Uncovering Red Stinger: 15 Years of Hacking History Revealed

Recently, Russian security firm Kaspersky released new research that sheds light on the operations of a mysterious hacker group known as Red Stinger. Last week, security firm Malwarebytes published research about the group and concluded that the malware used in their attacks had no connections to any other known hacking tools. Kaspersky’s research finally links the group to past activity and provides some preliminary context for understanding the attackers’ possible motivations.

Kaspersky’s Research

Kaspersky researchers reviewed historic telemetry data and discovered that some of the cloud infrastructure and malware used by Red Stinger had similarities to espionage campaigns in Ukraine identified by security companies ESET in 2016 and CyberX in 2017. Georgy Kucherin, a Kaspersky malware researcher, noted that Malwarebytes found out more about the initial infection stage and the installer used in some of the group’s attacks since 2020. After publishing their report about the malware, they decided to view historical data about similar campaigns with similar targets that have occurred in the past. This is how they discovered the two similar campaigns from ESET and CyberX, concluding with medium to high confidence that all three campaigns are likely to be executed by the same actor.

Similarities to Past Hacking Activity

The different activity through time has similar victimology, meaning that Red Stinger focused on the same types of targets – including both officials working for pro-Russia factions within Ukraine and Ukrainian government officials, politicians, and institutions. Kucherin also noted that there were similarities and multiple overlaps in the code of the plugins used by Red Stinger’s malware, with some code appearing to be copied and pasted from one campaign to another. The researchers also saw similar use of cloud storage and characteristic file formats on files exported to their servers.

Tactic Used by Red Stinger

Malwarebytes documented five campaigns since 2020 by Red Stinger, including one targeting a member of Ukraine’s military who works on Ukrainian critical infrastructure and another targeting pro-Russia election officials in eastern Ukraine, an adviser to Russia’s Central Election Commission, and one who works on transportation in the region. In 2016, ESET wrote of an activity it called “Operation Groundbait” which targeted anti-government separatists in self-declared Donetsk and Luhansk People’s Republics as well as Ukrainian government officials, politicians, and journalists. Malwarebytes also found that one particularly invasive tactic used by Red Stinger was recording audio directly from victims’ compromised devices in addition to collecting other data like documents and screenshots – something CyberX named “Operation BugDrop” when they discovered it in 2017.

Kaspersky cites ESET’s conclusion from 2016 that Operation Groundbait was likely created by Ukrainians but notes that they did not investigate or verify this finding. Kucherin believes that Red Stinger has been able to remain largely hidden for so long because their attacks are typically highly targeted with at most dozens of individuals at a time rather than launching mass exploitation. He also adds that Ukraine has been such an intense digital battleground for so many years that other actors and activities seem to have distracted researchers.