Good diplomatic relations do not necessarily extend to cyberspace: the most persistent state-sponsored cyberattacks on Russia have come from its friends. China and North Korea were behind most of the state-sponsored cyberattacks in Russia, according to the Russian security firm Solar.
Well-resourced professional cyber attackers, known as advanced persistent threats (APTs), were behind 20% of all incidents investigated by Solar 4RAYS. APTs are typically state-sponsored groups and pose the most severe cyber threats to organizations.
Telemetry revealed that the highest activity came from Chinese groups focused on cyber espionage. They were most active during a September 2023 campaign, when Chinese APTs compromised 20-40 systems at Russian organizations each day, infecting them with malware. It took security vendors more than a month to notice the activity, which was attributed to the APT 10, APT 15, APT 31, and APT 41 groups. Since then, the number of attacks has decreased.
“The North Korean group Lazarus is also very active in the Russian Federation,” the report reads.
Over the past two years, researchers investigated several incidents related to this group, mostly against Russian government authorities. The data reveals that Lazarus operators still maintain access to numerous Russian systems. Their activity was steady, infecting 10-20 systems each month.
Cybernews reported that Lazarus secretly breached computer networks at NPO Mashinostroyeniya, a major Russian missile developer, even as Moscow has been purchasing artillery shells from North Korea.
Asian groups were the most active in Russia despite the ongoing war in Ukraine, which also sparked confrontation in cyberspace.
“It is quite difficult to identify Ukrainian groups directly behind the squall of attacks since a huge number of politically motivated attackers from different regions act in their interests,” Russian experts noted.
The researchers attributed some activity to Ukrainian groups on the basis of indirect evidence, including attacks against one of the telecom operators using the Pupy RAT (remote access trojan). The attackers delivered the malware through malicious emails and succeeded in damaging some of the operators' infrastructure.
“Their danger lies in the fact that it is almost impossible to determine the points of penetration into a company’s infrastructure without specialized expertise: the attackers either cover their tracks too well or have been in the infrastructure for so long that it is not possible to find them,” Solar said about the recent APT attacks.
Most of the attacks were carried out against government organizations (44%), the telecom industry (14%), and the agriculture sector (9%). The main goals of cyber attackers were cyber espionage and data theft. APTs are expected to maintain similar activity in 2024.
While APTs were responsible for only 20% of attacks, the lion's share (42.5%) was attributed to ransomware operators and other financially motivated criminals who make money by encrypting, stealing, and reselling data. Almost a third of attacks were DDoS attacks and website defacements.
Cybersecurity firm Solar is owned by the largest telecom provider in Russia, Rostelecom.