BI.ZONE: threat actors use leaked source code to attack Russian companies

Criminal groups Battle Wolf, Twelfth Wolf, and Shadow Wolf are targeting Russian organizations with the popular ransomware programs Babuk, Conti, and LockBit, which leaked to the public domain. BI.ZONE Cyber Threat Intelligence has recorded more than 40 attacks
September 8, 2023

Since early 2022, there have been tensions within many criminal groups. Moreover, due to the recent geopolitical events, adversaries have come under the spotlight of law enforcement and researchers. As a result, criminal infrastructures are being hacked more frequently. Competing groups resort to releasing each other’s data, techniques, and tools such as malware builders.

This is how the source code for the Babuk, Conti, and LockBit ransomware became publicly available. According to BI.ZONE Cyber Threat Intelligence, it is being intensively used by three criminal groups: Battle Wolf, Twelfth Wolf, and Shadow Wolf.

Battle Wolf emerged in late February 2022 amid the global developments. According to the group’s postings on X (formerly Twitter), it has successfully attacked no less than 15 major organizations in Russia: research, manufacturing, public, financial, etc.

Twelfth Wolf appeared in April 2023, carrying out at least four successful attacks. In its Telegram channel, the group reported an attack on one of Russia’s largest federal executive agencies, which they claimed resulted in a compromise of sensitive information.

Shadow Wolf began its hunt in March 2023 with several successful attacks on Russian engineering, insurance, transportation, and media companies. Unlike Battle Wolf and Twelfth Wolf, the group is driven solely by financial motives. Shadow Wolf and the victim usually communicate on the dark web. The page address is included in the ransom note, which states the conditions for the decryption and removal of the stolen data. In some cases, the attackers create a Telegram chat room where they add the entire IT staff of the affected organization.

Today, threat actors are especially interested in malware source code published on the web. Open access to certain tools lowers the threshold for getting into cybercrime. This makes the attacks much cheaper and easier to organize. Even those countries and industries that were not previously attacked by the original developers of the malware have now become targets.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

You can get the latest information about new attack groups, their techniques and tactics with cyber threat intelligence platforms such as BI.ZONE ThreatVision. New threats can be effectively identified and handled by endpoint detection and response solutions like BI.ZONE EDR.

Check out our new research for more details about the groups and leaked data.