Chinese Cyber Spies Target Russian Government Agencies

Experts from Positive Technologies and Kaspersky Lab have tracked down a cybercriminal group believed to be operating out of China. According to cybersecurity specialists, this group has attacked more than 20 Russian companies and government agencies over the past several years.

The operations of this Chinese cybercriminal group resemble those of government-backed cyber intelligence agents engaged in espionage and political intelligence gathering. In their attacks, the perpetrators use the task scheduler built into the operating system.

Positive Technologies noted that the APT group, named TaskMasters, has been active for at least nine years. During this time, the criminals have managed to attack more than 30 organizations in the industrial, construction, energy, and real estate sectors.

Of these 30 significant organizations, 24 are located in Russia. Speaking to Kommersant, representatives of Positive Technologies declined to disclose the names of the targeted organizations.

Researchers believe the group operates from China because the code of the attackers' tools contains references to Chinese developers. In addition, connections from Chinese IP addresses were recorded during the attacks, and keys for some versions of the programs used can be found on Chinese forums.

The TaskMasters cybercriminals have skillfully used the built-in OS task scheduler, which allows them to launch specific programs at set times. In addition, after infiltrating an organization’s network, the Chinese cybercriminals explore the infrastructure for known vulnerabilities and then upload malicious software to compromised nodes, which is later used for espionage activities.

Kaspersky Lab has given its own code name to the Chinese cyber spies—BlueTraveler. According to antivirus experts, they have been tracking BlueTraveler’s activity since 2016.
