Saturday, October 18, 2025

Chinese Hackers Infiltrate Russian IT Firm, Stay Hidden for Months

  • Chinese APT group Jewelbug breached a Russian IT firm and stayed hidden for five months
  • Attackers disguised Microsoft debugger as 7zup.exe to bypass security measures
  • Data was exfiltrated via Yandex Cloud to blend with regular local traffic
  • The breach shows that cyber alliances are not safe zones in modern warfare

In a move that challenges assumptions about cyber alliances, the Chinese state-linked threat actor known as Jewelbug breached a Russian IT service provider. The attackers remained undetected for nearly five months, giving them free rein over code repositories and software build systems.

Security researchers from Symantec uncovered the intrusion. They say Jewelbug exploited trust in internal tools and used a clever disguise to avoid detection. Their actions highlight how even nations perceived as allied in cyberspace are not immune to covert attacks.

Disguised Windows Tool Helps Cover Traces

A critical part of the intrusion was a file named 7zup.exe. What at first glance looked like a benign tool was actually Microsoft’s console debugger (CDB), repackaged under a different name.

• The renamed debugger allowed the hackers to run shellcode and execute DLLs.
• It let them circumvent application whitelisting and disable security tools.
• Using this tool, they dumped credentials, created persistence, and escalated privileges via scheduled tasks.

Jewelbug also went a step further to hide its tracks. It cleared Windows Event Logs, making forensic analysis harder. Using a trusted Microsoft binary under a new name is a tactic that analysts associate closely with this threat actor.
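The two behaviours described above, a Microsoft debugger running under a different file name and event logs being cleared, are both visible in ordinary Windows telemetry. The script below is an added example of how a defender might flag them; it is not code from the article or from Symantec. It runs over constructed records shaped like Sysmon Event ID 1 (process creation, which carries the PE version-info OriginalFileName) and Windows event IDs 1102 and 104 (event log cleared). The account names and paths in the samples, and the allow-list of accounts permitted to run a debugger, are hypothetical.

```python
"""Detection logic for the renamed-debugger tradecraft described above.

Added example, not code from the article or from Symantec. The records
below are constructed samples shaped like Sysmon Event ID 1 (process
creation) and Windows event IDs 1102 / 104 (event log cleared); they are
not telemetry from the incident. Account names and paths are hypothetical.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# PE version-info OriginalFileName values worth watching. cdb.exe comes from
# the article; the other two are sibling Windows debuggers (assumption).
WATCHED_ORIGINAL_NAMES = {"cdb.exe", "windbg.exe", "ntsd.exe"}

# Accounts allowed to run a debugger at all, following the advice to permit
# CDB only for trusted users. Hypothetical account name.
ALLOWED_DEBUGGER_USERS = {"CORP\\dev-debug-svc"}

# Security log 1102 and System log 104 both record a cleared event log.
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def check_record(rec: dict) -> list[Finding]:
    """Return findings for one event record (empty list when benign)."""
    findings: list[Finding] = []
    eid = rec.get("EventID")
    if eid == 1:  # Sysmon process creation
        image = rec.get("Image", "")
        on_disk = ntpath.basename(image).lower()
        original = rec.get("OriginalFileName", "").lower()
        user = rec.get("User", "")
        if original in WATCHED_ORIGINAL_NAMES:
            # The on-disk name is attacker-controlled; OriginalFileName is
            # compiled into the binary, so a mismatch means a rename.
            if on_disk != original:
                findings.append(Finding("high", "renamed-debugger",
                    f"{image} has OriginalFileName={original}"))
            if user not in ALLOWED_DEBUGGER_USERS:
                findings.append(Finding("medium", "debugger-unexpected-user",
                    f"{original} launched by {user}"))
    elif eid in LOG_CLEARED_EVENT_IDS:
        findings.append(Finding("high", "event-log-cleared",
            f"event {eid} in {rec.get('Channel', '?')} by {rec.get('User', '?')}"))
    return findings


def scan(records: list[dict]) -> list[Finding]:
    """Apply check_record to every record and flatten the findings."""
    return [f for rec in records for f in check_record(rec)]


# Constructed sample records (not from the incident).
SAMPLE_RECORDS = [
    {"EventID": 1, "Image": r"C:\Users\Public\7zup.exe",
     "OriginalFileName": "CDB.Exe", "User": r"CORP\jdoe"},
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "User": r"CORP\dev-debug-svc"},
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "OriginalFileName": "7z.exe", "User": r"CORP\jdoe"},
    {"EventID": 1102, "Channel": "Security", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The legitimately installed cdb.exe run by the allow-listed account produces no finding, while the same binary renamed to 7zup.exe and launched by a workstation user produces two, and the cleared Security log a third. Matching on OriginalFileName rather than the path is the point: an allow-list keyed on file names is exactly what the rename defeats.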

Data Exfiltration via Local Cloud to Avoid Suspicion

Instead of sending stolen data to external servers abroad, Jewelbug used Yandex Cloud, a Russian provider, to siphon data. That choice likely lowered suspicion in the local network environment.


Yandex is a widely used service in Russia. Thus the malicious network traffic may have blended into normal traffic patterns. Over several months, the group extracted source code, build systems, and other sensitive assets. With that access, they could launch additional supply-chain attacks against the provider’s clients.

Russia Not Safe from China’s Cyber Threats

This breach underscores that no country is automatically off limits to state-affiliated cyber actors – even those viewed as geopolitical partners.

Symantec notes that in recent months, Jewelbug has expanded its reach beyond familiar zones into South America, South Asia, Taiwan, and now Russia.

The attack tells a broader story about modern cyber conflict: alliances are not guarantees of immunity. Actors may exploit grey zones or shifting interests to strike where least expected.

Lessons in Cyber Hygiene and Defense

Security teams are urged to block Microsoft’s CDB by default and allow it only for trusted users when truly necessary.

Regular monitoring, anomaly detection, and rigorous network segmentation are more critical than ever.


Organizations should scrutinize internal traffic to local cloud providers too. Infiltration may hide behind trusted channels.
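Because traffic to a domestic cloud provider looks normal, blocking it outright is rarely an option; what a defender can do is baseline upload volume per host and alert on a sudden jump. The script below is an added example of that approach, not code from the article or from Symantec. It works on constructed proxy- or NetFlow-style egress records (host, day, destination, bytes out). The watched domain suffix yandexcloud.net is an assumption about the provider's endpoints; the host names, dates and byte counts are made up.

```python
"""Upload-volume baselining for traffic to local cloud providers.

Added example, not code from the article or from Symantec. The egress
records below are constructed (host, day, destination, bytes_out); the
watched domain suffix is an assumption about the provider's endpoints.
"""
from collections import defaultdict
from statistics import median

# Domain suffixes treated as "local cloud storage" (assumption).
WATCHED_SUFFIXES = ("yandexcloud.net",)
MB = 1024 * 1024


def to_watched_cloud(dest: str) -> bool:
    """True when dest is a watched domain or one of its subdomains."""
    d = dest.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in WATCHED_SUFFIXES)


def daily_uploads(records: list[dict]) -> dict:
    """host -> day -> total bytes uploaded to watched cloud domains."""
    totals: dict = defaultdict(lambda: defaultdict(int))
    for r in records:
        if to_watched_cloud(r["dest"]):
            totals[r["host"]][r["day"]] += r["bytes_out"]
    return totals


def flag_upload_anomalies(records: list[dict], factor: float = 5.0,
                          min_bytes: int = 50 * MB) -> list[dict]:
    """Flag hosts whose latest day's upload exceeds both a multiple of their
    own median history and an absolute floor (the floor stops a host with
    near-zero history from alerting on every small upload)."""
    alerts = []
    for host, per_day in daily_uploads(records).items():
        days = sorted(per_day)           # ISO dates sort chronologically
        latest = days[-1]
        history = [per_day[d] for d in days[:-1]]
        baseline = median(history) if history else 0
        threshold = max(factor * baseline, min_bytes)
        if per_day[latest] > threshold:
            alerts.append({"host": host, "day": latest,
                           "bytes_out": per_day[latest],
                           "baseline": baseline, "threshold": threshold})
    return alerts


# Constructed sample egress records (not from the incident).
SAMPLE_RECORDS: list[dict] = []
# build-01: a few MB a day of normal backups, then a 900 MB day.
for day, mb in enumerate([2.0, 2.1, 1.9, 2.2, 2.0], start=1):
    SAMPLE_RECORDS.append({"day": f"2025-03-0{day}", "host": "build-01",
                           "dest": "storage.yandexcloud.net",
                           "bytes_out": int(mb * MB)})
SAMPLE_RECORDS.append({"day": "2025-03-06", "host": "build-01",
                       "dest": "storage.yandexcloud.net",
                       "bytes_out": 900 * MB})
# ws-17: noisy but small, never near the floor.
for day, mb in enumerate([1, 2, 3, 1, 2, 4], start=1):
    SAMPLE_RECORDS.append({"day": f"2025-03-0{day}", "host": "ws-17",
                           "dest": "storage.yandexcloud.net",
                           "bytes_out": mb * MB})
# ws-22: a large upload, but not to a watched domain.
SAMPLE_RECORDS.append({"day": "2025-03-06", "host": "ws-22",
                       "dest": "mirror.example.org", "bytes_out": 700 * MB})

if __name__ == "__main__":
    for a in flag_upload_anomalies(SAMPLE_RECORDS):
        print(f"{a['host']} {a['day']}: {a['bytes_out'] // MB} MB "
              f"(baseline {a['baseline'] // MB} MB, "
              f"threshold {int(a['threshold']) // MB} MB)")
```

Only build-01 is flagged: its 900 MB day is far above both five times its 2 MB median and the 50 MB floor. The per-host median rather than a fleet-wide average is deliberate, since a build server that legitimately ships large artifacts daily should raise its own threshold rather than mask a quiet workstation.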

Follow TechBSB For More Updates

Rohit Belakud
