China-linked Twisted Panda caught spying on Russian defense R&D

Because Beijing isn't above covert ops to accomplish its five-year goals


Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

Check Point Research also noted that around the same time it observed the Twisted Panda attacks, another Chinese advanced persistent threat (APT) group, Mustang Panda, was seen exploiting the invasion of Ukraine to target Russian organizations.

In fact, Twisted Panda may have connections to Mustang Panda or another Beijing-backed spy ring called Stone Panda, aka APT10, according to the security researchers.

In addition to the timing of the attacks, the tools and techniques used in the new campaign overlap with those of known China-based APT groups, they wrote. Because of this, the researchers attributed the new cyberspying operation "with high confidence to a Chinese threat actor."

During the course of the research, the security shop also uncovered a similar loader that contained what looked like a simpler variant of the same backdoor. Based on this, the researchers say they expect Twisted Panda has been active since at least June 2021.

Phishing for defense R&D

The new campaign started on March 23 with phishing emails sent to defense research institutes in Russia. All of them carried the same subject line, "List of [target institute name] persons under US sanctions for invading Ukraine", had a malicious document attached, and contained a link to an attacker-controlled site designed to look like that of Russia's Ministry of Health.

An email went out to an organization in Minsk, Belarus, on the same day with the subject: "US Spread of Deadly Pathogens in Belarus".

Additionally, all of the attached documents looked like official Russian Ministry of Health documents with the official emblem and title.

Opening the malicious document drops a sophisticated loader that not only hides its functionality, but also keeps suspicious Windows API calls out of sight: rather than importing functions such as memory-allocation or process-injection routines by name, it resolves them at runtime from hashes of their names, so the tell-tale strings never appear in the binary's import table or in a static scan.
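To make the name-hashing trick concrete, here is a small added example (it is not code from the Twisted Panda loader or from Check Point's write-up). The hash is the rotate-right-13 scheme popularised by Metasploit-style shellcode; that choice, the export table, and the function names below are assumptions for illustration, since the page does not say which hash the loader uses. The same loop serves both sides: the malware walks a module's export names looking for the one that hashes to a hard-coded constant, and an analyst reverses the constants lifted from a sample by hashing a list of candidate API names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rotate-right-13 hash over each byte of the name. ASSUMPTION: this is the
 * classic Metasploit-style API hash, used here for illustration only; the
 * Twisted Panda loader's actual hash is not given in the article. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* ROR 13 on a 32-bit value */
        h += *p;                     /* fold in the next character */
    }
    return h;
}

/* Constructed stand-in for a DLL's export name table. Real loaders find a
 * module through the PEB, walk its PE export directory and hash every
 * exported name; here the "exports" are just an array of strings. */
static const char *const kExports[] = {
    "CloseHandle", "CreateFileW", "CreateRemoteThread", "GetProcAddress",
    "LoadLibraryA", "OpenProcess", "VirtualAlloc", "VirtualProtect",
    "WriteProcessMemory",
};
#define N_EXPORTS (sizeof kExports / sizeof kExports[0])

/* Attacker side: find the export whose name hashes to `wanted`, so that a
 * string like "VirtualAlloc" never has to be stored in the binary.
 * Returns NULL when nothing in the table matches. */
const char *resolve_by_hash(uint32_t wanted)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (ror13_hash(kExports[i]) == wanted)
            return kExports[i];
    return NULL;
}

/* Defender side: label a set of hash constants pulled out of a sample.
 * names_out[i] receives the matching API name, or NULL if unknown; the
 * return value is how many constants were identified. In practice the
 * candidate list is every export of kernel32, ntdll, advapi32 and so on. */
size_t label_constants(const uint32_t *consts, size_t n, const char **names_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        names_out[i] = resolve_by_hash(consts[i]);
        if (names_out[i])
            found++;
    }
    return found;
}

int main(void)
{
    /* Constructed sample: the constants an analyst might see a loader
     * compare export hashes against, plus one that matches nothing. */
    const uint32_t lifted[] = {
        ror13_hash("VirtualAlloc"), 0xdeadbeefu, ror13_hash("WriteProcessMemory"),
    };
    const char *names[3];
    size_t hits = label_constants(lifted, 3, names);
    for (size_t i = 0; i < 3; i++)
        printf("0x%08x -> %s\n", lifted[i], names[i] ? names[i] : "(unknown)");
    printf("%zu of 3 constants identified\n", hits);
    return 0;
}
```

The defender-side lookup is why analysts keep precomputed tables of API-name hashes for the common schemes: once the hash function is recovered from the loader, every constant it compares against becomes a readable import again.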

By using DLL sideloading, which Check Point noted is "a favorite evasion technique used by multiple Chinese actors," the malware evades anti-virus tools: a legitimately signed executable is tricked into loading the attacker's DLL from its own directory instead of the library it expects. The researchers cited PlugX malware, used by Mustang Panda, and a more recent APT10 global espionage campaign that used the VLC player for side-loading.

In the case of the Twisted Panda campaign, "the actual running process is valid and signed by Microsoft," according to the analysis.

According to the security researchers, the loader contains two shellcodes. The first one runs the persistence and cleanup script. And the second is a multi-layer loader. "The goal is to consecutively decrypt the other three fileless loader layers and eventually load the main payload in memory," Check Point Research explained.

New Spinner backdoor detected

The main payload is a previously undocumented Spinner backdoor, which uses two types of obfuscation. And while the backdoor is new, the researchers noted that the obfuscation methods have been used together in earlier samples attributed to Stone Panda and Mustang Panda. These are control-flow flattening, which replaces the natural branching of a function with a central dispatcher so the code flow is no longer linear, and opaque predicates, conditions whose outcome is fixed but not obvious, which force the binary to carry out needless calculations and ship dead branches that a disassembler still has to wade through.

"Both methods make it difficult to analyze the payload, but together, they make the analysis painful, time-consuming, and tedious," the security shop said.
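The following is an added example of what the two obfuscations look like side by side, written for this article rather than taken from the Spinner backdoor or Check Point's analysis. The routine being protected is a constructed toy (a small buffer tag) and the state names, predicates and sample input are assumptions for illustration. `tag_plain` is the code an analyst wants to recover; `tag_flattened` computes exactly the same value, but every basic block returns to a dispatcher loop and picks the next state, and two opaque predicates (x*(x+1) is always even, and a square is never 2 mod 4) guard branches that can never be taken.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Plain version: the control flow an analyst would like to see.
 * Constructed toy routine: hashes a buffer, mixing printable and
 * non-printable bytes differently so there is a real branch to hide. */
uint32_t tag_plain(const uint8_t *buf, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] >= 0x20 && buf[i] < 0x7f)
            h = h * 31u + buf[i];
        else
            h ^= (uint32_t)buf[i] << 8;
    }
    return h;
}

/* Opaque predicates: the obfuscator knows the answer, the reader does not
 * without doing the arithmetic. x*(x+1) is always even (and 32-bit
 * wrap-around preserves parity), so this is always true... */
static int opaque_true(uint32_t x)  { return (x * (x + 1u)) % 2u == 0u; }
/* ...and a square is 0 or 1 mod 4 (wrap-around preserves that too),
 * so this is always false. */
static int opaque_false(uint32_t x) { return (x * x) % 4u == 2u; }

/* Flattened version: the same computation, but no block flows into the
 * next; each one sets `state` and jumps back to the dispatcher. */
enum { S_INIT, S_TEST, S_PRINT, S_OTHER, S_NEXT, S_BOGUS, S_DONE };

uint32_t tag_flattened(const uint8_t *buf, size_t n)
{
    uint32_t h = 0;
    size_t i = 0;
    int state = S_INIT;
    for (;;) {                               /* the dispatcher */
        switch (state) {
        case S_INIT:
            h = 0x811c9dc5u; i = 0;
            state = S_TEST;
            break;
        case S_TEST:
            if (i >= n) { state = S_DONE; break; }
            /* never fires, but the dead edge to S_BOGUS still ships */
            if (opaque_false((uint32_t)i)) { state = S_BOGUS; break; }
            state = (buf[i] >= 0x20 && buf[i] < 0x7f) ? S_PRINT : S_OTHER;
            break;
        case S_PRINT:
            h = h * 31u + buf[i];
            state = opaque_true(h) ? S_NEXT : S_BOGUS;   /* always S_NEXT */
            break;
        case S_OTHER:
            h ^= (uint32_t)buf[i] << 8;
            state = S_NEXT;
            break;
        case S_NEXT:
            i++;
            state = S_TEST;
            break;
        case S_BOGUS:                        /* unreachable decoy block */
            h = 0; i = n;
            state = S_DONE;
            break;
        case S_DONE:
            return h;
        }
    }
}

/* Constructed sample input: a few printable bytes and a few that are not. */
static const uint8_t kSample[] = { 'G','E','T',' ','/', 0x01, 0x02, 0xff, '\n' };

int main(void)
{
    printf("plain     = 0x%08x\n", tag_plain(kSample, sizeof kSample));
    printf("flattened = 0x%08x\n", tag_flattened(kSample, sizeof kSample));
    return 0;
}
```

Compile both with optimisation and compare the disassembly: the plain loop is a handful of blocks in a loop, while the flattened one is a star of blocks around one indirect jump, and the S_BOGUS block is present even though nothing real ever reaches it. That is the combination Check Point describes; a sample that does this across every function is what makes the analysis "painful, time-consuming, and tedious".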

The Spinner backdoor's main purpose is to run additional payloads sent from a command-and-control server, although the researchers say they didn't intercept any of these other payloads. However, "we believe that selected victims likely received the full backdoor with additional capabilities," they noted.

Tied to China's five-year plan?

The victims — research institutes that focus on developing electronic warfare systems, military-specialized onboard radio-electronic equipment, avionics systems for civil aviation, and medical equipment and control systems for energy, transportation, and engineering industries — also tie the Twisted Panda campaign to China's five-year plan, which aims to expand the country's scientific and technical capabilities. 

And, as the FBI has warned [PDF], the Chinese government isn't above using cyberespionage and IP theft to accomplish these goals.

As Check Point Research concluded: "Together with the previous reports of Chinese APT groups conducting their espionage operations against the Russian defense and governmental sector, the Twisted Panda campaign described in this research might serve as more evidence of the use of espionage in a systematic and long-term effort to achieve Chinese strategic objectives in technological superiority and military power." ®

Biting the hand that feeds IT © 1998–2022