Notes about activity before the war OP#1 - Late 2020 However, the actor's tactics, techniques, and procedures (TTPs) are very distinctive, which gives us a high level of confidence in our attribution.
Since our investigation started in September 2022, information about the initial campaigns has been limited. The next infographic shows some of the operations recognized by us: Malwarebytes has identified multiple operations, first dated in 2020. However, this was not the only activity carried out by the group. In fact, this is the attack that Kaspersky analyzed in its blog. Our investigation started in September 2022, when one of our former coworkers Hossein Jazi discovered an interesting lure, that seemed to target some entities over the war context: Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.įinally, we will reveal unknown scripts and malware run by the group in this report. Military, transportation and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums. Additionally, we will provide insights into the latest campaigns performed by Red Stinger, where we have found that the group has targeted entities in different places of Ukraine. We have identified attacks from the group starting in 2020, meaning that they have remained under the radar for at least three years. Our investigation could be helpful to the community as we will provide new undisclosed data about the group. Now that the existence of this group is public, we will also share some of our information about the actor and its tactics. This investigation remained private for a while, but Kaspersky recently published information about the same actor (who it called Bad Magic). Moreover, we started tracking the actor behind it, which we internally codenamed Red Stinger. While looking for activities from the usual suspects, one of our former coworkers at Malwarebytes Threat Intelligence Team discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Given this context, it would not be surprising that the cybersecurity landscape between these two countries has also been tense. While the official conflict between Russia and Ukraine began in February 2022, there is a long history of physical conflict between the two nations, including the 2014 annexation of Crimea by Russia and when the regions of Donetsk and Luhansk declared themselves independent from Ukraine and came under Russia's umbrella. This blog post was authored by Malwarebytes' Roberto Santos and Fortinet's Hossein Jazi
0 kommentar(er)
