Chinese APT espionage operation Twisted Panda targets Russia’s state-owned defense institutes

Check Point researchers have revealed details of a targeted campaign that has been using sanctions-related baits to attack at least two Russian defense research institutes. The activity was attributed with high confidence to a Chinese threat actor, with possible connections to Stone Panda (aka APT10), a state-backed espionage group, and Mustang Panda, another proficient China-based cyber espionage actor. The campaign has been named ‘Twisted Panda’ to reflect the sophistication of the tools observed and the attribution to China.

Research suggests that another target in Belarus, likely also related to the research field, received a similar spear-phishing email claiming that the US is allegedly spreading a biological weapon, Check Point said in a recent post. The campaign is a continuation of what the researchers believe to be a long-running espionage operation against Russia-related entities that has been active since at least June 2021. The operation may still be ongoing, as the most recent activity was observed in April 2022, it added.

“The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months,” according to the researchers.

The defense research institutes identified by Check Point as targets of the attack belong to a holding company within the Russian state-owned defense conglomerate Rostec Corporation. It is Russia’s largest holding company in the radio-electronics industry, and the targeted research institutes’ primary focus is the development and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations, and means of state identification. The research entities are also involved in avionics systems for civil aviation and in the development of a variety of civil products, such as medical equipment and control systems for the energy, transportation, and engineering industries.

As a part of the investigation, the researchers uncovered the previous wave of this campaign, also likely targeting Russian or Russia-related entities, active since at least June 2021. “The evolution of the tools and techniques throughout this time period indicates that the actors behind the campaign are persistent in achieving their goals in a stealthy manner. In addition, the Twisted Panda campaign shows once again how quickly Chinese espionage actors adapt and adjust to world events, using the most relevant and up-to-date lures to maximize their chances of success,” they added.

“The Tactics, Techniques, and Procedures (TTPs) of this operation enabled us to attribute it to Chinese APT activity. In general, Chinese groups are known to reuse and share tools between them,” Check Point said. “Without enough strong evidence, such as infrastructure-based connections, we couldn’t directly attribute this activity with high confidence to any specific Chinese threat actor. However, the Twisted Panda campaign bears multiple overlaps with advanced and long-standing Chinese cyberespionage actors,” it added.

APT group Mustang Panda was observed exploiting the invasion of Ukraine to target Russian entities around the same time as Twisted Panda, the researchers said. “The infection flow relying on DLL side-loading is a favorite evasion technique used by multiple Chinese actors. Examples include the infamous PlugX malware (and its multiple variants, including the aforementioned Mustang Panda’s Hodur samples), the recently published APT10 global espionage campaign that used the VLC player for side-loading, and other APT10 campaigns,” they added.
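DLL side-loading, as described above, means a legitimately signed executable loads an attacker-supplied DLL because the loader searches the binary's own directory before the system directories. The following is an added example of the kind of detection check a defender would run over image-load telemetry; it is not Check Point's code and says nothing about the specific binaries used in Twisted Panda. The event records, the list of "normally lives in System32" DLL names, and the signer values are all constructed for the example.

```python
"""Detection sketch for DLL side-loading over constructed image-load events.

Added example (not from the Check Point report). Records mimic the fields of a
Sysmon Event ID 7 (ImageLoad) entry; the values are constructed, not captured.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which system DLLs are legitimately loaded (assumption:
# a default Windows install drive letter of C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed list of DLL names that normally live in System32 and are popular
# side-loading targets because many signed binaries import them by bare name.
KNOWN_SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dwmapi.dll", "uxtheme.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the host process executable
    process_signed: bool # host binary carries a valid Authenticode signature
    loaded_image: str    # full path of the DLL being mapped
    loaded_signed: bool  # DLL carries a valid Authenticode signature


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_side_load_candidate(ev: ImageLoad) -> bool:
    """Flag a load that matches the side-loading pattern.

    Two conditions are checked independently:
      1. A DLL whose name is that of a system DLL is loaded from outside the
         system directories (search-order hijack of an import by bare name).
      2. A signed host process loads an unsigned DLL that sits in the host's
         own directory, which is where a dropper places the payload DLL.
    """
    dll_dir = _dir(ev.loaded_image)
    if dll_dir in SYSTEM_DIRS:
        return False
    if _name(ev.loaded_image) in KNOWN_SYSTEM_DLLS:
        return True
    same_dir = dll_dir == _dir(ev.process_image)
    return ev.process_signed and not ev.loaded_signed and same_dir


def triage(events: list[ImageLoad]) -> list[str]:
    """Return the loaded-image paths of events that should be investigated."""
    return [ev.loaded_image for ev in events if is_side_load_candidate(ev)]


# Constructed sample telemetry: one benign load, one classic side-load, one
# unsigned DLL in a signed process that still sits in System32 (not flagged).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe", True,
              r"C:\Users\u\AppData\Local\Temp\version.dll", False),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe", True,
              r"C:\Users\u\AppData\Local\Temp\helper.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Windows\System32\odd.dll", False),
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

The second condition is the one that catches payload DLLs with non-system names; tune it by whitelisting vendor directories, otherwise every plugin-style application will trip it. The check is deliberately independent of the DLL's hash, since side-loaded payloads are rebuilt per campaign.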

“In addition to the similarities between SPINNER and Hodur that we previously mentioned, other practices like multi-layer in-memory loaders based on shellcodes and PEs, especially combined with dynamic API resolutions via hashes, are also a signature technique for many Chinese groups,” Check Point said. The victimology of the Twisted Panda campaign is consistent with Chinese long-term interests, it added.

Together with the previous reports of Chinese APT groups conducting their espionage operations against the Russian defense and governmental sector, the Twisted Panda campaign might serve as more evidence of the use of espionage in a systematic and long-term effort to achieve Chinese strategic objectives in technological superiority and military power, Check Point said.

Last month, researchers from Secureworks Counter Threat Unit (CTU) revealed that the China-based Bronze President threat group had targeted Russian speakers with an updated PlugX variant. The group has historically focused on Southeast Asia, gathering political and economic intelligence valuable to the People’s Republic of China (PRC), but it appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine.
