China-linked Twisted Panda caught spying on Russian defense R&D

Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

Check Point Research also noted that around the same time that they observed the Twisted Panda attacks, another Chinese advanced persistent threat (APT) group Mustang Panda was observed exploiting the invasion of Ukraine to target Russian organizations.

In fact, Twisted Panda may have connections to Mustang Panda or another Beijing-backed spy ring called Stone Panda, aka APT10, according to the security researchers.

In addition to the timing of the attacks, other tools and techniques used in the new campaign overlap with China-based APT groups, they wrote. Because of this, the researchers attributed the new cyberspying operation “with high confidence to a Chinese threat actor.”

During the the course of the research, the security shop also uncovered a similar loader that contained that looked like an easier variant of the same backdoor. And based on this, the researchers say they expect Twisted Panda has been active since June 2021.

Phishing for defense R&D

The new campaign started on March 23 with

Read more

Explore the site

More from the blog

Latest News