Chinese cyberspies snoop on Russian IT biz in rare east-on-east attack

Summary

Broadcom-owned Symantec’s Threat Hunter Team has identified a Chinese APT group known as “Jewelbug” (also tracked as REF7707 / CL-STA-0049 / Earth Alux) compromising a Russian IT service provider in a rare case of Chinese actors targeting Russian infrastructure. The intrusion lasted from early 2025 through May, giving attackers months of undetected access to build servers, code repositories and other critical infrastructure.

The intruders used a renamed Microsoft cdb.exe (appearing as “7zup.exe”) — a tactic previously linked to Jewelbug — and deployed credential dumps, scheduled-task persistence, and event-log clearing. Data exfiltration was routed through Yandex Cloud, a channel likely to blend in inside Russian networks. Symantec warns the compromise had the hallmarks of a potential supply-chain attack, which could have exposed many of the provider’s customers.

Researchers also observed a new cloud-native backdoor using Microsoft Graph APIs and OneDrive as command-and-control in parallel campaigns, indicating Jewelbug’s push toward stealthier, cloud-based C2 techniques.

Key Points

  • Symantec attributed the intrusion to Jewelbug (REF7707 / CL-STA-0049 / Earth Alux).
  • Compromise spanned early 2025 to May, allowing prolonged access to build servers and code repositories.
  • Attack methods included a renamed cdb.exe (“7zup.exe”), credential dumping, scheduled-task persistence and event log clearing.
  • Exfiltration leveraged Yandex Cloud to avoid detection inside Russian networks.
  • Researchers warn the operation had clear potential to become a software supply-chain attack affecting many downstream customers.
  • Jewelbug is also using cloud-native C2 (Microsoft Graph + OneDrive) in other campaigns, signalling increased sophistication and stealth.
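The renamed cdb.exe (running as "7zup.exe") described above is a masquerading pattern that process-creation telemetry can catch: the file name on disk no longer matches the OriginalFileName recorded in the binary's PE version resource. The following is an added detection example, not code from Symantec or The Register; it assumes Sysmon-style Event ID 1 records with Image and OriginalFileName fields, and the sample events, the watch list beyond cdb.exe and the field names are constructed for illustration.

```python
"""Flag a renamed Windows debugger (e.g. cdb.exe shipped as 7zup.exe) in process-creation logs.

Added example, not from the report this page summarises. Assumes Sysmon-style
Event ID 1 fields (Image, OriginalFileName); records here are constructed inline.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Original file names that should never run under a different on-disk name.
# cdb.exe is the one Symantec observed renamed; the other two are assumed
# additions showing the check extends to the rest of the debugger family.
WATCHED_ORIGINAL_NAMES = {"cdb.exe", "ntsd.exe", "kd.exe"}


@dataclass
class ProcessEvent:
    image: str               # full path of the executable as launched
    original_file_name: str  # OriginalFileName from the PE version resource
    user: str                # account that launched it, for triage context


def is_renamed_debugger(ev: ProcessEvent) -> bool:
    """True when a watched debugger runs under a file name that differs from its PE metadata."""
    on_disk = PureWindowsPath(ev.image).name.lower()
    original = ev.original_file_name.lower()
    return original in WATCHED_ORIGINAL_NAMES and on_disk != original


def find_masquerading(events):
    """Return the events worth triaging: watched debuggers running under another name."""
    return [ev for ev in events if is_renamed_debugger(ev)]


# Constructed sample telemetry: a legitimate cdb.exe run, a renamed copy, an unrelated 7-Zip run.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe", "CDB.Exe", "CORP\\dev01"),
    ProcessEvent(r"C:\Users\Public\7zup.exe", "CDB.Exe", "CORP\\svc_build"),
    ProcessEvent(r"C:\Program Files\7-Zip\7z.exe", "7z.exe", "CORP\\dev01"),
]

if __name__ == "__main__":
    for ev in find_masquerading(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} run by {ev.user} is really {ev.original_file_name}")
```

OriginalFileName is read from the binary's own version resource, which an attacker can edit, so pair this check with file-hash or signer-based matching of the debugger rather than relying on the name mismatch alone.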

Context and Relevance

This incident breaks the informal taboo of Chinese and Russian state-linked actors avoiding each other’s networks. It dovetails with previous reporting (including a New York Times investigation) suggesting China has targeted Russian state and corporate systems since 2022 for military and technical intelligence. For defenders, especially suppliers to Russian organisations or firms with links to Russian infrastructure, this highlights heightened supply-chain risk and the need to scrutinise trusted partners and build environments.

On a broader level, the move to cloud-native C2 channels (Graph/OneDrive) is part of an industry-wide trend: attackers are increasingly abusing legitimate cloud services to blend malicious activity with normal traffic, making detection harder.

Why should I read this?

Quick and blunt: if you care about supply-chain risk, trusted partnerships or nation-state threat trends, this is proper alarm-bell material. It shows Chinese operators are now willing to probe Russian infra and use living-off-the-land and cloud services to hide in plain sight — so if you manage builds, repositories or third-party suppliers, you should pay attention and act.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/16/chinese_russian_cyber_espionage/