A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks
Russian security firm Kaspersky today released new research that provides another piece to the puzzle of a hacker group whose operations appear to stretch back further than researchers previously realized.
Research published last week by the security firm Malwarebytes shed new light on a hacking group, Red Stinger, that has been carrying out espionage operations against both pro-Ukraine victims in central Ukraine and pro-Russia victims in eastern Ukraine. The findings were intriguing because of the ideological mix of the targets and the lack of connections to other known hacking groups. A few weeks before Malwarebytes released its report, Kaspersky had also published research about the group, which it calls Bad Magic, and similarly concluded that the malware used in the attacks did not have connections to any other known hacking tools. The research Kaspersky released today finally links the group to past activity and provides some preliminary context for understanding the attackers’ possible motivations.
Adding the Malwarebytes research to what they had found independently, Kaspersky researchers reviewed historical telemetry data to look for connections. Eventually, they discovered that some of the cloud infrastructure and malware the group was using had similarities to espionage campaigns in Ukraine that the security company ESET identified in 2016, as well as campaigns the firm CyberX discovered in 2017.
“Malwarebytes found out more about the initial infection stage, and then they found out more about the installer” used in some of the group’s attacks since 2020, says Georgy Kucherin, a Kaspersky malware researcher. “After publishing our report about the malware, we decided to view historical data about similar campaigns that have similar targets and that have occurred in the past. That’s how we discovered the two similar campaigns from ESET and CyberX, and we concluded with medium to high confidence that the campaigns are tied together and they’re all likely to be executed by the same actor.”
The different activity over time has similar victimology, meaning the group focused on the same types of targets, including both officials working for pro-Russia factions within Ukraine and Ukrainian government officials, politicians, and institutions. Kucherin also notes that he and his colleagues found similarities and multiple overlaps in the code of the plugins used by the group’s malware. Some code even appeared to be copied and pasted from one campaign to the next. And the researchers saw similar use of cloud storage and characteristic file formats on the files the group exported to their servers.
The Malwarebytes research published last week documented five campaigns since 2020 by the hacking group, including one that targeted a member of Ukraine’s military who works on Ukrainian critical infrastructure. Another campaign targeted pro-Russia election officials in eastern Ukraine, an adviser to Russia’s Central Election Commission, and one who works on transportation in the region.
Back in 2016, ESET wrote of the activity it called “Operation Groundbait”: “The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics. While the attackers seem to be more interested in separatists and the self-declared governments in eastern Ukrainian war zones, there have also been a large number of other targets, including, among others, Ukrainian government officials, politicians, and journalists.”