CPR has named this campaign “Twisted Panda” to reflect the sophistication of the tools observed.
CheckPoint said it identified three defence research targets, two in Russia and one in Belarus. The Russian victims belong to Rostec Corporation, which is Russia’s largest holding company in the radio-electronics industry.
Their primary business is in the development and manufacturing of electronic warfare systems, military-specialised onboard radio-electronic equipment, air-based radar stations, and means of state identification.
The research entities are also involved in avionics systems for civil aviation, the development of a variety of civil products such as medical equipment and control systems for energy, transportation, and engineering industries.
“We exposed an ongoing espionage operation against Russian defence research institutes that have been carried out by experienced and sophisticated Chinese-backed threat actors. Our investigation shows that this is a part of a larger operation that has been ongoing against Russia-related entities for around a year. We discovered two targeted defence research institutions in Russia and one entity in Belarus,” said Itay Cohen, Head of Research at Check Point Software.
On March 23, malicious emails were sent to several defence research institutes based in Russia. The emails, which had the subject “List of (target institute name) persons under US sanctions for invading Ukraine”, contained a link to an attacker-controlled site mimicking the Health Ministry of Russia and had a malicious document attached.