<— Back

Twisted Panda: attacks against the Russian defense sector

The war started by Russia in Ukraine in February 2022 has significantly changed the geopolitical climate in the world, prompting the governments to focus their intelligence and cyber capabilities on Eastern Europe and Russia in particular. As situational awareness during armed conflicts involves gathering intelligence on motivations, tactics, plans, and military information on the forces and weapons from all the major political forces, it comes as no surprise that these actions might be carried out against friendly countries as well.

A month into the war, Check Point researchers detected what appears to be a sequence of attempts by a Chinese espionage actor to deploy advanced malware to the networks belonging to several Russian defense research institutes, primarily focused on electronic warfare and military-specialized radio-electronic equipment. These attacks used social engineering tricks exploiting the subject of sanctions, imposed as a result of the war by western countries on multiple Russian businesses, including the military and defense sector. Each of these attempts used different methods for initial infection, including MS Office documents with macros, LNK files, and, interestingly, Word documents exploiting 0-day vulnerability, unknown at the time. 

In our talk, we will start by presenting the findings from our investigation into this cluster of activity against Russian defense institutes – which we called Twisted Panda – including the infection flows and technical analysis of the observed malicious stages and payloads. Then, we will go over this threat actor’s history of malicious activity traced back to March 2021, and show the evolution of their techniques and tools. Lastly, we will talk about attribution and the actor’s motivation behind going after those targets.