“The war between Russia and Ukraine has prompted many countries to deploy their cyber skills to better understand political machinations and motivations. This need (…) extends to gathering sensitive information from friends.”
That is the conclusion of a report published on 27 April 2022 by Secureworks, which revealed a phishing campaign against Russian officials run from infrastructure previously attributed to Bronze President (also tracked as HoneyMyte and Mustang Panda), a Chinese espionage group.
The group is known for its use of the PlugX remote access Trojan and for its modus operandi: using legitimate, publicly available documents as decoys to deliver its malware.
In this campaign, Bronze President allegedly used official EU texts on sanctions against Belarus as the lure. The files were presented as PDFs but were in fact executables (.exe) carrying a new variant of PlugX. They were named after Blagoveshchensk, a Russian city near the Chinese border, which Secureworks reads as an indication that the campaign targeted Russian officials in that region.
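The lure technique described above, an executable dressed up as a PDF, can be caught with a check that compares what a file's name claims with what its first bytes actually are. The Python below is an added illustration, not code from the Secureworks report or from any vendor tool; the file names and contents it scans are constructed samples, and the extension lists are assumptions chosen for the example.

```python
"""Flag files whose presented type (the name) disagrees with their real
content, e.g. a PE executable presented as a PDF document.

Added example, not code from the Secureworks report. The sample files at
the bottom are constructed, not real malware."""
import os

# Leading bytes of the two formats the article contrasts.
MAGIC = {
    "pe": b"MZ",      # Windows executable (DOS stub header)
    "pdf": b"%PDF-",  # PDF header
}

# Assumed extension sets: what a user reads as "document" vs "program".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def detect_content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name entirely."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(filename: str) -> str:
    """What the name suggests to a user.

    A double extension such as 'report.pdf.exe' runs as a program on
    Windows, but the '.pdf' is what the user notices (and Explorer hides
    the final extension by default), so it is reported separately."""
    base = filename.lower()
    stem, ext = os.path.splitext(base)
    inner = os.path.splitext(stem)[1]
    if ext in DOCUMENT_EXTS:
        return "document"
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        return "document-disguised-executable"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Return a verdict for one file.

    'mismatch'   : name claims one thing, content is another
    'executable' : honestly named executable (still untrusted as mail content)
    'ok'         : document whose bytes match the claim
    'unknown'    : content not recognised by the magic table above"""
    actual = detect_content_type(data)
    claimed = claimed_type(filename)
    if actual == "pe":
        if claimed in ("document", "document-disguised-executable"):
            verdict = "mismatch"
        else:
            verdict = "executable"
    elif actual == "pdf":
        verdict = "mismatch" if claimed == "executable" else "ok"
    else:
        verdict = "unknown"
    return {"file": filename, "actual": actual,
            "claimed": claimed, "verdict": verdict}


def scan(files: dict) -> list:
    """Return the names of all files that are mismatches or executables,
    i.e. everything that should not be opened as a 'document'."""
    flagged = []
    for name, data in files.items():
        if assess(name, data)["verdict"] in ("mismatch", "executable"):
            flagged.append(name)
    return flagged


# Constructed samples: a genuine PDF, a PE with a double extension,
# a PE renamed to .pdf outright, and an honestly named executable.
SAMPLES = {
    "eu_sanctions_belarus.pdf": b"%PDF-1.7\n%constructed decoy\n",
    "eu_sanctions_belarus.pdf.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
    "border_notice.pdf": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
    "setup.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
    print("flagged:", scan(SAMPLES))
```

The magic-byte check is the part that matters: a spoofed icon or a hidden extension changes how the file looks, not what it starts with. Run over an attachment folder or a mail gateway quarantine, it separates real documents from executables regardless of how they are named.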
In April 2022, Proofpoint and ESET had also spotted PlugX variants in other attacks against state bodies. Secureworks concludes that a large Chinese espionage campaign is probably underway.