A hacking group believed to be linked to China, known as Jewelbug, quietly infiltrated the internal network of an IT service provider in Russia for five months, from January to May 2025. The incident marked Jewelbug’s notable expansion into Russia, following its earlier series of attacks in Southeast Asia and South America.
Jewelbug had access to the provider’s source code repository and build system, posing a supply chain attack risk to its customers in Russia. The stolen data was transferred to Yandex Cloud, while the group used legitimate tools such as the Microsoft Console Debugger alongside Mimikatz, LSASS credential dumping and BYOVD (bring your own vulnerable driver) techniques to hide, maintain access and evade defenses.
Yandex Cloud is the cloud computing platform of Yandex, Russia’s largest technology corporation (often called the “Google of Russia”). The service provides virtual servers, data storage, AI, containers, CaaS and similar data management services, comparable to AWS, Google Cloud or Microsoft Azure.
Experts suggest that Jewelbug has likely expanded its attacks to Southeast Asia, including Vietnam, without yet being detected. As in the Russian case, such a campaign may run silently for months before it is announced.
White Hat’s Perspective
According to WhiteHat, Jewelbug’s campaign shows that China-related cyber espionage is expanding its global reach, even targeting close partners such as Russia. This is a warning that Vietnam may be in the same high-risk zone as other Southeast Asian countries, especially in the fields of information technology, telecommunications and e-government.
The group is sophisticated, exploiting legitimate tools and cloud services to hide itself, maintain long-term access and evade defenses, experts said. Organizations in Vietnam should therefore strengthen monitoring of cloud traffic and API calls, review the security of their software supply chain, deploy EDR/XDR solutions and analyze abnormal behavior so that latent signs of intrusion are detected early.
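A defender-side triage script, added here as an example and not part of the report or WhiteHat’s own tooling: it runs three detections over constructed endpoint and network log lines that correspond to the tradecraft described above (launch of the console debugger cdb.exe or Mimikatz, LSASS memory reads by unexpected processes, and bulk uploads from build or source-control hosts to Yandex Cloud endpoints). The host inventory, endpoint suffixes, process allow-list, log line format and byte threshold are all assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host rule detail")

# Assumed inventory of hosts holding source code or running builds (not from the report).
BUILD_HOSTS = {"build01", "gitlab01"}
# Assumed Yandex Cloud endpoint suffixes to watch; extend from your own DNS/proxy telemetry.
YANDEX_CLOUD_SUFFIXES = (".yandexcloud.net", ".yandex.net")
# Assumed allow-list of processes expected to open LSASS on a hardened host.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}
# Tools named in the report; a debugger launched on a build server deserves a human look.
WATCHED_IMAGES = {"cdb.exe", "mimikatz.exe"}
PROCESS_VM_READ = 0x0010          # access right needed to read another process's memory
EXFIL_BYTES = 50 * 1024 * 1024    # assumed per-connection threshold for a "bulk" upload

PROC_RE = re.compile(r"^(\S+) PROC image=(\S+) parent=(\S+)$")
ACCESS_RE = re.compile(r"^(\S+) ACCESS source=(\S+) target=lsass\.exe rights=(0x[0-9a-fA-F]+)$")
NET_RE = re.compile(r"^(\S+) NET proc=(\S+) dst=(\S+) bytes_out=(\d+)$")


def triage(lines):
    """Return one Finding for every log line that matches one of the three rules."""
    findings = []
    for line in lines:
        if m := PROC_RE.match(line):
            host, image, parent = m.groups()
            if image.lower().rsplit("\\", 1)[-1] in WATCHED_IMAGES:
                findings.append(Finding(host, "watched_tool_launch", f"{image} (parent {parent})"))
        elif m := ACCESS_RE.match(line):
            host, src, rights = m.groups()
            if src.lower().rsplit("\\", 1)[-1] not in LSASS_ALLOWED and int(rights, 16) & PROCESS_VM_READ:
                findings.append(Finding(host, "lsass_memory_read", f"{src} rights={rights}"))
        elif m := NET_RE.match(line):
            host, proc, dst, nbytes = m.groups()
            if host in BUILD_HOSTS and dst.endswith(YANDEX_CLOUD_SUFFIXES) and int(nbytes) > EXFIL_BYTES:
                findings.append(Finding(host, "bulk_upload_to_yandex_cloud", f"{proc} -> {dst} ({nbytes} bytes)"))
    return findings


# Constructed sample telemetry, not real logs from the incident.
SAMPLE_LOGS = [
    r"build01 PROC image=C:\Debuggers\cdb.exe parent=cmd.exe",
    r"build01 PROC image=C:\Windows\System32\notepad.exe parent=explorer.exe",
    r"gitlab01 ACCESS source=C:\Users\svc\tmp\up.exe target=lsass.exe rights=0x1010",
    r"gitlab01 ACCESS source=C:\Windows\System32\csrss.exe target=lsass.exe rights=0x1fffff",
    r"gitlab01 NET proc=C:\Users\svc\tmp\up.exe dst=storage.yandexcloud.net bytes_out=734003200",
    r"ws07 NET proc=C:\Tools\browser.exe dst=storage.yandexcloud.net bytes_out=734003200",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The sample run yields three findings (the debugger launch, the unexpected LSASS read and the bulk upload from gitlab01) while the notepad launch, the csrss.exe access and the workstation upload stay quiet.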