Symantec Identifies Potential Supply Chain Attack

Recent findings from cybersecurity firm Symantec reveal that suspected hackers linked to the Chinese government have breached the systems of a Russian IT service provider. This incident is part of a broader espionage operation aimed at infiltrating networks associated with governmental entities.
Symantec’s research identified a Chinese threat group, referred to as Jewelbug, which compromised a Russian company’s software development and code repositories between January and May. This breach exemplifies a potential supply chain attack; adversaries may have inserted malicious code into software distributed to a variety of downstream clients.
The targeted Russian IT service provider remains unnamed, but it is characterized as a significant player with connections to governmental clients. The infiltration allowed attackers to conduct extensive reconnaissance, steal credentials, and maintain persistent access to the network. Notably, the attackers leveraged legitimate services such as Yandex Cloud, a popular platform in Russia, to obscure their malicious activities within normal operations.
The observed tactics, mapped to the MITRE ATT&CK framework, indicate that this operation is motivated by cyberespionage rather than financial gain. Jewelbug, also tracked under the identifiers REF7707, CL-STA-0049, and Earth Alux, has reportedly been active since at least mid-2023, targeting government and corporate networks across regions including South America, South and Southeast Asia, Taiwan, and now Russia.
Researchers have documented instances where Jewelbug maintained access to compromised networks for extended durations—often spanning several months—while executing credential theft and lateral movement within systems.
Symantec further noted that Jewelbug has previously breached a South American governmental agency, a Taiwanese software development company, and an IT provider in South Asia, deploying a newly developed backdoor in some attacks. Such activities are indicative of a rising trend in Chinese cyber operations directed at Russian entities, despite the two nations typically being strategic partners.
This observation comes on the heels of Kaspersky Lab’s August 2024 report highlighting a cyberespionage campaign named “CloudSorcerer,” which similarly targeted Russian governmental and research institutions using sophisticated malware to extract sensitive information. Kaspersky linked this campaign to a Chinese state-affiliated group, reinforcing concerns about the evolving nature of geopolitical cyber threats.