Full Report
Who needs enemies when you have friends like Xi? China's cyberspies quietly broke into a Russian IT service provider in what researchers say is a rare example of Beijing turning its digital gaze on Moscow.…
Analysis Summary
# Threat Actor: Jewelbug
## Attribution & Identity
**Attribution:** Chinese APT Group (China-based actors).
**Known Aliases:** REF7707, CL-STA-0049, Earth Alux.
**Associated Groups:** The article references other Chinese-linked groups like "Sanyo" in connection with separate operations against Russian networks.
## Activity Summary
Jewelbug conducted a stealthy intrusion into a Russian IT service provider, spanning from early 2025 through May 2025. The compromise provided months of undetected access to sensitive infrastructure including build servers and code repositories. Researchers suggest the intent was to position the actor for a potential software supply chain attack against the provider's Russian customers.
Additionally, the article notes other Chinese activity targeting Russia since mid-2022, including infiltration of state and corporate networks for military secrets: espionage against nuclear submarine data (attributed to "Sanyo") and probing of Rostec for insight into satellite communications and warfare. Jewelbug is also noted for parallel operations in which its C2 moved onto public cloud services (detailed under Command and Control below).
## Tactics, Techniques & Procedures
- **Evasion/Masquerading:** Executed payloads through a renamed copy of Microsoft's console debugger `cdb.exe` (on disk as `7zup.exe`), a signed binary that can run shellcode, load a DLL, or hijack another process. Renaming the file defeats name-based allow/deny lists while the Microsoft Authenticode signature remains valid, since the signature covers the file contents, not its name.
- **Persistence:** Established persistence via scheduled tasks.
- **Credential Access:** Employed credential dumping techniques.
- **Defense Evasion:** Performed event log clearing to cover tracks.
- **Command and Control (C2):**
- Utilized **Yandex Cloud** for data exfiltration; traffic to a domestic cloud provider is unlikely to be blocked by Russian firewalls and blends in with legitimate use.
- In separate, parallel operations (potentially by Jewelbug or closely related groups), utilized a new backdoor leveraging **Microsoft Graph APIs and OneDrive** as C2 infrastructure.
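The detection logic below is an added example, not code from the report or from the researchers it cites. It turns the TTP list above into rules and runs them over a handful of hand-constructed Windows events: the field names follow Sysmon (Event ID 1 ProcessCreate, 10 ProcessAccess) and Windows auditing (Security 4698 and 1102, System 104), but the host names, paths, `OriginalFileName` values and the LSASS-reader allowlist are assumptions made for the example.

```python
"""Detection rules for the Jewelbug TTPs, run over constructed sample events.
Added example: events, host names and paths are made up for illustration;
field names follow Sysmon (1 ProcessCreate, 10 ProcessAccess) and Windows
auditing (Security 4698/1102, System 104)."""
import ntpath

# Signed Microsoft tools that are commonly renamed and abused for code execution.
# OriginalFileName comes from the PE version resource, so it survives renaming
# the file on disk; Sysmon records it in ProcessCreate events.
ABUSABLE_ORIGINAL_NAMES = {"cdb.exe", "windbg.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Hypothetical allowlist of processes that legitimately read LSASS memory.
LSASS_READERS_ALLOWED = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "Computer": "BUILD01", "Image": "C:\\Users\\Public\\7zup.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": "7zup.exe -cf C:\\Users\\Public\\upd.wds"},
    {"EventID": 1, "Computer": "BUILD01", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "OriginalFileName": "7z.exe", "CommandLine": "7z.exe a out.7z src"},
    {"EventID": 1, "Computer": "DEV02",  # legitimate debugger use, must not alert
     "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": "cdb.exe -p 4120"},
    {"EventID": 4698, "Computer": "BUILD01", "TaskName": "\\Microsoft\\Windows\\Updater\\7zup",
     "TaskContent": "<Exec><Command>C:\\Users\\Public\\7zup.exe</Command></Exec>"},
    {"EventID": 10, "Computer": "BUILD01", "SourceImage": "C:\\Users\\Public\\7zup.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1102, "Computer": "BUILD01", "Channel": "Security"},
    {"EventID": 104, "Computer": "BUILD01", "Channel": "System", "Provider": "Microsoft-Windows-Eventlog"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def rule_renamed_tool(ev):
    """Signed tool whose on-disk name differs from its PE OriginalFileName."""
    if ev.get("EventID") != 1:
        return None
    original = ev.get("OriginalFileName", "").lower()
    on_disk = _basename(ev.get("Image", ""))
    if original in ABUSABLE_ORIGINAL_NAMES and original != on_disk:
        return f"{on_disk} has OriginalFileName {original}: {ev['Image']}"
    return None


def rule_task_from_writable_path(ev):
    """Scheduled task whose action lives in a user-writable directory."""
    if ev.get("EventID") != 4698:
        return None
    content = ev.get("TaskContent", "").lower()
    if any(prefix in content for prefix in USER_WRITABLE_PREFIXES):
        return f"task {ev.get('TaskName')} runs a binary from a user-writable path"
    return None


def rule_lsass_access(ev):
    """Process other than a known reader opening a handle to lsass.exe."""
    if ev.get("EventID") != 10:
        return None
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    if target.endswith("\\lsass.exe") and source not in LSASS_READERS_ALLOWED:
        return f"{source} opened lsass.exe with access {ev.get('GrantedAccess')}"
    return None


def rule_log_cleared(ev):
    """Security log cleared (1102) or any log cleared via the Eventlog service (104)."""
    eid = ev.get("EventID")
    if eid == 1102 or (eid == 104 and ev.get("Provider") == "Microsoft-Windows-Eventlog"):
        return f"{ev.get('Channel', 'event')} log cleared"
    return None


RULES = {
    "T1036 renamed signed tool": rule_renamed_tool,
    "T1053 scheduled task persistence": rule_task_from_writable_path,
    "T1003 LSASS credential access": rule_lsass_access,
    "T1070 event log cleared": rule_log_cleared,
}


def run_rules(events):
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"rule": name, "host": ev.get("Computer"), "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

The renamed-tool rule is the one that matters most for this case: it keys on the PE version resource rather than the file name, so `7zup.exe` is caught while a developer's genuine `cdb.exe` on `DEV02` is not. In production the allowlists and the writable-path prefixes would come from the asset inventory rather than being hard-coded.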
## Targeting
- **Sectors:** IT Service Provision, potentially the broader Russian corporate and state sector (based on related activities).
- **Geography:** Russia (primary focus of the intrusion described). South America is mentioned as the location of the parallel operation that used cloud-based C2.
- **Victims:** A specific Russian IT service provider. Broader potential targets include the Russian firms that rely on this provider's software/services, and Russian state/military entities (based on historical context).
## Tools & Infrastructure
- **Malware Families Used:** Unspecified custom malware was used, executed via the renamed legitimate Microsoft utility (`7zup.exe`). A separate new backdoor leveraging Microsoft Graph/OneDrive APIs was mentioned in parallel operations.
- **Infrastructure (C2, domains, IPs):**
- **Exfiltration C2:** Yandex Cloud.
- **Parallel Operation C2:** Microsoft Graph APIs and OneDrive.
## Implications
This operation signals a significant shift in the threat landscape, indicating that China-based actors are willing to actively target and probe allied or perceived friendly nations like Russia when a significant intelligence advantage can be gained. The focus on an IT service provider highlights a mature strategy prioritizing **software supply chain attacks** to achieve broad, undetected access across numerous downstream victims within Russia. The adoption of cloud-native C2 infrastructure demonstrates an ongoing effort by the actor to enhance stealth against traditional detection methods.
## Mitigations
- **Supply Chain Risk Management:** Extreme vetting and monitoring of third-party IT providers, especially those with access to build environments or sensitive client code.
- **Egress Control:** Restrict outbound connections from build servers, code repositories and other sensitive infrastructure to an allowlist of required destinations; treat public cloud storage, including Yandex Cloud, as a potential exfiltration channel unless a host has a documented need for it.
- **Endpoint Detection & Response (EDR):** Detect signed Microsoft utilities running under a different name by comparing the on-disk file name with the PE version-resource `OriginalFileName` (Sysmon logs this field in process-creation events), e.g. `cdb.exe` running as `7zup.exe`, and alert on debugger binaries launched from user-writable paths.
- **Log Management:** Forward security and system events to a central collector in near real time so that local clearing does not destroy the record, and alert on the clearing events themselves (Security Event ID 1102, System Event ID 104).
- **Cloud Monitoring:** Baseline each host's use of Microsoft Graph/OneDrive and of cloud storage such as Yandex Cloud, and alert on deviations, such as periodic requests from hosts with no business need or bulk uploads, that indicate cloud-based C2 or exfiltration.
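One way to implement the egress-control and cloud-monitoring items above, as an added example that is not from the report: a role-based allowlist for build servers, a byte-volume check on uploads to cloud storage, and a jitter test for periodic requests to a cloud API host, all run over a constructed proxy log. The host names, the role inventory, the allowlist domains and the thresholds are assumptions made for the example.

```python
"""Egress and cloud-channel monitoring over a constructed proxy log.
Added example; hosts, roles, allowlist and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Hypothetical asset inventory: which hosts are build infrastructure.
HOST_ROLES = {"BUILD01": "build", "WS-017": "workstation", "WS-021": "workstation"}
# Everything a build server legitimately needs to reach (hypothetical).
BUILD_EGRESS_ALLOWLIST = {"git.corp.example", "pkgs.corp.example"}
# Cloud storage/API hosts the report describes as exfil or C2 channels.
CLOUD_CHANNEL_HOSTS = ("yandexcloud.net", "graph.microsoft.com", "onedrive.live.com", "sharepoint.com")
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024   # total upload volume per (host, dest)
BEACON_MIN_COUNT = 5                       # requests needed before judging periodicity
BEACON_MAX_JITTER = 0.15                   # stdev/mean of inter-request gaps

# Constructed log: "<timestamp> <host> <method> <destination> <bytes_out>".
SAMPLE_PROXY_LOG = """\
2025-03-02T09:15:01Z BUILD01 GET pkgs.corp.example 1204
2025-03-02T09:16:44Z BUILD01 POST git.corp.example 58233
2025-03-03T02:11:08Z BUILD01 PUT storage.yandexcloud.net 73400320
2025-03-03T02:12:30Z BUILD01 PUT storage.yandexcloud.net 80216064
2025-03-03T02:20:00Z WS-017 GET graph.microsoft.com 910
2025-03-03T02:25:01Z WS-017 GET graph.microsoft.com 905
2025-03-03T02:29:58Z WS-017 GET graph.microsoft.com 912
2025-03-03T02:35:02Z WS-017 GET graph.microsoft.com 908
2025-03-03T02:40:00Z WS-017 GET graph.microsoft.com 911
2025-03-03T02:45:01Z WS-017 GET graph.microsoft.com 907
2025-03-03T08:00:00Z WS-021 GET graph.microsoft.com 4400
2025-03-03T09:37:12Z WS-021 GET graph.microsoft.com 3100
"""


def parse_log(text):
    """Parse the space-separated proxy log into dicts with a UTC datetime."""
    records = []
    for line in text.splitlines():
        ts, host, method, dest, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": when, "host": host, "method": method, "dest": dest, "bytes": int(nbytes)})
    return records


def is_cloud_channel(dest):
    return any(dest == h or dest.endswith("." + h) for h in CLOUD_CHANNEL_HOSTS)


def find_egress_violations(records):
    """Build hosts may only reach their allowlist; report each new (host, dest) once."""
    seen, alerts = set(), []
    for r in records:
        key = (r["host"], r["dest"])
        if HOST_ROLES.get(r["host"]) == "build" and r["dest"] not in BUILD_EGRESS_ALLOWLIST and key not in seen:
            seen.add(key)
            alerts.append({"rule": "build host egress outside allowlist", "host": r["host"], "dest": r["dest"]})
    return alerts


def find_bulk_uploads(records):
    """Sum upload bytes per (host, cloud destination); large totals are exfil candidates."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in ("PUT", "POST") and is_cloud_channel(r["dest"]):
            totals[(r["host"], r["dest"])] += r["bytes"]
    return [{"rule": "bulk upload to cloud storage", "host": h, "dest": d, "bytes": b}
            for (h, d), b in totals.items() if b >= EXFIL_BYTES_THRESHOLD]


def find_beacons(records):
    """Regular requests to a cloud API host: low jitter between requests is the tell."""
    stamps_by_pair = defaultdict(list)
    for r in records:
        if is_cloud_channel(r["dest"]):
            stamps_by_pair[(r["host"], r["dest"])].append(r["ts"])
    alerts = []
    for (host, dest), stamps in stamps_by_pair.items():
        if len(stamps) < BEACON_MIN_COUNT:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            alerts.append({"rule": "periodic cloud API beacon", "host": host, "dest": dest, "interval_s": round(avg)})
    return alerts


def detect(records):
    return find_egress_violations(records) + find_bulk_uploads(records) + find_beacons(records)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_PROXY_LOG)):
        print(alert)
```

Yandex Cloud is legitimate infrastructure inside Russian networks, so the first rule does not block the service; it asks whether a build server has any business talking to it, which is what the role inventory answers. The beacon test will also fire on some genuine Office clients that poll Graph on a timer, so in practice it is compared against each host's historical baseline rather than used alone, which is the point made in the Cloud Monitoring item above.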