Solar has identified a hacker group spying on Russian companies

MOSCOW, May 24. Specialists from the Solar Group have discovered a hacker group called Shedding Zmiy: it has been spying on Russian companies since at least 2022 and has several dozen on its account cyber attacks on the public sector, industry, telecom and other industries, the company’s press service said.
“Experts from the Solar 4RAYS cyberthreat research center of the Solar Group have identified the activities of the pro-state highly professional group Shedding Zmiy, which has been spying on Russian organizations since at least 2022. The hackers have carried out several dozen cyber attacks on the public sector, industry, telecom and other industries. They used the compromised data in subsequent attacks, and also posted them publicly,” the release says.

The Shedding Zmiy group is hunting for data. As Solar Group experts noted, it poses a serious threat to Russian infrastructure: attackers use both publicly available malicious software and unique ones that are developed specifically for specific purposes. In total, traces of the use of 35 different tools for reconnaissance, delivery of malware, covert horizontal promotion within the network and data theft were discovered, the report notes.

According to Solar specialists, the group has an extensive network of command and control servers in Russia; it rents resources from various hosting providers and on cloud platforms: this helps hackers bypass blocking attacks on a territorial basis. In addition, hackers use highly professional social engineering. For example, for one of the cyber attacks, they created a Telegram profile, pretended to be an information security specialist, and “begged” a company employee for the account password.
“We named the group Shedding Zmiy because every time we encountered them, we saw them in a new guise with a modified set of tactics, techniques and procedures. Just as snakes regularly change their skin, they demonstrate exceptional variability and flexibility in the methods of their attacks. And specifically Zmiy, since several pro-Ukrainian Telegram channels are associated with the group, in which they published data stolen from the attacked organizations,” commented Gennady Sazonov, an engineer of the Solar 4RAYS incident investigation group of the Solar Group.