Chinese state-linked hackers breached a Russian IT service provider as part of an espionage campaign, researchers say. This is a rare instance of Chinese cybercriminals targeting a country usually considered an ally, as reported by The Record.
According to a Symantec cybersecurity report, the breach occurred from January to May 2025. Hackers accessed the company’s software build systems and code repositories, indicating a possible supply chain attack targeting both the firm and its clients.
Symantec attributes the attack to a group called Jewelbug, also known as Earth Alux. Their operations focus on long-term espionage rather than financial gain. Since 2023, Jewelbug has targeted government and corporate networks in South America, South and Southeast Asia, and Taiwan.
IT service providers are particularly vulnerable because they have broad access to client systems and can distribute software updates across multiple networks. Symantec suggests the breach may have allowed attackers to infiltrate dozens of Russian companies, opening the door to large-scale cyberespionage and potentially disruptive operations.
The hackers used Yandex Cloud—a legitimate Russian cloud platform—to exfiltrate data, helping them avoid detection. Researchers note that the use of such a familiar service appears safe to Russian firms and raises no immediate suspicion.
Experts emphasize that Jewelbug’s actions demonstrate that Russia is not immune to Chinese cyberespionage. Despite the strategic partnership between Moscow and Beijing, China actively conducts cyberattacks against Russian entities.