Targeted cyber attacks on organizations in Donetsk, Luhansk, and Crimea were reported by Kaspersky Lab in March 2023. By May, the same group of attackers had shown even greater sophistication, extending its targeting beyond organizations to individuals, diplomatic missions, and academic institutions in Central and Western Ukraine. The attacks observed in March used the CommonMagic framework, while the later attacks employed the more intricate, modular CloudWizard framework. Furthermore, evidence suggests that this group was also responsible for the Operation BugDrop and Operation Groundbait (Prikormka) cyber espionage campaigns.
Unveiling the Connection: CloudWizard and CommonMagic Campaigns Linked in Long-Standing Cyber Espionage
The cyber espionage campaign unveiled in March had been active since at least September 2021. It employed previously unknown malware: the complex, modular CommonMagic framework, which was installed after a device had first been infected with a PowerShell backdoor.
Although some aspects of the campaign remained unclear to researchers in March, their investigation continued and yielded deeper insights into past campaigns. In May, a newly discovered campaign surfaced that employed the modular CloudWizard framework. This framework consisted of nine modules, each responsible for a distinct malicious action such as file collection, screenshot capture, password theft, keystroke logging, and audio recording. Notably, one of the modules extracted Gmail account cookies, granting the attackers access to the victim's activity history, contact list, and all email messages.
During the analysis of CloudWizard, researchers identified striking similarities with the Operation Groundbait (Prikormka) and Operation BugDrop campaigns of 2015-2016. These similarities spanned code, file naming format, the use of Ukrainian hosting providers, and an overlap of targeted locations in Central, Western, and Eastern Ukraine. CloudWizard also resembled the CommonMagic campaign: the two share identical sections of code and the same encryption library, use similar file naming formats, and were both employed in attacks within the same regions.
“The group responsible for these attacks has been engaging in cyber espionage activities within the region for over 15 years, continuously refining their techniques. Considering the persistent influence of geopolitics on cyber threats, we anticipate that such attacks will persist in the region for the foreseeable future,” commented Leonid Bezvershenko, a cybersecurity expert from Kaspersky Lab.