APT31 and APT27 launch “EastWind” operation using multi-stage implants
Cybersecurity firm Kaspersky Lab has uncovered a targeted attack campaign, dubbed “EastWind”, against Russian government organizations and IT companies; the intrusions were detected in late July 2024. Based on the malware, tools and techniques used across the operation, the researchers attributed it to the Chinese state-sponsored groups APT31 and APT27.
The initial intrusions began with phishing emails carrying RAR archives named to look like documents relevant to the targeted organization. Inside was a DLL side-loading chain: a legitimate executable loaded a malicious DLL dropped alongside it, which in turn launched a backdoor that used the Dropbox cloud service as its command-and-control (C2) channel. This initial-access implant let the adversaries browse the file system, execute commands, exfiltrate data and drop further payloads.
Through that backdoor the attackers installed APT31’s “GrewApacha” trojan. The variant seen in EastWind uses two C2 servers instead of one and stores the active C2 address, base64-encoded, in a public GitHub profile. The second-stage malware Kaspersky analyzed was a newer variant of “CloudSorcerer”, the backdoor the company first described in July 2024, repacked with VMProtect; where the earlier version fetched its initial C2 address from a GitHub page, this one reads it from public profile pages on LiveJournal and Quora.
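A dead-drop resolver of the kind described above, written here as an added example (it is not code from GrewApacha, CloudSorcerer or Kaspersky’s report): the profile page is a constructed HTML snippet, and the base64-encoded "ip:port" plaintext format is an assumption, since the page does not say how the real implants encode the address. The same parser is what an analyst would run over a saved copy of the profile to recover the C2 address without executing the sample.

```python
import base64
import binascii
import ipaddress
import re

# Constructed stand-in for a saved public profile page (not a real site or
# account). The "bio" field carries a base64 string that decodes to "ip:port".
SAMPLE_PROFILE_HTML = """
<div class="profile">
  <span class="name">j.smith</span>
  <p class="bio">photography, travel. MTkyLjAuMi40NDo0NDM=</p>
</div>
"""

# Runs of base64 alphabet characters (8 or more, optional "=" padding) that are
# not glued to further base64 characters on either side.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])"
)
# Assumed plaintext format of the dead drop: dotted-quad IPv4, colon, port.
C2_PATTERN = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def decode_candidate(token):
    """Decode one token; return (ip, port) if it is a plausible C2 address, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # ordinary words that happen to look like base64 land here
    match = C2_PATTERN.match(text)
    if match is None:
        return None
    ip, port = match.group(1), int(match.group(2))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ipaddress.AddressValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    return ip, port


def resolve_dead_drop(html):
    """Return every (ip, port) pair hidden in the page, in document order."""
    found = []
    for token in B64_TOKEN.findall(html):
        c2 = decode_candidate(token)
        if c2 is not None and c2 not in found:
            found.append(c2)
    return found


if __name__ == "__main__":
    print(resolve_dead_drop(SAMPLE_PROFILE_HTML))
```

The defensive lesson is in what the lookup looks like on the wire: an ordinary HTTPS request to a popular site, indistinguishable by destination from browsing. The useful telemetry is which process made the request, not where it went.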
CloudSorcerer is also notable for how it is delivered: the payload is encrypted with a key derived from the infected machine itself, so it decrypts and runs only on that host. An analyst who copies the sample to a lab system is left with ciphertext that cannot be decrypted there, which is exactly the point of the technique. The attackers continued to push additional payloads, including a previously undocumented backdoor tracked as “PlugY”.
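The per-machine keying described above, as an added illustration that is not CloudSorcerer’s code or Kaspersky’s analysis tooling: the key is derived from identifiers assumed here to be the hostname and a volume serial number (which host attributes the real loader uses is not stated on this page), and a SHA-256 counter-mode keystream with an HMAC tag stands in for whatever cipher the malware uses. The tag is what makes the failure mode clean: on any other machine decryption is refused rather than yielding garbage.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def machine_key(hostname, volume_serial):
    """Derive the payload key from identifiers that exist only on the target.
    Hostname and volume serial number are assumptions for this example; the page
    does not say which host attributes the real loader feeds into its key."""
    material = f"{hostname}|{volume_serial:08x}".encode()
    return hashlib.sha256(b"env-keying-demo|" + material).digest()


def keystream(key, nonce, length):
    """SHA-256 in counter mode, used here as a simple stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload, key):
    """Encrypt payload and append an HMAC tag so a wrong key is detected."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob, key):
    """Return the payload, or None if the key does not belong to this blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong machine: refuse instead of handing back garbage
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed victim identifiers; the attacker computes the key on the
    # infected host, encrypts offline, then ships only the blob.
    victim_key = machine_key("WS-0142", 0x1A2B3C4D)
    blob = seal(b"second-stage implant bytes", victim_key)
    print(unseal(blob, victim_key))                         # the payload
    print(unseal(blob, machine_key("LAB-VM", 0x1A2B3C4D)))  # None
```

The practical consequence for responders is that the encrypted file on disk is worthless off the victim: either collect the same host identifiers the loader uses and rebuild the key, or capture the decrypted payload from the running process on the infected machine before it is reimaged.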
PlugY shares code with APT27’s known toolset and can talk to its C2 over TCP, UDP or named pipes; it supports file operations, command execution, screenshot and clipboard capture, and keylogging. Using a different malware family at each stage of the intrusion means that catching one implant does not expose the rest of the chain. Based on the shared infrastructure and TTPs, the researchers assessed with high confidence that APT27 and APT31 worked together on this espionage operation against Russian targets.
The “EastWind” campaign illustrates the double game between countries with close economic and political ties: while China and Russia cooperate on many fronts, their state-sponsored operators still devote substantial offensive capability to spying on each other. It is another reminder that allied status offers no protection against sophisticated intrusions by state-backed groups, and that organizations in both countries need strong detection and response capability to find such adversaries on their networks.