Cybersecurity experts at Solar 4RAYS, a division of Solar Group, have recently uncovered a series of sophisticated cyber attacks attributed to a group dubbed “Obstinate Mogwai.” This newly identified threat actor has been targeting government organizations, IT companies, and their contractors in Russia, with a primary focus on cyber espionage.
Tactics and Techniques of Obstinate Mogwai
Between 2023 and early 2024, Solar 4RAYS investigators documented Obstinate Mogwai’s attacks on at least four Russian organizations. The group’s preferred methods for network infiltration include exploiting publicly accessible services, leveraging contractor access, and utilizing legitimate accounts.
In the analyzed incidents, the attackers employed a combination of known malicious tools such as KingOfHearts and TrochilusRAT, along with two newly discovered backdoors: Donnect and DimanoRAT. This diverse toolkit demonstrates the group’s technical capabilities and adaptability.
A Unique Case Study: Manual Document Review
One particularly intriguing attack, recorded by the Solar SafeInspect system, revealed that the hackers manually browsed confidential documents and captured screenshots. This unusual approach provides valuable insights into the group’s operational methods and objectives.
Targeting Exchange Servers
Obstinate Mogwai has shown a consistent interest in Exchange servers, which frequently serve as entry points into victim infrastructures. In a January 2024 incident targeting a Russian government organization, the group attempted to establish a foothold using .NET deserialization techniques.
Exploiting Contractor Credentials
The attackers leveraged compromised privileged contractor accounts to access electronic document management systems. This tactic allowed them to browse sensitive documents related to several Asian countries, demonstrating a clear geopolitical focus in their espionage activities.
Detection and Analysis
The attack was initially detected through IIS events in the organization’s SIEM system. Suspicious GET and POST requests to OWA resources from known malicious IP addresses triggered the alert. Further investigation revealed that the attackers were using certificates and accounts belonging to a contractor of the targeted organization.
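The detection described above, as an added example that is not code from the Solar 4RAYS report: a minimal rule that reads IIS W3C logs and flags GET/POST requests to OWA resources from a list of known malicious IP addresses. The log lines, the blocklist addresses and the set of OWA-related URL prefixes are constructed assumptions for illustration.

```python
import ipaddress
# Constructed blocklist: documentation-range addresses, not indicators from the report.
KNOWN_BAD_IPS = {"203.0.113.10", "198.51.100.7"}
# Assumed OWA-related virtual directories exposed on the Exchange front end.
OWA_PREFIXES = ("/owa", "/ecp", "/autodiscover")

def parse_w3c(lines):
    """Yield one dict per record of an IIS W3C log, keyed by its #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed records rather than misalign columns
        yield dict(zip(fields, values))

def is_suspicious(rec, bad_ips=KNOWN_BAD_IPS):
    """True for a GET/POST to an OWA-related path from a listed client IP."""
    try:
        client = str(ipaddress.ip_address(rec.get("c-ip", "")))
    except ValueError:
        return False  # not a parseable address; nothing to match against
    return (rec.get("cs-method") in ("GET", "POST")
            and rec.get("cs-uri-stem", "").lower().startswith(OWA_PREFIXES)
            and client in bad_ips)

def find_alerts(lines, bad_ips=KNOWN_BAD_IPS):
    """Return (timestamp, client ip, method, path, user) for each suspicious record."""
    return [(f'{r["date"]} {r["time"]}', r["c-ip"], r["cs-method"],
             r["cs-uri-stem"], r.get("cs-username", "-"))
            for r in parse_w3c(lines) if is_suspicious(r, bad_ips)]

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-15 02:13:44 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302
2024-01-15 02:13:51 10.0.0.5 GET /owa/ - 443 CORP\\contractor01 203.0.113.10 Mozilla/5.0 200
2024-01-15 09:01:02 10.0.0.5 GET /owa/ - 443 CORP\\alice 192.168.1.20 Mozilla/5.0 200
2024-01-15 09:05:10 10.0.0.5 GET /rpc/rpcproxy.dll - 443 - 203.0.113.10 Outlook 401
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

In a real deployment the blocklist would be fed from threat intelligence and the matched `cs-username` values cross-checked against the contractor accounts the PAM system is recording.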
Solar SafeInspect, a Privileged Access Management (PAM) system, played a crucial role in uncovering the full extent of the breach. By automatically recording screen sessions of privileged accounts, it captured the attackers’ nocturnal activities, providing invaluable evidence of their methods and interests.
Potential Links to Other APT Groups
Researchers have noted similarities between Obstinate Mogwai and other Asian-region APT groups, particularly IAmTheKing (also known as PowerPool). This has led to speculation that Obstinate Mogwai could be an evolution of IAmTheKing, employing updated tools and techniques.
The emergence of Obstinate Mogwai underscores the ever-evolving landscape of cyber threats, particularly those targeting critical infrastructure and government organizations. As these sophisticated actors continue to refine their tactics, it is crucial for organizations to implement robust cybersecurity measures, including advanced threat detection systems, privileged access management, and regular security audits. Staying vigilant and adapting to new threats will be key in defending against groups like Obstinate Mogwai and safeguarding sensitive information in an increasingly complex digital world.