A cyber espionage campaign targeting government organizations in Russia has been uncovered by researchers at Kaspersky. The threat actor, believed to have a China-nexus connection, is utilizing popular cloud services like Dropbox, GitHub, Quora, and Yandex as command-and-control (C2) servers in their malicious activities.
Known as “EastWind,” the campaign was first identified by Kaspersky during an investigation into devices infected via phishing emails carrying malicious shortcut attachments. Upon analysis, Kaspersky discovered that the malware involved in the campaign was communicating with a C2 server on Dropbox. Further investigation revealed that the attackers were using the initial payload to download additional malware associated with two different China-sponsored groups, APT31 and APT27, onto the infected systems. Additionally, the threat actor used the C2 servers to download a modified version of “CloudSorcerer,” a sophisticated cyber espionage tool previously observed by Kaspersky in attacks targeting Russian government entities.
The collaboration and sharing of malware tools and knowledge among APT groups was highlighted by Kaspersky as a notable aspect of the EastWind campaign. The use of tools from different threat actors in the campaign underscores the intricate network of cyber threats and the variety of techniques employed by malicious actors.
APT31, identified as an advanced persistent threat group working on behalf of China’s Ministry of State Security in Wuhan, was indicted by the US Department of Justice earlier this year for its involvement in cyber-espionage campaigns spanning more than a decade. Mandiant, a security vendor tracking APT31, described the group’s mission as gathering information from rival nations that could benefit China economically, militarily, and politically. Government and financial organizations, aerospace companies, and entities in the defense, telecommunications, and high-tech sectors have been frequent targets of APT31.
APT27, also known as Emissary Panda, is another China-linked threat group, one focused on stealing intellectual property from organizations in sectors deemed strategically important by China. Like APT31, APT27 relies heavily on malware delivered via phishing emails for initial access.
While Kaspersky did not directly attribute APT31 or APT27 to the EastWind campaign targeting Russian government entities, the presence of malware associated with these groups in the attacks was noted by the researchers.
The specific malware used in the EastWind campaign was identified by Kaspersky as “GrewApacha,” a Trojan utilized by APT31 since at least 2021. The threat actor engaged in the campaign employed GrewApacha to gather information about infected systems and install additional malicious payloads. Furthermore, the adversary used CloudSorcerer to download PlugY, an implant with code that overlaps with APT27.
Communication between the implant and the Dropbox-hosted C2 servers was observed by Kaspersky over the TCP and UDP protocols, as well as through named pipes, a Windows mechanism for inter-process communication. The implant was found to have a wide range of commands at its disposal, from manipulating files and executing shell commands to logging keystrokes and monitoring the screen or clipboard.
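One defensive check that the campaign's reliance on legitimate cloud services suggests, written here as an added example rather than anything from the Kaspersky report: since the Dropbox, GitHub, Quora and Yandex domains cannot simply be blocked, flag connections to them that originate from a process other than the clients expected to use them. The log line format, the hostnames and the sample lines are assumptions constructed for illustration.

```python
"""Added example (not from the Kaspersky report): flag processes that reach the
cloud services EastWind abused as C2 but are not the clients expected to do so."""
import re

# Services the report names as C2 hosts. Hostnames are assumptions chosen for
# the example, not a complete list of each service's real endpoints.
SUSPECT_DOMAINS = {
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "github": ("github.com",),
    "quora": ("quora.com",),
    "yandex": ("yandex.ru", "yandex.com"),
}

# Process images that legitimately reach these services in this (assumed) estate;
# the process context, not the destination, is the usable signal here.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "git.exe"}

# Constructed key=value shape for a process network-connection log line.
LOG_RE = re.compile(r'image="(?P<image>[^"]+)"\s+dst="(?P<dst>[^"]+)"')


def service_for(host):
    """Map a destination hostname to one of the abused services, or None."""
    host = host.lower().rstrip(".")
    for name, suffixes in SUSPECT_DOMAINS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None


def flag_cloud_c2(lines):
    """Return (process, destination, service) tuples for connections to an
    abused service made by a process that is not an expected client."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        svc = service_for(m["dst"])
        image = m["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
        if svc and image not in EXPECTED_IMAGES:
            hits.append((image, m["dst"], svc))
    return hits


# Constructed sample lines: two expected clients, two anomalous processes, one unrelated host.
SAMPLE_LOG = [
    r'ts=2024-08-01T09:00:01Z image="C:\Program Files\Dropbox\Client\Dropbox.exe" dst="api.dropboxapi.com"',
    r'ts=2024-08-01T09:00:05Z image="C:\Users\u\AppData\Local\Temp\updater.exe" dst="api.dropboxapi.com"',
    r'ts=2024-08-01T09:01:12Z image="C:\Program Files\Google\Chrome\Application\chrome.exe" dst="www.quora.com"',
    r'ts=2024-08-01T09:02:40Z image="C:\Windows\System32\rundll32.exe" dst="api.github.com"',
    r'ts=2024-08-01T09:03:00Z image="C:\Windows\explorer.exe" dst="update.example.net"',
]

print(flag_cloud_c2(SAMPLE_LOG))
```

The expected-client set is the part that has to be tuned per environment; a noisy allowlist hides exactly the unfamiliar process this heuristic exists to surface.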
The EastWind campaign serves as a stark reminder of the evolving and collaborative nature of cyber threats, with threat actors leveraging advanced techniques and tools to target government entities and other high-value organizations. As cybersecurity continues to be a pressing issue, organizations must remain vigilant and proactive in their defenses against such sophisticated attacks.

