The hacker group APT31, known for numerous attacks on government agencies in various countries, has attacked Russian companies for the first time. According to Positive Technologies, in the first half of 2021 the group, in addition to its activity in Russia, carried out about ten malicious mailings targeting Mongolia, the USA, Canada and Belarus.
APT31, also known as Hurricane Panda and Zirconium, has been active since the 2010s. It mainly attacks the public sector, spying on its victims and collecting confidential information. Microsoft has previously stated that APT31 operates from China, and in mid-July the UK government linked the group's activity to the Chinese Ministry of State Security.
According to Positive Technologies experts, since spring 2021 APT31 has expanded the geography of its attacks and adopted a new method of compromising and infecting devices. The hackers send phishing emails containing a link to a lookalike domain, inst.rsnet-devel[.]com, chosen to imitate the domain of certain government agencies. Opening the link delivers a dropper, the first stage of the infection, to the user's computer. The dropper writes a malicious library to the infected machine and installs an application alongside it; when the application is launched it loads the library and calls one of its functions, which hands control of the computer to the attacker. This pattern, a legitimate-looking executable loading a malicious library placed next to it, is known as DLL side-loading.
Daniil Koloskov, senior specialist in the threat research department at Positive Technologies, warns that the malware developers try to make the malicious library resemble the legitimate one as closely as possible: the names of the functions exported by the malicious library partially coincide with those of the original. Another ploy is that in some attacks the dropper was signed with a genuine, valid digital signature, so many security tools treated it as a program from a certified vendor. Positive Technologies experts believe the signature was most likely stolen, which points to thorough preparation by the group.
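The two paragraphs above describe the chain a defender has to catch: a request to the lookalike domain, then a system-named library loaded from an application directory by a process whose own signature checks out. The script below is an added example written for this article, not code from Positive Technologies, and it runs the corresponding checks over constructed Sysmon-style events (the event fields, the list of system library names and the sample paths are all assumptions for illustration; the only indicator taken from the article is the domain inst.rsnet-devel[.]com).

```python
"""Detection sketch for the phishing-domain and DLL side-loading chain.

Events are constructed records in the shape of Sysmon DNS-query and
image-load telemetry; nothing here is real telemetry.
"""
import ntpath
from dataclasses import dataclass

# Indicator from the article, defanged there as inst.rsnet-devel[.]com.
PHISHING_DOMAINS = {"inst.rsnet-devel.com"}

# Directories from which Windows system libraries are expected to load.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption: names of libraries that ship in System32. A side-loaded DLL
# reuses such a name so the application resolves it from its own folder first.
SYSTEM_LIBRARY_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll"}


@dataclass
class Event:
    kind: str             # "dns_query" or "image_load"
    process: str          # full path of the process that produced the event
    signed: bool = False  # whether the process image carries a valid signature
    query: str = ""       # dns_query: the name looked up
    module: str = ""      # image_load: full path of the loaded library


@dataclass
class Alert:
    rule: str
    process: str
    detail: str


def _same_directory(path_a, path_b):
    """True when both paths sit in the same folder (case-insensitive, Windows paths)."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def check_dns(event):
    """Flag a lookup of a known phishing domain."""
    host = event.query.lower().rstrip(".")
    if host in PHISHING_DOMAINS:
        return Alert("phishing_domain", event.process, host)
    return None


def check_image_load(event):
    """Flag a system-named library loaded from outside the system directories."""
    module = event.module.lower()
    name = ntpath.basename(module)
    if name not in SYSTEM_LIBRARY_NAMES or module.startswith(TRUSTED_DIRS):
        return None
    detail = f"{name} loaded from {ntpath.dirname(module)}"
    if _same_directory(event.process, module):
        detail += ", next to the executable"
    if event.signed:
        # A valid signature on the host binary is exactly what the chain relies on,
        # so it must not suppress the alert.
        detail += ", by a validly signed process; signature alone is not a trust signal here"
    return Alert("dll_sideload_candidate", event.process, detail)


def scan(events):
    """Run every event through the rule that applies to its kind."""
    alerts = []
    for ev in events:
        if ev.kind == "dns_query":
            alert = check_dns(ev)
        elif ev.kind == "image_load":
            alert = check_image_load(ev)
        else:
            alert = None
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed telemetry: the phishing lookup, the side-load, and one benign load.
SAMPLE_EVENTS = [
    Event("dns_query", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          signed=True, query="inst.rsnet-devel.com"),
    Event("image_load", r"C:\Users\user\AppData\Local\Temp\update\viewer.exe",
          signed=True, module=r"C:\Users\user\AppData\Local\Temp\update\version.dll"),
    Event("image_load", r"C:\Windows\explorer.exe",
          signed=True, module=r"C:\Windows\System32\version.dll"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.process, alert.detail)
```

The benign explorer.exe load of version.dll from System32 produces nothing, while the same library name loaded from a Temp folder next to a signed viewer.exe is reported; in production the library-name set would come from an inventory of the reference machine rather than a hard-coded list.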
Denis Kuvshinov, head of the threat research department at Positive Technologies, predicts that in the near future APT31 will use other tools in its attacks, including against Russia, and that these can be recognised by their overlap with the group's known code or network infrastructure. Positive Technologies has already reported the attacks it recorded to the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA). The company does not expect the number of APT31 attacks to fall in the near future and therefore advises commercial and other organisations to add the published indicators of compromise to their defences so that such malware can be detected in time.