According to a new report, these cyber miscreants have unleashed a barrage of malicious tools linked to Chinese threat actors. It is unclear why they would do this as Russian and China as supposed to be chums. We guess someone forgot to pay their bill.

The campaign, whimsically dubbed EastWind, was discovered late last month by the ever-vigilant researchers at Russian cybersecurity firm Kaspersky.

The attackers used the GrewApacha remote access trojan (RAT), an unknown PlugY backdoor, and an updated version of CloudSorcerer malware—yes, the same CloudSorcerer that previously spied on Russian organisations.

The GrewApacha RAT, a favourite toy of the Beijing-linked hacking group APT31 since at least 2021, made an appearance, while PlugY, which shares many similarities with tools used by the suspected Chinese threat actor APT27, also joined the party.

Kaspersky noted that the hackers sent phishing emails containing malicious archives. In the first stage of the attack, they exploited a dynamic link library (DLL), commonly found in Windows computers, to collect information about the infected devices and load additional malicious tools.

While Kaspersky didn’t explicitly attribute the recent attacks to APT31 or APT27, they highlighted links between the tools used. PlugY malware, still under the microscope, is highly likely to have been developed using the DRBControl backdoor code. This backdoor, previously linked to APT27, is similar to PlugX malware, another tool typically used by hackers in China.

APT27 has been active since at least 2010, targeting organisations in sectors including aerospace, government, defence, technology, energy, manufacturing, and gambling. In 2022, they even attacked a US state legislature using a Log4j vulnerability.

Earlier in July, the UK government accused APT31, which overlaps with the group RedBravo, of breaching the Electoral Commission's servers and accessing the personal information of nearly 40 million people.

According to Kaspersky, PlugY was deployed using an updated version of the CloudSorcerer backdoor. This tool has previously been deployed to steal data from Russian government agencies.

Researchers described CloudSorcerer as “a sophisticated cyber espionage tool” that relied on legitimate cloud services such as Yandex Cloud and Dropbox for stealth monitoring and data collection.

Its updated variant used a popular Russian blogging platform, LiveJournal, and Quora's social question-and-answer website as initial command and control servers.

Earlier in July, researchers at cybersecurity firm Proofpoint discovered a malicious tool that shared many similarities with CloudSorcerer and was used to target a US-based organisation. In the Eastwind campaign, researchers at Kaspersky said that the hackers used a similar infection method as described by Proofpoint in their attack on the U.S. organisation.