Group-IB specialists have described the Russian-speaking hacking group OldGremlin, which ignores the unspoken rule "do not work on RU" and attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers.
Hacking a medical company
Recently, experts recorded an attack on a Russian medical company: the attackers fully encrypted its corporate network and demanded a ransom of $50,000. Since the spring of 2020, OldGremlin has run at least nine campaigns of malicious emails sent in the name of the MiR Union of Microfinance Organizations, a Russian metallurgical holding, the Belarusian MTZ plant, a dental clinic and the RBC media holding.
In August of this year, while investigating the incident, the specialists learned the details of a successful OldGremlin attack. The victim was a large medical company with a network of regional branches. The attack began with a phishing email purporting to come from the RBC media holding.
At the initial stage, the researchers found that the attackers used a custom-built backdoor, TinyNode, which acts as a first-stage loader capable of downloading and running further malicious programs. Through it, the attackers gained remote access to the infected computer, which then served as a foothold for reconnaissance, data collection and further movement through the organization's network. Like many other groups, OldGremlin used Cobalt Strike Beacon, a commercial penetration-testing tool, for post-exploitation.
Several weeks after the attack began, the attackers deleted the organization's backups so that it could not restore its data on its own. Then, over one weekend, they pushed their TinyCryptor ransomware from a single server to hundreds of computers on the corporate network. The attack paralyzed the work of the company's regional divisions; for the decryption keys the attackers demanded $50,000 in cryptocurrency.
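The final stage described above, a single server writing the ransomware to hundreds of hosts in a short window outside business hours, is a pattern a detection engineer can hunt for in file-write or SMB-transfer telemetry. The following is an added example written for this page, not code from Group-IB or from the report; the event format, host names, path and thresholds are all assumptions, and the sample events are constructed rather than taken from any real incident.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed telemetry (not real logs): tuples of
    (timestamp, source host, destination host, path written on destination)."""
    events = []
    # Assumed scenario: one server pushes the same binary to 300 workstations
    # in about 20 minutes, early on a Saturday morning.
    base = datetime(2020, 8, 22, 2, 0)
    for i in range(300):
        events.append((base + timedelta(seconds=4 * i),
                       "SRV-DEPLOY01", f"WS-{i:04d}",
                       r"C:\Windows\Temp\update.exe"))
    # Benign noise: an admin copies a config file to five hosts on a weekday.
    weekday = datetime(2020, 8, 18, 10, 0)
    for i in range(5):
        events.append((weekday + timedelta(minutes=i),
                       "ADMIN-PC", f"WS-{i:04d}",
                       r"C:\ProgramData\app\settings.ini"))
    return events


def off_hours(ts):
    """Weekend or outside an assumed 08:00-18:00 working day."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def find_mass_deployment(events, min_hosts=50, window=timedelta(hours=1)):
    """Return {source: {...}} for every source that wrote files to at least
    min_hosts distinct destinations within any sliding time window.

    A sliding window with a Counter of destinations keeps the distinct-host
    count exact without re-scanning the list for every event."""
    by_src = defaultdict(list)
    for ts, src, dst, path in events:
        by_src[src].append((ts, dst, path))

    hits = {}
    for src, writes in by_src.items():
        writes.sort()
        in_window = Counter()
        left = 0
        for right, (ts, dst, path) in enumerate(writes):
            in_window[dst] += 1
            # Drop events that fell out of the window.
            while ts - writes[left][0] > window:
                old_dst = writes[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            hosts = len(in_window)
            if hosts >= min_hosts and hosts > hits.get(src, {}).get("hosts", 0):
                hits[src] = {
                    "hosts": hosts,
                    "first_seen": writes[left][0],
                    "last_seen": ts,
                    "paths": sorted({p for _, _, p in writes[left:right + 1]}),
                    "off_hours": off_hours(writes[left][0]),
                }
    return hits


if __name__ == "__main__":
    for src, info in find_mass_deployment(build_sample_events()).items():
        flag = "OFF-HOURS " if info["off_hours"] else ""
        print(f"{flag}{src} wrote to {info['hosts']} hosts between "
              f"{info['first_seen']} and {info['last_seen']}: {info['paths']}")
```

The threshold and window are tuning knobs: legitimate software deployment looks the same on the wire, so in practice the alert is scoped to sources that are not the known deployment servers, and the off-hours flag and the written path (a binary in a temp directory rather than a package from the usual distribution share) are what push a hit from "review" to "respond".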
"OldGremlin is the only currently active Russian-speaking ransomware operator group that, despite the unofficial ban, 'works on RU' and carries out multi-stage targeted attacks on Russian companies and banks using sophisticated tactics and techniques, like APTs. By analogy with groups that 'work' on foreign targets, OldGremlin can be classified under the Big Game Hunting category, which unites operators of ransomware targeting large prey," comments Oleg Skulkin, Leading Specialist of the Group-IB Computer Forensics team.
The first OldGremlin attack was recorded in March-April 2020. Exploiting the topical subject of COVID-19, the attackers, in the name of the MiR Union of Microfinance Organizations, sent financial institutions recommendations on how to keep operating safely during the pandemic. It was then that the attackers first used another custom-built backdoor, TinyPosh, which likewise downloads and runs further malware. The second attack involving it took place on April 24; the scheme was roughly the same as the first time, but the sender of the malicious emails was now the Novadent dental clinic.
Two weeks later, OldGremlin changed tactics. They prepared a fake email in the name of a journalist at RBC, who supposedly invited recipients to take part in an "All-Russian study of the banking and financial sector during the coronavirus pandemic". The "journalist" scheduled a thirty-minute interview with the potential victim (a bank), and specifically for the attack the hackers created a calendar in which the appointment for the victim was booked. Unlike the first emails, the message from the fictitious RBC correspondent was a fairly accurate imitation of the media holding's newsletter and was written in good Russian. As in the first mailings, opening the link in the email resulted in the TinyPosh Trojan being downloaded onto the victim's machine.
After a short "vacation", the group went hunting again: on August 13 and 14, 2020, CERT-GIB recorded two large-scale mailings of malicious emails, this time in the name of a metallurgical company and, once more, of RBC. In two days the criminals sent out about 250 emails aimed at Russian companies in the financial and industrial sectors.
A few days later, the cybercriminals changed the decoy, picking up the main topic of the Russian-language media at the time, the protests in Belarus. On the morning of August 19, experts recorded a malicious mailing to Russian financial organizations in the name of the Minsk Tractor Plant (MTZ OJSC). "Alas, about a week ago a prosecutor's office inspection came to MTZ Holding. Obviously, these events are taking place because we have declared a strike against Lukashenko," the authors of the email wrote, asking recipients to follow the link, download the archive and send back the missing documents for verification. In reality, attempting to open the file delivered through the email downloaded and installed the same malicious program, the TinyPosh backdoor, on the computer.
"The lack of a strong channel of communication between organizations fighting cybercrime, as well as the difficult political situation, lead to the emergence of new criminal groups that feel safe. Another factor that allows cybercriminals to make money on ransom is the underestimation of the threat by business and the lack of protection measures that would allow timely identification and neutralization of the ransomware," says Rustam Mirkasymov, Head of Threat Research in Europe.