Red Stinger APT Group Targets Military and Critical Infrastructure in Eastern Europe

May 11, 2023
Nextdoorsec-course

Since December 2020, a threat group known as Red Stinger has carried out several advanced persistent threat (APT) attacks against military, shipping, and critical infrastructure targets in Eastern Europe. Cybersecurity company Malwarebytes has revealed that Red Stinger targeted entities involved in the September East Ukraine referendums and, depending on the campaign, stole sensitive data such as screenshots, USB drive contents, keystrokes, and microphone recordings.

The APT group, which overlaps with another threat cluster known as Bad Magic, has targeted government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea since 2020. The first operation occurred in December 2020, with evidence suggesting that the group may have been active since at least September 2021. The group's last recorded activity took place in September 2022, which the report also places at the beginning of Russia's armed invasion of Ukraine.

On compromised machines, the attack chain drops the DBoxShell (PowerMagic) implant via malicious installer files: a Windows shortcut inside a ZIP archive downloads the MSI file. The group has also used alternative implants such as GraphShell, which uses the Microsoft Graph API for command-and-control (C&C).

The group used tools including ngrok, rsockstun, and a binary that exfiltrates victim data to a Dropbox account under the actor's control. Although the exact scale of the infections is unknown, evidence suggests that two victims, one in the military and one an official working at critical facilities, were compromised in February 2022 in central Ukraine. After a period of observation, the operators stole screenshots, microphone recordings, and office documents from both.

The motivations behind the attacks remain unknown, although the attackers infected their own Windows 10 machines in December 2022, likely for testing purposes. The group's use of the Fahrenheit temperature scale and English as their primary language shows that native English speakers were involved.

The researchers contend that it is difficult to attribute the attacks to a particular nation, since some victims supported Russia while others supported Ukraine. The main goals of the attacks were surveillance and data collection, and the perpetrators employed multiple layers of protection and a powerful toolset. The attacks were aimed at specific entities.

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
