In recent weeks, the Russian information technology (IT) sector has been inundated with cyberattacks. Cybersecurity experts have traced these attacks back to APT31, an advanced persistent threat group tied to China. APT31 has been conducting operations since at least 2010. It has a few names you might know it by, including Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon. The group has established a reputation for striking a diverse array of sectors, including government agencies, financial institutions, aerospace and defense, high technology, construction and engineering, telecommunications, media, and insurance.
APT31’s activity has increased, especially on weekends and holidays, with a notable spike around the 2023 New Year celebrations. The group’s overarching objective is intelligence collection, intended to give Beijing and Chinese state-owned enterprises (SOEs) a profound competitive advantage in the political, economic, and military spheres. Indeed, the Czech Republic has already accused APT31 of attacking its Ministry of Foreign Affairs in 2022.
Tactics and Techniques
APT31 employs highly advanced tactics, including the use of trusted cloud-based services for command and control (C2). Notably, it abuses platforms such as Yandex Cloud and Microsoft OneDrive to blend in with normal internet traffic, making detection difficult for defenders. This approach lets APT31 pre-position encrypted commands and payloads behind the facade of legitimate services, whether hosted abroad or domestically.
As I noted above, the group has proven time and again that it takes a methodical approach to its attacks. For example, it compromised a Russian IT firm’s network as early as late 2022. Its attacks are notable for the spear-phishing technique they employ: emails carrying malicious attachments. In one recent attack, the threat actors delivered a spear-phishing email with a RAR archive attached. Within the archive was a Windows Shortcut (LNK) file that executed a Cobalt Strike loader named CloudyLoader via DLL side-loading.
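As an added defender-side example, not code from the article or from any vendor, here is a small Python detector that walks constructed process, DLL-load and network telemetry for the chain described above: an LNK launched from an archive extraction folder, a descendant process loading a DLL from a user-writable path (a side-loading indicator), and an outbound connection to a cloud-storage host. The log format, the WinRAR `Rar$` temporary-folder pattern and the host list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example (not from the article).
# Assumed format: kind|pid|ppid|detail, where detail is the process image,
# a loaded DLL path, or a destination host name.
SAMPLE_LOG = """\
proc|200|100|C:\\Windows\\explorer.exe
proc|301|200|C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa2.544\\report.lnk
proc|302|301|C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa2.544\\viewer.exe
dll|302|301|C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa2.544\\version.dll
net|302|301|onedrive.live.com
proc|410|200|C:\\Program Files\\Viewer\\viewer.exe
dll|410|200|C:\\Windows\\System32\\version.dll
net|410|200|updates.example.com
"""

# Illustrative indicators (assumptions; tune to your environment).
ARCHIVE_TEMP = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)  # WinRAR extraction dir
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
CLOUD_HOSTS = ("onedrive.live.com", "1drv.ms", "api.onedrive.com", "storage.yandexcloud.net")

def parse(log_text):
    """Yield (kind, pid, ppid, detail) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            yield parts[0], int(parts[1]), int(parts[2]), parts[3]

def detect_chain(log_text):
    """Return {pid: [stage, ...]} for processes descending from an LNK launched out
    of an archive temp folder that then side-load a DLL and reach cloud storage."""
    events = list(parse(log_text))
    parent = {pid: ppid for kind, pid, ppid, _ in events if kind == "proc"}
    lnk_pids = {pid for kind, pid, _, d in events
                if kind == "proc" and d.lower().endswith(".lnk") and ARCHIVE_TEMP.search(d)}

    def descends_from_lnk(pid):
        while pid in parent:          # walk up the process tree to the root
            if pid in lnk_pids:
                return True
            pid = parent[pid]
        return False

    findings = defaultdict(list)
    for kind, pid, _, detail in events:
        if pid in lnk_pids or not descends_from_lnk(pid):
            continue
        if kind == "dll" and USER_WRITABLE.search(detail):
            findings[pid].append("dll_from_user_writable_dir")  # side-loading candidate
        elif kind == "net" and detail.lower().endswith(CLOUD_HOSTS):
            findings[pid].append("cloud_storage_c2_candidate")
    # Only report processes that show both stages of the described chain.
    return {pid: s for pid, s in findings.items()
            if "dll_from_user_writable_dir" in s and "cloud_storage_c2_candidate" in s}
```

Benign software legitimately uses OneDrive and Yandex Cloud, so the cloud-host stage is only meaningful in combination with the LNK ancestry and the side-loading indicator, which is why the detector requires all of them.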
Impact on Russian IT Landscape
The repercussions of APT31’s cyber operations are far-reaching for the Russian IT industry. The group is skilled at zeroing in on critical infrastructure, creating very real liabilities for the private sector as well and, worse, putting national security interests at risk. APT31 continues to attack sectors that support government and economic continuity, with the intent of either disrupting operations or extracting sensitive information.
The targets chosen by APT31 reflect the group’s strategic aims. It has a proven track record of successful campaigns across many sectors, and this breadth of focus, combined with the speed at which it exploits vulnerabilities, is a hallmark of capable cyber adversaries. Cyberattacks are becoming more sophisticated and increasingly commonplace, so organizations across Russia’s dynamic IT landscape need to fortify their defenses against these ongoing threats.
APT31’s tactics are a useful reminder of the changing nature of cybersecurity threats, and companies need to stay alert. Cloud services have become the backbone of modern C2 operations, which underscores the urgent need for threat detection capable of separating legitimate traffic from malicious activity hidden within the fog of routine cloud usage.