Russian Hackers Exploit Edge Device Vulnerabilities

Key Takeaways:

  • Amazon researchers describe a tactical adaptation in which a Russia-linked group exploits vulnerabilities in internet-facing edge devices to harvest credentials, reaching the same operational outcomes with less exposure to detection and less effort per victim.
  • The harvested credentials are then used to move laterally into the victim organizations’ online services and infrastructure.
  • The group’s infrastructure overlaps with Sandworm, also tracked as APT44 and Seashell Blizzard, which is associated with Russia’s military intelligence agency, the GRU.
  • It also overlaps with Curly COMrades, a cluster documented by Bitdefender that may be a GRU subgroup responsible for host persistence through custom malware implants.
  • Taken together, the overlaps suggest a division of labor, with the group’s infrastructure and tactics evolving to evade detection and improve efficiency.

Introduction to the New Tactic
The Amazon researchers describe a tactical adaptation that lets the actors reach the same operational outcomes while reducing both their exposure to detection and the resources they spend per intrusion. They exploit vulnerabilities in the victim’s internet-facing edge devices, harvest the credentials those devices hold or process, and use them to move laterally into the organization’s online services and infrastructure. Because edge devices sit outside most endpoint monitoring and the credentials being used are valid ones, this leaves fewer artifacts for defenders to find. That is why the adaptation matters: the actors are refining their tradecraft to stay ahead of detection rather than simply adding new tools.

Links to Known Threat Groups
According to Amazon’s telemetry, the group’s infrastructure overlaps with Sandworm, also tracked as APT44 and Seashell Blizzard, which is associated with Russia’s military intelligence agency, the GRU. Sandworm has a long record of high-profile operations, and infrastructure overlap with it points to a direct connection or to shared resources and expertise, although overlap alone does not prove a single operator. Amazon also found overlaps with activity that Bitdefender previously documented under the name Curly COMrades.

Curly COMrades and Potential Subgroups
Curly COMrades may itself be a GRU subgroup, and it is possible that it works alongside the group Amazon tracks. Bitdefender describes Curly COMrades as relying on custom malware implants, including CurlyShell and CurlCat, for host persistence. One reading of the overlaps is a division of labor: the group tracked by Amazon handles initial access through edge devices and lateral movement, while Curly COMrades maintains persistence on hosts with its implants. If correct, that implies a high degree of coordination between GRU subgroups, though the link remains an assessment rather than a confirmed fact.

Implications of the New Tactic
The tactic has direct consequences for defenders. Because the intrusion begins at internet-facing edge devices, those devices need to be patched promptly and their management interfaces kept off the open internet. Because the payoff is harvested credentials, multi-factor authentication on online services limits what a stolen password is worth, and any credential stored on or relayed through a compromised edge device should be treated as exposed and rotated. Intrusion detection should cover the devices themselves, including administrative logins and configuration exports, as well as sign-ins to online services from sources an account has never used. Regular training and awareness programs for staff still matter, as does an incident response plan that is exercised rather than merely written, so that a breach can be contained quickly.
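As an added example, and not code from the article, from Amazon or from Bitdefender, the following script shows one concrete detection that fits the tactic described in the introduction and the defensive advice above: it correlates configuration exports on an edge device with later sign-ins to online services from a source the account had never used before that export. The log formats, host name, event names, user names and addresses are constructed for the example (fw-edge-01, ADMIN_LOGIN, CONFIG_EXPORT and the sign-in record layout are hypothetical; real devices and identity providers log differently), and the 24-hour window and the severity rules are assumptions.

```python
"""Correlate configuration exports on an edge device with later sign-ins to online services.

Added illustration only: this is not Amazon's or Bitdefender's detection logic, and the
log formats, host names and addresses below are constructed for the example. Assumptions
(not from the article): the edge device logs administrative logins and configuration
exports with a source address, and the identity provider for the organization's online
services logs each sign-in with user, application, source address and result.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log formats (hypothetical; real devices and identity providers differ).
EDGE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>ADMIN_LOGIN|CONFIG_EXPORT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
SIGNIN_RE = re.compile(
    r"^(?P<ts>\S+) signin user=(?P<user>\S+) app=(?P<app>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# How long after a configuration export a sign-in is still treated as related (assumed).
WINDOW = timedelta(hours=24)

# Constructed sample data: a routine export from the management network on 20 April,
# then an export from an unfamiliar external address in the early hours of 3 May.
SAMPLE_EDGE_LOG = """\
2025-04-20T08:00:00 fw-edge-01 ADMIN_LOGIN user=netadmin src=10.0.0.5
2025-04-20T08:01:00 fw-edge-01 CONFIG_EXPORT user=netadmin src=10.0.0.5
2025-05-03T02:14:00 fw-edge-01 ADMIN_LOGIN user=netadmin src=203.0.113.77
2025-05-03T02:15:30 fw-edge-01 CONFIG_EXPORT user=netadmin src=203.0.113.77
""".splitlines()

SAMPLE_SIGNIN_LOG = """\
2025-05-01T09:00:00 signin user=alice app=mail src=198.51.100.10 result=success
2025-05-01T09:05:00 signin user=bob app=mail src=198.51.100.10 result=success
2025-05-02T09:00:00 signin user=alice app=mail src=198.51.100.10 result=success
2025-05-03T03:10:00 signin user=alice app=mail src=203.0.113.77 result=success
2025-05-03T03:12:00 signin user=svc-backup app=storage src=203.0.113.90 result=success
2025-05-03T03:13:00 signin user=bob app=mail src=198.51.100.10 result=success
2025-05-03T03:14:00 signin user=carol app=mail src=203.0.113.91 result=failure
""".splitlines()


def _parse(lines, pattern):
    """Parse lines matching pattern into dicts with a datetime 'ts'; skip the rest."""
    events = []
    for line in lines:
        m = pattern.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def correlate(edge_lines, signin_lines, window=WINDOW):
    """Return alerts for successful sign-ins that occur within `window` after a
    configuration export and come from a source the account had never used before
    that export. A sign-in from the same address that performed the export is
    rated high; any other first-seen source in the window is rated medium."""
    exports = [e for e in _parse(edge_lines, EDGE_RE) if e["event"] == "CONFIG_EXPORT"]
    signins = sorted(
        (s for s in _parse(signin_lines, SIGNIN_RE) if s["result"] == "success"),
        key=lambda s: s["ts"],
    )
    history = defaultdict(list)  # user -> [(ts, src)] of successful sign-ins
    for s in signins:
        history[s["user"]].append((s["ts"], s["src"]))

    alerts = []
    for s in signins:
        related = [e for e in exports if e["ts"] <= s["ts"] <= e["ts"] + window]
        if not related:
            continue
        exp = max(related, key=lambda e: e["ts"])  # most recent export in the window
        # Baseline: sources this account signed in from before the export happened.
        # An account with no history at all is also first-seen and gets flagged.
        baseline = {src for ts, src in history[s["user"]] if ts < exp["ts"]}
        if s["src"] in baseline:
            continue
        alerts.append({
            "user": s["user"], "app": s["app"], "src": s["src"], "ts": s["ts"],
            "export_host": exp["host"], "export_src": exp["src"], "export_ts": exp["ts"],
            "severity": "high" if s["src"] == exp["src"] else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EDGE_LOG, SAMPLE_SIGNIN_LOG):
        print(f"[{a['severity']}] {a['user']} -> {a['app']} from {a['src']} at {a['ts']} "
              f"(export on {a['export_host']} from {a['export_src']} at {a['export_ts']})")
```

Run as-is, the script reports two sign-ins that follow the 3 May export: alice from the same address that pulled the configuration (high) and a service account from an address it had never used (medium), while bob’s sign-in from his usual address and carol’s failed attempt are ignored. In practice the inputs would be parsed device syslog and an identity provider’s sign-in export, the management network would need an allowlist so routine exports do not open a window, and the window length and severity rules would be tuned to the environment.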

Conclusion and Future Directions
The adaptation Amazon describes is a meaningful development: the actors have found a cheaper and quieter route to the same outcomes, and defenders have to adjust accordingly. The links to Sandworm and Curly COMrades point to a connection between these groups, or at least to shared resources and expertise, within the GRU. As the threat landscape evolves, further refinements of this kind are likely, and organizations that keep investing in edge-device hygiene, strong authentication and detection will be better placed to withstand them.
