Solar JSOC spoke about a series of cyber attacks on Russian government systems in 2020. According to the American Company Sentinel Labs, the ThunderCats group, which is associated with China, is behind the attacks
Sentinel Labs, an American cybersecurity company, said that China is involved in a series of targeted hacker attacks on Russian government systems in 2020.
The report was prepared on the basis of a study by Rostelecom-Solar JSOC (a subsidiary of Rostelecom responsible for cybersecurity), conducted jointly with the National Coordination Center for Computer Incidents (NCCCI, established by the FSB). It said that in the past year, attackers attacked the federal executive authorities (FOIV) several times, using phishing and vulnerability of web applications published on the Internet, as well as hacking the infrastructure of contractors.
According to Rostelecom-Solar and the NCCCI, hackers developed malicious software called Mail-O, which used the cloud storages of Yandex and Mail.ru Group to download the collected data. Attackers disguised network activity under the legitimate Yandex Disk and Disk-O utilities. Experts said that they acted in the interests of a foreign state, but did not specify which one.
Analysts at Sentinel Labs studied how Mail-O works, as described by Russian experts, and concluded that ThunderCats hackers (part of the larger hacker group TA428, which is associated with China) were behind the attacks. They suggested that Mail-O is a variant of the more well-known malware PhantomNet or SManager. It was used by attackers from TA428 during cyber attacks on resources in Southeast Asia, including Vietnam.
According to Anastasia Tikhonova, head of the sophisticated cyber threat research department of the Threat Intelligence department of Group-IB, Russian organizations are regularly attacked by pro-government groups from different countries, "including China." It should be noted that the largest number of active pro-government groups (23) are concentrated in China.
In early May, E Hacking News reported that Chinese hackers attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO.
