Highly organized foreign hackers launch spy attack on Russia


Traces of espionage activities of a group of highly organized foreign hackers were discovered in the network infrastructure of one of the administrative authorities of the Russian Federation. Alexey Firsh, head of the threat analysis department at the Solar 4RAYS center of the Solar group of companies, told socialbites.ca.

The group has been active for at least three years, according to Firsh, but because there is not yet enough data to attribute it with confidence, this cluster of activity has been tentatively named NGC2180. All malware detected to date has been neutralized and the affected systems have been returned to service.

The NGC2180 attack was discovered by Solar experts at the end of 2023 during a comprehensive analysis of the infrastructure of a Russian department that processes critical data. During the study, signs of compromise were found on one of the computers. A deeper investigation revealed several instances of multi-stage malware, dubbed DFKRAT by the experts, across the department’s network. It gave the attackers wide latitude to manipulate the compromised system, from stealing user data to downloading additional malware.

“We were able to locate and analyze a fragment of the command and control server code. The file was uploaded to a public service under the name config.jsp from a Saudi Arabian IP address. Analysis of the network infrastructure showed that the person whose server was hijacked to host the control center (C2) was likely an intermediate victim,” said Alexey Firsh, head of the threat analysis department at the Solar 4RAYS center of the Solar Group. He added that in the current version of the implant, a compromised component of a server belonging to the Institute of Nanoscience and Nanotechnology of the National Center for Scientific Research “Demokritos” in Greece was used to coordinate the implant’s operation.

NGC2180’s activity over at least the last three years points to a highly organized cyber group. Its compromise of legitimate servers to build out C2 infrastructure and its targeting of key government structures indicate a systematic approach and a possible political motivation.
