BI.ZONE uncovers espionage attacks on the defense industry and critical infrastructure

The Core Werewolf group takes advantage of legitimate software and phishing to gain control over the victim system, copy the files, and track the user’s activities
June 13, 2023

The threat actors target confidential information about Russia’s critically important facilities.

There is a growing trend among cybercriminals and APT groups toward employing legitimate tools. This enables them to remain undetected for a long time.

Core Werewolf is one such APT group. Its activity can be traced back to August 2021, and it has been conducting cyberattacks ever since. BI.ZONE Cyber Threat Intelligence examined the decoy documents the adversaries used to mislead their victims and established that the group primarily targeted Russian organizations associated with the defense industry and critical infrastructure.

To penetrate the infrastructure, the attackers sent phishing emails with links to malicious files. The files were disguised as .docx and .pdf documents and contained decrees, orders, guidelines, memos, and resumes, so their content did not raise any concern with the user. However, opening the file triggered the background installation of UltraVNC. This legitimate software is commonly used for remote connections to computers, and the attackers leveraged it to gain access to the compromised devices.

Today, criminal groups tend to abandon malicious software in favor of legitimate tools, including those embedded into the operating system. The example of Core Werewolf has once again proved the effectiveness of such methods in human‑operated attacks.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

Mitigating the risk of such attacks requires both reactive and proactive detection of cyber threats. BI.ZONE experts recommend dedicated email protection solutions that block harmful messages. On top of that, security event monitoring is essential for tracking suspicious behavior of legitimate programs.
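As an added illustration of such monitoring (example code written for this page, not BI.ZONE tooling), the script below runs a simple detection over constructed process-creation events: it flags an executable disguised with a document double extension, and a VNC server started from it or from a user-writable location. The file paths, the event fields and the UltraVNC server image name (winvnc.exe) are assumptions and are not taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
# Paths and the UltraVNC server binary name (winvnc.exe) are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 5316, "ppid": 1234, "image": r"C:\Users\u\Downloads\Order_2023.pdf.exe"},
    {"pid": 5400, "ppid": 5316, "image": r"C:\Users\u\AppData\Roaming\svc\winvnc.exe"},
    {"pid": 6100, "ppid": 2222, "image": r"C:\Program Files\UltraVNC\winvnc.exe"},
]

# A file name ending in a document extension followed by an executable extension
# (e.g. memo.docx.exe) is the "disguised document" pattern described in the report.
LURE_NAME = re.compile(r"\.(docx|pdf)\.(exe|scr)$", re.IGNORECASE)
VNC_SERVER_NAMES = {"winvnc.exe"}  # assumed UltraVNC server image name
TRUSTED_INSTALL_ROOTS = (r"c:\program files", r"c:\program files (x86)")


def is_lure(image: str) -> bool:
    """True if the image name carries a document extension in front of an executable one."""
    return LURE_NAME.search(PureWindowsPath(image).name) is not None


def is_vnc_server(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in VNC_SERVER_NAMES


def in_trusted_root(image: str) -> bool:
    return image.lower().startswith(TRUSTED_INSTALL_ROOTS)


def detect(events):
    """Return (pid, reason) alerts for lure executables and suspicious VNC server starts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if is_lure(e["image"]):
            alerts.append((e["pid"], "double-extension document lure executed"))
        if is_vnc_server(e["image"]):
            parent = by_pid.get(e["ppid"])
            if parent is not None and is_lure(parent["image"]):
                alerts.append((e["pid"], "VNC server spawned by document lure"))
            elif not in_trusted_root(e["image"]):
                alerts.append((e["pid"], "VNC server running outside trusted install path"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

A VNC server launched by a legitimate installer from Program Files raises no alert here; the same logic can be expressed as a rule in whatever event-monitoring platform is in use.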
