BI.ZONE sheds light on data breaches caused by Leak Wolf’s malware-free attacks
In 2022, hacktivists were the driving force behind a surge in data breach incidents. Unlike ransomware attackers motivated by financial gains or espionage actors sponsored by national governments, hacktivist groups aim to break into companies for “ethical” reasons.
Leak Wolf is one such group. Its earliest known activity dates to April 2022, when it began publishing stolen data from several victims on Telegram. By early 2023, the group had attacked more than 40 Russian companies, most often in retail, education, and IT.
Unlike conventional intrusions, Leak Wolf's attacks involved no public exploits, no malware, and no phishing emails. According to the BI.ZONE Cyber Threat Intelligence unit, the attackers logged in with compromised employee accounts and abused the trusted access that IT contractors held in the victims' infrastructure. Because every action looked like legitimate use of a legitimate account, the group stayed invisible to monitoring for long periods. To avoid drawing attention, it leased Russia-based servers and connected through a VPN, so its sessions blended in with the remote work that security teams had come to expect.
The perpetrators also obtained access by mining leaks of individual users' data. Employees often neglect basic digital hygiene: they register on third-party platforms with their corporate email addresses and reuse the same simple password across accounts, so a breach of an unrelated site yields working corporate credentials.
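The reuse problem described above can be audited from the defender's side: take a credential dump that names your mail domain and check whether any leaked password is still the user's current corporate password. The following is an added example, not BI.ZONE's tooling or anything from the white paper. The leak dump, the corporate password store (PBKDF2-SHA256 with per-user salts) and the domain `example.com` are all constructed assumptions for illustration.

```python
"""Audit corporate accounts against a third-party credential leak.

Added example (not BI.ZONE's code). The leak dump, the corporate
password store and the mail domain below are constructed sample data.
"""
import hashlib
import hmac
import os

CORP_DOMAIN = "example.com"  # assumed corporate mail domain

# Constructed "leak" from a third-party site, in the usual email:password
# combolist form. Two corporate users appear in it alongside unrelated ones.
LEAK_DUMP = """\
j.smith@example.com:Summer2022!
a.ivanov@example.com:qwerty123
random.user@gmail.com:hunter2
m.petrova@example.com:Welcome1
"""


def _hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password verifier used by the constructed corporate store (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_store(accounts: dict) -> dict:
    """Build the constructed corporate store: user -> (salt, verifier)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store


# Constructed current corporate passwords: j.smith and m.petrova reused the
# password that leaked, a.ivanov did not.
CORP_STORE = make_store({
    "j.smith": "Summer2022!",
    "a.ivanov": "S3cure-Unique-Pass",
    "m.petrova": "Welcome1",
})


def parse_leak(dump: str, domain: str):
    """Yield (local_part, password) for leak entries that use the corporate domain."""
    for line in dump.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        local, _, mail_domain = email.partition("@")
        if mail_domain.lower() == domain:
            yield local.lower(), password


def find_reused(dump: str, store: dict, domain: str = CORP_DOMAIN) -> list:
    """Return corporate users whose current password equals one found in the leak."""
    reused = []
    for user, leaked_pw in parse_leak(dump, domain):
        if user not in store:
            continue
        salt, verifier = store[user]
        # Constant-time comparison so the audit itself does not leak timing.
        if hmac.compare_digest(_hash(leaked_pw, salt), verifier):
            reused.append(user)
    return sorted(reused)


if __name__ == "__main__":
    for user in find_reused(LEAK_DUMP, CORP_STORE):
        print(f"password reuse: {user}@{CORP_DOMAIN} - force reset and review recent logins")
```

In a real environment the comparison runs against whatever verifier the directory actually holds (for Active Directory that is the unsalted NT hash, which makes bulk comparison cheap), and every hit should trigger a forced reset plus a review of that account's recent sessions, since the attacker may already have used it.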
Once inside the target infrastructure, the attackers scanned the network, collected sensitive information (for example, a client database), uploaded it to a file-sharing site, and posted the download link in Telegram.
Because this campaign left none of the usual artifacts, reducing the risk depends on security event monitoring within the SOC that is tuned to the behavior actually observed: use of employee and contractor accounts from unfamiliar sources, internal scanning from a single account, and bulk uploads to file-sharing services. If an incident has already occurred, rapid response and a proper investigation are critical: they let the company establish the attack vector, isolate the compromised assets from the network, and prevent a repeat intrusion through the same access.
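Two of the post-access behaviors described above, an internal scan from a single account and a bulk upload to a file-sharing site, are the kind of thing SOC monitoring can catch without any malware signature. The script below is an added example of that detection logic, not BI.ZONE's SOC content or anything from the white paper. The record format, the internal address range, the watched domain `sharing-example.com`, the thresholds and the sample records are all constructed assumptions.

```python
"""Behavioral detections for malware-free intrusions, run over constructed
proxy/flow records. Added example, not BI.ZONE's code; the log format,
thresholds, internal ranges and watched domains are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
FILE_SHARING_DOMAINS = {"sharing-example.com"}         # assumed watch list
SCAN_HOSTS = 20                                        # distinct hosts per window
SCAN_WINDOW = timedelta(minutes=5)
EXFIL_BYTES = 100 * 1024 * 1024                        # 100 MiB per user and domain


def sample_log() -> str:
    """Constructed records: 'time,user,src_ip,dst_host,dst_port,bytes_out'."""
    lines = []
    # contractor1 touches 40 internal hosts on SMB within 40 seconds (scan).
    for i in range(1, 41):
        lines.append(f"2023-01-10T09:00:{i:02d},contractor1,10.20.1.15,10.20.5.{i},445,300")
    # ...then pushes ~950 MB to a file-sharing site (exfiltration).
    lines.append("2023-01-10T09:30:00,contractor1,10.20.1.15,files.sharing-example.com,443,950000000")
    # j.smith is ordinary traffic: one internal host, a small upload, mail.
    lines.append("2023-01-10T09:10:00,j.smith,10.20.2.7,10.20.5.1,443,1200")
    lines.append("2023-01-10T09:11:00,j.smith,10.20.2.7,files.sharing-example.com,443,20480")
    lines.append("2023-01-10T09:12:00,j.smith,10.20.2.7,mail.example.com,443,4000")
    return "\n".join(lines)


def parse(log_text: str) -> list:
    """Parse the constructed CSV-style records into dicts."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, user, src, dst, port, nbytes = line.split(",")
        rows.append({"time": datetime.fromisoformat(t), "user": user, "src": src,
                     "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return rows


def is_internal(host: str) -> bool:
    """True for IP destinations inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_scans(rows: list) -> dict:
    """Users reaching >= SCAN_HOSTS distinct internal hosts within SCAN_WINDOW.

    Returns user -> largest distinct-host count seen in any window.
    """
    by_user = defaultdict(list)
    for r in rows:
        if is_internal(r["dst"]):
            by_user[r["user"]].append((r["time"], r["dst"]))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        window = deque()
        for t, dst in events:
            window.append((t, dst))
            while t - window[0][0] > SCAN_WINDOW:   # slide the window forward
                window.popleft()
            distinct = {d for _, d in window}
            if len(distinct) >= SCAN_HOSTS:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def detect_exfil(rows: list) -> dict:
    """(user, domain) pairs sending more than EXFIL_BYTES to a watched domain."""
    totals = defaultdict(int)
    for r in rows:
        parts = r["dst"].lower().split(".")
        for i in range(len(parts) - 1):           # match any parent domain
            domain = ".".join(parts[i:])
            if domain in FILE_SHARING_DOMAINS:
                totals[(r["user"], domain)] += r["bytes"]
                break
    return {k: v for k, v in totals.items() if v > EXFIL_BYTES}


if __name__ == "__main__":
    rows = parse(sample_log())
    for user, n in detect_scans(rows).items():
        print(f"internal scan: {user} reached {n} hosts within {SCAN_WINDOW}")
    for (user, domain), total in detect_exfil(rows).items():
        print(f"bulk upload: {user} sent {total} bytes to {domain}")
```

Both rules fire on the contractor account and stay quiet on the ordinary user, which is the point: with no exploit or malware to match, the signal is the account doing something an employee or contractor never normally does. The thresholds are starting values and need tuning against a baseline of each environment's real traffic.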
Read more about Leak Wolf’s tactics, techniques, and procedures in our white paper Hidden in plain sight.