Ukrainian networks have been on the receiving end of grimly sophisticated and innovative cyberattacks from pRussia for nearly a decade, and Ukraine has increasingly struck back, particularly since the Kremlin’s invasion last year. Amidst all of this and activity from other governments and hacktivists, researchers from the security firm Malwarebytes say that they’ve been tracking a new hacking group that has been conducting espionage operations since 2020 against both pro-Ukraine targets in central Ukraine and pro-Russia targets in eastern Ukraine.
Malwarebytes attributes five operations between 2020 and the present to the group, which it has dubbed Red Stinger, though the researchers only have insights into two of the campaigns conducted in the past year. The group’s motives and allegiance aren’t yet clear, but the digital campaigns are noteworthy for their persistence, aggressiveness, and lack of ties to other known actors.
The campaign that Malwarebytes calls “Operation Four” targeted a member of Ukraine’s military who works on Ukrainian critical infrastructure, as well as other individuals whose potential intelligence value is less obvious. During this campaign, attackers compromised victims’ devices to exfiltrate screenshots and documents, and even record audio from their microphones. In Operation Five, the group targeted multiple election officials running Russian referendums in disputed cities in Ukraine, including Donetsk and Mariupol. One target was an adviser to Russia’s Central Election Commission, and another works on transportation—possibly railroad infrastructure—in the region.
“We were surprised about how big these targeted operations were, and they were able to gather a lot of information,” says Roberto Santos, a threat intelligence researcher at Malwarebytes. Santos collaborated on the investigation with former colleague Hossein Jazi, who first identified Red Stinger activity. “We have seen past targeted surveillance, but the fact that they were collecting real microphone recordings from victims and data from USB drives, it’s unusual to see.”
Researchers from the security firm Kaspersky first published about Operation 5 in late March, naming the group behind it Bad Magic. Kaspersky similarly saw the group focusing on government and transportation targets in eastern Ukraine, along with agricultural targets.
“The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns,” Kaspersky researchers wrote.
The campaigns begin with phishing attacks to distribute malicious links that lead to tainted ZIP files, malicious documents, and special Windows linking files. From there, attackers deploy basic scripts to act as a backdoor and a loader for malware. The Malwarebytes researchers note that Red Stinger seems to have developed its own hacking tools and reuses characteristic scripts and infrastructure, including specific malicious URL generators and IP addresses. The researchers were able to expand their understanding of the group’s operations after discovering two victims who appear to have infected themselves with Red Stinger malware while testing it.
“It’s happened in the past with different attackers that they infect themselves,” Santos says. “I think they just got lazy because they were undetected since 2020.”
Red Stinger appears to be currently active. With details about its operations now entering the public sphere, the group may tweak its methods and tools in an attempt to evade detection. The Malwarebytes researchers say that by releasing information about the group’s activities, they hope other organizations will deploy detections for Red Stinger operations and search their own telemetry for additional indications of what the hackers have done in the past and who is behind the group.