Espionage attacks on the rise with more devastating consequences

The share of espionage attacks on Russian organizations has increased by 6% year-on-year. Some threat actors go beyond covert data collection to the disruption of compromised IT infrastructures
December 25, 2024

In 2024, espionage accounted for 21% of attacks against Russian companies vs 15% the year before.

Espionage offenders make every effort to stay unnoticed. To collect as much sensitive data as possible, they stealthily infiltrate the IT infrastructure and dwell there (sometimes for years) without causing any visible damage. In the past few months, however, some threat actors have changed their tactics. Once they achieve their primary goal, they try to destroy their victim’s IT infrastructure and paralyze business processes.

A recent surge in activity of the Paper Werewolf espionage cluster clearly illustrates this trend. Since 2022, the adversary has undertaken at least seven campaigns against Russian government, energy, finance, media, and other organizations.

Paper Werewolf’s latest activity indicates a new component in the cluster’s motivation. In addition to infiltrating the victim’s IT infrastructure for data collection purposes, the adversaries also disrupted some operations in the compromised system. Specifically, they changed passwords to employee accounts. Such actions are common to financially motivated actors when demanding ransom for restoring access to company assets, as well as to hacktivists that seek to stir up as much public attention as possible.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Paper Werewolf initiates attacks by sending out phishing emails—typically, on behalf of a government agency or a large company. The messages contain an encrypted Microsoft Word document. To read it, the victim is prompted to allow macros. Once the user allows macros, the document content is decrypted and a malicious program is installed on the user’s device.

In some instances, the attackers employ PowerRAT, a remote access trojan that enables them to execute commands and carry out reconnaissance. The attacker tools also include a malicious IIS module Owowa for retrieving credentials during user authorization in the Outlook Web Access (OWA) service. In addition, the offenders use Mythic framework agents—Freyja and Powertaskel (an implant crafted by Paper Werewolf). By using their own tools, the attackers make it harder for corporate defenses to detect the malicious activity.
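As an added defender's check, not part of the original BI.ZONE article or its tooling: this PowerShell enumerates the IIS modules on an Exchange/OWA server, the layer where a malicious IIS module such as Owowa would sit, flagging native modules whose DLL is missing or not validly signed by Microsoft and managed modules whose type name falls outside the Microsoft/System namespaces. It assumes an elevated session with the WebAdministration module available and the OWA application at the default IIS path 'Default Web Site/owa'.

```powershell
# Added example, not BI.ZONE's code. Assumes an elevated session on the IIS/Exchange
# server with the WebAdministration module installed (IIS Management Scripts and Tools).
Import-Module WebAdministration

function Get-SuspiciousIisModule {
    param(
        # Default OWA application path in IIS; adjust if the site name differs.
        [string]$OwaPath = 'IIS:\Sites\Default Web Site\owa'
    )
    $findings = @()

    # 1. Native (global) modules: every DLL should exist and carry a valid Microsoft signature.
    foreach ($m in Get-WebGlobalModule) {
        # Image paths are stored with %windir%; expand before touching the file.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += [pscustomobject]@{ Kind = 'Native'; Name = $m.Name; Detail = "$path missing on disk" }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            # Record the DLL's last write time so the analyst can correlate it with the incident timeline.
            $written = (Get-Item -LiteralPath $path).LastWriteTime
            $findings += [pscustomobject]@{
                Kind   = 'Native'; Name = $m.Name
                Detail = "$path; status=$($sig.Status); signer=$signer; written=$written"
            }
        }
    }

    # 2. Managed (.NET) modules configured for the OWA application (inherited entries included).
    #    The namespace prefix is only a triage heuristic, since an attacker can choose any type
    #    name; anything outside System.* / Microsoft.* should be traced to its assembly and verified.
    foreach ($m in Get-WebManagedModule -PSPath $OwaPath) {
        if ($m.Type -notmatch '^(System|Microsoft)\.') {
            $findings += [pscustomobject]@{ Kind = 'Managed'; Name = $m.Name; Detail = "type=$($m.Type)" }
        }
    }
    $findings
}

Get-SuspiciousIisModule | Format-Table -AutoSize -Wrap
```

An empty result means only Microsoft-signed native modules and Microsoft/System managed modules are registered; any finding is a lead for review, not a verdict.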

To counter cyberattacks effectively, it is essential to understand how adversaries adjust their methods to specific infrastructures. Dedicated portals, such as BI.ZONE Threat Intelligence, help organizations protect themselves from threats. The data provided by these portals form a comprehensive picture of the threat landscape, which ensures the effective operation of security solutions and speeds up incident response.