These mysterious hackers attack both Russians and Ukrainians

A collective of hackers, thought to be state-sponsored, has been identified, but its real allegiance remains unknown. Russian targets in occupied areas of Ukraine have been spied on for a long time, as have two Ukrainian soldiers.

A new group of hackers, potentially state-sponsored, has been detected. In a report published on May 10, 2023, the cybersecurity company Malwarebytes attributes five operations between 2020 and 2023 to this collective, which it named Red Stinger. The group’s motives and allegiance are still unclear. However, its data theft campaigns are persistent and serious enough to warrant close attention. The majority of the victims are Russian, along with a few very specific Ukrainian targets.

During these operations, the attackers compromised the victims’ computers in order to exfiltrate screenshots, keystrokes and documents, and even to record audio from their microphones. The collective targeted several officials involved in the sham referendums organized in September 2022 in the occupied regions of Ukraine, notably in Donetsk and Mariupol.

The beginning of a personalized email sent to targets, bearing the seal of the Russian Federation. // Source: Malwarebytes

Two soldiers based in central Ukraine were directly targeted, and extensive data was exfiltrated from them. “We have seen cases of targeted surveillance before, but the fact that they collect recordings from microphones and data from USB sticks is unusual.”

Fake sites for jobs in occupied regions

The cybersecurity company Kaspersky also identified this group and found that it was luring officials in the occupied areas with personalized emails containing a purported decree from the authorities in place.

“The malware and techniques used in this campaign are not particularly sophisticated, but they are effective, and the code has no direct connection to anything seen in the past,” Kaspersky researchers wrote.

Among its other methods, the collective created a phishing website claiming that a competition had been organized to recruit candidates for positions in the occupied cities. The winners were promised 1,000,000 rubles for a personally chosen training program in the Russian Federation.

A fake site offering access to a purported competition for positions in the occupied region of Donetsk. // Source: Malwarebytes

Malwarebytes researchers also discovered that two of the computers from which the malware originated were themselves infected by the group’s own malware. This can happen by mistake, or during a developer’s testing phase.

Other odd clues include the malware’s choice of English as its default language and its use of the Fahrenheit scale to display the weather, which likely points to the involvement of English speakers.

Even with all these clues, it is impossible to determine the group’s real allegiance. What is certain is that the main motive behind the attacks was surveillance and data collection.
