An analysis of cryptocurrency wallets linked to the Karakurt hacker group, combined with the group's peculiar data theft methodology, suggests that its membership overlaps with two other top hacking teams, according to an analysis published by the cybersecurity firm Tetra Defense.
Tetra’s report details the experience of a corporate customer who was the victim of a ransomware attack by the Conti Group and then again targeted by a data theft perpetrated by the Karakurt Group. Analysis showed that the Karakurt attack used precisely the same backdoor to compromise customer systems as the previous Conti attack.
“Such access can only be gained through some sort of surreptitious purchase, relationship, or access to Conti Group infrastructure,” Tetra wrote in its report.
It is important to differentiate between the two types of cyberattacks described here, according to Tetra. During a ransomware attack, key data is encrypted and extortion money is paid in exchange for a decryption key, so that the target company can recover their data and resume operations. In data theft, which was the only type of attack perpetrated by the Karakurt Group, hackers steal sensitive corporate data and demand money in exchange for not disclosing it to the world.
Karakurt attacks of this type – there have been more than a dozen to date, according to Tetra – have also used cryptocurrency wallets linked to the payment addresses of Conti victims, further strengthening the argument that the membership of the two groups overlaps significantly.
According to Nathan Little, senior vice president of digital forensics and incident response at Tetra, this model represents a departure from the Conti Group’s normal business model.
“Historically, we’ve seen criminals honor their agreements,” he says. “At first, when these [data theft attacks] started in 2019, it was common for companies to be scared enough to pay, not to hide the incident, but to avoid the consequences.”
These days, however, data theft has become common enough – and new regulatory regimes have made mandatory disclosures more likely – that companies are less likely to pay just to have their data protected.
That’s not the only confusing thing about Karakurt’s attacks, according to Tetra. They erode victimized businesses’ confidence that they won’t be hit by the same type of attack more than once. Paying a Conti ransom was usually a relatively strong guarantee that the group would move on and that no further attacks would occur. If the two groups are linked and the victims are indirectly extorted by the same people, payments may become more difficult to obtain.
“It’s interesting to see how it plays out,” Little says. “It seems to be a bit of a scramble within the Conti group.”
Although the machinery of cybercrime is incredibly complicated, he added, the initial system compromise that makes these attacks possible is often quite simple and can often be avoided with relatively basic protective measures.
“Cybersecurity is a big issue that needs to be addressed, but many of these incidents, with fairly basic cybersecurity controls, wouldn’t happen,” Little says.
Copyright © 2022 IDG Communications, Inc.