State-run Chinese hackers have attacked Russian defense research organizations with malware as part of a long-running espionage campaign. Researchers from Check Point Software confidently attribute this campaign to a Chinese group called Twisted Panda. The new grouping is associated with Stone Panda (aka APT 10, Cicada or Potassium) and Mustang Panda (aka Bronze President, HoneyMoon or RedDelta).
An investigation by experts showed that Twisted Panda had been attacking holding companies within Rostec since at least June 2021, and the last attack attempt was seen in April 2022. Check Point stated that the defense institutions of the state corporation were subjected to phishing campaigns.
Phishing emails sent to defense research organizations contained a link to the attackers’ website disguised as the website of the Russian Ministry of Health and an attachment in the form of a malicious Word document. The subject of the letter looked like this: “List of persons [название учреждения-жертвы]who are under US sanctions for the invasion of Ukraine.”
Another letter with a malicious document, also passed off as a letter from the Russian Ministry of Health, was sent to an unknown organization in Minsk.
According to Check Point, the malware found in the documents includes a complex multi-level loader and a backdoor SPINNER payload. Malware is constantly updated and uses advanced methods of evading protection systems and anti-analysis.
Experts consider Twisted Panda’s goal to be data on electronic warfare systems, military radio equipment and air-based radar stations.