Russian tech firm attacked by Chinese state hackers in allied attack

News
By published

Russia is not out-of-bounds when it comes to cyber operations, researchers say.

China
Image credit: Shutterstock (Image credit: Shutterstock)
  • Chinese APT Jewelbug infiltrated a Russian IT provider, dwelling undetected for five months
  • Attackers used renamed Microsoft debugger to bypass defenses and exfiltrate data via Yandex Cloud
  • Symantec says China-based actors now target Russia despite perceived geopolitical alignment

Chinese hackers were recently seen targeting Russians, which raised eyebrows among the western cybersecurity community who perceive the two countries as allies in cyberspace and beyond.

Earlier this week, security outfit Symantec published a new report in which it detailed the work of Jewelbug, a Chinese state-sponsored threat actor that’s been “highly active in recent months.” In the report, Symantec said Jewelbug was seen going after targets in South America, South Asia, Taiwan and, most notably, Russia.

In early 2025, Jewelbug managed to sneak into the network of a Russian IT service provider, and remain there for no less than five months. During that time, they accessed code repositories and software build systems that they could leverage to run supply chain attacks against the IT service provider’s customers.

7zup.exe and Yandex

The compromise was spotted when researchers found a file named 7zup.exe on the IT provider’s system. This is a renamed copy of a legitimate, Microsoft binary, called CDB (Microsoft Console Debugger).

This tool can be used to run shellcode, bypass application whitelisting, launch executables, run DLLs, and terminate security solutions, Symantec added.

“Use of a renamed version of cbd.exe is a hallmark of Jewelbug activity,” the report reads. “Microsoft recommends that CDB should be blocked from running by default and whitelisted for specific users only when it’s explicitly needed.”

With the help of CBD, Jewelbug managed to dump credentials, establish persistence, and elevate privileges via scheduled tasks. They tried to cover their tracks by clearing Windows Event Logs, and used Yandex Cloud to exfiltrate data. Yandex is a Russian cloud service provider, which was probably chosen since it’s commonly used in the country and doesn’t usually raise any red flags.

“The targeting of a Russian organization by a Chinese APT group shows, however, that Russia is not out-of-bounds when it comes to operations by China-based actors,” Symantec concluded.

Via The Register

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.