Google announced today that Russian government entities are being targeted by a Chinese state-sponsored hacking group affiliated with China’s People’s Liberation Army Strategic Support Force (PLA SSF).
In a report on cyber activity in Eastern Europe, Google’s Threat Analysis Group (TAG), a team of security specialists that defends Google users against state-sponsored attacks, stated that the APT group has also successfully compromised several Russian companies.
This threat actor has been targeting government and military institutions in Russia, as well as those in other nations in the region, such as Ukraine, Kazakhstan, and Mongolia, as disclosed in prior Google TAG reports.
“Long-running efforts against several government entities, including the Ministry of Foreign Affairs, have continued in Russia,” stated Google TAG Security Engineer Billy Leonard.
“In the last week, TAG discovered new compromises affecting a number of Russian defense contractors and manufacturers, as well as a Russian logistics firm.”
Cybersecurity firm Secureworks recently discovered Mustang Panda, another Chinese state-backed actor, targeting “officials or military individuals familiar with the region.”
The report released today follows one released in late March, which revealed widespread phishing attacks against NATO and European militaries carried out by Russia-based threat groups.
An earlier report from early March described continuous efforts by Russian, Chinese, and Belarusian government hackers to compromise Ukrainian and European organizations and officials involved in the Russian war in Ukraine.
Cyberattacks on Ukraine serve as a backdrop
State-sponsored threat actors from China, Iran, North Korea, and Russia, according to Leonard, are still actively targeting critical infrastructure, such as oil and gas, telecommunications, and manufacturing.
Google discovered credential phishing campaigns and attacks against military and cybersecurity businesses by the Russian-backed APT28 and Turla hacker groups.
Coldriver (aka Callisto), a Russian APT group, uses Gmail accounts to send phishing emails to government and defense personnel, NGOs, think tanks, and journalists.
Google’s Safe Browsing program has so far blocked these attacks, after the phishing domains were identified and flagged as malicious.
Ghostwriter, a Belarus-backed threat actor, is also attempting to steal credentials from “high risk persons in Ukraine” in phishing attacks targeting Gmail accounts.
“No accounts were compromised as a result of this campaign,” Leonard continued, “and Google will notify all targeted users of these attempts through our monthly government-backed attacker alerts.”
Microsoft also detailed the full scope of Russia’s cyberattacks against Ukraine on Wednesday, with various Russian threat groups tied to Russian intelligence services such as the GRU, SVR, and FSB attacking the country’s infrastructure and citizens.