The Solar 4RAYS cyber threat research center has discovered a long-running network attack on a Russian state organization that went unnoticed for a year and a half while the attackers collected confidential data.
The attackers broke in through the organization's physical access control system, which was not connected to the centralized information security monitoring system.
Taking advantage of this, they gained access in March 2023 and drew no attention until they tried to penetrate systems monitored by Solar JSOC. It was at that point that their activity was detected, which led to the start of the investigation and response.
According to the experts, the attacked state organization is a Solar JSOC customer, but only some of its systems are connected to the security monitoring services. The organization's access control system is not one of them, which allowed the hackers to keep a foothold in the network for a long time.
"Unaccounted-for computers, administered by hand, are rarely updated and often use local accounts with administrative privileges. In some cases those accounts have no password at all, and where a password exists it is often simple and never changed. Such forgotten systems become an easy target for attackers. That is why regular inventory of IT assets and comprehensive monitoring of the entire network are critical for protection against cyberattacks," said Denis Chernov of Solar 4RAYS.
The group behind the attack was given the name Erudite Mogwai by the Solar group of companies. The name reflects the fact that the attackers leave references to literary and musical works in their malicious code. The group is also known as Space Pirates and specializes in attacks on state organizations and technology businesses. Its recorded targets include organizations in Russia, Georgia, Mongolia, China, Serbia and Uzbekistan.
Over 1.5 years, Erudite Mogwai compromised several dozen systems of the state organization, using more than 20 different tools that were removed after use. The utilities used are mainly open source solutions of Chinese origin.
A distinctive feature of the attack is the use of a modified version of the Stowaway utility, a tool for proxying traffic and hiding traces. The hackers evidently built this version of the utility for their own needs. In the attack they also used:
ShadowPad Light (Deed RAT) and LuckyStrike, backdoor agents for covert access to systems; Keylogger CopyCat, a tool for capturing keystrokes; Fscan and Lscan, utilities for network scanning; and Netspy, a tool for network probing and reconnaissance.
"The tactics and techniques of Erudite Mogwai are aimed at a long-term presence in compromised systems. They started the attack from a vulnerable network segment, which allowed them to remain unnoticed for a long time. This is a typical approach for professional groups engaged in network attacks," Denis Chernov emphasized.