Chinese-linked Jewelbug hackers breach Russian IT firm in 5-month espionage campaign

A Chinese-affiliated threat actor known as ‘Jewelbug’ has been linked to a five-month-long cyber intrusion targeting a Russian IT service provider, according to a new report from Broadcom-owned cybersecurity firm Symantec.

Jewelbug is believed to overlap with other tracked entities, including CL-STA-0049 (Palo Alto Networks), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs).

According to the Symantec Threat Hunter Team, the attackers gained access to code repositories and software build systems.

“Attackers had access to code repository and software build systems that they could potentially leverage to carry out supply chain attacks targeting the company’s customers in Russia. Notably too, the attackers were exfiltrating data to Yandex Cloud. Yandex is a popular service in Russia, so the attackers likely chose to use it in order to avoid raising suspicions,” the report notes.

In the Russian intrusion, Jewelbug utilized a renamed version of Microsoft's Console Debugger (cdb.exe) to execute shellcode and bypass application allowlisting. Other tactics included credential dumping, persistence through scheduled tasks, and log tampering to cover tracks.
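A renamed copy of a signed Microsoft binary keeps the `OriginalFileName` stored in its PE version resource, which Sysmon process-creation events (Event ID 1) record alongside the on-disk `Image` path. The following detection logic is an added example, not code from the article or from Symantec's report; the Sysmon-style records, paths and file names it processes are constructed for illustration.

```python
"""Flag renamed copies of cdb.exe (and similar LOLBins) in Sysmon Event ID 1 data.

Sysmon records both the on-disk Image path and the OriginalFileName taken from
the PE version resource. Renaming the file does not change OriginalFileName, so
a mismatch between the two is a cheap, high-signal indicator of the renamed
debugger technique described above. All sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# cdb.exe is the binary named in the article; the others are well-known signed
# Microsoft binaries that are likewise abused under assumed names.
WATCHED_ORIGINALS = {"cdb.exe", "msbuild.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    image: str               # Sysmon "Image": full path of the executable run
    original_file_name: str  # Sysmon "OriginalFileName": from PE version info


def is_renamed_lolbin(ev: ProcEvent) -> bool:
    """True when a watched binary runs under a different on-disk file name."""
    orig = ev.original_file_name.lower()
    if orig not in WATCHED_ORIGINALS:
        return False
    # Compare only the basename; the install directory may legitimately vary.
    return PureWindowsPath(ev.image).name.lower() != orig


def find_renamed_debuggers(events):
    """Return the events that look like renamed cdb.exe / LOLBin executions."""
    return [ev for ev in events if is_renamed_lolbin(ev)]


# Constructed sample telemetry (hypothetical hosts, paths and names).
SAMPLE_EVENTS = [
    # Legitimate: cdb.exe launched from the Windows SDK under its own name.
    ProcEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
              "CDB.Exe"),
    # Suspicious: the same debugger copied to a user-writable path and renamed.
    ProcEvent(r"C:\Users\Public\svc.exe", "CDB.Exe"),
    # Unrelated process whose names agree: no alert.
    ProcEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),
]

if __name__ == "__main__":
    for hit in find_renamed_debuggers(SAMPLE_EVENTS):
        print(f"ALERT renamed {hit.original_file_name}: {hit.image}")
```

The same comparison can be expressed as a SIEM rule on the Sysmon fields, with the legitimate debugger install directories added as an allowlist to reduce noise.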

In another case, the threat actor deployed a new, likely in-development backdoor on a major South American government network. The malware uses Microsoft Graph API and OneDrive for command-and-control (C2).

The group also breached a Taiwanese company and a South Asian IT provider. In this incident the attackers used DLL side-loading and ShadowPad, a modular backdoor long associated with Chinese state-sponsored hacking groups.

The group also utilized Bring Your Own Vulnerable Driver (BYOVD) techniques, including the EchoDrv tool, which abuses a flaw in an anti-cheat driver, to disable endpoint protection.

Additional tools used in the attacks include LSASS, Mimikatz, and privilege escalation exploits like PrintNotifyPotato and Sweet Potato, along with EarthWorm, a SOCKS tunneling utility previously linked to Chinese APTs like Gelsemium, Lucky Mouse, and Velvet Ant.

Symantec's threat intelligence team said it had not been able to determine the initial access vector used in many of the observed attacks.

“The most notable element of all this recent Jewelbug activity is the targeting of a Russian IT service provider by the Chinese APT group. When it comes to things like the Russia-Ukraine conflict and other geopolitical matters, China has traditionally backed, or at least not opposed, Russia, with the two considered to be loosely allied,” the report said. “The targeting of a Russian organization by a Chinese APT group shows, however, that Russia is not out-of-bounds when it comes to operations by China-based actors. The fact that there are indications the IT service provider may have been targeted for the purposes of a software supply chain attack on the company’s customers in Russia is also notable as it means this attack had the potential to give the attackers access to a large number of companies in the country, which they could have used for cyber espionage or disruption.”