With Friends Like These: China Spies on Russian IT Orgs
Recorded: Nov. 25, 2025, 8:02 p.m.
Original:

State-linked hackers stayed under the radar by using a variety of commercial cloud services for command-and-control communications.

Nate Nelson, Contributing Writer
November 25, 2025
4 Min Read
Source: Keystone Press via Alamy Stock Photo

A Chinese state-aligned threat actor may have been spying on Russia's government for years through its IT sector.

For all of the adversarial intelligence gathering going on in the world today, there's also plenty of spying among friends. Friendly nations, and friendly-ish nations like China and Russia, regularly use cyberspace against their allies in order to glean potentially valuable political or economic intelligence, gain advantages in strategic negotiations, or simply steal technology.

On Nov. 20, Russian IT security vendor Positive Technologies detailed a longstanding espionage campaign against Russia's IT sector. The culprit: China's APT31 — also known as Judgment Panda, TA412, and Violet Typhoon — an advanced persistent threat (APT) group active for a decade and a half and well-known for industrial espionage and intellectual property (IP) theft against thousands of organizations worldwide.

APT31's trick this time around, the researchers found, was a sophisticated manipulation of legitimate cloud services for malicious command-and-control (C2).

APT31's Cloud Services Abuse

The first known evidence of APT31's campaign against Russia's IT sector dates back to the end of 2022, though the bulk of the campaign appears to have occurred in 2024 and 2025.

In many ways, the attacks have unfolded as most Chinese espionage campaigns do: APT31 distributed targeted phishing emails with archive files attached, containing decoy documents and its malware, which was executed on victims' systems using dynamic link library (DLL) sideloading.

APT31 uses both commercial software and custom malware programs for various stages of its attack chain. For instance, the group can steal victims' authentication data using a tool that culls credentials from Google Chrome and Microsoft Edge, another that searches through local files, and a third that scrapes Windows Sticky Notes, just in case victims leave their passwords on digital Post-its instead of physical ones.

Most notably, APT31 employs a variety of backdoors customized to the victim's operating system — Windows and Linux call for different choices — and to its chosen means of C2 communication. For example, its "OneDriveDoor" backdoor uses Microsoft OneDrive for C2 communication, while "CloudSorcerer" can use OneDrive, Dropbox, or the Russian Yandex Cloud service. Its "YaLeak" tool uses Yandex Cloud for data exfiltration, and its most tongue-in-cheek malware, "VtChatter," uses the commenting system on the threat intelligence platform VirusTotal (VT) as a covert C2 channel.

Bugcrowd founder Casey Ellis laments just how difficult it is to prevent hackers from abusing legitimate cloud services to conceal their malicious activity. "Aside from playing whack-a-mole when a campaign like this bubbles up, there is very little that cloud services can do to stop this type of C2 abuse," he explains. "This is deliberate exploitation of intentional design, and the fact that it flies under the radar for this reason is being deliberately abused by the threat actors. This type of C2 is notoriously difficult to prevent, aside from adding coarse features like geo-blocking entire regions, or shutting the whole service down."

Commercial or Government Espionage?

Certain circumstantial evidence suggests that APT31's campaign might have been aimed at more than just IT companies and commercial data, and possibly at targets beyond Russia.

Importantly, its attacks were concentrated not just against Russia's IT sector broadly, but specifically against contractors and integrators of IT solutions for government agencies. Russia itself has used this backdoor approach to breach the US government in the past.

The researchers also spotted a version of APT31's very same attack chain in Peru. In that case, an unidentified victim was served malware alongside a decoy document crafted to look like an official financial report from the Ministry of Foreign Affairs of Peru — a more direct indication that APT31 may have been seeking out government victims.

Certis Foster, senior threat hunter lead at Deepwatch, points out that it can be difficult to separate government and commercial cyberespionage coming from China. "Targeting Russian IT contractors gives China a backdoor into hardened government networks," he says. "Russia still has valuable aerospace, defense, and nuclear technologies that Chinese state-owned companies seek to gain a competitive advantage. With Western sanctions limiting Russia's tech options, China also wants to know what alternatives Russia is developing in the shadows. The lines between espionage and corporate theft blur completely here because, in my book, China's state and major corporations are the same entity."

About the Author

Nate Nelson, Contributing Writer. Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
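The article's point about C2 hidden in OneDrive, Dropbox, Yandex Cloud and VirusTotal traffic is that the provider cannot block it, so the detection burden falls on the victim's own telemetry. The following is an added defensive example, not code from the article, from Positive Technologies or from any of the vendors quoted. It hunts through constructed web-proxy records for two things such tooling leaves behind: a process that is not a known cloud client talking to a cloud-service API host, and machine-regular request timing ("beaconing") to that host. The API hostnames, the expected-client list, the sample records and the thresholds are all assumptions to be replaced with your own environment's data.

```python
"""
Hunt for command-and-control traffic hidden in legitimate cloud services.

Added defensive example (not code from the article or from the researchers
it cites). It scans constructed web-proxy records for (a) an unexpected
process talking to a cloud storage / VirusTotal API host and (b) clock-like
"beaconing" to that host. Hostnames, process names and thresholds are
assumptions to be tuned per environment.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed: API endpoints of the services named in the article. Illustrative
# only; derive the real list from your own proxy and DNS data.
CLOUD_C2_CANDIDATES = {
    "graph.microsoft.com": "OneDrive/Graph",
    "api.onedrive.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Disk",
    "www.virustotal.com": "VirusTotal",
}

# Assumed: processes that legitimately talk to those hosts in this estate.
EXPECTED_CLIENTS = {"onedrive.exe", "dropbox.exe", "yandexdisk2.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}

MIN_EVENTS = 4        # need this many requests before judging periodicity
MAX_JITTER_CV = 0.15  # std-dev/mean of request gaps; humans and sync clients are noisier

# Constructed sample proxy log (JSON lines). ws-17 has a non-client process
# polling VirusTotal every ~5 minutes; ws-22 has an unknown process touching
# the Yandex Disk API; the OneDrive and Chrome flows are benign noise.
SAMPLE_LOG = """\
{"ts": "2025-11-20T09:00:00Z", "src": "ws-17", "process": "helper.exe", "dest": "www.virustotal.com"}
{"ts": "2025-11-20T09:05:00Z", "src": "ws-17", "process": "helper.exe", "dest": "www.virustotal.com"}
{"ts": "2025-11-20T09:10:02Z", "src": "ws-17", "process": "helper.exe", "dest": "www.virustotal.com"}
{"ts": "2025-11-20T09:15:01Z", "src": "ws-17", "process": "helper.exe", "dest": "www.virustotal.com"}
{"ts": "2025-11-20T09:20:02Z", "src": "ws-17", "process": "helper.exe", "dest": "www.virustotal.com"}
{"ts": "2025-11-20T09:00:10Z", "src": "ws-17", "process": "OneDrive.exe", "dest": "graph.microsoft.com"}
{"ts": "2025-11-20T09:00:50Z", "src": "ws-17", "process": "OneDrive.exe", "dest": "graph.microsoft.com"}
{"ts": "2025-11-20T09:15:50Z", "src": "ws-17", "process": "OneDrive.exe", "dest": "graph.microsoft.com"}
{"ts": "2025-11-20T09:17:50Z", "src": "ws-17", "process": "OneDrive.exe", "dest": "graph.microsoft.com"}
{"ts": "2025-11-20T10:02:00Z", "src": "ws-22", "process": "chrome.exe", "dest": "api.dropboxapi.com"}
{"ts": "2025-11-20T10:09:30Z", "src": "ws-22", "process": "chrome.exe", "dest": "api.dropboxapi.com"}
{"ts": "2025-11-20T10:00:00Z", "src": "ws-22", "process": "report.exe", "dest": "cloud-api.yandex.net"}
{"ts": "2025-11-20T10:00:45Z", "src": "ws-22", "process": "report.exe", "dest": "cloud-api.yandex.net"}
{"ts": "2025-11-20T10:20:00Z", "src": "ws-22", "process": "report.exe", "dest": "cloud-api.yandex.net"}
{"ts": "2025-11-20T10:03:00Z", "src": "ws-22", "process": "chrome.exe", "dest": "www.example.com"}
"""


def parse_proxy_line(line: str) -> dict:
    """Parse one JSON proxy record and normalise the fields the hunt uses."""
    rec = json.loads(line)
    return {
        "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
        "src": rec["src"],
        "process": rec["process"].lower(),
        "dest": rec["dest"].lower(),
    }


def beacon_score(timestamps):
    """Return (count, cv): cv is the coefficient of variation of the gaps
    between consecutive requests; a low cv means clock-driven traffic."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return len(ts), None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return len(ts), None
    return len(ts), statistics.pstdev(gaps) / mean


def hunt(lines):
    """Group requests per (source, process, destination) and flag suspicious flows."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        r = parse_proxy_line(line)
        if r["dest"] in CLOUD_C2_CANDIDATES:      # only cloud-service API hosts matter here
            flows[(r["src"], r["process"], r["dest"])].append(r["ts"])

    findings = []
    for (src, process, dest), stamps in flows.items():
        reasons = []
        if process not in EXPECTED_CLIENTS:
            reasons.append("unexpected client process")
        count, cv = beacon_score(stamps)
        if count >= MIN_EVENTS and cv is not None and cv <= MAX_JITTER_CV:
            reasons.append(f"periodic: {count} requests, gap cv={cv:.2f}")
        if reasons:
            findings.append({"src": src, "process": process, "dest": dest,
                             "service": CLOUD_C2_CANDIDATES[dest], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} {f['process']} -> {f['dest']} ({f['service']}): {', '.join(f['reasons'])}")
```

On the constructed sample this reports two flows: the VirusTotal polling from ws-17 (both an unknown process and near-zero timing jitter) and the Yandex Disk contact from ws-22 (unknown process only, too few requests to judge periodicity). The legitimate OneDrive client is not flagged because its sync traffic is irregular, and two browser requests to Dropbox are below the event threshold. In a real deployment the expected-client list should be keyed on signed binary path rather than bare process name, since a sideloaded DLL inside a legitimately named host process is exactly the case the article describes.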
Summarized:

China's APT31, also known as Judgment Panda or TA412, has been implicated in a sustained espionage campaign targeting Russian IT organizations since the end of 2022, with the bulk of the activity occurring in 2024 and 2025, as detailed by Positive Technologies. The operation highlights the practice of friendly nations engaging in cyber espionage against allies, exemplified here by China leveraging commercial cloud services for command-and-control (C2) communications. The group's tactics involved distributing targeted phishing emails with malicious archive files and using a diverse toolkit of commercial and custom-built malware, with backdoors that abuse legitimate services such as OneDrive, Dropbox, and Yandex Cloud rather than any vulnerability in those services. APT31 tailored its backdoors to the victim's operating system (Windows or Linux) and to its chosen C2 channel, and went as far as using VirusTotal (VT) as a covert C2 channel. Notably, the group used "YaLeak" to exfiltrate data via Yandex Cloud, and "VtChatter" to carry C2 communication through the commenting system of the threat intelligence platform. The operation reveals a concerted effort to gain access to Russian government networks by targeting contractors and integrators of IT solutions for government agencies, mirroring a strategy Russia has previously used against the US government. Furthermore, evidence suggests the campaign extended beyond Russia: the same attack chain was seen against an unidentified victim in Peru, with a decoy document posing as a financial report from the Ministry of Foreign Affairs of Peru, indicating an intent to gather intelligence more broadly. Casey Ellis of Bugcrowd points out that this deliberate exploitation of cloud service design is very difficult for providers to stop, and Certis Foster of Deepwatch argues that China's state and major corporations are essentially the same entity, driven by the desire to gain a competitive advantage, particularly given Western sanctions on Russia. The investigation underscores the blurred lines between commercial cyber espionage and geopolitical advantage, with China's state-owned companies seeking to acquire valuable aerospace, defense, and nuclear technologies from Russia.