Lesson from Shadow: Even "simple" tools can have "serious" consequences

Teacher

Hackers attacked Russian companies with off-the-shelf utilities.

In early September 2023, Threat Intelligence analysts at F.A.C.C.T. discovered an open directory containing logs of SQLMap, Metasploit, ProxyShell-Scanner and other publicly available penetration testing tools on a server that then-unidentified attackers were using to attack Russian companies.

The experts note that relying on relatively simple, well-known pentesting tools is a common tactic among low-skilled attackers: such utilities do not require deep technical expertise, which makes them easy to use. In addition, because these programs are standard and widely used, an attack built on them is more likely to pass unnoticed by security tooling.

However, further analysis of the attacks, techniques, tools, and network and file infrastructure, initially treated as an independent cluster of malicious activity, showed that the attackers were linked to a large criminal group known as Shadow (Twelve/Comet/DARKSTAR).

The Shadow group is part of the Shadow-Twelve cybercrime syndicate. Its characteristic feature is the ability to conduct both financially motivated and politically motivated attacks. In the first case, the hackers steal the victim's confidential data, encrypt it and demand a ransom, which in 2023 reached $3.5 million. In the second case, acting under the Twelve name, they publish the stolen information and destroy the company's infrastructure. Contrary to the initial assumption that the group became active in early 2023, the experts found that Shadow started its campaign much earlier, in September 2022.

Shadow's targets were mainly Russian organizations from various industries. In total, the hackers attacked more than 100 companies and fully compromised at least ten of them. All identified victims were notified by F.A.C.C.T. experts.

The full technical details of the investigation are described in the company's report.
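The point about standard tools slipping past security tooling deserves a practitioner's caveat: off-the-shelf utilities tend to leave well-known fingerprints in web server logs, such as SQLMap's default User-Agent string (`sqlmap/<version>#<release> (https://sqlmap.org)`), classic injection payloads in query strings, and the `autodiscover/autodiscover.json` path-confusion request that ProxyShell scanners send. The following is an added example, not code from the original post or from the F.A.C.C.T. report, that runs a few such checks over constructed access-log lines in the combined log format; the IP addresses, timestamps and hostnames are invented for illustration, and the rule patterns are the author's own simplified assumptions rather than a complete signature set.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from
# any real incident. Line 2 carries SQLMap's default User-Agent, line 3 a
# UNION-based injection payload, line 4 a ProxyShell-style autodiscover probe.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2023:10:01:12 +0300] "GET /catalog.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0"
10.0.0.9 - - [03/Sep/2023:10:01:15 +0300] "GET /catalog.php?id=1%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"
10.0.0.9 - - [03/Sep/2023:10:01:16 +0300] "GET /catalog.php?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.12 - - [03/Sep/2023:10:02:40 +0300] "GET /autodiscover/autodiscover.json?@evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Sep/2023:10:03:01 +0300] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0"
"""

# Minimal parser for one combined-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# SQLMap sends "sqlmap/<version>#<release> (https://sqlmap.org)" unless the
# operator overrides it with --user-agent or --random-agent.
SQLMAP_UA_RE = re.compile(r"^sqlmap/", re.I)

# Simplified injection markers (assumption: enough for this example, not a
# full SQLi signature set). Applied to the URL-decoded request path.
SQLI_RE = re.compile(
    r"(UNION\s+(ALL\s+)?SELECT|\bAND\s+\d+\s*=\s*\d+|\bOR\s+\d+\s*=\s*\d+)", re.I
)


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    evidence: str


def _is_proxyshell_probe(path: str) -> bool:
    """ProxyShell path confusion: autodiscover.json with an '@' and an Email= parameter."""
    low = path.lower()
    return "autodiscover/autodiscover.json" in low and "@" in path and "email=" in low


def scan_log(text: str) -> list[Finding]:
    """Run the tool-fingerprint rules over each log line; one Finding per rule hit."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on malformed input
        ip, ts, path, ua = m["ip"], m["ts"], m["path"], m["ua"]
        decoded = unquote(path)
        if SQLMAP_UA_RE.search(ua):
            findings.append(Finding(ip, ts, "sqlmap_user_agent", ua))
        if SQLI_RE.search(decoded):
            findings.append(Finding(ip, ts, "sqli_payload", decoded))
        if _is_proxyshell_probe(path):
            findings.append(Finding(ip, ts, "proxyshell_autodiscover", path))
    return findings


def suspicious_ips(findings: list[Finding]) -> dict[str, set[str]]:
    """Group rule names by source IP so an analyst sees which tools each host used."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.ip, set()).add(f.rule)
    return out


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.rule}: {h.evidence}")
    print(suspicious_ips(hits))
```

The rules are deliberately narrow: a SQLMap operator who passes `--random-agent` defeats the User-Agent check, which is why the payload rule and the per-IP grouping matter more than any single signature. In practice these checks belong in a SIEM or WAF rule set rather than a script, but the logic is the same.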