Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,857 of 2,445    |
|    Mike Powell to All    |
|    Russian tech firm attacke    |
|    19 Oct 25 09:15:12    |
TZUTC: -0500
MSGID: 1614.consprcy@1:2320/105 2d5a2ebe
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Russian tech firm attacked by Chinese state hackers in allied attack

Date: Fri, 17 Oct 2025 17:43:00 +0000

Description: The Chinese were apparently spying on Russians for almost half a year.

FULL STORY

Chinese hackers were recently seen targeting Russians, which raised eyebrows among the western cybersecurity community who perceive the two countries as allies in cyberspace and beyond.

Earlier this week, security outfit Symantec published a new report in which it detailed the work of Jewelbug, a Chinese state-sponsored threat actor that's been highly active in recent months. In the report, Symantec said Jewelbug was seen going after targets in South America, South Asia, Taiwan and, most notably, Russia.

In early 2025, Jewelbug managed to sneak into the network of a Russian IT service provider, and remain there for no less than five months. During that time, they accessed code repositories and software build systems that they could leverage to run supply chain attacks against the IT service provider's customers.

7zup.exe and Yandex

The compromise was spotted when researchers found a file named 7zup.exe on the IT provider's system. This is a renamed copy of a legitimate Microsoft binary, called CDB (Microsoft Console Debugger).

"This tool can be used to run shellcode, bypass application whitelisting, launch executables, run DLLs, and terminate security solutions," Symantec added.

"Use of a renamed version of cdb.exe is a hallmark of Jewelbug activity," the report reads. Microsoft recommends that CDB should be blocked from running by default and whitelisted for specific users only when it's explicitly needed.

With the help of CDB, Jewelbug managed to dump credentials, establish persistence, and elevate privileges via scheduled tasks. They tried to cover their tracks by clearing Windows Event Logs, and used Yandex Cloud to exfiltrate data. Yandex is a Russian cloud service provider, which was probably chosen since it's commonly used in the country and doesn't usually raise any red flags.

"The targeting of a Russian organization by a Chinese APT group shows, however, that Russia is not out-of-bounds when it comes to operations by China-based actors," Symantec concluded.

Via The Register

======================================================================
Link to news story:
https://www.techradar.com/pro/security/russian-tech-firm-attacked-by-chinese-state-hackers-in-allied-attack

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
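
Added example (not part of the original message or of the Symantec report): one way a defender could flag the two host artifacts the story describes, a renamed cdb.exe and cleared event logs, from exported Windows events. It assumes Sysmon process-creation events (Event ID 1, which carries Image and OriginalFileName) and Security 1102 / System 104 log-clear records, already parsed into dicts; the function names, hosts, paths and sample events are constructed for illustration.

```python
import ntpath

# OriginalFileName values (PE version resource) to watch. cdb.exe is the
# binary named in the story; compared case-insensitively.
WATCHED_ORIGINAL_NAMES = {"cdb.exe"}
# Log-clear events: 1102 in the Security log, 104 in the System log.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}
SYSMON = "Microsoft-Windows-Sysmon/Operational"

def renamed_binary(event):
    """True when a Sysmon process-creation event (ID 1) shows a watched
    binary running under a file name other than its original one."""
    if event.get("Channel") != SYSMON or event.get("EventID") != 1:
        return False
    original = (event.get("OriginalFileName") or "").lower()
    image = ntpath.basename(event.get("Image") or "").lower()
    return original in WATCHED_ORIGINAL_NAMES and image != original

def log_cleared(event):
    """True for an audit-log or event-log clear record."""
    return (event.get("Channel"), event.get("EventID")) in LOG_CLEAR_IDS

def triage(events):
    """Return (host, finding) pairs in input order."""
    findings = []
    for ev in events:
        if renamed_binary(ev):
            findings.append((ev["Computer"], "renamed cdb.exe: " + ev["Image"]))
        elif log_cleared(ev):
            findings.append((ev["Computer"], "event log cleared: " + ev["Channel"]))
    return findings

# Constructed sample events; hosts and paths are made up for illustration.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "Computer": "build01",
     "Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe"},
    {"Channel": SYSMON, "EventID": 1, "Computer": "dev02",
     "Image": r"C:\Debuggers\x64\cdb.exe", "OriginalFileName": "CDB.Exe"},
    {"Channel": SYSMON, "EventID": 1, "Computer": "dev02",
     "Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe"},
    {"Channel": "Security", "EventID": 1102, "Computer": "build01"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, finding)
```

An unrenamed cdb.exe (the second sample event) is deliberately not flagged by the rename check; blocking CDB by default, as the story says Microsoft recommends, is an application-control setting rather than a log query.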
(c) 1994, bbs@darkrealms.ca