'Space pirates' penetrate deep into Russia's aerospace industry
A novel hacker group with likely Asian origins is targeting Russia's space tech industry using previously unknown malware.
A previously unidentified hacker group, active since at least 2017, has been stealing documents from several space-focused companies, a recent report by Positive Technologies shows.
Researchers have discovered that the group has been sending phishing emails to Russian aerospace enterprises in an attempt to deploy a novel strain of malware. The group was dubbed 'Space Pirates' over its use of the P1Rat string in PDB paths and its focus on victims within the aerospace industry.
According to the report, the group's primary goals are espionage and theft of confidential information. The threat actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia, and Mongolia. However, the majority of the identified victims were in Russia. Of those, several operated specifically within the partially state-owned aerospace industry of the Russian Federation.
The report's authors claim that at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months. The attackers stole 1,500 internal documents, together with information about all employee accounts in one of the network domains.
Another victim organization had its servers infested for over a year, with malicious actors spreading malware on a dozen corporate nodes in several regions of the country.
The report claims that the group has a unique toolkit of downloaders and backdoors, MyKLoadClient, BH_A006, and Deed RAT, not previously described in open sources.
Space Pirates share many intersections with several previously identified China-based groups such as Winnti (APT41), Bronze Union (APT27), Mustang Panda, and others.
Researchers note that the link with the China-linked threat actor TA428 is especially close, as Space Pirates and TA428 were present on infected networks. However, their network infrastructure did not cross paths.
The threat actors distributed the previously unlisted MyKLoadClient malware via phishing emails. An analysis of the emails showed that Chinese companies providing financial services were also victims of the same group.
The report's authors are careful not to specify the origin of Space Pirates, claiming that technical similarities with other groups might arise from Asian threat actors sharing tools with each other.
"A separate difficulty as regards APT groups operating out of the Asian region is accurate attribution: the frequent exchange of tools and, in some cases, joint activity of groups significantly complicate this task," reads the report.
It's hardly the first time in recent months that an Asia-based threat actor has targeted Russian companies with ties to the state. For example, Mustang Panda has targeted European and Russian organizations since the beginning of the war in Ukraine.
According to a Cisco Talos report, Mustang Panda targeted Russian agencies, trying to lure victims with information on political events in Eastern Europe. Researchers noted that in one instance the threat actors used a fake report on a town bordering China and Russia.