China has an interest in Ukraine with Russia being a key ally.
Chinese hackers have joined the fray of those targeting the Ukraine conflict and the associated refugee crisis, according to research from Google and cybersecurity company Proofpoint.
Google reported on Monday that a Chinese group called Mustang Panda targeted European entities with lures related to Russia’s invasion of Ukraine. The company’s Threat Analysis Group (TAG) spotted phishing emails with malicious attached files with names such as ‘Situation at the EU borders with Ukraine.zip’.
“Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted relevant authorities of its findings,” Google wrote, adding: “Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets.”
Proofpoint, meanwhile, said it had seen increased activity from a group known as RedDelta, previously linked to Mustang Panda, and believed by some researchers to be the same crew. On February 28, as Russian shells were raining down on Ukrainian cities, the RedDelta hackers were using a hacked email address of a diplomat from a European—and NATO member—country, sending malware-laced emails to another country’s diplomatic offices. Proofpoint did not identify either of the countries.
Again, the malicious file came with the title, “Situation at the EU borders with Ukraine.zip,” indicating Google and Proofpoint were witnessing the same activity. The ultimate aim of the attack appeared to be to launch a remote access tool, known as PlugX, on targets’ PCs.
Proofpoint also saw RedDelta hackers send phishing emails that contained “tracking pixels,” a tiny image within a message that tells the attackers an email has been opened and that the recipient may therefore be more susceptible to further social engineering attacks. “The operational tempo of these campaigns, specifically those against European governments, have increased sharply since Russian troops began amassing on the border of Ukraine,” Proofpoint wrote.
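As an added illustration (not code from the article or from the researchers it cites), the following Python checker flags the kind of remote "open beacon" image described above in an HTML message body, so a defender reviewing mail can see which messages carry one; the sample body is constructed, and `example.invalid` is a placeholder host.

```python
# Added example, not code from the article or from Google/Proofpoint: flag
# likely tracking pixels (tiny or hidden remote images) in an HTML mail body.
import re
from html.parser import HTMLParser

PIXEL_MAX_DIM = 1  # images this small or smaller are treated as beacons

def _dimension(value):
    """Parse '1', '1px' or ' 1 ' into an int; None if not a plain number."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return int(m.group(1)) if m else None

class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag names already
            self.images.append(dict(attrs))

def is_tracking_pixel(attrs):
    """True if an <img> attribute dict looks like a remote open beacon."""
    src = (attrs.get("src") or "").strip()
    if not src.lower().startswith(("http://", "https://")):
        return False  # inline cid:/data: images cannot phone home
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    style = (attrs.get("style") or "").lower().replace(" ", "")
    hidden = "display:none" in style or "visibility:hidden" in style
    tiny = (w is not None and w <= PIXEL_MAX_DIM) or (h is not None and h <= PIXEL_MAX_DIM)
    return tiny or hidden

def find_tracking_pixels(html_body):
    """Return the src of every image in html_body that looks like a beacon."""
    parser = _ImgCollector()
    parser.feed(html_body)
    return [img["src"] for img in parser.images if is_tracking_pixel(img)]

# Constructed sample message body, not a real captured e-mail.
SAMPLE = """<html><body>
<p>Please see the attached situation report.</p>
<img src="https://example.invalid/logo.png" width="200" height="60">
<img src="https://example.invalid/o/abc123" width="1" height="1">
<img src="cid:inline-signature" width="1" height="1">
<img src="http://example.invalid/t.gif" style="display: none">
</body></html>"""
```

Mail clients and gateways that refuse to load remote images neutralise the beacon regardless; the checker is for triage, showing which messages would have reported an open.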
“The multiyear campaign against diplomatic entities in Europe suggests a consistent area of responsibility belonging to [RedDelta]. This mandate may have increased against entities in Europe during the current period of geopolitical conflict and economic upheaval in Europe.”
Just last week, Proofpoint revealed other hackers, linked to Belarus, had targeted the refugee crisis too, with phishing emails sent from a compromised account of a Ukrainian military official.
China, whose President Xi Jinping has forged close ties to Russian President Vladimir Putin, has an interest in the ongoing conflict. It has thus far avoided criticizing Russia as other nations have for its invasion of Ukraine, and Beijing has been urged to do more to mediate and help bring the war to an end. In recent days, it was reported that China’s foreign minister said his country’s Red Cross will provide humanitarian aid to Ukraine.
The Chinese embassy in London hadn’t responded to a request for comment at the time of publication.
Attacks on West expected
Google said it had also seen Russian and Belarusian groups launching attacks centered on the Ukraine invasion. One, dubbed FancyBear or APT28, was previously attributed to Russia’s GRU intelligence agency after it was accused of trying to hack the 2016 election—its most notorious alleged hack being that of the Democratic National Committee. According to Google, it’s now launched “several large credential phishing campaigns targeting ukr.net users.” UkrNet is a Ukrainian media organization.
Despite these attacks, the all-out cyberwar some had expected to coincide with the on-ground invasion has failed to materialize. Matt Olney, director of threat intelligence and interdiction for Cisco Talos, says that his organization has been helping protect Ukrainian organizations since 2015, when hackers, alleged to be Russian, shut down power supplies across areas of Ukraine.
According to Olney, with the Ukraine conflict primarily being fought in the physical world, it’s likelier that cyberattacks will now be launched on Western entities in countries that have sided with Kyiv.
“The A-team operators in Russia are probably primarily assigned right now to espionage activities, trying to understand what the West’s response is, because that’s where Russia fears impact more than it does on anything inside of Ukraine,” Olney said.
UPDATE: A spokesperson for the Chinese embassy in London suggested the claims Beijing-backed hackers were exploiting the Ukraine crisis amounted to a smear campaign.
“China is a staunch defender of cyber security and a main victim of cyber attacks. China firmly opposes and combats all forms of cyber attacks, and is firmly against any smear against China under the pretext of cyber security. This position is consistent and clear,” the spokesperson added.
“We’ve stated on multiple occasions that given the virtual nature of cyberspace, the vast number and diversity of online actors and the difficulty in tracing, it’s important to have complete and sufficient evidence when investigating and defining cyber-related incidents. When linking cyber attacks with the government of any country, one must be even more prudent.
“In the present context, seeing the cyber security issue through the narrow prism of geopolitics and using the Ukraine issue to launch smear campaigns against others will create more division and confrontation. This will not in any way help ease the situation or resolve the problem, but will only undermine mutual trust and international cooperation in facilitating dialogue for peace.”