China’s APT31 linked to hacks on Russian tech firms
Summary
Russia’s tech sector was quietly infiltrated for years by a China-linked group tracked as APT31, according to research from Moscow-based Positive Technologies. The campaign — which ran into 2025 — targeted companies involved in government contracting and systems integration, exfiltrating data while remaining largely undetected.
The attackers used a mix of public tools and custom malware, routed commands through legitimate social-media and web-platform profiles to evade detection, and timed intrusions for weekends and holidays. In one case access persisted from late 2022 and resumed over the 2023 New Year period; in another, a December 2024 phishing lure deployed malware and data was exfiltrated via Yandex Cloud.
Positive Technologies links the activity to APT31 (aka Zirconium/Judgement Panda) but does not explicitly name Beijing. The finding echoes earlier reporting from Symantec and Kaspersky that also tied China-linked actors to operations affecting Russian targets. The report notes APT31 has expanded its toolkit with new backdoors while continuing to use older methods.
Key Points
- Positive Technologies reports a multi-year intrusion campaign in Russia’s technology sector attributed to APT31.
- Targets included companies doing government contracting and systems integration; stolen data was exfiltrated to Yandex Cloud.
- Attackers used a combination of publicly available tools and bespoke malware, plus social-media/web-profile routing to blend traffic with legitimate activity.
- Operations were timed for low-staff periods (weekends, public holidays) to reduce detection risk, with persistent access noted since late 2022.
- Positive Technologies — a Moscow firm previously sanctioned by the US in 2021 — did not explicitly attribute the campaign to the Chinese state, though Western governments commonly link APT31 to China.
- Other security firms (Symantec, Kaspersky) have reported similar China-linked intrusions against Russian organisations, suggesting a broader pattern of activity.
Context and Relevance
This report is notable because public accounts of Chinese cyber operations targeting Russian entities are uncommon — the two countries are generally viewed as strategic partners. That makes these findings important for anyone tracking state-aligned cyber espionage and geopolitical cyber behaviour.
Tactically, the operation highlights persistent threats to supply-chain and systems-integration firms, the use of legitimate platform routing to evade detection, and timing intrusions to exploit low staffing periods. Strategically, it underscores the fluidity of state-level cyber activity and raises questions about cross-border espionage even among partners.
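The tactics above (exfiltration to a cloud storage service, timed for weekends and holidays) suggest one cheap defensive check: correlate outbound proxy logs against a low-staffing calendar. The script below is an added example, not code from the report or from Positive Technologies; the log format, the hostname treated as cloud storage, the holiday list and the volume threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed egress-proxy log lines (not taken from the report):
# "<ISO timestamp> <user> <destination host> <bytes sent>"
SAMPLE_LOGS = [
    "2024-12-28T02:14:07 svc-backup storage.yandexcloud.net 734003200",   # Saturday, 02:14
    "2024-12-30T10:05:41 jdoe storage.yandexcloud.net 20480",             # Monday, office hours, small
    "2025-01-01T23:40:12 svc-backup storage.yandexcloud.net 1258291200",  # public holiday
    "2024-12-27T15:22:03 asmith intranet.example.local 5242880",          # Friday, internal host
]

# Assumed cloud-storage destinations to watch; extend with whatever your org allows or blocks
CLOUD_STORAGE_HOSTS = {"storage.yandexcloud.net"}
# Constructed holiday calendar; a real deployment loads the organisation's own
HOLIDAYS = {date(2025, 1, 1), date(2025, 1, 7)}
# Constructed threshold: more than this per user per day outside staffed hours raises an alert
BYTES_THRESHOLD = 100 * 1024 * 1024


def is_low_staff_window(ts: datetime) -> bool:
    """True on weekends, public holidays, or outside 08:00-19:00 local working hours."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or not (8 <= ts.hour < 19)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, host, bytes)."""
    ts_s, user, host, nbytes = line.split()
    return datetime.fromisoformat(ts_s), user, host, int(nbytes)


def flag_off_hours_cloud_egress(lines):
    """Return {(user, day): total_bytes} for off-hours uploads to cloud storage above the threshold."""
    totals = defaultdict(int)
    for line in lines:
        ts, user, host, nbytes = parse_line(line)
        if host in CLOUD_STORAGE_HOSTS and is_low_staff_window(ts):
            totals[(user, ts.date().isoformat())] += nbytes
    return {key: total for key, total in totals.items() if total > BYTES_THRESHOLD}


if __name__ == "__main__":
    for (user, day), total in flag_off_hours_cloud_egress(SAMPLE_LOGS).items():
        print(f"ALERT {day} {user}: {total} bytes to cloud storage outside staffed hours")
```

On the constructed lines this flags the two large weekend/holiday uploads by the service account and ignores the small weekday transfer and the internal destination.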
Why should I read this
Quick and blunt: if you care about cyber security, defence supply chains or state-backed espionage, this is worth five minutes. It’s a neat example of a stealthy, long-running campaign that uses everyday platforms and holiday windows to sneak out data — the sort of stuff defenders need on their radar now. We skimmed the dense bits so you don’t have to.
Source
Source: https://therecord.media/russia-report-apt31-china-linked-hacks
