Google: Chinese state hackers target Ukraine’s government

Google's Threat Analysis Group (TAG) says the Chinese People's Liberation Army (PLA) and other Chinese intelligence agencies are trying to get more info on the ongoing Russian war in Ukraine.

Google TAG Security Engineer Billy Leonard says Google notified Ukrainian government organizations targeted by a Chinese-sponsored hacking group.

"Over the last few weeks Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties," Leonard said.

"While our priority is providing notifications to impacted parties, we've provided related IOCs to community partners, and we will publish more details for the security community in the near future."

The group's head, Shane Huntley, also confirmed Leonard's assessment, saying that "the Ukraine war isn't only attracting interest from European threat actors. China is working hard here too."

This aligns with claims made by the Intrusion Truth, a secretive group known for its work on exposing suspected Chinese hacking operations, on Tuesday saying that it's aware of Chinese threat actors targeting Ukraine, likely at the behest of the Chinese government.

Intrusion Truth also asked infosec experts to share any indicators or samples linked to Chinese malicious activity in Ukraine via public or anonymous channels.

I would assume this is cyber espionage, which would be expected, though still not good. https://t.co/SeJWEYrWRv

— John Hultquist (@JohnHultquist) March 15, 2022

Chinese state hackers also targeting Europe

Google TAG's report of ongoing Chinese cyber operations in Ukraine follows another warning issued one week ago regarding a Chinese-backed hacking group tracked as APT31 targeting Gmail users affiliated with the US government.

One day earlier, Google security analysts revealed that Russian and Belarusian targeted Ukrainian and European government and military orgs in widespread phishing and DDoS attacks.

"In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia," said Shane Huntley, Google's TAG lead.

Google added that the Chinese-backed hacking group Mustang Panda (aka Temp.Hex and TA416) has also switched to phishing attacks against European organizations using lures related to the invasion of Ukraine.

The same day, Proofpoint revealed it detected Mustang Panda phishing "European diplomatic entities, including an individual involved in refugee and migrant services."