Without noise and dust: how Rare Wolf hackers conducted espionage against industrial giants of the Russian Federation

BI.ZONE: since 2019, the group has attacked over 400 companies in the Russian Federation.

In 2023, a series of cyberattacks by the hacker group Rare Wolf was identified, targeting organizations and industrial enterprises in Russia and neighboring countries. Among the targets were, in particular, heavy engineering enterprises, and the hackers may have been hunting for information about companies' new research and development, including so-called "documents for official use". According to BI.ZONE, at least 97 attacks have been recorded since the beginning of the year, and the total number of attacks since 2019 has exceeded 400.

A distinctive feature of Rare Wolf's activity is its methodical and secretive approach. The hackers do not cause immediate damage to the attacked systems, but seek long-term access in order to collect information. This is achieved through the use of legitimate software, which makes it much harder for security services to detect their actions.

The group's main attack method is sending phishing emails disguised as ordinary payment notifications. Each email was accompanied by an archive that allegedly contained a 1C:Enterprise invoice and an electronic key for accessing it. In fact, however, the archive contained a file with the extension. When such a file is opened on the victim's computer, a malicious program is activated that collects passwords from browsers, copies all Microsoft Word files into an archive and sends them to the attackers. The Mipko Employee Monitor program was then installed on the compromised system. This is legitimate software for monitoring employee activity, most often used by corporate security services. However, the attackers used it to intercept keystrokes and clipboard contents and to take screenshots and snapshots from the device's camera.

The hackers pay special attention to gaining access to employees' Telegram accounts, through which official documents and other information of interest for industrial espionage are often transmitted. On the victims' computers, the hackers searched in particular for the encrypted key that identifies the Telegram session. This allowed them to log in to a compromised account without authorization and to monitor all correspondence and forwarded files without the account owner noticing: the new sessions were not recorded in the activity history.

Experts believe that the spy hackers sell the stolen data on shady forums. The damage caused by such attacks can be very high if other attackers make use of the obtained data. According to experts, the members of the Rare Wolf group come from CIS countries, since they are well acquainted with Russian domestic software. In addition, they rented computing power located on the territory of Russia, so as not to arouse suspicion and not be blocked by providers.
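Two of the behaviours described above (a process other than Telegram reading the Telegram Desktop session data, and the malware harvesting browser passwords and sweeping up Word documents) are visible in ordinary endpoint file-access telemetry. The script below is an added example written for this post, not code from BI.ZONE or from the article; it assumes events arrive as simple dicts with a process image name and an accessed path, that Telegram Desktop keeps its session data under a `tdata` directory, and that Chromium-based browsers keep saved logins in a file named `Login Data`. The process name `invoice_1c.exe` and all sample paths are constructed for the demonstration and are not indicators from the article.

```python
"""Detect credential-store and document-sweep access patterns in file-read events.

Added example, not from the original post. Event shape (assumed):
    {"process": "<image name>", "path": "<file that was read>"}
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# (rule name, path pattern, processes that legitimately read that path)
# Patterns are case-insensitive and accept Windows or POSIX separators.
SENSITIVE_RULES = [
    ("telegram_session",
     re.compile(r"[\\/]telegram desktop[\\/]tdata[\\/]", re.I),
     {"telegram.exe"}),
    ("browser_logins",
     re.compile(r"[\\/]login data$", re.I),
     {"chrome.exe", "msedge.exe", "browser.exe"}),
]

# Word documents: the article says the malware copies every .doc/.docx it finds.
DOC_PATTERN = re.compile(r"\.docx?$", re.I)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule an event violates, or None if it looks benign."""
    proc = event["process"].lower()
    for name, pattern, owners in SENSITIVE_RULES:
        if pattern.search(event["path"]) and proc not in owners:
            return name
    return None


def scan_sensitive_access(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag reads of session/credential stores by processes that do not own them."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            alerts.append({"rule": rule, "process": ev["process"], "path": ev["path"]})
    return alerts


def mass_document_reads(events: Iterable[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Count distinct Word documents read per process; report those at or over threshold.

    A single document opened by Word is normal; one process touching many
    documents in a row is the sweep-and-archive behaviour described above.
    """
    seen = defaultdict(set)
    for ev in events:
        if DOC_PATTERN.search(ev["path"]):
            seen[ev["process"].lower()].add(ev["path"].lower())
    return {proc: len(paths) for proc, paths in seen.items() if len(paths) >= threshold}


# Constructed sample telemetry: a benign Telegram/browser/Word session mixed
# with a hypothetical dropper ("invoice_1c.exe") doing what the article describes.
SAMPLE_EVENTS = [
    {"process": "Telegram.exe",   "path": r"C:\Users\ivan\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"process": "invoice_1c.exe", "path": r"C:\Users\ivan\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"process": "chrome.exe",     "path": r"C:\Users\ivan\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "invoice_1c.exe", "path": r"C:\Users\ivan\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "WINWORD.EXE",    "path": r"C:\Users\ivan\Documents\report.docx"},
    {"process": "invoice_1c.exe", "path": r"C:\Users\ivan\Documents\report.docx"},
    {"process": "invoice_1c.exe", "path": r"C:\Users\ivan\Documents\contract.doc"},
    {"process": "invoice_1c.exe", "path": r"D:\Share\drawings\spec.DOCX"},
]


if __name__ == "__main__":
    for alert in scan_sensitive_access(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['process']} read {alert['path']}")
    for proc, count in mass_document_reads(SAMPLE_EVENTS).items():
        print(f"[mass_document_read] {proc} read {count} distinct Word documents")
```

On the sample data the script raises two sensitive-access alerts (both for the constructed dropper) and one mass-read alert, while Telegram, Chrome and Word touching their own files stay silent. The owner allow-lists are deliberately short; in production they would be keyed on signed image path rather than bare process name, since a renamed binary would otherwise slip through.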
 