China turns cyber-espionage eyes to Russia as Ukraine invasion grinds on

China appears to be entering a raging cyber-espionage battle that's grown in line with Russia's unprovoked attack on Ukraine, deploying advanced malware on the computer systems of Russian officials.

Bronze President, a China-linked threat group that typically targeted government entities and non-governmental organizations (NGOs) in Southeast Asia to collect information for the Chinese government, is shifting its focus, Secureworks' Counter Threat Unit wrote in today's report.

"Changes to the political landscape can impact the collection requirements" of state-sponsored threat groups, the researchers wrote. "The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations. This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

In the case of Bronze President – an advanced persistent threat (APT) group also known as Mustang Panda, RedDelta, and TA416 – "targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the PRC [People's Republic of China]."

China has tried to play a neutral role since Russia began its invasion of Ukraine on February 24, with government officials saying they want to see a peaceful resolution. That said, China has not condemned the attack and has spoken out against the mounting sanctions from the United States and Western allies on Russia and its oligarchs.

The Middle Kingdom has long been a key Russian trading partner while also a rival for authority in that region. Now China is turning some of its extensive cyber capabilities on its neighbor.

CTU threat hunters in March analyzed a malicious executable file that appeared to be a Russian-language document with a file name of "Blagoveshchensk Border Detachment.exe" written in Russian. According to the researchers, Blagoveshchensk is a Russian city near the border with China that houses the 56th Blagoveshchenskiy Red Banner Border Guard Detachment.

"This connection suggests that the filename was chosen to target officials or military personnel familiar with the region," they wrote.

Default settings on Windows systems didn't display the .exe extension of the decoy file, which instead uses a PDF icon to appear credible. The document is written in English and appears to be legitimate, outlining the pressures on Lithuania, Latvia, and Poland – which border Russian ally Belarus – created by mass migration of Ukrainians fleeing the war and seeking asylum.

The document also addresses sanctions the European Union placed on Belarus in early March for its role in supporting Russia's aggression. The Secureworks researchers said they were unsure why a file that carries a Russian name comes with a document written in English.

• Chinese drone-maker DJI suspends ops in Russia, Ukraine
• Study: How Amazon uses Echo smart speaker conversations to target ads
• Who is exploiting VMware right now? Probably Iran's Rocket Kitten, to name one
• Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft

If clicked on, the executable file, which is heavily obfuscated to evade detection, downloads three other files from a staging server that are typical of Bronze President, particularly the use of DLL search order hijacking to execute what are likely PlugX malware payloads.

A DLL search order hijack is an attack that exploits how Windows manages DLLs to enable a hacker to load malicious code into a legitimate computing process. PlugX is a remote access trojan (RAT) designed to give bad actors access to and control over a compromised device. Once installed, the RAT malware can steal sensitive system information, upload and download files, and run a remote command shell, giving the attacker control of the system.

There are features in the attacks on Russia that are similar to others launched over the past few years that were attributed to Bronze President. The domain used by the staging server was used in campaigns that targeted European diplomatic entities, including attacks in 2020 on the Vatican, that CTU analysts linked to Bronze President. Those attacks also used customized decoy documents and downloaded PlugX files loaded by DLL search order hijack.

In addition, Bronze President used a similar IP range during a 2020 campaign aimed at Hong Kong, Myanmar, and Vietnam.

The attacks on Russian officials aren't the first time Bronze President looked to take advantage of the Ukraine invasion. Cybersecurity firm ESET in late March reported a months-long campaign that used a variant of the Korplug malware and targeted European diplomats, internet service providers, and research institutions.

That campaign used phishing lures that referred to not only Russia's attack but also COVID-19 travel restrictions. The use by the threat group – which ESET referred to as Mustang Panda – of a real European Council document showed that it "is following current affairs and is able to successfully and swiftly react to them," the cybersecurity vendor wrote.

Entities targeted were from eight countries, including Russia. Others were Cyprus, South Africa, South Sudan, and Mongolia. ®