“This tactical adaptation allows the identical operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” the researchers found.
Links to Sandworm and Curly COMrades
According to Amazon’s telemetry, the group’s infrastructure overlaps with Sandworm, a group also known as APT44 and Seashell Blizzard that is associated with Russia’s military intelligence agency, the GRU. There are also overlaps with a group whose activity was previously documented by security firm Bitdefender under the name Curly COMrades.
However, these could be subgroups within the GRU that work together, with the one tracked by Amazon handling initial access and lateral movement and Curly COMrades handling host persistence via its CurlyShell and CurlCat custom malware implants.