Article Details
Scrape Timestamp (UTC): 2025-10-16 16:34:20.763
Source: https://www.theregister.com/2025/10/16/chinese_russian_cyber_espionage/
Original Article Text
Chinese cyberspies snoop on Russian IT biz in rare east-on-east attack

Who needs enemies when you have friends like Xi?

China's cyberspies quietly broke into a Russian IT service provider in what researchers say is a rare example of Beijing turning its digital gaze on Moscow.

Security boffins at Symantec's Threat Hunter Team have flagged an intrusion by a Chinese APT group known as "Jewelbug" (also tracked as REF7707, CL-STA-0049, or Earth Alux) into a Russian IT services firm, marking a surprising twist in the murky world of state-aligned cyber espionage.

Over the years, Chinese and Russian cyber actors have generally steered clear of brawling with one another. But this stealthy compromise suggests Chinese operators are now willing to probe Russian infrastructure, or at least its supply chain, for an intelligence advantage.

According to Symantec, the intrusion stretched from early 2025 through to May, giving the adversaries months of undetected access to build servers, code repositories, and other sensitive infrastructure inside the victim's network. In effect, Jewelbug positioned itself to potentially mount a software supply chain assault on the provider's customers – a classic "break the door in from the inside" move that could ripple through a network of Russian firms.

To stay hidden, the attackers used a renamed version of Microsoft's cdb.exe ("7zup.exe"), a tactic previously seen in Jewelbug operations, which can execute shellcode, spawn DLLs, or hijack processes. Credential dumps, scheduled-task persistence, and event log clearing were also part of their repertoire, and exfiltration was handled via Yandex Cloud – a tool Russian firms are unlikely to block or question, giving the attackers plausible deniability inside the country's cyber perimeter.

"The targeting of a Russian organization by a Chinese APT group shows... that Russia is not out of bounds when it comes to operations by China-based actors," Broadcom-owned Symantec said.

"The fact that there are indications the IT service provider may have been targeted for the purposes of a software supply chain attack on the company's customers in Russia is also notable as it means this attack had the potential to give the attackers access to a large number of companies in the country, which they could have used for cyber espionage or disruption."

This isn't the only time Beijing is thought to have keyed into Russian systems. According to a New York Times investigation, Chinese-linked hacking groups infiltrated Russian state and corporate networks since mid-2022 in pursuit of military secrets. In one instance, a group dubbed "Sanyo" allegedly masqueraded as a Russian engineering firm to extract data on nuclear submarines. In another, attackers reportedly probed Rostec for insights into satellite communications, radar systems, and electronic warfare.

The report suggests that, despite the public rhetoric of "friendship without limits" between the two nations, Beijing may view Russia less as an inseparable ally and more as a rich intelligence asset ripe for exploitation.

In parallel operations, a new backdoor leveraging Microsoft Graph APIs and OneDrive as command-and-control infrastructure has appeared in attacks on South American targets. This move toward cloud-native command-and-control (C2) channels signals Jewelbug's push for stealth and sophistication, with fewer traditional indicators of malicious behavior.

For defenders in Russia, and anyone supplying or reliant on Russian IT infrastructure, this is a warning shot. In a domain oft presumed off-limits to China's cyber elites, the rules may be changing.
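The three host-side behaviours the article attributes to Jewelbug (a renamed cdb.exe, scheduled-task persistence and event log clearing) each leave telemetry a defender can check. The following is an added example written for this page, not code from The Register or Symantec: it assumes Sysmon process-creation events and Windows Security/System events have already been parsed into dicts keyed by their standard field names, and the sample records are constructed for the demo. The renamed-binary check relies on the fact that a PE's embedded OriginalFileName (exposed by Sysmon Event ID 1) survives a rename on disk.

```python
"""Defender-side triage for the tradecraft named in the article: a renamed
copy of Microsoft's cdb.exe, scheduled-task persistence and event log
clearing. Records are constructed samples shaped like Sysmon Event ID 1
(process creation) and Windows Security/System events; the field names match
those channels, the values are invented for this demo."""

import ntpath

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Dual-use Microsoft binaries worth flagging when they run under another name.
# Only cdb.exe comes from the article; the set is meant to be extended.
WATCHED_ORIGINAL_NAMES = {"cdb.exe"}

# Constructed sample telemetry (not from the article or from Symantec).
SAMPLE_EVENTS = [
    {"channel": SYSMON, "event_id": 1,
     "Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": "7z.exe a backup.7z data"},
    {"channel": SYSMON, "event_id": 1,
     "Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": "7zup.exe"},
    {"channel": SYSMON, "event_id": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\7zup.exe /sc minute /mo 5'},
    {"channel": "Security", "event_id": 1102},
    {"channel": SYSMON, "event_id": 1,
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "OriginalFileName": "wevtutil.exe", "CommandLine": "wevtutil cl Security"},
]


def _basename(path):
    return ntpath.basename(path or "").lower()


def renamed_binary(event):
    """Flag a watched binary whose on-disk name differs from its embedded
    OriginalFileName (the article's cdb.exe running as 7zup.exe)."""
    if event.get("channel") != SYSMON or event.get("event_id") != 1:
        return None
    original = (event.get("OriginalFileName") or "").lower()
    on_disk = _basename(event.get("Image"))
    if original in WATCHED_ORIGINAL_NAMES and original != on_disk:
        return f"renamed {original} running as {on_disk}"
    return None


def scheduled_task_persistence(event):
    """Security 4698 records task creation; a schtasks /create process event
    catches the same action when task auditing is not enabled."""
    if event.get("channel") == "Security" and event.get("event_id") == 4698:
        return "scheduled task created (Security 4698)"
    if event.get("channel") == SYSMON and event.get("event_id") == 1:
        tokens = (event.get("CommandLine") or "").lower().split()
        if _basename(event.get("Image")) == "schtasks.exe" and "/create" in tokens:
            return "schtasks /create: " + event["CommandLine"]
    return None


def event_log_clearing(event):
    """Security 1102 / System 104 are written when a log is cleared;
    wevtutil cl is the usual command-line route to the same result."""
    channel, eid = event.get("channel"), event.get("event_id")
    if (channel, eid) in {("Security", 1102), ("System", 104)}:
        return f"event log cleared ({channel} {eid})"
    if channel == SYSMON and eid == 1:
        tokens = (event.get("CommandLine") or "").lower().split()
        if (_basename(event.get("Image")) == "wevtutil.exe"
                and len(tokens) > 1 and tokens[1] in ("cl", "clear-log")):
            return "wevtutil clear-log: " + event["CommandLine"]
    return None


DETECTORS = (renamed_binary, scheduled_task_persistence, event_log_clearing)


def triage(events):
    """Return (event index, detector name, finding) for every detector hit."""
    hits = []
    for idx, event in enumerate(events):
        for detector in DETECTORS:
            finding = detector(event)
            if finding:
                hits.append((idx, detector.__name__, finding))
    return hits


if __name__ == "__main__":
    for idx, name, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: [{name}] {finding}")
```

Run against the constructed records, the benign 7-Zip launch produces nothing while the renamed debugger, the task creation and both forms of log clearing each yield one finding. The OriginalFileName comparison is the durable part: it keys on a value the attacker would have to patch inside the PE, rather than on the arbitrary name chosen on disk.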
Daily Brief Summary
Symantec's Threat Hunter Team identified a Chinese APT group, Jewelbug, infiltrating a Russian IT service provider, signaling a rare instance of espionage between the two nations.
The intrusion spanned from early 2025 to May, granting Jewelbug months of undetected access to critical infrastructure, including servers and code repositories.
Jewelbug employed tactics such as renaming Microsoft's cdb.exe to "7zup.exe" and used Yandex Cloud for exfiltration, exploiting the trust Russian firms place in local services.
The attack potentially aimed at a software supply chain assault, threatening a wide network of Russian companies with espionage or operational disruption.
This incident challenges the notion of Russia being off-limits to Chinese cyber operations, suggesting a shift in Beijing's intelligence strategy.
Previous reports indicate Chinese groups have targeted Russian military and corporate networks since mid-2022, seeking sensitive military and technological data.
The evolving use of cloud-native C2 channels by Jewelbug highlights a trend toward more sophisticated and stealthy cyber operations.
Russian IT providers and their clients should reassess their cybersecurity strategies in light of this emerging threat landscape.