Symantec Confirms Chinese Hackers Breached Russian IT Firm — Hidden for 5 Months

In a surprising and unusual move, a Russian IT service provider has been hacked by a Chinese state-sponsored cyber group, showing that even countries often seen as allies are not safe from cyberattacks. Security researchers at Symantec reported that the attack was carefully planned and executed, allowing the hackers to stay undetected while collecting sensitive data over several months.

Chinese Hackers Infiltrate Russian IT Company

The attack was carried out by Jewelbug, a Chinese government-linked hacking group. Cybersecurity experts classify Jewelbug as an Advanced Persistent Threat (APT), meaning they work quietly and carefully to stay inside computer systems for long periods to steal sensitive information. While the group has previously targeted regions such as South America, South Asia, and Taiwan, the breach of a Russian company surprised many cybersecurity experts.

According to Symantec, the hackers infiltrated the network of the Russian IT service provider in early 2025 and remained inside for at least five months. During this time, they accessed software code repositories and build systems, which are essential for creating software for the company’s clients. This access gave the attackers the potential to launch supply chain attacks, affecting not just the company itself but also the organizations it serves.

The long dwell time in the network demonstrates the stealth and persistence of state-sponsored hacking operations. Jewelbug’s activities showed careful planning and execution, typical of advanced persistent threats (APTs) sponsored by governments.

Sophisticated Tools and Techniques

Researchers found that the hackers used a Microsoft tool called CDB (Console Debugger), renaming it as 7zup.exe to hide their activity. CDB is normally a legitimate program used by developers to find and fix problems in software, but the hackers misused it to secretly control computers and bypass security protections. This tool allowed the attackers to perform a wide range of operations while avoiding detection.

With the renamed debugger, the attackers were able to:

  • Run hidden programs and shellcode on company systems
  • Bypass security measures and application whitelisting
  • Dump credentials and steal usernames and passwords
  • Maintain persistent access and elevate privileges using scheduled tasks
  • Run and terminate other programs, including security solutions

The hackers also attempted to cover their tracks by clearing Windows Event Logs, which usually record system changes and activities. They then used Yandex Cloud, a popular Russian cloud service, to quietly exfiltrate stolen data. Choosing a local cloud service likely helped the attackers avoid raising alarms, as such traffic appeared normal within the company network.
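Two of the behaviours described above leave telemetry a defender can key on: a debugger renamed on disk still carries its PE `OriginalFileName`, and clearing an event log is itself logged. The following is an added example written for this article, not code from Symantec or the report; it runs two such checks over constructed Sysmon-style process-creation records and a constructed "audit log cleared" record, with all sample values invented for illustration.

```python
"""Flag renamed-debugger execution and event-log clearing in Windows telemetry.
Field names follow Sysmon Event ID 1 (process creation), Security Event ID 1102
and System Event ID 104 (log cleared). All records below are constructed for
this example; they are not indicators from the Symantec report."""
import ntpath  # handles Windows paths regardless of the host OS

# Developer debuggers that are legitimate but abused as living-off-the-land
# binaries. Detection keys on the PE OriginalFileName, which survives a rename.
DEBUGGER_ORIGINAL_NAMES = {"cdb.exe", "windbg.exe", "ntsd.exe"}

# Constructed telemetry: benign developer use, a renamed debugger, an
# unrelated archiver, and a Security log clear.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Debuggers\x64\cdb.exe", "OriginalFileName": "cdb.exe",
     "CommandLine": "cdb.exe -z crash.dmp", "User": r"DEV\alice"},
    {"EventID": 1, "Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "cdb.exe",
     "CommandLine": "7zup.exe -cf run.wds", "User": r"DEV\svc_build"},
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": "7z.exe a out.7z src", "User": r"DEV\bob"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "svc_build"},
]


def is_renamed_debugger(event):
    """True for a process-creation record whose on-disk file name differs from
    the PE OriginalFileName and whose original name is a known debugger."""
    if event.get("EventID") != 1:
        return False
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original in DEBUGGER_ORIGINAL_NAMES and on_disk != original


def is_log_cleared(event):
    """Security 1102 ("The audit log was cleared") or System 104 ("Log clear")."""
    return event.get("EventID") in (1102, 104)


def triage(events):
    """Return (rule_name, detail) tuples for every matching record."""
    findings = []
    for ev in events:
        if is_renamed_debugger(ev):
            findings.append(("renamed_debugger", ev["Image"]))
        elif is_log_cleared(ev):
            findings.append(("log_cleared", ev.get("SubjectUserName", "unknown")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The renamed-debugger rule fires only when the original and on-disk names disagree, so normal developer use of `cdb.exe` from its install path does not alert.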

Symantec noted that using trusted tools like Microsoft’s debugger and local cloud services shows how sophisticated and careful the attackers were. Their approach allowed them to stay hidden for months while gathering valuable information.

Targeting Russia Despite Perceived Alliances

The attack is especially notable because Russia and China are often seen as political allies. Many experts assumed Chinese hackers would avoid Russian targets and focus on other countries, but this incident proves otherwise.

Symantec emphasized that Russia is not off-limits to Chinese state-sponsored groups. The Jewelbug hackers have been active globally, and their decision to target a Russian IT provider highlights that cyber operations do not always follow political alliances. The group appears to prioritize strategic and technical advantage over perceived friendship between nations.

This breach underlines the growing complexity of cyber operations. Even organizations in allied countries can become targets for sophisticated hacking groups. The Russian IT company’s experience illustrates the advanced capabilities of state-sponsored hackers and the risks posed to critical technology infrastructure.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
