China-Linked APT31 Leverages Cloud Services in Stealthy Russian IT Attacks


These articles are AI-generated summaries. Please check the original sources for full details.

China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT

The China-linked APT31 group ran a sustained cyber espionage campaign against Russian IT companies in 2024 and 2025 and stayed undetected in victim networks for long stretches. Researchers at Positive Technologies, who analysed the intrusions, found that the group relied on legitimate cloud infrastructure for both command-and-control and data exfiltration.

Why This Matters

Detection that treats traffic to major cloud providers as benign by default creates a blind spot: C2 traffic and exfiltration to Yandex Cloud or OneDrive look like ordinary SaaS use, so APT31 can operate inside the noise of legitimate activity. The cost of missing it is measured in intelligence loss as well as money, since a single successful breach of an IT contractor can expose the data of its government customers.

Key Insights

  • APT31 active since 2010: The group has a long history of targeting a diverse range of sectors.
  • Cloud C2: Using Yandex Cloud and Microsoft OneDrive as command-and-control channels gives the traffic camouflage (it blends with sanctioned SaaS use) and resilience (the infrastructure is not easily taken down or blocklisted).
  • Tool Diversity: APT31 mixes publicly available utilities such as SharpADUserIP with custom backdoors such as CloudSorcerer, which limits what signature-based tooling can match.

Practical Applications

  • Use Case: One victim, a Russian IT firm contracted by a government agency, was breached in late 2022; APT31 kept access for more than two years.
  • Pitfall: Signature-based detection alone will miss C2 that rides on legitimate cloud services. Look at behaviour instead of destination reputation: which process or client talks to the cloud API, how regularly it does so, and how much it uploads.
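The pitfall above is the one the campaign exploits, so here is an added example (not code from the article or from Positive Technologies) of the behavioural check a detection engineer would build instead: baseline how each host talks to the named cloud domains and flag machine-like request cadence, escalating when the client string is not one the organisation sanctions. The log format, the `ExampleSyncClient/1.0` allowlist and every host name are constructed for the example; the watched-domain list mirrors the services the article names and would come from an organisation's own SaaS inventory in practice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Cloud services the article names as APT31 C2 carriers. A real deployment
# would take this list from the org's sanctioned-SaaS inventory.
WATCHED_SUFFIXES = ("onedrive.live.com", "yandexcloud.net")

# Hypothetical allowlist of client strings expected to talk to those domains
# (assumption for this example, not something the report states).
EXPECTED_CLIENTS = {"ExampleSyncClient/1.0"}

# Constructed proxy-log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(r'^(\S+) host=(\S+) dst=(\S+) ua="([^"]*)" bytes=(\d+)$')


def parse(line):
    """Parse one constructed proxy-log line; return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m[1].replace("Z", "+00:00")),
        "host": m[2], "dst": m[3], "ua": m[4], "bytes": int(m[5]),
    }


def is_watched(dst):
    """Match the domain itself or any subdomain, never a look-alike suffix."""
    return any(dst == s or dst.endswith("." + s) for s in WATCHED_SUFFIXES)


def cadence(timestamps):
    """Mean gap between requests and its coefficient of variation.
    A CV near 0 means the requests fire on a timer, not on a human."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def detect(lines, min_requests=6, max_cv=0.15):
    """Return beacon-like (host, cloud domain) pairs with a severity."""
    by_pair = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if is_watched(rec["dst"]):
            by_pair[(rec["host"], rec["dst"])].append(rec)

    findings = []
    for (host, dst), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        interval, cv = cadence(r["ts"] for r in recs)
        if cv > max_cv:
            continue  # irregular gaps: interactive use, not a beacon
        clients = {r["ua"] for r in recs}
        # A sanctioned sync client also polls on a timer, so periodicity alone
        # is only a weak signal; an unexpected client makes it a strong one.
        severity = "high" if not clients <= EXPECTED_CLIENTS else "low"
        findings.append({"host": host, "dst": dst, "interval_s": round(interval),
                         "cv": round(cv, 3), "clients": sorted(clients),
                         "severity": severity})
    return findings


def _lines(host, dst, ua, gaps_s, start="2025-03-04T09:00:00Z"):
    """Build constructed log lines for one host/domain pair with given gaps."""
    t = datetime.fromisoformat(start.replace("Z", "+00:00"))
    out = []
    for g in [0] + list(gaps_s):
        t += timedelta(seconds=g)
        stamp = t.isoformat().replace("+00:00", "Z")
        out.append(f'{stamp} host={host} dst={dst} ua="{ua}" bytes=512')
    return out


# Constructed sample: a timer-driven unknown client, a timer-driven sanctioned
# client, a human-paced sanctioned client, and traffic to an unwatched domain.
SAMPLE_LOG = (
    _lines("WS-014", "onedrive.live.com", "python-requests/2.31",
           [300, 298, 302, 300, 299, 301, 300])
    + _lines("WS-020", "onedrive.live.com", "ExampleSyncClient/1.0", [300] * 7)
    + _lines("WS-031", "storage.yandexcloud.net", "ExampleSyncClient/1.0",
             [40, 900, 15, 2600, 120, 60, 1800])
    + _lines("WS-031", "intranet.example.internal", "ExampleSyncClient/1.0", [60] * 7)
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the sample, WS-014 is reported as high (five-minute cadence from a client the organisation does not use), WS-020 as low (same cadence, but from the sanctioned client, which is what a sync agent legitimately looks like), and WS-031 not at all. The low-severity tier is the important design choice: suppressing periodic traffic from known clients entirely would recreate the "trusted cloud" blind spot, since a backdoor can spoof a client string, so those hits stay visible for correlation with upload volume and the originating process rather than being dropped.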

