Kaspersky has discovered a new hacker group that is spying on Russian government agencies

marry 10.07.2024, 12:30 PM

Kaspersky Lab researchers have discovered a new hacking group, called CloudSorcerer, which uses a “sophisticated cyberespionage tool” to steal data from Russian government agencies.

The group’s activity was first noticed in May, and researchers at Kaspersky Lab say it resembles an APT (advanced persistent threat) group known as CloudWizard, which last year targeted, among other things, diplomatic and research organizations in the Russian-occupied territories of Ukraine.

Given that the two groups use “completely different” malware, Kaspersky says CloudSorcerer is a new group, “probably inspired” by CloudWizard techniques, but developing its own “unique” tools.

Kaspersky did not disclose further details about CloudSorcerer’s targets, nor did it attribute the campaign to a specific country or government.

The malware uses GitHub as its command and control (C2) server, Kaspersky said. It also relies on legitimate cloud services like Yandex Cloud and Dropbox for covert tracking and data collection.

The use of GitHub and cloud services “demonstrates a well-planned approach to cyberespionage,” the researchers said.
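As an added example (not from the article or from Kaspersky’s report), the script below shows how a defender might triage for the pattern described above: one process on one host reaching GitHub, Dropbox and Yandex Cloud when it is not a process expected to use those services. The proxy log lines are constructed, and the hostname patterns and process allowlist are assumptions that would need tuning to a real environment.

```python
import re
from collections import defaultdict

# Hostname patterns for the three legitimate services the article names
# as abused by CloudSorcerer. These patterns are assumptions, not IoCs.
SERVICE_PATTERNS = {
    "github": re.compile(r"(^|\.)github\.com$"),
    "dropbox": re.compile(r"(^|\.)dropbox(api)?\.com$"),
    "yandex_cloud": re.compile(r"(^|\.)(cloud\.yandex\.(net|ru)|yandexcloud\.net)$"),
}

# Processes a typical workstation baseline would expect to contact these
# services; anything else contacting them is worth an analyst's look.
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "git.exe", "dropbox.exe", "code.exe"}

# Constructed proxy/EDR records: timestamp host process destination
SAMPLE_LOG = """\
2024-05-20T09:01:12Z ws-017 chrome.exe api.github.com
2024-05-20T09:02:45Z ws-017 git.exe github.com
2024-05-20T09:03:10Z ws-042 svchost.exe api.github.com
2024-05-20T09:03:11Z ws-042 svchost.exe content.dropboxapi.com
2024-05-20T09:03:15Z ws-042 svchost.exe storage.yandexcloud.net
2024-05-20T09:04:00Z ws-099 dropbox.exe content.dropboxapi.com
"""

def classify(dest):
    """Map a destination hostname to one of the watched services, or None."""
    for name, pattern in SERVICE_PATTERNS.items():
        if pattern.search(dest):
            return name
    return None

def analyse(log_text):
    """Return (unexpected, multi): connections to watched services from
    non-allowlisted processes, and (host, process) pairs that touched two
    or more of the services, the combination the article describes."""
    unexpected = []
    services_by_host = defaultdict(set)
    for line in log_text.splitlines():
        ts, host, proc, dest = line.split()
        service = classify(dest)
        if service is None:
            continue
        services_by_host[(host, proc)].add(service)
        if proc.lower() not in EXPECTED_PROCESSES:
            unexpected.append((ts, host, proc, dest, service))
    multi = {k: sorted(v) for k, v in services_by_host.items() if len(v) >= 2}
    return unexpected, multi
```

Running `analyse(SAMPLE_LOG)` flags only ws-042, where svchost.exe contacts all three services; the two allowlisted hosts produce no findings.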

CloudSorcerer’s malware is manually launched by attackers on an already infected device. It consists of different modules, such as a communication module or a data collection module, which can perform certain tasks independently. The backdoor module, for example, collects various system information about the victim’s device, such as computer name, user name, and system uptime.

Hackers can also collect information about victims’ files and folders, copy, move, rename or delete files, read data from any file, create and write data to any file, and run additional advanced functionalities.

The malware’s ability to adapt its behavior based on the process it’s running in indicates “its sophistication,” Kaspersky said.

It is also not clear how the hackers gain initial access to the targeted networks and to which country they are connected.

Given that many Western companies left the Russian market when Russia invaded Ukraine, reports from Russian cybersecurity companies offer a rare opportunity to learn about the cyber threats facing local governments and companies.

However, in the case of CloudSorcerer, researchers from the American company Proofpoint shared additional observations about the group. They say they noticed a campaign against a US-based organization in late May that used an email account that spoofed a “well-known” US organization with a fake invitation to an event as bait.

“The observed activity overlaps with the details in the report published by Kaspersky,” Proofpoint researchers said. They attribute this activity to the group currently being monitored as UNK_ArbitraryAcrobat.

Photo: Daniil Zameshaev | Unsplash

Source: www.informacija.rs