Escalation in State-Sponsored Cyber Espionage Targeting Government Infrastructure

Escalation in Cyber Espionage Activity Observed Across Government-Oriented Infrastructure

A state-aligned intrusion has come to light after a highly coordinated hacker collective, operating with military-grade discipline, left traces within the network infrastructure of a Russian administrative authority. The disclosure comes from Alexey Firsh, head of threat analysis at the Solar 4RAYS center, part of the Solar group of companies. In the official briefing, Firsh emphasized that the team has monitored this activity for several years; because the available data is insufficient for definitive attribution, the cluster has been given the provisional designation NGC2180. The incidents so far have been contained, and compromised systems have been restored to full functionality.

The Solar team first identified the NGC2180 activity toward the end of 2023 during a sweeping review of critical data processing infrastructure within a Russian department. During the assessment, investigators observed malware activity on a workstation, prompting a deeper probe. The resulting analysis uncovered a multi-stage malware framework, later labeled DFKRAT by experts, propagating across the department’s network. The implant granted attackers the capacity to manipulate systems, exfiltrate user information, and fetch additional malicious payloads for broader access.

According to Firsh, a fragment of the command-and-control server code was recovered and analyzed. The file had been uploaded to a publicly accessible service under the name config.jsp and was traced back to a Saudi Arabian IP address. A subsequent infrastructure review suggested that the hosting machine was itself an intermediary victim, manipulated to coordinate the broader attack. Firsh noted that the current variant of the implant leveraged a hijacked component belonging to the Institute of Nanoscience and Nanotechnology at the National Center for Scientific Research Demokritos in Greece to synchronize its operations, according to Solar 4RAYS. This finding fits the broader pattern of the attackers relying on compromised third-party servers to manage C2 activity. {Citation: Solar 4RAYS threat intel briefing}

The ongoing activity attributed to NGC2180 spans at least three years, illustrating a highly organized cyber espionage group. The misuse of legitimate servers to host command-and-control infrastructure, combined with targeted assaults against critical government sectors, points to a deliberate, possibly politically motivated campaign. Analysts highlight that the group’s approach marks a shift toward stealthy, scalable operations designed to maintain persistence while expanding access across high-value networks. {Source attribution: Solar 4RAYS threat analysis unit}

In closing, multiple investigators stress that the patterns observed—long-running presence, the abuse of trusted servers, multi-stage payloads, and targeted government interfaces—signal a sophisticated threat actor with sustained operational capability. The incidents underline the importance of rigorous network segmentation, continuous monitoring of anomalous traffic, and rapid containment procedures to minimize impact on essential public services. The Solar team continues to monitor developments and share findings with relevant security communities for collective defense. {Source attribution: Solar 4RAYS center, threat analysis division}
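The monitoring recommendation above is concrete enough to illustrate. The script below is an added example written for this page, not code from Solar 4RAYS or from the report. It runs a simple beacon heuristic over constructed proxy log lines (all hostnames and timestamps are invented), flagging a workstation that polls a single external server at near-constant intervals while no other host contacts that server. That traffic shape is what a multi-stage implant checking in with a C2 hosted on an otherwise legitimate third-party machine tends to look like; it is a starting point for triage, not a confirmation of compromise.

```python
"""Heuristic beacon detection over proxy log lines (constructed sample data).

Flags (source, destination) pairs whose outbound connections recur at
near-constant intervals to a destination that few other hosts contact.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src_host> <dst_host> <path>".
# ws-17 polls one rarely-contacted server every ~5 minutes; ws-03 browses a
# news site at irregular intervals; both hosts fetch a vendor update list once.
SAMPLE_LOG = """\
2024-01-15T09:00:00 ws-17 updates.example-vendor.test /patch/list
2024-01-15T09:00:02 ws-03 updates.example-vendor.test /patch/list
2024-01-15T09:00:05 ws-17 srv.compromised-third-party.test /status
2024-01-15T09:05:05 ws-17 srv.compromised-third-party.test /status
2024-01-15T09:10:06 ws-17 srv.compromised-third-party.test /status
2024-01-15T09:15:05 ws-17 srv.compromised-third-party.test /status
2024-01-15T09:20:05 ws-17 srv.compromised-third-party.test /status
2024-01-15T09:25:06 ws-17 srv.compromised-third-party.test /status
2024-01-15T09:03:11 ws-03 news.example-site.test /index
2024-01-15T09:41:50 ws-03 news.example-site.test /politics
2024-01-15T10:02:07 ws-03 news.example-site.test /sport
2024-01-15T10:45:33 ws-03 news.example-site.test /index
2024-01-15T11:20:01 ws-03 news.example-site.test /index
2024-01-15T12:09:44 ws-03 news.example-site.test /index
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_regularity(times):
    """Coefficient of variation of inter-arrival times (0 = perfectly periodic).

    Returns None when there are too few connections to judge.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(events, min_connections=5, max_cv=0.1, max_prevalence=1):
    """Return (src, dst) pairs that look like periodic check-ins to a rare host.

    Thresholds are illustrative; tune them against your own baseline traffic.
    """
    # Prevalence: how many distinct internal sources contact each destination.
    prevalence = defaultdict(set)
    for src, dst in events:
        prevalence[dst].add(src)

    hits = []
    for (src, dst), times in events.items():
        if len(times) < min_connections:
            continue
        cv = interval_regularity(times)
        if cv is None or cv > max_cv:
            continue
        if len(prevalence[dst]) > max_prevalence:
            continue
        hits.append({
            "src": src,
            "dst": dst,
            "connections": len(times),
            "interval_cv": round(cv, 3),
            "distinct_sources": len(prevalence[dst]),
        })
    return hits


def analyze(text=SAMPLE_LOG):
    """Parse the log text and return the beacon candidates."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for hit in analyze():
        print(hit)
```

Both the regularity and the prevalence test are needed: the news site in the sample is also contacted by only one host, but its irregular timing keeps it out of the results, while a vendor update server contacted by many hosts would be excluded by prevalence even if polled on a schedule. Real implants often add jitter, so in practice the interval threshold is loosened and combined with other signals such as first-seen destinations and segment boundaries crossed.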

Note: The information described here reflects ongoing investigative work and may be refined as new data becomes available. The reporting emphasizes a cautious assessment of attribution while acknowledging concrete indicators tied to the observed infrastructure compromise. {Source attribution: Solar 4RAYS security brief}
