Russian tech firm attacked by Chinese state hackers in allied attack

In a striking development within the realm of cybersecurity, the Chinese Advanced Persistent Threat (APT) group known as Jewelbug has successfully infiltrated a Russian IT provider, remaining undetected for five months. This revelation has stirred considerable interest among experts, particularly given the prevailing perception of a geopolitical alliance between China and Russia.

Intricate Tactics and Tools

According to a recent report by Symantec, Jewelbug has demonstrated a notable increase in activity, targeting not only Russian entities but also interests across South America, South Asia, and Taiwan. The group employed a cleverly disguised version of the Microsoft Console Debugger (CDB), a tool typically used for debugging applications, to circumvent security measures and facilitate data exfiltration.

Symantec’s analysis highlights that the use of a renamed CDB is a distinctive marker of Jewelbug’s operations. The report emphasizes that organizations should consider blocking the execution of CDB by default, allowing it only for specific users when absolutely necessary. This precaution is crucial, as Jewelbug leveraged the debugger to extract credentials, maintain persistence within the system, and elevate privileges through scheduled tasks.

In an effort to obscure their activities, the attackers cleared Windows Event Logs, further complicating detection efforts. Data exfiltration was conducted via Yandex Cloud, a popular Russian cloud service provider, likely chosen because traffic to it is familiar and attracts minimal scrutiny within the region.
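The two detection opportunities described above, a renamed copy of the Console Debugger being executed and event logs being cleared, can be checked in process-creation and log telemetry. The following is an added example written for this article, not code from Symantec or from the report; it runs over a handful of constructed records shaped like Sysmon Event ID 1 (process creation, which carries the PE's `OriginalFileName`) and the Windows log-clear events 1102 (Security log) and 104 (other logs). The hostnames, user names and paths are invented, and the `allowed_users` allow-list stands in for whatever set of users an organization decides may run CDB.

```python
import ntpath

# Constructed sample telemetry (not data from the Symantec report). Each dict
# mimics the fields a SIEM would see for Sysmon process creation (EventID 1)
# and for Windows "log cleared" events (1102 in Security, 104 in System).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "DEV-WS01", "User": "CORP\\dev.alice",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe"},
    # Same binary, but dropped to a user-writable path under a benign-looking name.
    {"EventID": 1, "Computer": "FILESRV02", "User": "CORP\\svc-backup",
     "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "CDB.Exe"},
    # Legitimate svchost: on-disk name and PE original name agree.
    {"EventID": 1, "Computer": "FILESRV02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    {"EventID": 1102, "Channel": "Security", "Computer": "FILESRV02", "User": "CORP\\svc-backup"},
    {"EventID": 104, "Channel": "System", "Computer": "FILESRV02", "User": "CORP\\svc-backup"},
    {"EventID": 4624, "Channel": "Security", "Computer": "DEV-WS01", "User": "CORP\\dev.alice"},
]

CDB_ORIGINAL_NAME = "cdb.exe"          # value of the PE version resource, compared case-insensitively
LOG_CLEAR_EVENT_IDS = {1102, 104}      # 1102: Security log cleared; 104: another channel cleared


def detect_renamed_cdb(events, allowed_users=frozenset()):
    """Return process-creation events where the PE's original file name says
    cdb.exe but the on-disk file name differs (a renamed copy), or where a
    genuine cdb.exe runs under a user outside the allow-list."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        original = ev.get("OriginalFileName", "").lower()
        if original != CDB_ORIGINAL_NAME:
            continue
        on_disk = ntpath.basename(ev["Image"]).lower()   # ntpath handles Windows paths on any OS
        if on_disk != original:
            findings.append({**ev, "Reason": "cdb.exe executed under a different file name"})
        elif ev.get("User") not in allowed_users:
            findings.append({**ev, "Reason": "cdb.exe executed by a user outside the allow-list"})
    return findings


def detect_log_clearing(events):
    """Return events recording that a Windows event log was cleared."""
    return [ev for ev in events if ev.get("EventID") in LOG_CLEAR_EVENT_IDS]


def correlate_by_host(events, allowed_users=frozenset()):
    """Count both finding types per host, so a machine that shows a renamed
    debugger and a cleared log in the same window stands out for triage."""
    by_host = {}
    for f in detect_renamed_cdb(events, allowed_users):
        by_host.setdefault(f["Computer"], {"renamed_cdb": 0, "log_cleared": 0})["renamed_cdb"] += 1
    for f in detect_log_clearing(events):
        by_host.setdefault(f["Computer"], {"renamed_cdb": 0, "log_cleared": 0})["log_cleared"] += 1
    return by_host


if __name__ == "__main__":
    for host, counts in correlate_by_host(SAMPLE_EVENTS, allowed_users={"CORP\\dev.alice"}).items():
        print(host, counts)
```

The original-file-name comparison is what catches the renaming trick: renaming the file on disk does not change the version resource compiled into the PE, so an endpoint agent that records `OriginalFileName` still sees `CDB.Exe`. The allow-list branch implements the report's advice to permit CDB only for specific users, and the per-host correlation turns two weak signals into one stronger one.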

Symantec’s findings underscore a significant shift in the cyber threat landscape, revealing that Russian organizations are not immune to incursions from Chinese state-sponsored actors. This targeting of a Russian entity by Jewelbug serves as a stark reminder of the complexities and evolving dynamics in international cybersecurity.
