Chinese state-sponsored threat groups have been behind a series of targeted attacks on the Russian federal executive authority. A virus known as “Webdav-O” was discovered in the intrusions, with the cybersecurity firm noting similarities between the tool and a popular Trojan known as BlueTraveller, which is linked to a Chinese threat group known as TaskMasters and used in malicious activities aimed at espionage and the theft of confidential documents.
The report also revealed a malware called “Mail-O”, observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru, and linked it to a variant of another well-known malicious software called PhantomNet used by a threat actor dubbed TA428.
TA428 has been targeting government entities involved in domestic and foreign policy, government information technology, and economic development. The attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT. This APT group also employs Poison Ivy payloads, which share command-and-control (C&C) infrastructure.
The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and the email correspondence of key federal executive authorities, which remains undeletable.
The researchers also point out that evidence implies a big hacking force made up of People’s Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence agencies being little more than subgroups.