Cyberattacks Target Russian and CIS Government Organizations: Lazy Koala Group Identified

Positive Technologies Discovers Series of Cyberattacks on Russian and CIS Government Organizations

Experts at Positive Technologies have identified a new hacker group, Lazy Koala, responsible for a series of cyberattacks on government organizations in Russia and six other CIS countries. According to the researchers, the attackers rely on simple but effective techniques. At the time of discovery, 867 employee accounts had been compromised.

Details of the Attacks

The wave of attacks, aimed at government agencies in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia, was discovered in the first quarter of 2024. Victims include government and financial institutions, as well as medical and educational organizations in these countries.

At the time of discovery, 867 compromised accounts had been recorded, 321 of which were unique (the remainder appear more than once in the stolen data). All affected organizations have already been notified directly.

Possible Connections and Attack Methods

Given the geographic distribution of the victims and the tools used, researchers suspect a possible connection to the YoroTrooper group, which has used similar techniques and tools. However, no direct links have been found so far.

The group behind these incidents was named Lazy Koala for its use of simple techniques and after the username of the individual who manages the Telegram bots that receive the stolen data.

Malware and Attack Techniques

The malware used by the group has been dubbed LazyStealer because of its straightforward implementation. Despite its simplicity, attacks using this stealer have proven effective. The exact infection vector has not been determined, but phishing is believed to be the primary delivery method.

“The new group’s approach can be described as ‘complex doesn’t mean better.’ Lazy Koala doesn’t use sophisticated tools, tactics, or techniques, yet they achieve success. Their main weapon is a primitive stealer written in Python, which we believe is distributed via good old phishing. The attackers convince victims to open an attachment and run a specific file in their browser. Attachments are prepared in the national language for each country. Once on the infected device, the malware sends stolen data via the attackers’ favorite messenger, Telegram,” commented Denis Kuvshinov, Head of Cyber Threat Research at Positive Technologies’ Security Expert Center.
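The Telegram channel described above gives defenders something concrete to look for: a stealer that reports to a Telegram bot must call the public Telegram Bot API, whose URL shape is https://api.telegram.org/bot<bot_id>:<secret>/<method>. The script below is an added example written for this page, not code from the article, from Positive Technologies, or from the group. It scans web-proxy log lines for requests that carry a bot token in the URL, flags the data-pushing methods (sendDocument, sendMessage, and similar), and groups the flagged hosts by bot ID so that one campaign's victims can be enumerated. The log format, the sample entries, the bot IDs and tokens are all constructed; the "scripted client user-agent" heuristic is an assumption drawn from the stealer being written in Python, not an indicator published in the report.

```python
"""Hunt for Telegram Bot API exfiltration in web-proxy logs (added example, not
from the original article). The log format and all sample entries below are
constructed for illustration; adapt LOG_RE to your proxy's real format."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public shape of Telegram Bot API calls: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<api_method>[A-Za-z]+)"
)

# Bot API methods that push data into a chat; a stealer needs one of these to exfiltrate.
PUSH_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendMediaGroup"}

# Constructed proxy log format (simplified, Squid-like):
# <iso-timestamp> <client-ip> <user> <http-method> <url> <status> <bytes-sent> <user-agent>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<http_method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes_out>\d+)\s+(?P<ua>.*)$"
)

# Heuristic (an assumption, not an IOC from the report): simple Python tooling usually
# shows up with a library user-agent rather than a browser one.
SCRIPT_UA_RE = re.compile(r"python-requests|python-urllib|aiohttp|httpx", re.I)

# Constructed sample log: one legitimate Telegram Web visit, two stealer-like uploads
# to the same bot from two hosts, one polling call to a different bot, and one junk line.
SAMPLE_LOG = """\
2024-02-14T09:12:03Z 10.20.1.17 ivanov GET https://web.telegram.org/k/ 200 512 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0
2024-02-14T09:13:41Z 10.20.1.17 ivanov POST https://api.telegram.org/bot7000000001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 200 48213 python-requests/2.31.0
2024-02-14T09:15:02Z 10.20.1.42 petrov POST https://api.telegram.org/bot7000000001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage 200 910 python-requests/2.31.0
2024-02-14T09:20:55Z 10.20.2.8 sidorova GET https://api.telegram.org/bot7000000002:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/getUpdates 200 120 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0
this line is garbage and must be skipped
"""


@dataclass
class Alert:
    ts: str
    src: str
    user: str
    bot_id: str
    api_method: str
    bytes_out: int
    reasons: tuple[str, ...]


def scan_proxy_log(log_text: str) -> list[Alert]:
    """Return one Alert per request that carries a Telegram bot token in its URL."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        api = BOT_API_RE.search(m["url"])
        if not api:
            continue  # ordinary Telegram web/desktop traffic never puts a bot token in the path
        reasons = ["telegram_bot_api_token_in_url"]
        if api["api_method"] in PUSH_METHODS:
            reasons.append(f"push_method:{api['api_method']}")
        if m["http_method"] == "POST":
            reasons.append("http_post")
        if SCRIPT_UA_RE.search(m["ua"]):
            reasons.append("scripted_client_ua")
        alerts.append(Alert(
            ts=m["ts"], src=m["src"], user=m["user"],
            bot_id=api["bot_id"], api_method=api["api_method"],
            bytes_out=int(m["bytes_out"]), reasons=tuple(reasons),
        ))
    return alerts


def is_high_confidence(alert: Alert) -> bool:
    """A POST to a data-pushing method is the exfiltration pattern itself; a lone
    token in a GET (e.g. getUpdates polling) is worth a look but weaker."""
    return "http_post" in alert.reasons and any(r.startswith("push_method:") for r in alert.reasons)


def victims_by_bot(alerts: list[Alert]) -> dict[str, set[str]]:
    """Group reporting hosts by bot ID: every host talking to the same bot is part
    of the same campaign, which is how a handful of alerts becomes a victim list."""
    groups: dict[str, set[str]] = {}
    for a in alerts:
        groups.setdefault(a.bot_id, set()).add(a.src)
    return groups


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        tag = "HIGH" if is_high_confidence(a) else "low "
        print(f"{tag} {a.ts} {a.src} {a.user} bot={a.bot_id} {a.api_method} {a.bytes_out}B {a.reasons}")
    print("victims by bot:", victims_by_bot(found))
```

Block the Bot API at the proxy only after checking whether any legitimate integration uses it; otherwise the single-host alert on a token in the URL is the pivot, and grouping by bot ID turns it into a list of affected workstations to pull for forensics.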

Attackers’ Goals and Consequences

The attackers' main goal appears to be stealing credentials for various services from employees of government organizations. The stolen credentials are likely intended for follow-on attacks against the internal infrastructure of the targeted organizations; such data can also be sold on the dark web.
