CPC’s APT31 Launches Cyberattacks on Russian IT Industry Using Cloud Services

A Russian cybersecurity company has found that the Chinese hacker group APT31 carried out a prolonged, hard-to-detect cyberattack campaign against the Russian IT industry between 2024 and 2025.

Researchers from Positive Technologies stated in a report released on Thursday, November 20th, that during this period the Russian IT industry, especially contractors and integrators supplying solutions to government agencies, faced a series of targeted computer attacks.

APT31, a Chinese hacker organization, was responsible for these attacks. Active since at least 2010, APT31 has conducted cyberattacks against sectors including government, finance, aerospace and defense, high technology, construction and engineering, telecommunications, media, and insurance.

The main objective of APT31 is to gather intelligence and provide political, economic, and military information to Beijing and state-owned enterprises.

In May 2025, the Czech Republic accused APT31 of attacking its Ministry of Foreign Affairs.

What sets this attack on Russia apart is the use of legitimate cloud services, specifically popular domestic providers such as Yandex Cloud, for command-and-control operations and data theft. By routing this traffic through trusted services, the attackers attempted to blend in with normal network traffic and evade detection.

It is alleged that the attackers also used domestic and international social media accounts to distribute encrypted instructions and payloads, launching attacks during weekends and holidays.

The researchers noted that traffic to these platforms does not raise suspicion, which allowed the hackers to bypass detection by traditional security systems. Timing the attacks for weekends and holidays indicates that the hackers had insight into the target organizations’ operational workflows.

During an attack on a Russian IT company, APT31 had already infiltrated the company’s network by late 2022 but chose to escalate the attack during the New Year holiday period in 2023.

In another intrusion, detected in December 2024, the attackers sent a spear-phishing email carrying a RAR archive that contained a Windows shortcut (LNK) file.

In a further phishing attempt, the Chinese hackers disguised a ZIP file as a report from the Peruvian foreign ministry.