Latest news with #APT27


Time of India
a day ago
- Politics
- Time of India
China-Russia trust erodes as Beijing's hackers go rogue, launch cyberattacks to steal Ukraine war secrets
China hackers target Russia despite alliance, seeking war secrets and battlefield data

China hackers targeting Russia have raised serious concerns as multiple cyberattacks linked to Chinese state-sponsored groups have reportedly breached Russian military and defense systems since the Ukraine war began. Despite public declarations of friendship between Moscow and Beijing, cyber analysts say the Chinese government has been actively spying on Russian technologies, including nuclear submarines, drone systems, and battlefield tactics. The breaches highlight a growing undercurrent of distrust and strategic intelligence gathering even among so-called allies. Cyber groups tied to Beijing—like APT27 and APT31—are believed to be behind these stealthy operations, using phishing emails and malware to infiltrate sensitive Russian networks.

Why are China hackers targeting Russia amid growing friendship?

Despite a publicly strong relationship between China and Russia, cybersecurity experts say China hackers have been quietly breaching Russian systems since May 2022 — just months after Russia launched its full-scale invasion of Ukraine. These hacking attempts have continued steadily, with Chinese-linked groups digging into Russia's defense and military data.

According to cybersecurity researchers from TeamT5, one group named Sanyo impersonated a Russian engineering firm's email to seek data on nuclear submarines. The intention behind these cyber intrusions appears to be collecting information about Russia's battlefield operations, modern warfare tactics, and Western weapon technologies seen in Ukraine. Che Chang, a TeamT5 researcher, stated, 'China likely seeks to gather intelligence on Russia's military operations, defense progress, and geopolitical strategies.'
This information could help China boost its own military readiness for future conflicts — particularly in regions like Taiwan, which remains a hotbed of geopolitical tension.

What exactly did China's hackers target in Russia?

According to cybersecurity researchers at SentinelLabs and Recorded Future, Chinese Advanced Persistent Threat (APT) groups, including APT27 (Emissary Panda) and APT31 (Zirconium), have been aggressively targeting:
- Russian military contractors
- Government departments involved in defense R&D
- Email servers and document archives linked to Ukraine war planning

The hackers reportedly used spear-phishing campaigns, spoofing Russian Ministry of Health notices to plant malware into classified internal systems. One malware strain, called PlugX, known for remote access and data exfiltration, was flagged in these Russian environments—it had previously been used by China in espionage campaigns across Southeast Asia and the Middle East.

What kind of information are Chinese hackers after in Russia?

The campaign of China hackers targeting Russia has been aimed at extracting sensitive military intelligence, especially battlefield-tested insights. Russian defense firms, including Rostec, were among the major targets. Cyber experts from Palo Alto Networks revealed that Chinese hacking groups have sought data on radar systems, satellite communications, drone warfare, and electronic warfare technology. Another method used by these hackers involved Microsoft Word-based malware files, which exploited software vulnerabilities to breach aviation and defense sectors. One particularly dangerous tool spotted in these attacks was Deed RAT, malware considered 'proprietary' among Chinese state-sponsored groups. According to Russian cybersecurity firm Positive Technologies, this malware has been used to attack Russian aerospace, security, and military sectors.
Though Russian authorities have not officially acknowledged these attacks, a leaked classified document from Russia's FSB — the domestic security agency — described China as an 'enemy,' confirming internal concerns about Chinese espionage. While China and Russia continue to cooperate publicly, including military drills and joint diplomatic efforts, cyber experts say Beijing has long pursued a "friend-but-watcher" strategy. This means China often spies on both allies and adversaries to:
- Gauge battlefield conditions in Ukraine
- Evaluate Russia's military capabilities and vulnerabilities
- Shape its own geopolitical strategies, including Taiwan preparations

According to Recorded Future, China increased cyber-espionage targeting Russia by 87% since early 2023, focusing particularly on regions near Ukraine and Crimea.

Who are the major Chinese hacking groups involved?

Several well-known Chinese hacking groups have been identified by cybersecurity teams as being behind these operations. Mustang Panda, one of China's most active state-backed cyber espionage groups, expanded its activities after the war in Ukraine began. TeamT5 and Sophos researchers found that Mustang Panda targeted Russian government agencies and military officials — particularly near the China-Russia Siberian border. According to Rafe Pilling from Sophos, the group's operations often follow China's political or economic interests. 'Wherever China invests — whether West Africa, Southeast Asia, or Russia — Mustang Panda follows with targeted hacking,' said Pilling. He and U.S. intelligence sources believe Mustang Panda operates under the Chinese Ministry of State Security. The group even drew attention from American law enforcement. In January, the U.S. Justice Department indicted individuals tied to Mustang Panda for infecting thousands of systems worldwide, including government networks and devices used by Chinese dissidents.
Another Chinese hacking group, Slime19, has been consistently attacking Russia's energy, government, and defense infrastructure, according to TeamT5's Chang.

Has China broken its cybersecurity pact with Russia?

In 2009 and 2015, China and Russia publicly agreed not to hack each other's systems. However, analysts have long viewed those agreements as symbolic, lacking enforcement or trust. The evidence emerging since Russia's invasion of Ukraine proves that those deals hold little practical weight. The FSB document accessed by The New York Times shows that Russian intelligence views China's digital espionage as a serious threat. China, while outwardly cooperative with Russia in forums and bilateral trade, appears unwilling to rely on Moscow for open sharing of battlefield learnings. Instead, cyber intrusions have become the preferred route for collecting war data. 'The war in Ukraine shifted the priorities of both countries,' said Itay Cohen from Palo Alto Networks. 'Even though the public narrative was one of close ties, in reality, espionage increased.'

How is Russia reacting to these cyber intrusions?

Thus far, the Kremlin has not officially condemned China, possibly to avoid diplomatic fallout. However, anonymous Russian cybersecurity sources have told investigative outlet iStories that internal firewalls have been tightened and communications protocols are under review. The Federal Security Service (FSB) reportedly issued an internal memo warning of 'unusual East Asian-origin threats' in mid-2024. Still, no public attribution has been made. This silence may signal Russia's reluctance to publicly challenge China at a time when it faces intense pressure from NATO and the West.

What does this mean for future China-Russia relations?

While China remains one of Russia's most crucial trade partners — especially with the West largely isolating Moscow — the depth of China hackers targeting Russia reveals a fragile foundation beneath this alliance.
The relationship, often described by Presidents Xi and Putin as a 'no-limits' partnership, is evidently full of limits when it comes to trust. China's hunger for military intelligence, especially regarding real-time warfare experience, is pushing it to take bold steps. For China, Russia's war offers a rare, real-world military case study that it can't afford to ignore — especially with tensions rising in the Taiwan Strait. Cyber intrusions are likely to continue, if not grow. As Russian officials stay silent and Chinese hackers grow more sophisticated, the digital battlefield between these two "allies" is already active — and evolving quickly.

FAQs:

Q1: Why are China hackers targeting Russia during the Ukraine war?
To secretly collect Russian military intelligence and battlefield data.

Q2: Who is Mustang Panda in the China hacking campaign?
Mustang Panda is a top Chinese state-backed hacking group targeting Russia.


The National
13-03-2025
- Politics
- The National
Cyber crime: Five hacking groups and syndicates to be aware of
Following an alleged cyber attack on Elon Musk's platform X this week, speculation over the perpetrators has been rife and generated a renewed interest in hacker and cyber threat groups around the world. Mr Musk said the IP addresses that caused X to be offline for almost an entire day originated near Ukraine but has not elaborated on that accusation.

Morey Haber, a chief security adviser at cybersecurity firm BeyondTrust, said while he does not have strong feelings about Mr Musk's Ukraine claims, determining where cyber attacks originate is complicated. 'I would advise caution when blaming the attack on Ukraine, simply based on source IP address,' he said. 'Threat actors typically use bots, virtual private networks and bastion hosts to conduct attacks and obfuscate their identity, so the cyberattack of X/Twitter, if true, should have easily been defendable against an attack based on IP address or geolocation.' Associating a potential cyber attack with an IP address should never be used in a public statement without additional indicators or proof, Mr Haber added.

Though it might be tempting to name and shame hackers and cyber threat actors, Mr Haber told The National that by the time the groups become widely known, they've already caused a lot of damage. 'Crime syndicates perform the most damage when they are unnamed, unknown and can operate from the deep shadows of the internet,' he said. Once they have been found and details around their operations leaked, Mr Haber added, their strength and ability to hack diminishes substantially. 'This doesn't negate their threat, but once indicators of compromise, methods of attack and malware become publicly documented, that should allow organisations to strengthen cybersecurity defences.' Mr Haber pointed out that hacking attracts a wide spectrum, with some perpetrators fuelled by politics and others by financial gain, some state-sponsored and others working alone.
Here's a look at five of the more prominent groups currently on cybersecurity experts' radar that have made headlines around the world.

Silk Typhoon

'I only believe one cybersecurity syndicate poses the biggest threat worldwide,' said Mr Haber. 'Silk Typhoon, also known as APT27, and has been linked to the US Treasury Department breach in late 2024.' According to the US Cybersecurity and Infrastructure Security Agency and the FBI, Silk Typhoon has been linked to the Chinese government. Microsoft has also echoed that notion. 'Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalise exploits for discovered zero-day vulnerabilities in edge devices,' Microsoft's threat intelligence group has said. China has repeatedly denied the accusations.

Anonymous

According to cybersecurity risk-mitigation company Cobalt, Anonymous is perhaps the most well-known hacking group. It first made headlines during the Occupy Wall Street protests in 2011, and Cobalt notes Anonymous has 'targeted PayPal, Visa and MasterCard'. 'Authorities have arrested hackers who claim to be part of Anonymous over the years, but the group's decentralised nature makes tracking down or prosecuting members challenging,' Cobalt wrote on its website. The group has also been known to use distributed denial-of-service (DDoS) attacks that have led to massive website disruptions.

Morpho

Both Norton and Cobalt list Morpho, a group of hackers dedicated to financially motivated cyber attacks, as a worrisome entity. The geographic origins of the group are largely unknown but, according to Norton, Morpho has previously targeted X, Meta, Microsoft and Apple to try to steal confidential information. There are some clues that Morpho has left behind in the cyber mess it causes.
'It's said that they may be of English-speaking origin because the code is entirely composed of English and their encryption keys are named after memes in American pop culture,' Norton said on its website. According to Cobalt, Morpho has also been known to seek intellectual property from health care and technology companies.

Darkside

Cybersecurity firms and technology analysts routinely list Darkside as one of the more prominent hacking groups. It rose to prominence in 2021 when it claimed responsibility for the Colonial Pipeline cyber attack that caused fuel shortages and price increases across the US. Darkside has also been known to run affiliate programmes to help other hacker groups in infiltration attempts. It has been known to use a 'ransomware-as-a-service model', meaning it sells or leases ransomware to others to carry out attacks. According to cybersecurity firm Norton, Darkside likely originates in Eastern Europe. 'This group is known for targeting high-profile corporations worldwide with stolen credentials and manual jacking with testing tools,' Norton said.

Mint Sandstorm

Though it doesn't necessarily have the same history or name recognition as other hacking groups or cyber threat actors, Mint Sandstorm is quickly stoking fears in the technology security world. Microsoft's threat intelligence group said that Mint Sandstorm is an Iran-affiliated group 'known to primarily target dissidents protesting the Iranian government, as well as activist leaders, the defence industrial base, journalists, think tanks, universities, and multiple government agencies and services, including targets in Israel and the US'. It has been widely speculated that Mint Sandstorm was behind the attempted hack and potential breach of communications within Donald Trump's 2024 presidential campaign. 'Also uses credential harvesting to obtain access to official work accounts as well as personal accounts,' said Microsoft.


Voice of America
07-03-2025
- Politics
- Voice of America
Justice Department indicts 12 Chinese nationals accused of hacking
The U.S. Justice Department announced indictments Wednesday against a dozen Chinese nationals accused in a global hacking campaign targeting U.S.-based dissidents, news organizations, government agencies and a large religious organization.

According to court documents, China's Ministry of Public Security and Ministry of State Security used a network of private companies and hackers-for-hire to steal information and help locate dissidents and critics throughout the world. 'Today's announcements reveal that the Chinese Ministry of Public Security has been paying hackers-for-hire to inflict digital harm on Americans who criticize the Chinese Communist Party (CCP),' said Assistant Director Bryan Vorndran of the FBI's Cyber Division in a statement.

The 12 suspects include two officers in China's Ministry of Public Security, eight employees of a company known as i-Soon and two members of a group known as Advanced Persistent Threat 27 (APT27).

A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, told The Associated Press Wednesday that the allegations were a 'smear' and said, 'We hope that relevant parties will adopt a professional and responsible attitude and base their characterization of cyber incidents on sufficient evidence rather than groundless speculation and accusations.'

All of those indicted are at large, and the Justice Department is offering a reward of up to $10 million for information about the MPS officers and i-Soon, the Chinese company that employed most of the hackers. The company is accused of selling stolen information 'to China's intelligence and security services to suppress free speech and democratic processes worldwide, and target groups deemed a threat to the Chinese government,' according to a news release from the FBI.


Politico
05-03-2025
- Politics
- Politico
DOJ announces charges, sanctions against 12 Chinese hackers for Treasury breaches
The Trump administration on Wednesday announced a series of charges and sanctions against a dozen Chinese nationals — including two tied to the Chinese government — for hacking critical U.S. government systems. These steps were taken on a day when two House committees held hearings about ongoing Chinese intrusions into U.S. networks — a major concern in the wake of several massive Chinese-linked breaches into U.S. critical infrastructure, including the recent Salt Typhoon infiltration into U.S. telecommunication networks and a separate hack of the Treasury Department.

As part of the overall measures, the Justice Department brought charges against 12 Chinese nationals for the Treasury breach and other attacks on groups or individuals critical of the Chinese government. These included attacks on an unnamed large religious group in the U.S. that sent missionaries to China, foreign ministries of Asian nations and other unnamed U.S. federal and state agencies.

Those charged included Chinese nationals Yin Kecheng and Zhou Shuai for their involvement in cyberattacks as far back as 2013. Both were identified as members of the APT27 hacking group, a prolific Chinese hacking operation that has targeted dozens of organizations globally, including U.S. defense contractors. The group is also known as Silk Typhoon by Microsoft, which published findings Wednesday about the hacking group shifting its tactics to go after IT tools across U.S. sectors.

Eight members of the Chinese company Anxun Information Technology Co. Ltd., or i-Soon, and two members of the Chinese Ministry of Public Security were charged by the DOJ for email and website hacks between 2016 and 2023. In addition, the Justice Department announced the seizure of internet domains used by i-Soon.
In many cases, the Justice Department alleged that the Chinese government was using a hackers-for-hire system by paying private Chinese companies to hack and steal information in order to obscure government connections to the hacks.

The moves by the Justice Department come more than two months after Treasury Department officials told members of Congress that the agency's networks had been compromised by Chinese hackers obtaining a key used by a third-party vendor to provide the agency with remote technical support. The Treasury Department immediately began investigating and responding to the incident with the help of the Cybersecurity and Infrastructure Security Agency and other federal agencies.

Actions taken by the Trump administration on Wednesday also included the State Department offering a reward of up to $10 million for information leading to the identification and location of the individuals charged, as well as a separate reward of $2 million for information on Shuai and Yin. In addition, the Treasury Department sanctioned Shuai and his group, the Shanghai Heiying Information Technology Company. Yin was previously sanctioned by the Treasury Department in January for his involvement in hacking the agency.

'To those victims who bravely came forward with evidence of intrusions, we thank you for standing tall and defending our democracy,' Bryan Vorndran, assistant director of the FBI's cyber division, said in a statement Wednesday. 'To those who choose to aid the CCP in its unlawful cyber activities, these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.'