Twisted Panda: Chinese APT espionage operation against Russia
Check Point Research (CPR) has uncovered a targeted cyber espionage campaign against at least two Russian research institutes specializing in advanced defense technologies. These institutes are part of Rostec Corporation, Russia’s largest state-owned defense conglomerate in the radio-electronics sector. CPR also identified a similar attack on a Belarusian target, likely involved in research, through a spear-phishing email claiming the US is spreading a biological weapon.
The targeted Russian defense institutes focus on the development and manufacturing of:
- Electronic warfare systems
- Military-specialized onboard radio-electronic equipment
- Air-based radar stations
- State identification systems
This activity has been attributed with high confidence to a Chinese threat actor. Possible links include:
- Stone Panda (APT10): A sophisticated, nation-state-backed cyber espionage actor.
- Mustang Panda: Another experienced China-based espionage group.
CPR named the campaign Twisted Panda to reflect the sophistication of the tools used and its attribution to Chinese actors.
New Tools Observed
The attackers used tools that have not been previously documented:
- Multi-layered Loader: A highly sophisticated, multi-layered loader with advanced evasion capabilities.
- SPINNER Backdoor: A custom backdoor employing advanced anti-analysis techniques.
These tools have been in development since at least March 2021 and utilize advanced techniques, such as:
- In-memory execution for evasion.
- Compiler-level obfuscations to hinder detection and analysis.
Twisted Panda demonstrates a new level of sophistication in cyber espionage, highlighting the advanced capabilities of Chinese APT groups targeting critical defense research.