Multiple Campaigns by Russian Speaking Threat Groups Expanding their Attack Footprint – CYFIRMA

CYFIRMA tracks three campaigns—Evian, UNC064, and Siberian bear—believed to be operated by Russian-speaking threat groups on behalf of their Russian masters, targeting various industries and geographies for espionage, financial gains, and reconnaissance. The report connects these campaigns through shared targets, infrastructure, and hacker discussions, implicating groups such as TA505, FIN7, Cozy Bear, and Fancy Bear. #Evian #UNC064 #SiberianBear #TA505 #FIN7 #CozyBear #FancyBear #Emotet #Qakbot #FlawedAmmyyRAT #ClopRansomware

Keypoints

  • The CYFIRMA team tracks three campaigns (Evian, UNC064, Siberian bear) suspected to be operated by Russian-speaking threat groups.
  • Threat actors linked include TA505, FIN7, Cozy Bear, and Fancy Bear, with motives spanning espionage, financial gain, and reconnaissance.
  • Campaigns show similarities in target industries, geographies, objectives, TTPs, malware used, and hacker conversations, suggesting collaboration or shared authorship.
  • Hacker conversations point to aggressive expansion and monetization goals across the campaigns (e.g., “Expand Target List” and “Lots of money to make”).
  • Indicators of compromise and infrastructure are shared across the campaigns, including malware families such as Emotet, Qakbot, FlawedAmmyy RAT, and Clop Ransomware.
  • MITRE ATT&CK mapping notes execution, process injection, and discovery techniques (e.g., T1059, T1055, T1057) observed in campaign activity.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used to execute commands and scripts, including via the Unix shell; the report also maps scheduled task execution (T1053). “T1059: Command and Scripting Interpreter” and “T1059.004: Command and Scripting Interpreter: Unix Shell” and “T1053: Scheduled Task/Job”
  • [T1055] Process Injection – Employed as a defense-evading and privilege-escalation tactic. “T1055: Process Injection”
  • [T1057] Process Discovery – Used to identify running processes during intrusion. “T1057: Process Discovery”

Indicators of Compromise

  • [IP Address] Campaign infrastructure – 179.43.147.77
  • [File Hash] Shared indicators across campaigns – 8bcd45559f6cb8834016d8e8eb0752cc, 8363e265a2f79666f9bfca8ef23c453c
  • [Malware] Emotet, Qakbot – malware families observed across the campaigns, alongside FlawedAmmyy RAT and Clop Ransomware

Read more: https://www.cyfirma.com/outofband/multiple-campaigns-by-russian-speaking-threat-groups-expanding-their-attack-footprint/