BI.ZONE sheds light on data breaches caused by Leak Wolf’s malware-free attacks

The Leak Wolf group hacks Russian companies and publishes their data in its Telegram channel. The so-called hacktivists use no malicious software and act under the guise of company employees to evade detection
May 17, 2023

In 2022, hacktivists were the driving force behind a surge in data breach incidents. Unlike ransomware attackers motivated by financial gains or espionage actors sponsored by national governments, hacktivist groups aim to break into companies for “ethical” reasons.

Leak Wolf is one such group. Its earliest activity can be traced back to April 2022 on Telegram, where it first published stolen data from several victims. As of early 2023, the group had attacked more than 40 Russian companies, most often in retail, education, and IT.

Unlike traditional attackers, Leak Wolf used no popular vulnerability exploits, no malware, and no phishing emails. According to the BI.ZONE Cyber Threat Intelligence unit, the attackers leveraged access to legitimate employee accounts and abused the trusted relationships between victim organizations and their IT contractors. This approach enabled Leak Wolf to remain invisible to monitoring for a long time. To avoid unwanted attention, the group leased Russia-based servers and connected through a VPN. Given how widespread remote work has become, such connections raised no flags with the cybersecurity teams.

The perpetrators also gained unauthorized access by mining leaked data about individual users. Employees often neglect basic digital hygiene: they register on third-party platforms with their corporate email addresses and reuse the same simple passwords across multiple accounts, so a password exposed in an unrelated leak can open the corporate account as well.

After the cybercriminals had penetrated the target infrastructure, they scanned the network, stole sensitive information (e.g., a client database), uploaded it to a file-sharing site, and posted a link to it in Telegram.

Nearly 60% of incidents we dealt with last year were related to data breaches. In comparison to 2021, the number of such attacks increased fourfold. Leak Wolf’s activity shows us yet again that hackers do not necessarily need malware to succeed. Without effective threat monitoring in place, discovering such incidents is nearly a mission impossible. Addressing the issue also requires proactive threat search capabilities.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

To reduce the risk of such attacks, security event monitoring must be streamlined as part of SOC operations. If an incident has already occurred, it is critical to respond quickly and launch an investigation. This allows the company to understand the attack vector, isolate the compromised assets from the network, and prevent similar attacks from recurring.
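The attack chain described above (a valid employee account connecting from a newly seen remote source, then internal scanning, then an upload to a file-sharing site) leaves no malware to detect, so monitoring has to correlate ordinary events. The following hunt is an added illustration, not code from BI.ZONE or the white paper; the event format, baseline, file-sharing domain list, and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (VPN, firewall, proxy); not taken from the report.
# Each tuple: (ISO timestamp, user, event kind, "key=value" detail string).
SAMPLE_EVENTS = [
    ("2023-03-01T09:02:00", "a.ivanov", "vpn_login", "src=203.0.113.7"),    # usual source
    ("2023-03-02T22:15:00", "a.ivanov", "vpn_login", "src=198.51.100.40"),  # never seen before
    ("2023-03-02T23:40:00", "a.ivanov", "http_upload",
     "dst=files.example-share.test bytes=850000000"),
    ("2023-03-02T10:00:00", "b.petrov", "vpn_login", "src=203.0.113.9"),
    ("2023-03-02T10:05:00", "b.petrov", "net_connect", "dst=10.0.5.1:445"),
] + [  # 25 SMB connections to distinct internal hosts within five minutes
    (f"2023-03-02T22:{20 + i // 6:02d}:{(i % 6) * 10:02d}", "a.ivanov",
     "net_connect", f"dst=10.0.5.{i}:445") for i in range(25)
]
# Assumed per-user baseline of known remote-access sources and a watchlist of
# file-sharing domains; in practice both come from historical logs and CTI.
BASELINE = {"a.ivanov": {"203.0.113.7"}, "b.petrov": {"203.0.113.9"}}
FILE_SHARING = {"files.example-share.test"}

def parse(detail):
    """Turn 'k1=v1 k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())

def hunt(events, baseline, window=timedelta(hours=4), scan_hosts=20, upload_bytes=100_000_000):
    """One finding per login from a source outside the user's baseline, enriched
    with what that account did during the following window."""
    events = sorted(events)  # ISO timestamps sort chronologically as strings
    findings = []
    for ts, user, kind, detail in events:
        if kind != "vpn_login" or parse(detail)["src"] in baseline.get(user, set()):
            continue
        start, src = datetime.fromisoformat(ts), parse(detail)["src"]
        hosts, uploaded = set(), 0
        for ts2, user2, kind2, detail2 in events:
            if user2 != user or not (start < datetime.fromisoformat(ts2) <= start + window):
                continue
            d = parse(detail2)
            if kind2 == "net_connect":
                hosts.add(d["dst"].split(":")[0])          # distinct internal targets
            elif kind2 == "http_upload" and d["dst"] in FILE_SHARING:
                uploaded += int(d["bytes"])               # bytes sent to file-sharing sites
        stages = ["new_source_login"]
        if len(hosts) >= scan_hosts:
            stages.append("internal_scan")
        if uploaded >= upload_bytes:
            stages.append("file_share_upload")
        findings.append({"user": user, "src": src, "hosts": len(hosts),
                         "bytes": uploaded, "stages": stages})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

A login from an unfamiliar source alone is a weak signal given remote work; the finding only becomes actionable when the later stages accumulate on the same account.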

Read more about Leak Wolf’s tactics, techniques, and procedures in our white paper Hidden in plain sight.