Enigmatic Hacking Group Operating in UkraineAttackers Target both Ukraine and pro-Russian Actors
A newly uncovered hacking group with a string of cyberespionage successes is targeting Ukrainian and pro-Russian targets alike, its motivations uncertain in a conflict that offers little to no middle ground.
Malwarebytes says it traced Red Stinger activities back to 2020, while Kaspersky says it spotted the group in October 2022 - the dates suggesting an investment in stealthy techniques and operational security.
Malwarebytes identified five operations between 2020 and the present, the victims located in central Ukraine and Russian-aligned individuals involved in discredited September 2022 referendums called for by Moscow in Ukrainian territories of Luhansk, Donetsk, Zaporizhzhia and Kherson. Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions.
Depending on the campaign, attackers spotted by Malwarebytes in eastern Ukraine managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.
Of two victims located in central Ukraine, one was a military target, although the infection appears to have lasted only a few hours before being spotted.
"As far as we know, attackers managed to exfiltrate on this target several screenshots, microphone recordings and some office documents," Malwarebytes researchers say.
The other victim was an officer working in critical infrastructure. In that case, the infection lasted nearly a year until January. Attackers exfiltrated screenshots, microphone and office documents.
The group utilizes its own hacking tools and recognizable infrastructure, including malicious URL generators and IP addresses. “The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns,” Kaspersky researchers wrote.
Malwarebytes calls malware deployed by the group "DBoxShell," writing that it utilizes cloud storage services as a command and control mechanism. Once deployed, it allows attackers to assess whether to probe deeper, and if so, download additional tools. Kaspersky calls the malware "Magic Box."
One clue about the nationality of the group may come from Malwarebyte's observation that two infections apparently made by the attackers on their own computers, whether to carry out testing or as a mistake. The keyboard language of the two infected machines was set to English. Still, the security firm analysts say they're not convinced the perpetrators are native English speakers "because of the way they named the project folder (internet_WORK). We cannot be certain, but we believe that no native speaker would use that naming convention."