September 29, 2023

The Russian-speaking hacking group RedCurl attacked a “major Russian bank” and an unidentified Australian company earlier this year to steal corporate secrets, according to recent research.

The incidents are the latest in a string of at least 34 attacks over the last four years, according to a report published on Monday by Russia-based company F.A.C.C.T., an offshoot of cybersecurity firm Group-IB.

RedCurl has been conducting corporate espionage since at least 2018, targeting a range of organizations including construction, finance and consulting firms, retailers, banks, insurance companies, and legal entities.

About half of the attacks were aimed at victims in Russia, while the other half targeted organizations in Ukraine, Canada, and Europe, F.A.C.C.T. said.

The group does not encrypt its victims' data and does not demand a ransom. It hunts for documents containing commercial secrets and employees' personal data, and tries to obtain them “as discreetly as possible,” the researchers said.

RedCurl made two attempts to attack the undisclosed Russian bank. During the first attempt, in November 2022, they used phishing emails but failed, F.A.C.C.T. said. However, in May of this year, the group successfully targeted one of the bank's contractors to gain access to the victim's infrastructure. In June, RedCurl used the same tactics and tools in the attack on the Australian company.

Tools and tactics

The group mostly builds its own tools or modifies existing malware, the researchers said.

In both recent attacks, the tool used was called RedCurl.SimpleDownloader, which is currently still under development, F.A.C.C.T. said.

When targeting Russian organizations, the hackers used the initial version of this tool, which lacked any protection against analysis and detection. However, the version used in the attack on the Australian company includes new protective features, such as string encryption using an algorithm.

“RedCurl is constantly evolving, refining both their techniques and tools,” F.A.C.C.T. said.

The group's hackers can remain undetected for long periods, between two and six months, before stealing corporate data, the researchers said, and the attacks can involve a long and complex infection chain.

It is still not clear who is behind this campaign and what their motives are, F.A.C.C.T. said.

“RedCurl remains one of the most interesting Russian-language cybercrime groups, especially the unusual targeting of both Russian and non-Russian entities,” Russian cyber analyst Ian Litschko wrote on Twitter.


Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She was previously a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.