Shedding Zmiy (hacker group)

History

2024: Presence in the networks of Russian state-owned companies

In May 2024, the information security company Solar announced the identification of the pro-state hacker group Shedding Zmiy, which attacked dozens of Russian organizations.

According to experts, the cyber group poses a serious threat to the Russian infrastructure, since it uses both publicly available malware and unique, designed specifically for specific purposes, and sometimes uses compromised legitimate servers to download malware to the victim's systems. At the same time, as told in the Soler group, Shedding Zmiy knows how to confuse traces: the group owns "an extensive network of command servers in Russia, rents resources from various hosting providers and on cloud platforms; this helps hackers bypass blocking attacks on a territorial basis (GeoIP). "

Unsplash

According to Solar experts, the hacker group uses highly professional social engineering. So, for example, for one of the cyber attacks, they created a profile in Telegram, pretended to be a specialist in the information security service and "asked" a company employee for the password for the account.

We called the Shedding Zmiy group, because whenever we came across them, we saw them in a new guise with a changed set of tactics, techniques and procedures, "says Gennady Sazonov, engineer of the Solar 4RAYS Solar Group incident investigation team. - As snakes regularly change skin, so they show exceptional variability and flexibility in the methods of their attacks. And it is Zmiy, since several pro-Ukrainian Telegram channels are associated with the group, in which they published data stolen from the attacked organizations.

Solar did not specify which country the Shedding Zmiy cyber group belongs to.^[1]

Notes