
China spies on Russian IT firms in unusual cyberattack

The breach

Chinese state-linked hackers have targeted a Russian IT service provider despite Moscow and Beijing’s public partnership. This unusual attack highlights deep cyber-espionage layers even among allies.

Symantec warned that the attackers’ access to build systems and code repositories could be leveraged to carry out supply-chain attacks against multiple downstream customers.

Who was targeted in Russia?

The victim was a Russian IT services firm that supports other companies with software builds and infrastructure access. The attackers infiltrated its internal systems, possibly to exploit the firm’s wide access footprint.

By compromising one provider, China-linked hackers may have gained entry into many downstream networks. The choice of target underscores how supply-chain vectors are increasingly prominent in espionage. The provider’s clients across Russia may now face exposure.

Attribution

Symantec’s Threat Hunter team attributes this intrusion to a China-linked actor it tracks as Jewelbug (also referenced as REF7707 / CL-STA-0049 and by some vendors as Earth Alux).

Other China-linked clusters (for example, APT31 and groups linked in court filings to PRC security services) exist, but the Symantec report specifically ties this incident to Jewelbug.

Timeline of intrusion revealed

The attackers’ internal access reportedly ran from early 2025 through May, according to Symantec’s Threat Hunter team. They laid the groundwork in build systems and code repositories before possibly moving laterally.

The long dwell time gave them potential for expansive espionage. Although the intrusion was detected in mid-2025, its full scope and the number of affected clients are still under investigation. The timeline shows that even a trusted alliance does not guarantee restraint in cyberspace.

Supply-chain risk exploited

Researchers believe the hackers aimed not just at the IT provider but at its clients through supply-chain intrusion. By accessing the provider’s build and code systems, attackers could inject malicious code or backdoors upstream.

This technique magnifies risk far beyond the single firm. The campaign shows how one compromised service provider can cascade vulnerabilities throughout an entire ecosystem. Security teams must thus monitor their suppliers, not just internal assets.

Tools and techniques used

The attackers employed identifiable techniques: a Microsoft debugger renamed to “7zup.exe” as a disguise, which they used for privilege escalation, credential dumping, scheduled task creation, and event log clearing.

The attackers leveraged legitimate cloud services to hide activity: Symantec observed exfiltration to Yandex Cloud in the Russian incident, and the vendor also documented the group’s use of Microsoft Graph API / OneDrive as command-and-control in other activity.

These tactics help bypass network filters and hide within permitted traffic. The sophistication indicates a well-resourced state actor, not a generic cyber-crime group.

Why did China target Russia?

Despite the public “no-limits” friendship between China and Russia, intelligence goals diverge. China appears motivated to glean Russian experience in the Ukraine war, defense systems, UAV technology, and electronic warfare.

A leaked classified FSB document, cited in other reporting, even labels China an “enemy”. These hidden attacks are part of China’s broader strategy to reduce strategic reliance on allies and collect intelligence proactively. It’s a reminder that geopolitics underpins cyber-espionage.

Impact on Russian IT/defense sectors

The infiltration affects more than just the provider; it potentially impacts Russian firms serviced by the target. This includes defense, aerospace, security contractors, and technology vendors.

The risk: planted code, persistent access, or compromise of critical systems through the supply chain. Moscow may face greater vulnerability than it lets on, especially as it handles wartime operations. Russian companies must treat insiders and partners as part of their threat model.

Detection and stealth tactics

The campaign shows how the attackers hid by using familiar platforms and services (e.g., Yandex Cloud) to avoid raising alarms. Lateral movement was gradual, tools were disguised, and ordinary-looking services were used for malware delivery.

Such stealth makes detection difficult and means defenders must focus on behaviour, not just IOCs. The long dwell time (several months) implies either that detection capabilities in Russia are lagging or that the attackers were extremely subtle.

Supply-chain defence lessons

This incident reinforces that supply chain weakness can be exploited for major espionage. Organizations must vet vendors, monitor build systems, apply segmentation, and audit software dependencies.

Build environments and code repositories must be treated as high-risk zones. Just because your vendor is an “ally” does not make it safe. Implement continuous monitoring, zero trust, and runtime code verification as standard practice.

Strategic implications for China–Russia ties

The breach raises questions about trust and intelligence sharing between China and Russia. If China is spying on its ally’s IT infrastructure, cooperative frameworks may be hollow. The move could shift the global balance of power in cyber-intelligence.

Russia may rethink its platforms, partners, and external reliance. The cyber-dimension of alliances is now as important as diplomacy and military cooperation.

Broader espionage trend worldwide

This case fits a broader pattern: state actors increasingly target even allies to extract strategic advantage. Cyber-espionage is no longer just about attacking adversaries but about exploiting every possible access point.

China’s shift toward targeting Russia indicates a global mindset of surveillance rather than conventional diplomacy. Other nations should expect similar behaviour—trust no one implicitly. The era of “friendly cyber zones” may be over.

Legal and geopolitical fallout

This operation may prompt Russian internal investigations, legislative reviews, and possible countermeasures. Accusations could strain intelligence cooperation or lead to retaliatory actions in cyberspace.

For China, the strategy remains deniable, even though the malware footprints have been traced. International norms around cyber-alliances and trusted partnerships could erode. For defenders globally, the takeaway is that geography and alliance do not equal safety.

Corporate cybersecurity takeaway

Companies, especially IT service providers, managed-service vendors, and code-hosting platforms, must assume they too may be espionage targets regardless of where their clients are located. Review build systems, repository access, credential hygiene, and partner trust.

Conduct third-party audits, segment networks, and monitor both lateral movement and cloud-based exfiltration paths. Simple assumptions (e.g., “our vendor is domestic”) are inadequate in the cyber age.

Russia’s defence posture under scrutiny

For Russia, the breach demonstrates vulnerabilities in its own cyber-defence posture, even while engaged in a major war. Supply-chain compromise of IT infrastructure used by defense and tech firms can degrade readiness, leak secrets, or disrupt critical operations.

Russia may need to shift to more hardened, isolated, or domestic platforms and less reliance on international clouds or services. Cyber-resilience becomes a national imperative.

Next steps

China’s cyber-espionage against a Russian IT provider is a striking example of friend-turned-target behaviour in cyberspace. The incident demonstrates that intelligence collection knows no alliances, and supply-chain access is a major vulnerability.

Organizations and nations must expand their threat model to include vendors, allies, and infrastructure partners. The next wave of espionage will likely exploit trusted relationships, and defense will need to reflect that reality.

This slideshow was made with AI assistance and human editing.