In the .ru/.rf zone, the number of domains with malicious software has sharply increased


The Coordination Center for Domains and the Ministry of Digital Transformation note a sharp increase in registrations in the ru./.rf zone of domains that distribute malware, registered under the passport data of Chinese citizens. Information security specialists confirm the activation in the Russian Federation of “pro-state cyber-espionage” groups associated with the PRC, calling them “long-standing and traditional” participants in hacker attacks in the country. Experts on Russian-Chinese relations consider attacks to be one of the elements of negotiating positions that do not fundamentally interfere with cooperation between countries.

Kommersant has reviewed data from the Coordination Center (CC) for .ru/.rf domains, according to which the number of domains distributing malware in the .rf zone increased sharply in June. In May 2023, 226 such domains were blocked in the .rf zone, and in June already 2.6 thousand (in May 2022, only 9; in June 2022, 74 domains).

Evgeniy Pankov, project manager at the CC, believes that there is a “planned attack using the .rf domain.” According to him, “in past years” the share of malicious sites in .rf was less than 1% of the total number of requests from competent organizations and users, but in January-June it increased to 10%. The CC emphasized that in May and June all domains with malware turned out to be registered to the passport data of Chinese citizens. The sites created on them were used to spread the universal Trojan Evo-gen, which infects Android and Windows devices, as well as the Zmutzy.Lscpt ransomware virus and the VoidBalaur trojan.

The Ministry of Digital Development confirmed to Kommersant that at the end of May they noted incidents related to the use of domains in the .rf zone. “In total, about 2.2 thousand such resources were identified and blocked,” they said. Some of them contained links to malware, in some cases the content posted on the site was in Chinese, the ministry said.

Chinese APT groups (which conduct targeted attacks) are traditionally considered “one of the most active pro-state cyber-espionage groups”; their feature is “covert penetration into infrastructure and espionage for a long time; usually Chinese APTs target government, military, financial, educational institutions, as well as energy, medical and IT companies,” says Yaroslav Kargalev, head of the FACCT cybersecurity center (formerly Group IB).

RTK-Solar has been observing the activity of Chinese APT groups for a “long time”, confirms Vladislav Lashkin, head of the company’s threat analysis group. “They have been and remain one of the most constant and stable threats to both the public sector and private companies in the Russian Federation,” he notes. Chinese hackers are quite skilled, so, on the contrary, they usually try to disguise the domains of their control servers as something specific to the Russian Federation or simply inconspicuous: ordinary hosting, certificates containing fields common to millions of addresses, the expert adds.

Specialists of the Positive Technologies security expert center note a “new wave of attacks” by a hacker group with Chinese roots, Space Pirates (first discovered in May 2022), which has increased the number of attempts to attack the Russian public sector, the aviation, rocket and space industries, and educational institutions: “according to the PT ESC investigation, Space Pirates has successfully attacked at least 16 organizations in Russia over the past year.” Denis Kuvshinov, head of the cyberthreat research department at the Positive Technologies security expert center, says that over the past year the group has developed new tools that implement non-standard techniques.

Kommersant’s interlocutor, who is familiar with the development of relations between the Russian Federation and China, considers the growth of cyber espionage by the latter understandable and inevitable: “the Chinese side is investing large resources in its cyber capabilities, because it wants to have a stronger negotiating position.” In his opinion, as a result, Moscow and Beijing “can develop certain rules of the game so that cyber incidents and data theft do not affect relations as a whole too much.” Rapprochement between Russia and China will not stop this, Kommersant’s source is sure: the Russian Federation is under sanctions and its options are limited, while the PRC needs a partner to withstand US pressure.

Russia and China have formats for dialogue on cybersecurity both at the bilateral level and within the framework of the SCO (Shanghai Cooperation Organization); “perhaps problematic issues are discussed there,” adds Oleg Shakirov, an expert at the Russian International Affairs Council. An illustrative story happened in 2021: in May, the NKTsKI released a joint report with RTK-Solar on computer attacks on Russian government organizations; the document did not name the country, but it later turned out to be about China, he notes. Russian experts sent a warning to Chinese hackers, the expert explains, “but the incident was not turned into a public scandal.”

Tatyana Isakova
