With Friends Like These: China Spies on Russian IT Orgs

Summary

Researchers at Positive Technologies uncovered a multi-year espionage campaign by APT31 (aka Judgment Panda) that targeted Russia’s IT sector and IT contractors for government agencies. The group used targeted phishing, DLL sideloading and a mix of commercial and bespoke malware to steal credentials and exfiltrate data. Notably, APT31 abused everyday cloud services as covert command-and-control (C2) channels — including OneDrive, Dropbox, Yandex Cloud and even VirusTotal comment features — to stay under the radar.

The activity dates back to late 2022, with the bulk of operations observed in 2024–2025. Tools highlighted include OneDriveDoor, CloudSorcerer, YaLeak and VtChatter, plus utilities that harvest browser credentials, local files and Windows Sticky Notes. The targeting appears to include government contractors and integrators, blurring the line between commercial theft and state espionage.

Key Points

  • APT31 targeted Russia’s IT organisations and contractors from 2022 through 2025, with most of the observed activity in 2024–25.
  • Attack vector: targeted phishing with archive attachments containing decoys and DLL-sideloaded malware.
  • Abuse of legitimate cloud services (OneDrive, Dropbox, Yandex Cloud, VirusTotal) for C2 and exfiltration made detection difficult.
  • Malware suite included credential stealers (browsers, local files, Sticky Notes) and OS-specific backdoors for Windows and Linux.
  • Campaign suggests dual commercial and government intelligence aims — targeting contractors gives access to hardened government networks.
  • Defence is hard: cloud C2 abuse exploits the legitimate design of these services, so providers can do little to block it short of heavy-handed measures (geo-blocking, shutdowns).

Context and relevance

This investigation shows that nation-state espionage increasingly leverages mainstream cloud platforms to hide activity, complicating detection for defenders who rely on usual network indicators. The campaign also underlines the supply-chain and contractor risk: compromising integrators gives attackers pathways into government and critical-technology projects. For security teams, threat hunters and cloud architects, the story emphasises the need for stronger cloud telemetry, tighter controls on third-party integrations and targeted monitoring for unusual legitimate-service usage.
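One concrete form of the "targeted monitoring for unusual legitimate-service usage" mentioned above is to run endpoint network telemetry through two simple heuristics: which process is talking to a cloud service, and whether it does so on a suspiciously regular schedule. The script below is an added example, not code from the original article or from Positive Technologies; the log format, the domain-to-service map, the allowlist of expected client processes, and the sample events (including the process name `doc_viewer.exe`) are all constructed assumptions to tune for your own environment. It goes slightly beyond the text by adding the beaconing check alongside the unexpected-client check.

```python
"""Flag unusual use of legitimate cloud services in endpoint network telemetry.

Added example (not from the original article). Assumed log format per line:
ISO-8601 timestamp, hostname, process image name, destination domain.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed mapping of API/storage domains to the services named in the article.
SERVICE_DOMAINS = {
    "api.onedrive.com": "OneDrive",
    "graph.microsoft.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "YandexCloud",
    "www.virustotal.com": "VirusTotal",
}

# Assumed allowlist: processes that are expected to talk to each service.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
EXPECTED_CLIENTS = {
    "OneDrive": {"onedrive.exe"} | BROWSERS,
    "Dropbox": {"dropbox.exe"} | BROWSERS,
    "YandexCloud": {"yandexdisk2.exe"} | BROWSERS,
    "VirusTotal": set(BROWSERS),
}

# Constructed sample telemetry (not real data). doc_viewer.exe is a made-up
# process that polls VirusTotal every five minutes.
SAMPLE_LOG = """\
2025-03-04T09:00:00 WS-17 OneDrive.exe api.onedrive.com
2025-03-04T09:00:05 WS-17 OneDrive.exe api.onedrive.com
2025-03-04T09:00:00 WS-42 doc_viewer.exe www.virustotal.com
2025-03-04T09:05:00 WS-42 doc_viewer.exe www.virustotal.com
2025-03-04T09:10:00 WS-42 doc_viewer.exe www.virustotal.com
2025-03-04T09:15:00 WS-42 doc_viewer.exe www.virustotal.com
2025-03-04T09:02:13 WS-42 chrome.exe www.virustotal.com
2025-03-04T10:00:00 WS-08 Dropbox.exe content.dropboxapi.com
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, host, process, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, proc.lower(), domain.lower()))
    return events


def find_unexpected_clients(events):
    """Return sorted (host, process, service) triples where the process is not
    one of the clients expected to contact that service."""
    hits = set()
    for _, host, proc, domain in events:
        service = SERVICE_DOMAINS.get(domain)
        if service and proc not in EXPECTED_CLIENTS[service]:
            hits.add((host, proc, service))
    return sorted(hits)


def find_beaconing(events, min_events=4, max_jitter=0.2):
    """Return sorted ((host, process, service), interval_seconds) pairs whose
    contacts to a cloud service are evenly spaced: relative jitter of the gaps
    (population stdev / mean) is at or below max_jitter."""
    series = defaultdict(list)
    for ts, host, proc, domain in events:
        service = SERVICE_DOMAINS.get(domain)
        if service:
            series[(host, proc, service)].append(ts)
    flagged = []
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few contacts to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((key, round(avg)))
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Unexpected clients:", find_unexpected_clients(evs))
    print("Beaconing:", find_beaconing(evs))
```

The two checks are deliberately independent: a sideloaded implant running inside a signed host binary will fail the allowlist check, while a browser-based or renamed client that still polls on a fixed timer will surface in the beaconing check even if the process name looks benign.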

Author style

Punchy: the reporting cuts straight to the dangerous novelty here — APT31 weaponised the everyday cloud to spy on an ally, turning trusted services into stealthy spy pipes. If you care about supply-chain or cloud security, read the details — they point to where you should harden first.

Why should I read this?

Short version: spies used your everyday cloud apps as secret walkie-talkies. If you run or secure IT organisations, contractors or government integrations, this article saves you reading time by flagging where to focus — phishing, DLL sideloading, cloud C2 patterns and contractor protections. It’s practical heads-up stuff, not just geopolitics.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/china-spies-russian-it-orgs