According to Dark Reading, China’s state-aligned APT31 hacking group has been conducting espionage against Russia’s IT sector since at least late 2022, with the bulk of activity occurring in 2024 and 2025. The group, also known as Judgment Panda and Violet Typhoon, used sophisticated phishing emails containing archive files with decoy documents and malware. Researchers from Positive Technologies discovered APT31 employed clever manipulation of legitimate cloud services including Microsoft OneDrive, Dropbox, and Russia’s own Yandex Cloud for command-and-control communication. The campaign specifically targeted IT contractors and integrators working with Russian government agencies, suggesting broader espionage goals beyond commercial theft. Evidence also emerged of similar attacks in Peru using decoy documents mimicking that country’s Ministry of Foreign Affairs.
The cloud service abuse problem
Here’s the thing about APT31’s approach: they’re not breaking cloud services, they’re using them exactly as designed. Their “OneDriveDoor” backdoor uses Microsoft’s legitimate file storage for C2, while “CloudSorcerer” can switch between OneDrive, Dropbox, or Yandex Cloud. They even created “VtChatter” malware that uses VirusTotal’s commenting system as a covert channel. Basically, they’re turning the internet’s infrastructure against itself.
And as Bugcrowd founder Casey Ellis points out, this creates an almost impossible defense problem. Cloud providers can’t realistically block these activities without shutting down entire regions or services completely. The hackers are exploiting intentional design features that millions of legitimate users rely on daily. So what’s the solution? There might not be a good one.
Beyond commercial espionage
Now, the really interesting part is who they’re actually targeting. While the campaign appears focused on Russia’s IT sector, the specific concentration on government contractors and integrators tells a different story. This is classic supply chain attack methodology – go after the weak links that have access to the real prize.
Russia itself has used this exact approach against the US government in the past, most famously in the SolarWinds attack. The irony here is pretty thick – Russia’s own tactics being used against them by their supposed strategic partner. And when you combine this with the Peru incident using forged foreign ministry documents, the pattern suggests government intelligence gathering, not just commercial IP theft.
The friendship isn’t what it seems
Look, China and Russia talk a big game about strategic partnership, but this research shows the reality is much more complicated. APT31 has been active for over 15 years and is well-known for industrial espionage, but targeting your ally’s government contractors? That’s next-level distrust.
Ellis makes the key point that “knowing what your friends are up to is as important as knowing what your enemies are planning” – a concept that predates modern technology by thousands of years. The tools have changed, but the game remains the same. When it comes to critical infrastructure protection, whether we’re talking about government systems or industrial computing equipment, the threat can come from any direction, including supposedly friendly nations.
So what does this mean for organizations? Assume everyone is potentially a threat, even your allies. The detailed technical analysis from Positive Technologies shows just how sophisticated these campaigns have become. And if state-backed groups are willing to burn their cloud service tricks on each other, imagine what they’re doing to actual adversaries.
