CHINESE HACKERS BREACH RUSSIAN NETWORKS

Chinese hackers linked to Beijing breached a Russian IT firm in a covert operation, exposing growing espionage tensions and a shifting balance in global cyber alliances.

In brief:

- Chinese APT group “Jewelbug” secretly breached a Russian IT services provider, gaining long-term access to internal systems and potentially its clients’ networks.

- The attack marks a rare instance of Beijing’s cyber operatives targeting Russia, highlighting shifting intelligence priorities and rising distrust between the two nations.


A Chinese state-linked cyber group reportedly infiltrated a Russian IT services company, marking a rare instance of Beijing’s digital spies targeting Moscow. Cybersecurity analysts from Symantec’s Threat Hunter Team uncovered the breach, linking it to a sophisticated Chinese threat actor known as “Jewelbug.” The operation reportedly spanned several months in early 2025, allowing the hackers to quietly explore internal systems and access sensitive data undetected.

Hidden operation with high stakes

Jewelbug allegedly gained deep access to the company’s build servers, internal code repositories, and core infrastructure, giving it potential control over the software supply chain that services multiple Russian businesses. By compromising a trusted provider, the attackers could have gained indirect access to a network of corporate clients, an approach reminiscent of major global supply chain breaches seen in the past.

To maintain stealth, the hackers disguised one of Microsoft’s legitimate debugging tools, renaming it “7zup.exe.” This allowed them to execute malicious code, hijack processes, and conceal their presence effectively. They also used credential theft, persistence mechanisms through scheduled tasks, and data removal to erase evidence of the intrusion.
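One defensive check that the renaming described above suggests, added here as an example and not taken from the article or from Symantec’s report: compare each process’s on-disk file name with the OriginalFilename that the compiler embeds in the PE version resource, which Sysmon records in its process-creation events. The sample events, their field names and the embedded name of the debugging tool are constructed placeholders.

```python
"""Flag Microsoft-authored binaries executed under a renamed image.

Added example, not the article's or Symantec's code. Events are a constructed
list modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, Company,
ParentImage); the field names and the sample values are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # full path of the executed file (Image)
    original_file_name: str  # OriginalFilename from the PE version resource
    company: str             # CompanyName from the PE version resource
    parent_image: str        # path of the parent process (ParentImage)


def is_masqueraded(ev: ProcessEvent) -> bool:
    """True when a Microsoft-signed tool runs under a file name that differs
    from its embedded OriginalFilename, i.e. it was renamed after build."""
    on_disk = PureWindowsPath(ev.image).name.lower()
    embedded = ev.original_file_name.strip().lower()
    if not embedded or embedded == "?":
        return False  # no version resource to compare against
    return ev.company.lower().startswith("microsoft") and on_disk != embedded


def find_masquerades(events):
    """Return the events that should be escalated for review."""
    return [ev for ev in events if is_masqueraded(ev)]


# Constructed sample telemetry; "DEBUGTOOL.EXE" is a placeholder, not the
# real embedded name of the debugger the article refers to.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "Microsoft Corporation", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\ProgramData\7zup.exe", "DEBUGTOOL.EXE",
                 "Microsoft Corporation", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Program Files\7-Zip\7z.exe", "7z.exe",
                 "Igor Pavlov", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_EVENTS):
        print(f"renamed Microsoft binary: {hit.image} "
              f"(embedded name {hit.original_file_name}, parent {hit.parent_image})")
```

A hit is a lead, not a verdict: legitimate installers sometimes rename binaries, so pair this with the parent process and the write location before escalating.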

In a particularly clever move, data was exfiltrated using Yandex Cloud, a domestic platform widely trusted in Russia. This made the operation appear legitimate and reduced the chance of raising alarms within the compromised network.

Strategic shift in cyber espionage

Security researchers describe the incident as a significant shift in China’s cyber operations. Historically, both Chinese and Russian hacker groups have avoided direct conflict or interference with one another. However, this breach suggests that China’s intelligence agencies are broadening their targets, even those once considered allies.

Recent investigations have revealed similar patterns. According to multiple cybersecurity sources, Chinese hacking groups have been probing Russian government and defence networks since 2022, reportedly seeking classified military and technological information. These findings suggest a growing strategic interest by Beijing in Russia’s defence sector, despite the two nations’ public image of close cooperation.

A wake-up call for Russian cybersecurity

Experts warn that this intrusion is a serious red flag for Russian firms and their international partners. By infiltrating an IT services company, Jewelbug demonstrated that even domestic infrastructure is vulnerable to foreign espionage.

The use of cloud-based command and control (C2) via Microsoft Graph and OneDrive further highlights Jewelbug’s evolving tactics, which favour stealth over brute force. As geopolitical alliances blur, the line between partnership and espionage continues to fade, reminding the cybersecurity world that in the realm of intelligence, no ally is ever truly off-limits.

Stay informed,
Rodcas Consulting Group