Chinese state-linked hackers have reportedly breached a Russian IT service provider in what appears to be an espionage campaign — a rare case of Chinese threat actors targeting a purported ally, researchers said.

According to a new report by cybersecurity firm Symantec, the hackers gained access to the Russian company’s software build and code-repository systems between January and May 2025 — suggesting the breach may have been an attempted software supply-chain attack aimed at the firm’s customers.

Symantec refers to the group as Jewelbug, and says its operations focus on long-term espionage rather than financial gain. Also tracked as Earth Alux, the threat actor has been active since mid-2023, targeting government and corporate networks across South America, South and Southeast Asia, and Taiwan. 

IT service providers are especially attractive targets because they often have deep access to clients’ systems and can push software updates across multiple networks at once. This means the latest breach could have opened the door for attackers to infiltrate dozens of Russian companies, enabling widespread cyber-espionage or potentially disruptive operations, Symantec said.

The attackers used Yandex Cloud, a legitimate Russian cloud platform, to exfiltrate data — likely to avoid detection. “Yandex is a legitimate and commonly used cloud service in Russia. For this reason, it is unlikely to be blocked by Russian enterprises, and its use is less likely to raise suspicions,” researchers said.

Beyond Russia, Jewelbug has compromised a South American government agency, a Taiwanese software company, and an IT provider in South Asia over the past year, Symantec said. In some of these intrusions, the researchers spotted a new backdoor that appeared to still be under development — signaling an expansion of the group’s technical capabilities.

The campaign suggests “Russia is not out of bounds” for Chinese cyber-espionage operations, the researchers said. Moscow and Beijing are generally viewed as strategic partners.

Symantec’s report follows a series of findings pointing to growing Chinese cyber activity against Russian entities.

The New York Times, citing cybersecurity analysts and a leaked document from Russia’s FSB security agency, recently reported that since Russia’s full-scale invasion of Ukraine, China has repeatedly carried out cyberattacks on Russian government agencies and defense companies to steal military intelligence.

Last year, Moscow-based Kaspersky identified intrusions into Russian government and tech networks involving tools linked to Chinese groups APT31 and APT27. Earlier this year, Politico reported that Chinese state-sponsored hackers — including those tracked as Mustang Panda and Tonto Team — targeted Russian aerospace and defense firms.

“Jewelbug, as a relatively new Chinese APT group, is one to watch,” Symantec said. “It has the skills to develop its own malware and maintain a long-term, stealthy presence on networks.”