Positive Technologies: some of the companies attacked since February were hacked back in 2021

Investigations of cyber incidents in Russian companies, which became known after the start of the military operation in Ukraine on February 24, showed that the attackers began preparing the infrastructure for attacks in the fourth quarter of 2021, Positive Technologies told Kommersant at the SOC-Forum today, November 15 . The attackers used the well-known malware Cobalt and the unique new Fasol. For the first, control domains were registered back in November 2021, for the second – in February 2022, Positive Technologies found out during the investigation. The date of the first recorded hack is January 1, 2022.

Among the victims were domestic industrial and energy enterprises, telecommunications, media companies and enterprises of the credit and financial industry, said Alexey Novikov, director of the Positive Technologies security expert center: “In the event of any geopolitical shocks, as well as socially significant events, it is necessary to look for traces of an earlier hack organizations. Most of the companies that have been the victims of cyberattacks this year were hacked three to four months before the fact of the hack became public.”

At the same time, according to the results of the third quarter of 2022, the number of cyber attacks increased by a third compared to the same period in 2021, calculated in Positive Technologies. “This is due to the ongoing confrontation in cyberspace, the activities of hacktivists and the emergence of new ransomware,” the company explains. According to it, targeted, sophisticated attacks by hackers account for at least 67% of incidents quarterly.

As Kommersant wrote, since February 2022, it became known about the hacking of SDEK, Yandex.Food, the Rutube media platform, Rostelecom and NTV Plus cable networks, as well as the Mir payment system and other large Russian organizations.

For groups conducting targeted attacks, long-term preparation is standard practice, notes PIR Center consultant Oleg Shakirov: “Unlike hacktivists or low-skilled criminals, they are not interested in a quick effect (public or monetary), but in obtaining a comprehensive picture of their victim, access to the most valuable data and key systems,” he says. Advanced cybercriminals can also carry out targeted attacks, but sometimes groups associated with a particular state are behind such attacks, adds Oleg Shakirov. To implement a complex and lengthy attack, significant resources are needed, while the immediate commercial benefit may not be so obvious, the expert explains. Kommersant’s interlocutor in the information security market believes that the events of February coincided with the actions of intruders, just before that their plans were to gradually sell data from the victim’s systems, but “political motives changed priorities.”

Tatyana Isakova