Russian Organizations Targeted Through Hacked Elevators, Solar Group Reports

Cybersecurity experts from the Solar 4RAYS cyber threat research center at Solar Group have reported a series of attacks by the pro-government hacker group Lifting Zmiy, targeting Russian government agencies and private companies. The attackers hosted their command and control servers on compromised equipment that is part of SCADA systems, which are used, for example, to manage elevators.

The specialists first encountered this group at the end of 2023, when information about the hacking of a Russian government organization was published in a pro-Ukrainian Telegram channel. The experts participated in the investigation of this attack on an unnamed IT contractor for a Russian government agency. Over the next six months, they studied three more incidents linked to Lifting Zmiy’s activities.

Attack Methods and Tools

The hackers’ tactics were consistent across attacks: initial access was gained through password brute-forcing, after which the attackers established persistence and expanded their foothold using various open-source tools, including:

  • Reverse SSH – a reverse shell for controlling infected systems and delivering additional payloads;
  • SSH backdoor – for intercepting passwords from remote access sessions;
  • GSocket – a utility for creating remote connections to compromised systems, bypassing some security solutions.

Use of Compromised Elevator Controllers

All the studied Lifting Zmiy attacks involved the use of these tools, as well as the placement of command-and-control servers on controllers produced by the Russian manufacturer Tekon-Automatika, which are used for managing and dispatching elevator equipment. In total, more than a dozen infected devices were discovered, and as of the publication of the research, eight of them remained compromised.

The firmware for these devices is universal and runs on a Linux kernel. Combined with the ability to write custom Lua plugins, this gives attackers broad opportunities for exploitation.

“We believe that during the attack, Lifting Zmiy took advantage of publicly available information about security flaws in Tekon-Automatika devices and exploited existing vulnerabilities to host their C2 server components, which were then used in further attacks on their main targets,” the experts wrote.

Objectives and Evolving Tactics

According to the researchers, Lifting Zmiy’s main goal is to obtain confidential data from targeted organizations. After achieving their objective, or if unable to penetrate deeper into the victim’s infrastructure, the hackers switch to destructive actions, such as deleting data from accessible systems.

Interestingly, in most incidents, the group connected to infected systems from IP addresses belonging to various hosting providers. However, in an attack on an IT company investigated in winter 2024, their tactics changed: they used IP addresses from a pool owned by Starlink. Public data indicates these IPs are used by Starlink terminals operating in Ukraine.

Based on several indicators, Solar 4RAYS experts believe that Lifting Zmiy originates from Eastern Europe.

Recommendations for Organizations

“As of our research, Lifting Zmiy remains highly active: using our own hunting systems, we constantly discover new elements of their infrastructure. Therefore, we recommend that organizations using SCADA systems similar to those targeted by the attackers pay close attention to their cybersecurity. Additionally, in all investigated cases, access to infrastructure was gained through simple password brute-forcing, so companies should review the strength of their password policies and, at a minimum, implement two-factor authentication,” commented Dmitry Marichev, an expert at Solar 4RAYS.
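Both the tool list above and the closing recommendation turn on the same point: every investigated intrusion began with SSH password brute-forcing. The following script is an added example written for this article, not code from Solar 4RAYS or from any of the tools named; it shows the two checks a defender would run in response. The first scans sshd log lines (a constructed sample is embedded) for a burst of failed logins from one source followed by a password-based success, which is the pattern that precedes the persistence tooling described. The second audits an sshd_config fragment for the permissive settings that make such brute-forcing viable and compares it with a hardened fragment that disables passwords and requires two authentication methods. Thresholds, the sample log, and the config fragments are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not from the report):
# five failures from one host inside a minute, then a password success.
SAMPLE_LOG = """\
Jul  8 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jul  8 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jul  8 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jul  8 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jul  8 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jul  8 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Jul  8 10:05:00 host sshd[1300]: Accepted publickey for ops from 198.51.100.4 port 41000 ssh2
Jul  8 10:06:00 host sshd[1301]: Failed password for ops from 198.51.100.4 port 41001 ssh2
Jul  8 10:06:30 host sshd[1302]: Accepted password for ops from 198.51.100.4 port 41002 ssh2
"""

FAIL_THRESHOLD = 5            # assumed: failures per source IP that count as a brute-force burst
WINDOW = timedelta(seconds=60)  # assumed: sliding window over which failures are counted

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is supplied by the caller
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings: a brute-force burst per IP, and any password success that follows one."""
    failures = defaultdict(list)  # source IP -> timestamps of failures still inside the window
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = [t for t in failures[ip] if ts - t <= window]  # slide the window forward
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # report once, when the burst crosses the threshold
                findings.append({"type": "brute_force", "ip": ip, "ts": ts, "failures": len(recent)})
        elif ev["method"] == "password" and len(recent) >= threshold:
            # a password login succeeding right after a burst is the likely compromise
            findings.append({"type": "brute_force_success", "ip": ip, "user": ev["user"], "ts": ts})
        failures[ip] = recent
    return findings


# Constructed sshd_config fragments: the permissive defaults beside a hardened variant.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
# key plus a second factor; the second factor itself is supplied by a PAM module (not shown)
AuthenticationMethods publickey,keyboard-interactive
"""


def audit_sshd_config(text):
    """Return a list of weaknesses found in an sshd_config fragment (empty list if none)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    issues = []
    # fallback values are OpenSSH's documented defaults for each directive
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        issues.append("PermitRootLogin yes: root can be brute-forced directly")
    if settings.get("passwordauthentication", "yes") == "yes":
        issues.append("PasswordAuthentication yes: single-factor password logins allowed")
    if int(settings.get("maxauthtries", "6")) > 3:
        issues.append("MaxAuthTries > 3: many guesses per connection")
    if "," not in settings.get("authenticationmethods", ""):
        issues.append("AuthenticationMethods does not require two factors")
    return issues


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On the sample the analyzer reports one brute-force burst from 203.0.113.7 and one password success from the same host; the single failure from 198.51.100.4 stays below the threshold and produces nothing. The audit flags all four weaknesses in the permissive fragment and none in the hardened one. In production the log parser would be fed `journalctl -u ssh` or `/var/log/auth.log`, and the same per-source windowing applies to any other password-guessable service exposed by the SCADA controllers the report describes.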
