Red Wolf is back to spy against commercial firms

BI.ZONE has detected a new wave of attacks by the Red Wolf group (aka RedCurl) that went off the radar in 2022
June 26, 2023

As in its earlier attacks, the group remains focused on stealing sensitive data from commercial organizations.

Since 2018 Red Wolf has been engaged in corporate espionage in Russia, Canada, Germany, Norway, Ukraine, and the United Kingdom.

To penetrate organizations, the attackers sent out phishing emails. In the series of attacks uncovered by BI.ZONE, the malware was delivered to target systems inside disk images. The intrusion unfolded in several stages, which made it harder to detect with conventional security tools. Once it had gained a foothold on a victim's system, Red Wolf sent information about the compromised environment to its command-and-control server and then delivered additional malware.

Typically, espionage actors are state-sponsored groups, while their victims are mostly industrial enterprises and government-owned companies. Unlike others, Red Wolf targets primarily commercial firms. The group prefers to move slowly through the compromised IT infrastructure. By not drawing much attention, it can remain invisible for up to six months. Despite using widely known attack techniques, the perpetrators manage to effectively bypass traditional defenses and minimize the likelihood of detection.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

To reduce the risk of such attacks, organizations need to improve email security, as email is the channel most often abused by threat actors like Red Wolf. A company must be able to stop a cyberattack at any stage of its development. We therefore recommend delegating the detection, response, and prevention of cyber threats to security event monitoring experts.
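The delivery vector described above, disk images arriving by phishing email, is something a mail gateway or mail-flow hook can check for directly. The following is an added example written for this page, not code from BI.ZONE's report, that walks a message's MIME attachments and flags disk images both by extension and by content signature, so an image renamed to .pdf or wrapped in a ZIP archive is still reported. The message it parses is constructed inline and is not a Red Wolf sample; the extension list, the one-level ZIP unpacking and the 64 MB member cap are assumptions a deployment would tune.

```python
"""Flag e-mail attachments that are disk images (ISO 9660/UDF, VHD, VHDX).

Added example for this page; the sample message below is constructed and
is not a real phishing sample. Detection uses extension AND signature so a
renamed image is still caught.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed extension list; extend to match what your gateway already blocks.
IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx", ".udf"}
# Standard identifiers that may appear in the volume descriptor area of
# ISO 9660 (CD001) and UDF (BEA01/NSR02/NSR03/TEA01) images.
ISO_DESCRIPTOR_IDS = {b"CD001", b"BEA01", b"NSR02", b"NSR03", b"TEA01"}
MAX_ZIP_MEMBER = 64 * 1024 * 1024  # assumed cap on members read from a ZIP


def sniff_disk_image(data: bytes) -> Optional[str]:
    """Return the image type if the bytes carry a disk-image signature, else None."""
    # ISO 9660 / UDF: volume descriptors start at sector 16 (offset 0x8000);
    # byte 0 is the descriptor type, bytes 1..5 the standard identifier.
    if len(data) > 0x8006 and data[0x8001:0x8006] in ISO_DESCRIPTOR_IDS:
        return "iso9660/udf"
    if data[:8] == b"vhdxfile":
        return "vhdx"
    # VHD keeps its "conectix" footer in the last 512 bytes; dynamic and
    # differencing disks also mirror it at offset 0.
    if data[:8] == b"conectix" or data[-512:][:8] == b"conectix":
        return "vhd"
    return None


def _inspect(name: str, payload: bytes, container: Optional[str]) -> list:
    """Check one blob; descend one level into a ZIP when at the top level."""
    found = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    sig = sniff_disk_image(payload)
    if ext in IMAGE_EXTENSIONS or sig:
        found.append({"name": name, "container": container,
                      "by_extension": ext in IMAGE_EXTENSIONS, "signature": sig})
    if container is None and zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_ZIP_MEMBER:
                    continue  # do not inflate oversized members into memory
                found.extend(_inspect(info.filename, zf.read(info), container=name))
    return found


def find_disk_images(raw_message: bytes) -> list:
    """Parse an RFC 5322 message and report disk-image attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(_inspect(name, payload, container=None))
    return findings


def _build_sample() -> bytes:
    """Constructed message: a benign PDF, an ISO renamed to .pdf, a ZIP holding a VHDX."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Minimal ISO 9660 stand-in: primary volume descriptor at offset 0x8000.
    fake_iso = bytes(0x8000) + b"\x01CD001\x01" + bytes(2048)
    msg.add_attachment(fake_iso, maintype="application",
                       subtype="octet-stream", filename="scan.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("disk.vhdx", b"vhdxfile" + bytes(1024))
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


SAMPLE_MESSAGE = _build_sample()

if __name__ == "__main__":
    for hit in find_disk_images(SAMPLE_MESSAGE):
        print(hit)
```

Running the block prints two findings: the renamed ISO (caught only by signature) and the VHDX inside the ZIP (caught by both). The benign PDF is not reported. Matching on the signature rather than the extension alone is the part that matters here, because the attacker controls the file name but not the bytes the mounting code expects.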