China spied on Russian defence research institutes


Twisted Panda APT used sophisticated malware.

Despite being notional allies, Chinese state-sponsored hackers are believed to have attacked Russian defence research organisations with malware, as part of a long-running espionage campaign.


Researchers at security vendor Check Point Software attributed the campaign with high confidence to a Chinese threat actor, which they have named Twisted Panda.

The researchers' investigation showed that Twisted Panda has been targeting a holding company within the Russian state-owned Rostec Corporation since at least June 2021, with the latest activity observed in April this year.

Check Point said the Rostec defence institutes were subject to spearphishing campaigns whose lures played on the severe sanctions placed on Russia by Western nations.

Malicious emails sent to the defence research organisations carried links to an attacker-controlled site that spoofed the Health Ministry of Russia, and a malicious Word document attachment.

The subject of the emails was "List of [target institution] persons under US sanctions for invading Ukraine".

Another email with a document also purporting to be from the Russian Ministry of Health was sent to an unknown entity in the Belarus capital Minsk.

The new malware found in the documents comprises what Check Point describes as a sophisticated multi-layered loader and a backdoor payload named SPINNER.

The malware uses advanced evasion and anti-analysis techniques to make it harder to detect, and Check Point said it is under continuous development.

Twisted Panda's target specialises in electronic warfare systems, military radio equipment and air-based radar stations.

Copyright © iTnews.com.au . All rights reserved.