Unraveling the snake's tangle: in the wake of the Shedding Zmiy attacks

Tomcat

Researchers at Solar 4RAYS have rolled out a powerful report on the activities of the highly professional hacker group Shedding Zmiy, which since the beginning of 2022 has attacked dozens of Russian companies in industry, telecom, the public sector and other key sectors, pursuing the goal of cyber espionage.

At the same time, the attackers used the compromised data of Russian companies not only for subsequent attacks, but also published them in the public domain, mainly in pro-Ukrainian Telegram channels.

And each time the hackers managed to change their arsenal beyond recognition, finding ever new ways of attack: custom loaders, backdoors and web shells.

In terms of the tools used, Shedding Zmiy is associated with the other groups Cobalt, exCobalt, Shadow, Comet and Twelve, whose origin is unequivocal in the professional community.

Actually, the logs also contained commands in Ukrainian and Russian.

According to experts, Shedding Zmiy demonstrates high resource availability, the presence of a well-coordinated organizational structure and the highest level of development, including its own framework for automated exploitation of vulnerabilities and an advanced malicious arsenal.

In total, experts noticed traces of the use of 35 different tools for reconnaissance, malware delivery, stealthy lateral movement within the network, and data theft.

It uses both publicly available and its own unique malware.

The attackers used up to 20 known vulnerabilities in common corporate software to break into the network, escalate privileges, and gain a foothold.

In addition to technical tools, Shedding Zmiy is proficient in social engineering.

Shedding Zmiy has learned to perfectly confuse its tracks: the group has an extensive network of C2 servers in Russia and abroad, renting resources from hosting providers and on cloud platforms, and bypassing GeoIP blockages.

Nevertheless, the researchers managed to combine seemingly disparate incidents with similar signs of the use of malware, vulnerabilities, and infrastructure into a single cluster, whose activity continues to pose a serious threat to the Russian Federation.

We will not dwell on the technical part and detailed analysis of the incidents under investigation, as it is clearly reflected in the report, which we strongly recommend that you read and adopt.