Cyberwarfare / Nation-State Attacks
                                                    ,
                                                            Fraud Management & Cybercrime
                                                    
                    Symantec Says It Spotted Likely Supply Chain Hack
                

Suspected Chinese state-linked hackers reportedly breached a Russian IT service provider in an espionage campaign targeting government-related networks.
See Also: OnDemand | North Korea’s Secret IT Army and How to Combat It
Cybersecurity researchers at Symantec spotted a Chinese threat actor they named Jewelbug infiltrating a Russian company’s software build and code repository systems between January and May. The breach indicates a possible supply chain hack since hackers could potentially insert malicious code into software distributed to multiple downstream clients.
Symantec did not name the targeted Russian IT service provider in its report. The company described it as a major provider with government-related clients.
During the intrusion, the attackers conducted extensive reconnaissance, stole credentials and maintained persistent access within the network. Symantec researchers found the group using legitimate tools such as Yandex Cloud, a cloud computing platform offered by Yandex, one of Russia’s largest technology companies. Using a trusted domestic platform helps attackers blend malicious activity into normal operations. Traffic to Yandex services is routine for Russian organizations, so transfers or connections there are less likely to trigger alerts.
Symantec and other researchers say Jewelbug’s operations fit a cyberespionage profile rather than a financially motivated attack. Also tracked as REF7707, CL-STA-0049 and Earth Alux, Jewelbug has been active since at least mid‑2023 and repeatedly targets government and corporate networks across South America, South and Southeast Asia, Taiwan – and now Russia.
Symantec researchers have observed the group maintaining persistent access within compromised networks for extended periods – often months – while conducting credential theft, internal reconnaissance and lateral movement.
Symantec reported that Jewelbug has also breached a South American government agency, a Taiwanese software firm and an IT service provider in South Asia. In several of these attacks, researchers found a newly developed backdoor.
The Symantec report comes amid a string of discoveries indicating an increase in Chinese cyber operations targeting Russian organizations, despite the countries’ usual status as strategic partners. Kaspersky Lab in August 2024 identified a cyberespionage campaign named “CloudSorcerer,” which targeted Russian government agencies and research institutions. The attackers used sophisticated malware to infiltrate systems and exfiltrate sensitive data. Kaspersky linked the campaign to a Chinese state-affiliated group.
