Google said today that a Chinese-sponsored hacking group linked to China's People's Liberation Army Strategic Support Force (PLA SSF) is targeting Russian government agencies.

The company's Threat Analysis Group (TAG), a team of security experts that defends Google users against state-sponsored attacks, added in a report focused on cyber activity in Eastern Europe that the APT group has also successfully breached several Russian companies.

As revealed in previous Google TAG reports, this threat actor has been targeting government and military organizations from Russia, as well as those of other countries in the region like Ukraine, Kazakhstan, and Mongolia.

"In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs," Google TAG Security Engineer Billy Leonard said.

"Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company."

Mustang Panda, another Chinese-backed state actor, was recently observed by cybersecurity company Secureworks targeting "officials or military personnel familiar with the region."

Today's report follows another one published in late March that revealed extensive phishing attacks coordinated by Russia-based threat groups against NATO and the European military.

Another report from early March about malicious activity linked to the Russian war in Ukraine exposed ongoing efforts by Russian, Chinese, and Belarusian government hackers to compromise Ukrainian and European organizations and officials.

Backdrop dominated by cyberattacks against Ukraine

Today, Leonard said that state-sponsored threat actors from China, Iran, North Korea, and Russia are still actively targeting critical infrastructure, including oil and gas, telecommunications, and manufacturing.

Google saw the Russian-backed APT28 and Turla hacking groups running credential phishing campaigns and attacks against defense and cybersecurity organizations.

Another Russian APT group tracked as Coldriver (aka Callisto) uses Gmail accounts to deliver phishing emails targeting government and defense officials, NGOs, think tanks, and journalists.

Their attacks have been blocked so far by Google's Safe Browsing service after their phishing domains were identified and tagged as malicious.

Ghostwriter, a Belarusian-backed threat actor, is also attempting to steal credentials from "high risk individuals in Ukraine" in phishing campaigns targeting their Gmail accounts.

"There were no accounts compromised from this campaign and Google will alert all targeted users of these attempts through our monthly government-backed attacker warnings," Leonard added.

On Wednesday, Microsoft also revealed the true scale of Russia's cyberattacks against Ukraine, with multiple Russian threat groups linked to the GRU, SVR, and FSB Russian intelligence services targeting the country's infrastructure and citizens.
