But the emails were actually sent by
state-sponsored hackers in China seeking to entice their Russian targets to
download and open a document with malware, according to a new report to be
released Thursday by the Israeli American cybersecurity firm Check Point.

The report provides new evidence of Chinese
efforts to spy on Russia, pointing to the complexity of the relations between
two countries that have drawn closer in solidarity against the United States.
It also underscores the sprawling and increasingly sophisticated tactics
China’s cyberspies have used to collect information on an ever-expanding array
of targets, including countries it considers friends, such as Russia.

Despite the growing global outrage over
Russia’s war in Ukraine, China has refused to criticise Moscow and has echoed
Russian propaganda to depict the United States and NATO as aggressors in the
conflict. But Check Point’s research showed that despite the countries’
deepening ties, China appeared to view Russia as a legitimate target for the
theft of sensitive military technological information.

The Chinese campaign targeted Russian
institutes that research airborne satellite communications, radar and
electronic warfare, Check Point said in its report. The institutes belong to
Rostec Corp., the Russian military conglomerate that is one of the largest and
most powerful entities in Russia’s defence establishment.

The Chinese espionage operation began as
early as July 2021, before Russia invaded Ukraine, the Check Point report said.
The March emails revealed that China’s hackers had quickly exploited narratives
about the war in Ukraine for their purposes.

“This is a very sophisticated attack,” said
Itay Cohen, head of cyberresearch at Check Point, adding that it demonstrated
capabilities “usually reserved for state-backed intelligence services.” The
hackers used methods and code similar to those used in previous attacks
attributed to hacking groups affiliated with the Chinese state, he said.

For example, by referring to the US
sanctions on Russian officials over the war in Ukraine, the attacks used “smart
social engineering” that exploited a sensitive topic to try to induce their
targets, including skilled defence officials, to open the email, Cohen said.
The hackers also used advanced tactics that better concealed their intrusions
in the computers that were attacked, he said.

Under China’s authoritarian leader, Xi
Jinping, Beijing has refined its approach to cyberspying, transforming over the
past decade into a far more sophisticated actor. China’s premier spy agency,
borrowing a page from Russia, has recruited beyond its ranks, pulling from the
country’s growing pool of tech workers. The strategy has made its attacks more
scattershot and unpredictable, but analysts say it has also helped strengthen
the country’s efforts, enabling spies to run stealthy attacks that target
intellectual property as well as political and military intelligence around the

Xi has made improving China’s scientific
and technical capabilities a priority in the coming years, with ambitions of
becoming a global leader in high-tech fields such as robotics, medical
equipment and aviation. The campaign targeting Russian defence research
institutes “might serve as more evidence of the use of espionage in a
systematic and long-term effort to achieve Chinese strategic objectives in
technological superiority and military power,” Check Point’s report said.

More recently, hackers based in China, like
their counterparts elsewhere, have taken advantage of the war in Ukraine to
break into the computer systems of organisations across Europe. Hackers have
preyed upon heightened anxiety about the invasion, tricking their victims into
downloading documents that falsely claim to contain information about the war
or pose as aid organisations raising money for charity.

Many of the attacks originating from China
appear to be focused on gathering information and intellectual property, rather
than on causing chaos or disruption that could sway the conflict in favour of
Ukraine or Russia, security researchers said.

In late March, Chinese hackers began going
after Ukrainian organisations, according to security researchers and an
announcement from Ukraine’s cybersecurity agency. A hacking team known as
Scarab sent a document to Ukrainian organisations that offered instructions on
how to film evidence of Russian war crimes but also contained malware that
could extract information from infected computer systems, researchers at the
security firm SentinelOne said.

Also in March, another hacking team
affiliated with China, which security researchers have called Mustang Panda,
created documents that purported to be European Union reports on conditions at
the borders of Ukraine and Belarus, and emailed them to potential targets in
Europe. But the documents contained malware, and victims who were tricked into
opening them inadvertently allowed the hackers to infiltrate their networks,
researchers at Google and the security firm Cisco Talos said.

The Mustang Panda hacking group had
previously attacked organisations in India, Taiwan and Myanmar, but when the
war started, it turned its focus to the EU and Russia. In March, the hackers also
pursued agencies in Russia, emailing them a document that appeared to contain
information about the placement of border guards in Russia, Cisco Talos

“One thing remains consistent across all
these campaigns — Mustang Panda is clearly looking to conduct espionage
campaigns,” Cisco Talos researchers said in a report this month about that

In this latest report on Chinese hacking
efforts, Check Point said it was calling the group behind the recently
identified campaign Twisted Panda “to reflect the sophistication of the tools
observed and the attribution to China.”

The Rostec institutes that have been
attacked are mainly engaged in the development of airborne radar and in the
development of devices that can, among other things, disrupt the radar and
identification systems used by an enemy.

Rostec Corp. was founded by President
Vladimir Putin of Russia in 2007 and has become one of the nation’s largest
military corporations, controlling hundreds of research and manufacturing
facilities for high-end defence technology, electronic warfare tools and

Shortly after the Russian invasion of
Ukraine in 2014, Rostec was blacklisted by the United States, and its CEO,
Sergey Chemezov, was sanctioned by the EU. Immediately after the Russian
invasion of Ukraine this year, the United States imposed additional sanctions
on companies and entities associated with Rostec.

© 2022 The New York Times Company