About the hackers from Shedding Zmiy first-hand. Interview with Gennady Sazonov and Anton Kargin from Solar 4RAYS of Solar Group of Companies

performed with a report on the Shedding Zmiy group, so it’s worth watching to complete the picture. Happy reading!

How did you first find traces of this group?

Anton: When we started investigating the incidents, we did not have a clear understanding of the situation. We found various indicators, and the first of them was the CobInt malware, associated with the Cobalt group, which has been known since at least 2016. We separated Shedding Zmiy as a separate cluster, without connecting it directly to Cobalt or ex-(Cobalt).

Gennady: During the research, we discovered unique malware and techniques that are specific only to this group. Moving from case to case and collecting new artifacts – IP addresses, network infrastructure, techniques and features used – we were able to combine all the information into one story, which we called Shedding Zmiy.

This was some kind of ordinary case with one of your customers, right?

Gennady: Yes, the first case turned out to be quite common, but it attracted public attention because the attackers published the data stolen from the victim. That is why we were invited to investigate. This was our first encounter with this group, and we did not yet know all the details about it.

And then you had several incidents, right?

Gennady: Definitely. We had several incidents that we eventually linked into one chain. The first occurred in December 2022, and the last one we covered was in February 2024. Thus, we monitored this group for a year and a half. In addition, data discovered by Anton points to a custom bootloader and malware used in phishing emails going back to March 2022. We see traces of the group's activity for more than two years.

Did colleagues from other companies help you in searching for this group?

Gennady: We did not exchange data with colleagues from other companies, but closely followed their reports and research. We studied how they described similar groups mentioned on one of our slides and recorded connections with our group. When reading their materials, we made sure to take into account the general points in our work.

It turns out that colleagues from other information security companies did not have adjacent traces of this group?

Gennady: All colleagues attributed the observed incidents to their old groups. Some linked the tracks to ex-(Cobalt), others pointed to groups such as Shadow/Comet, Twelve. It is important to note that everyone interpreted the situation in their own way. Some of our colleagues have seen more instances of encryption and disruption, while we have seen a shift in motivation towards cyber espionage.

Do I understand correctly that these are more hacktivists and not a group focused on cyber espionage and financial enrichment?

Anton: We wouldn't call them hacktivists. It is important to note that the instruments we analyzed revealed several unique patterns that our colleagues had not reported on. Their activity level is quite high. Some instances of malware exploited a ten-year-old vulnerability, were first noticed in attacks on Russia, and were designed for maximum secrecy. This surprised us. It is unlikely that ordinary hacktivists would demonstrate such a high level of preparation.

It turns out that Shedding Zmiy is engaged in cyber espionage, but for what purpose is it unknown?

Gennady: Attribution issues are always complex and we approach them with caution. We laid out our vision and one of the audience members approached us, asking in a whisper about a specific country. He was pretty close to the truth. Although we will not announce the name of the country, I think those who understand the topic will understand what we are talking about.

Anton: We are aware of some attacks on contractors working with large government companies. It is likely that the purpose of such attacks could be to penetrate the infrastructure of government agencies to obtain confidential information. However, in our practice there were no such cases recorded.

Have you tried to trace this group on the Darknet?

Gennady: Monitoring darknet channels is not really our area. This is done by our separate division Solar AURA, which specializes in tracking such threats. So far there has been no specific information from them, but we are constantly exchanging data. We noted that the Shedding Zmiy group often purchases specialized software from underground forums and uses it in its attacks, especially in the initial stages.

Anton: We did not have direct contacts with them. The only mention related to threats against us was removed shortly after publication. No active actions were taken against us, and their goals probably lie on a different plane.

Will we hear about this cluster again? What's your forecast? Will they continue to act or will they go into hiding after your report?

Gennady: There is a high probability that they will not change their motivation and aspirations. The group attacks many organizations, and the seven cases we have described are just those in which we have been involved. There are probably many more companies affected: some do not know about the hack, while others prefer not to report it.

Anton: We are also seeing significant development in their tools. They gradually improve their techniques. For example, at first we saw loaders written in one language, and then the more complex XDHijack loader appeared. This can be seen as a transition from Nim to XDHijack. Their complex Bad State framework is also being developed – we've seen several versions of it, indicating that it's under active development. Based on this, we can conclude that they have long-term plans.

Gennady: As for the name, they don't call themselves that. We have certain rules for designating groups. The 4RAYS blog published a post where we look in detail at how names for cyber groups are formed. We explain why certain names are chosen and show our approach to classifying threats and how it compares with international practice.

Anton: Cyber groups rarely give themselves names. The Shadow and Twelve groups, for example, openly announced their attacks in ransom notes and on their Telegram channels. But more often their names are invented by cybersecurity specialists. As a result, the same groups may have different names from different companies. They may have their own internal names, but they do not disclose them to make identification difficult.

Gennady: We noted that the Shedding Zmiy group is associated with other cybercriminal structures. Some of them even use their own public channels, for example, the BlackJack group with a Telegram channel of the same name.

How likely is this group to be pro-state?

Gennady: The probability of this is very low. Some publicly active members of the group reported transferring some information downloaded from victims’ networks for the needs of government services and departments of a particular country, but completely state-sponsored groups keep a low profile and do not comment on their activities publicly.

Some groups have been shown to be self-funding, which explains their public fundraising for equipment and facilities – this openness is often in contrast to government-sponsored groups, which usually have stable funding and resources. Also, a motivated team can be formed around ideological goals, which are often comparable to the government agenda, but do not necessarily coincide.

This is how our conversation turned out. I think I will have other materials on the topic of detecting hacker groups and identifying hacker attacks. By the way, I have material about the first steps in searching for a hacker presence in an enterprise. So together with material about Shedding Zmiy an interesting picture emerges. Thanks for reading!
