Space Pirates group targets key sectors of the Russian economy: a study by Positive Technologies

At least 16 companies in Russia have been attacked over the past year

The Positive Technologies Expert Security Center (PT ESC) has registered a new wave of attacks by the Space Pirates[1] hacking group. The criminals, known for their large-scale activities, have developed new tools and increased their attempts to attack the Russian public sector, aviation and aerospace industries, and educational institutions.

According to PT ESC, Space Pirates successfully attacked at least 16 companies in Russia during 2022. The criminals' main goals are espionage and theft of confidential information. However, the group has broadened its scope of interest to include other targets. Among the new victims, experts highlight government, educational institutions, security, aviation, aerospace, agricultural, military, and fuel and energy companies, as well as information security companies. A ministry in Serbia also suffered an attack by Space Pirates.

Denis Kuvshinov, Head of Threat Analysis, Positive Technologies Expert Security Center, commented: "Over the past year, we have often seen Space Pirates activity during our cyberattack investigations. The group's tactics haven't changed much, but the hackers have developed new tools that use unusual techniques (such as Voidoor) and improved old ones. We found an Acunetix scanner on one of the Space Pirates' C2 servers: this suggests a likely attack vector via vulnerability exploitation that we have not encountered before. To protect your company against threats posed by Space Pirates, we recommend taking proactive measures, such as using traffic analyzers and sandboxes to identify even complex malware."

Positive Technologies first registered Space Pirates activity in late 2019, when a Russian aerospace company received a phishing email containing previously unknown malware. Over the next two years, our specialists identified four more compromised companies (two of them state-owned) that were targeted by the criminals. PT ESC continues to monitor and respond to threats, including those posed by Space Pirates.

Positive Technologies products such as the PT Network Attack Discovery (PT NAD) behavioral traffic analysis system and PT Sandbox can detect malicious activities of Space Pirates, prevent attacks, and identify infected hosts in the network. Up-to-date versions of these tools already contain the required expertise. For example, PT Sandbox detects malware used by Space Pirates and identifies additional hacker toolkits registered during investigations. In addition, PT Sandbox detects malware using a combination of behavioral analysis, PT ESC network and YARA rules, and machine learning algorithms.

PT NAD uses reputational lists with domain names and IP addresses belonging to cybercriminals when performing an analysis. Proprietary threat detection rules help to detect network activity of backdoors and malware on infected devices inside the protected network.

  1. By many indications, the developer of the tools does indeed have Chinese roots. Whether the developer is a member of the group is unknown to us. However, the group uses techniques typical of Chinese groups (like APT41, for example), such as hosting servers on Choopa and using specific files for DLL hijacking.