Karakurt data thieves linked to larger Conti hacking group


Data theft group has apparent ties to another, more prolific hacking crew, according to cyber security vendor Tetra Defense.


An analysis of the cryptocurrency wallets tied to the Karakurt hacker group, combined with the group's particular methodology for data theft, suggests that its membership overlaps with two other prominent hacking crews, according to a report published by cyber security vendor Tetra Defense.

Tetra's report details the experience of a client company that was hit with a ransomware attack by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt group. The analysis showed that the Karakurt attack used precisely the same backdoor to compromise the client's systems as the earlier Conti attack.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra wrote in its report.

It's important to differentiate the two types of cyber attack described here, according to Tetra. In a ransomware attack, key data is encrypted and the extortion money is paid in exchange for a decryption key, so that the target company can recover its data and resume operating.

In a data theft, which has been the sole type of attack perpetrated by the Karakurt group, hackers steal sensitive corporate data and demand money in exchange for not releasing it to the world at large.

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also used cryptocurrency wallets linked to Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly.

This pattern represents a departure from the Conti group's normal way of doing business, according to Nathan Little, senior vice president of digital forensics and incident response at Tetra.

"Historically, we've seen the criminals honour their deals," he says. "Early on, when these [data theft attacks] started in 2019, it was common that companies were frightened enough that they'd pay, not to hide the incident, but to avoid the consequences."

These days, however, data theft has become common enough — and new regulatory regimes have made mandatory disclosures more likely — that companies are less likely to pay just to have their data protected.

Nor is that the only troubling thing about the Karakurt attacks, according to Tetra. The attacks erode victim companies' confidence that they won't be targeted repeatedly by the same kinds of attack.

Paying off a Conti ransom was usually a relatively solid guarantee that the group would move on and that no further attacks would be forthcoming. If the two groups are linked, and victims are indirectly being re-extorted by the same people, payments may become harder to come by.

"It's interesting how it unfolds," says Little. "It does seem to be a little bit of a side hustle within the Conti group."

While the machinery of cyber crime is fantastically complicated, he added, the initial system compromise that makes these attacks possible is frequently quite simple, and can often be avoided with relatively basic protective measures.

"Cyber security is a big problem that needs solving, but many of these incidents, with some pretty basic cyber security controls, they wouldn't happen," Little says.
