Russian nation-state group Sandworm is believed to be utilizing a novel backdoor to target organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers.
The previously unreported backdoor, dubbed ‘Kapeka’, has a high level of stealth and sophistication, designed to both serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate.
“Kapeka’s development and deployment likely follows the ongoing Russia-Ukraine conflict, with Kapeka being likely used in targeted attacks across Central and Eastern Europe ever since the illegal invasion of Ukraine in 2022,” the researchers wrote.
For example, they said the novel backdoor was likely used in intrusions that led to the deployment of Prestige ransomware in late 2022, which targeted transportation and logistics industries in Ukraine and Poland.
The technical analysis of Kapeka is designed to raise awareness amongst businesses, governments and the broader security community of the threat it poses.
Sandworm Using Novel Backdoor to Support Espionage Campaigns
In findings corroborated with Microsoft, WithSecure believes Kapeka is being used as a bespoke tool by Sandworm as part of wider espionage campaigns to support intelligence collection for the Russian state.
These campaigns can also lead to sabotage operations at later stages, including ransomware attacks, according to the report.
The Sandworm group is operated by Russia's military intelligence service, the GRU, and is known to support the wider strategic objectives and changing intelligence requirements of the Russian state.
The advanced persistent actor (APT) has been blamed for several destructive attacks against critical infrastructure organizations in Ukraine, including causing a power outage in 2022.
WithSecure cited several reasons why it assesses Kapeka is being used by Sandworm. These are:
- Numerous overlaps between Kapeka and GreyEnergy, a modular backdoor thought to be part of Sandworm’s arsenal. Kapeka is likely a successor to GreyEnergy
- Its infrequent sightings point to its meticulous usage by an APT in operations that span over years, such as the Russia-Ukraine conflict
- The level of stealth and sophistication also indicate advanced APT activity, highly likely of Russian origin
- Based on victimology, the backdoor was likely used in campaigns specifically targeting victims in Eastern Europe. It was first observed as part of an intrusion in an Estonian logistics company in late 2022, which was likely linked to Russian APT activity
However, the researchers acknowledged that they currently do not have sufficient data to state conclusively that it has become part of Sandworm’s arsenal.
No tags.
