
Experts reported an increase in espionage attacks on Russian companies

BI.ZONE: the share of espionage attacks on Russian companies grew by 6%
Photo: IZVESTIA/Sergey Lantyukhov

The share of espionage attacks on Russian companies increased by 6%. Some cyber groups are not just infiltrating IT infrastructure for covert data collection, but also disrupting its functionality. This follows from the data of the digital risk management company BI.ZONE, which was reviewed by Izvestia on December 18.

According to experts, espionage is the main goal of attacks on Russian organizations in 21% of cases. In 2023, the share was 15%. As a rule, such groups operate covertly: attackers stealthily penetrate the IT infrastructure and stay in it as long as possible, sometimes up to several years, without causing visible damage. However, according to experts, some have recently changed tactics: having achieved their main goal, they try to destroy the victim's IT infrastructure, thereby paralyzing the company's processes.

This trend is evident in the recent surge of activity of the Paper Werewolf espionage cluster, which since 2022 has carried out at least seven campaigns targeting the Russian public sector, energy, financial sector, media, as well as a number of other industries.

"Paper Werewolf's new activity is notable for expanding the attackers' motivation. They not only infiltrated a company's IT infrastructure to collect information, but also disrupted its functionality - in particular, changing passwords to accounts. This is usually the way groups with financial motivation, who ask for a ransom for restoring access to the organization's resources, or hacktivists, for whom the widest possible publicity is important, operate," said Oleg Skulkin, head of BI.ZONE Threat Intelligence.

According to the experts, the group's attacks began with phishing emails, usually sent in the name of a government agency or large company. The email contained a Microsoft Word document with encoded content. To read the content, the victim was asked to allow macros to be executed. If the user agreed, the malware was installed on the device at the same time as the document was decoded. In some cases, the attackers used the PowerRAT remote access trojan, which allowed them to execute commands and collect system information. They also used the Owowa malicious IIS module, which allowed them to obtain authentication data when users logged in to Outlook Web Access (OWA).
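Because the credential theft described above relies on a module registered inside IIS, one defensive check is to compare the modules listed in the IIS configuration against a known-good baseline. The following is an added example, not BI.ZONE's tooling or code from the article; the sample configuration, the module names and the baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS applicationHost.config; every name here is invented.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HelperNative" image="C:\ProgramData\helper\hn.dll" />
    </globalModules>
    <modules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="ExampleUnknownModule" type="Example.Unknown.Module, ExampleUnknown" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Hypothetical baseline: module names recorded from a known-good build of this server.
BASELINE = {"StaticFileModule", "FormsAuthentication"}
TRUSTED_IMAGE_PREFIX = r"%windir%\system32\inetsrv" + "\\"

def audit_modules(config_xml, baseline=BASELINE):
    """Return (scope, kind, name, detail) for modules outside the baseline or trusted path."""
    root = ET.fromstring(config_xml)
    findings = []
    # Server-wide sections sit under <configuration>; per-site/app ones under <location>.
    scopes = [("(server)", root)] + [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for ws in node.findall("system.webServer"):
            for add in ws.findall("globalModules/add"):  # native DLL registrations
                image = add.get("image", "")
                if add.get("name") not in baseline or not image.lower().startswith(TRUSTED_IMAGE_PREFIX):
                    findings.append((scope, "native", add.get("name"), image))
            for add in ws.findall("modules/add"):  # modules enabled for this scope
                if add.get("name") not in baseline:
                    kind = "managed" if add.get("type") else "native-enabled"
                    findings.append((scope, kind, add.get("name"), add.get("type", "")))
    return findings

if __name__ == "__main__":
    for finding in audit_modules(SAMPLE_CONFIG):
        print(finding)
```

A module that appears only under a `<location>` scope for the OWA application, as in the constructed sample, is the case most relevant to the credential collection the article describes.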

Earlier, on December 9, it was reported that Russia is in second place in the number of cyberattacks targeting it, with the United States in first place. This follows from the data of the Solar 4RAYS Cyber Threat Research Center of the Solar Group. Also among the most attacked countries are Canada, Switzerland, and Singapore. At the same time, India (31%) topped the list of countries from whose IP addresses cyberattacks were observed in the third quarter. This is followed by Lithuania (24%), China (22%) and the United States (8%).

Translated by Yandex Translate
