A Russian-speaking hacking group specializing in corporate espionage has carried out 26 campaigns since 2018 in attempts to steal vast amounts of data from the private sector, according to new findings.
The hacking group, dubbed RedCurl, stole confidential corporate documents including contracts, financial documents, employee records and legal records, according to research published Thursday by the security firm Group-IB, which has offices in Moscow in Singapore. Victims spanned a range of industries — including construction, finance, retail and law — with headquarters in Russia, Ukraine, the U.K., Canada, Germany and Norway.
RedCurl relies on hacking techniques similar to groups known as RedOctober and CloudAtlas, another Russian-speaking group that’s targeted multiple entities and government networks “primarily in Russia,” according to the MITRE Corp.’s database of hacking groups. The Russian security vendor Kaspersky previously published its own findings about RedOctober and CloudAtlas, and Group-IB now suggests RedCurl’s focus on similar tactics “may indicate” that the group is a continuation of those prior attacks.
Typically, hackers would impersonate the victim organization’s human resources staff, sending emails promising employee bonuses to multiple workers in the same department in an apparent attempt to dull their defenses. A phishing email against the HR department would serve as the initial point of infection, giving attackers a launching point into the rest of the organization.
Group-IB did not speculate on where RedCurl is based. That the group speaks in Russian, as researchers noted, does not indicate RedCurl is a Russian-based hacking group. Russian-based hacking groups typically do not aim to infiltrate victims located within Russian borders, in part to avoid antagonizing the country’s intelligence agencies.
“For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada,” Rustam Mirkasymov, head of Group-IB’s malware dynamic analysis team, said in an emailed statement. “Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect.”
In this case, the group exploits Microsoft’s PowerShell to insert its own malicious software scripts. Then, hackers typically spend between two to six months inside a breached network, collecting usernames, passwords and other sensitive data while trying to avoid detection.
Group-IB did not disclose the names of the victims in its report.
Update, Aug. 13, 7:27am ET: This article has been updated to clarify that Group-IB detected 26 RedCurl campaigns. A previous version of this story stated the group aimed to breach 26 organizations.