President, Mustang Panda, TA416, or RedDelta has recently turned its attention to Russia.

"This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People's Republic of China (PRC)," researchers from Secureworks said.

From the Russian side, TAG said state-backed Fancy Bear group went after targets in Ukraine with malware built using .Net to email cookies and passwords from Chrome, Edge, and Firefox browsers to a compromised account.

Meanwhile, the FSB-aligned Turla group was conducting campaigns against defence and cybersecurity entities from Baltic nations using malicious docx files, and Coldriver continued to use compromised Gmail accounts to target government and defence officials, politicians, NGOs, think tanks, and journalists with malicious files intended to get them onto a phishing domain.

Not to be left out, the Belarusian actor Ghostwriter has resumed phishing to go after Gmail accounts, but has so far come up empty, TAG said. The group also conducted a Facebook phishing campaign mainly targeting Lithuanians.

"Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity," TAG said.

Last week, Microsoft said it had seen six Russian state-sponsored groups launch 237 cyberattacks against Ukraine in the weeks leading up to the invasion.

Related Coverage

Editorial standards