Hackers knocked on the door of the Ministry of Foreign Affairs – Business – Kommersant

Information security experts tracked down the dangerous actions of hackers from the XDSpy group, which specializes in cyber espionage. The attackers chose Russian state institutions as their targets, including the structures of the Russian Foreign Ministry. The ministry said the attacks were successfully blocked. The potential damage from XDSpy attacks can be very serious, experts admit. What country these hackers work for is unknown.

Russian state institutions were attacked by the XDSpy hacker group, known for targeted attacks on government agencies and private companies in Eastern Europe, interlocutors in the cybersecurity market told Kommersant. In mid-March, XDSpy sent phishing emails to organizations with malicious attachments. According to one of Kommersant’s interlocutors, the structures of the Russian Foreign Ministry became the target of the new attack. “On March 13, an archive called “Spisok_No_658.zip” was discovered, which contains two malicious files,” he says. Once the archive is opened by the victim, hackers can access confidential data on the infected computer without being noticed.

Kaspersky Lab also detected malicious mailings on March 13: “One started in the morning, in the first four days alone we found several hundred emails in which malware was sent under the guise of an important list.” Letters allegedly come from regulators, Andrey Kovtun, head of the email threat protection group at Kaspersky Lab, said.

The goal of the attackers is espionage, the theft of documents or data to access work mail, the expert claims. In which organizations the attacks were recorded, the company did not specify.

The Ministry of Foreign Affairs reported to Kommersant that cyber attacks on the ministry in the middle of the month were detected and localized by regular means of active protection and did not receive further distribution. The ministry clarified that their IT specialists record numerous attempts to carry out various kinds of “cyber attacks on information systems” almost daily.

“XDSpy is an old, but little-studied and dangerous group,” notes Dmitry Kupin, Lead Malicious Code Analyst at Group-IB Threat Intelligence. “It was first discovered by the Belarusian CERT (Information Security Incident Response Center.— “b”) in February 2020, although experts from international companies such as ESET believe that the group itself has been active since at least 2011.”

Despite the long history of XDSpy, cybercrime investigators both in Russia and in the world still cannot determine in the interests of which country this group is working, admits a Kommersant interlocutor in the cybersecurity market.

Most of the group’s targets are in Russia, including government, military, financial institutions, as well as energy, research and mining companies, Mr. Kupin said. The previous large-scale XDSpy cyberattack in Russia was recorded in October 2020, when cybersecurity experts noticed the collection, encryption and sending of data from victim companies to attackers’ servers (see. “Kommersant” dated October 5, 2020).

The scale of damage in a successful XDSpy attack can range from minimal to critical, as the group tries to collect all possible documents and letters from the infected machine, Denis Kuvshinov, head of cyberthreat research at the Positive Technologies security expert center, knows.

Russian state institutions have been massively subjected to various cyber attacks since February last year. So, in the summer, attackers purposefully searched shady forums for databases containing encrypted codes (hash) of passwords for identification on government sites and services in order to organize their hacking in the future (see below). “Kommersant” dated August 29).

Tatyana Isakova