SentinelLabs identifies Chinese attacks against Russian organizations

Updated: Jul 14

Following Russia’s invasion of Ukraine, China’s intelligence objectives have been observed in multiple cyber campaigns


Russian President Vladimir Putin meets with his Chinese counterpart Xi Jinping at the Kremlin, June 2019. Photo: REUTERS/Evgenia Novozhenina/Pool
SentinelLabs, the research arm of the Israeli-American cybersecurity company SentinelOne, has identified a new cluster of threat activity targeting Russian organizations and assesses with high confidence that the threat actor is a Chinese state-sponsored espionage group.


In a new blog post, SentinelLabs’ Senior Threat Researcher, Tom Hegel, specifies that, “the attacks use phishing emails to deliver office documents to exploit targets in order to deliver their RAT (remote access trojan) of choice.” The documents are built with Royal Road's malicious document builder.


The threat group’s activity was also noted by the Ukrainian CERT (CERT-UA) in late June. Hegel notes that following Russia’s invasion of Ukraine, China’s intelligence objectives against Russia have been observed in multiple cyber campaigns.


The phishing emails are themed around Russian government interests – for example, mimicking the Russian CERT or Russian telecom. They include a warning against potential security breaches, as well as a link to a supposed program that would implement some necessary security measures – but clicking on the link would, of course, lead to the malware’s installation on the victim’s computer.


“Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility,” the report concludes.
