China’s APT31 Launches Stealthy Cloud-Based Cyberattacks on Russian IT Sector

Between 2024 and 2025, the Russian information technology (IT) sector, particularly companies serving as contractors and integrators for government agencies, experienced a series of sophisticated cyberattacks. These intrusions have been attributed to APT31, a China-linked advanced persistent threat (APT) group known for its stealthy operations and strategic intelligence gathering.

APT31: A Profile of the Threat Actor

APT31, also referred to by aliases such as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), has been active since at least 2010. The group has a history of targeting a diverse range of sectors, including government entities, financial institutions, aerospace and defense industries, high-tech firms, construction and engineering companies, telecommunications, media, and insurance sectors. Their primary objective is to gather intelligence that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages.

Tactics and Techniques Employed

The cyberattacks on Russian IT companies were marked by the use of legitimate cloud services, particularly those popular within Russia, such as Yandex Cloud. By leveraging these services for command-and-control (C2) operations and data exfiltration, APT31 effectively blended malicious activities with normal network traffic, thereby evading detection.

In addition to utilizing cloud services, the group embedded encrypted commands and payloads within social media profiles, both domestic and international. This method further obscured their activities, making it challenging for security systems to identify and mitigate the threats. Notably, APT31 timed their attacks to coincide with weekends and holidays, periods when organizational vigilance is typically reduced.

Case Studies of Intrusions

One significant intrusion involved an IT company whose network was compromised as early as late 2022. The attackers escalated their activities during the 2023 New Year holidays, taking advantage of the reduced monitoring during this period.

In another incident detected in December 2024, APT31 executed a spear-phishing campaign by sending emails containing RAR archives. These archives included Windows Shortcut (LNK) files that, when executed, launched a Cobalt Strike loader known as CloudyLoader through DLL side-loading. This technique allowed the attackers to establish a foothold within the targeted systems discreetly.

Toolset and Persistence Mechanisms

APT31 employs a combination of publicly available tools and custom-developed malware to achieve their objectives. To maintain persistence within compromised networks, they set up scheduled tasks that mimic legitimate applications, such as Yandex Disk and Google Chrome. Some of the tools utilized by APT31 include:

– SharpADUserIP: A C# utility for reconnaissance and discovery.

– SharpChrome.exe: Used to extract passwords and cookies from Google Chrome and Microsoft Edge browsers.

– SharpDir: A tool for searching files within the system.

– StickyNotesExtract.exe: Extracts data from the Windows Sticky Notes database.

– Tailscale VPN: Creates an encrypted tunnel and establishes a peer-to-peer (P2P) network between the compromised host and the attacker’s infrastructure.

– Microsoft Dev Tunnels: Utilized to tunnel traffic, facilitating covert communication channels.

– Owawa: A malicious IIS module designed for credential theft.

– AufTime: A Linux backdoor that uses the wolfSSL library for secure communication with C2 servers.

– COFFProxy: A Golang-based backdoor supporting commands for tunneling traffic, executing commands, managing files, and delivering additional payloads.

– VtChatter: A tool that facilitates covert communication and data exfiltration.
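The persistence technique described above (scheduled tasks named after Yandex Disk and Google Chrome) can be hunted for by checking whether a brand-named task actually runs from that vendor's normal install location. The following is an added, defender-side example and not code from the original article or from any vendor report: it parses constructed rows in the shape of `schtasks /query /fo CSV /v` output (trimmed to three columns) and flags tasks whose name invokes Google or Yandex but whose executable sits outside a hypothetical allow-list of expected directories.

```python
import csv
import io
import re

# Constructed sample rows (not real telemetry), shaped like a trimmed
# `schtasks /query /fo CSV /v` export: task name, command line, run-as user.
SAMPLE_CSV = r"""TaskName,Task To Run,Run As User
\GoogleUpdateTaskMachineUA,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler,SYSTEM
\Yandex\YandexDiskUpdate,C:\Users\Public\Libraries\YandexDisk.exe,SYSTEM
\GoogleChromeUpdater,C:\ProgramData\chrome\update.exe --silent,user
\Yandex.Disk Sync,C:\Users\alice\AppData\Local\Yandex\YandexDisk2\YandexDisk2.exe,alice
"""

# Hypothetical allow-list of where the genuine products install; tune per estate.
EXPECTED_DIRS = {
    "google": [r"C:\Program Files\Google", r"C:\Program Files (x86)\Google",
               r"\AppData\Local\Google"],
    "yandex": [r"C:\Program Files\Yandex", r"C:\Program Files (x86)\Yandex",
               r"\AppData\Local\Yandex"],
}


def brand_of(task_name):
    """Return which vendor a task name impersonates, or None if neither."""
    name = task_name.lower()
    if "google" in name or "chrome" in name:
        return "google"
    if "yandex" in name:
        return "yandex"
    return None


def exe_path(command):
    """Strip arguments and surrounding quotes, keeping only the .exe path."""
    match = re.match(r'^\s*"?([^"]+?\.exe)"?', command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def suspicious_tasks(csv_text):
    """Return (task name, executable) pairs for brand-named tasks that run
    from a directory the genuine product does not use."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        brand = brand_of(row["TaskName"])
        if brand is None:
            continue  # not impersonating a product we track
        path = exe_path(row["Task To Run"])
        expected = any(d.lower() in path.lower() for d in EXPECTED_DIRS[brand])
        if not expected:
            findings.append((row["TaskName"], path))
    return findings


if __name__ == "__main__":
    for task, exe in suspicious_tasks(SAMPLE_CSV):
        print(f"suspicious task {task!r} runs {exe!r}")
```

On a live host the same function can be fed the output of `schtasks /query /fo CSV /v` directly, after keeping the three columns used here.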

Global Implications and Previous Activities

APT31’s activities are not confined to Russia. In May 2025, the Czech Republic accused the group of targeting its Ministry of Foreign Affairs, highlighting the global reach and persistent threat posed by this actor. The group’s consistent focus on entities that can provide strategic intelligence underscores the need for heightened cybersecurity measures across various sectors.

Mitigation Strategies and Recommendations

Given the sophisticated tactics employed by APT31, organizations are advised to implement comprehensive cybersecurity strategies, including:

– Enhanced Monitoring: Increase vigilance during weekends and holidays when attacks are more likely to occur.

– Cloud Service Scrutiny: Monitor the use of cloud services within the network to detect any anomalies that may indicate malicious activity.

– Employee Training: Educate staff on recognizing spear-phishing attempts and the importance of not interacting with suspicious emails or attachments.

– Regular Updates: Ensure all systems and software are up-to-date with the latest security patches to mitigate vulnerabilities.

– Incident Response Planning: Develop and regularly update incident response plans to quickly address and contain potential breaches.

By adopting these measures, organizations can bolster their defenses against the evolving threats posed by APT31 and similar advanced persistent threat groups.