Karakurt data thieves linked to larger Conti hacking group

Data theft group has apparent ties to another, more prolific hacking crew, according to cybersecurity firm Tetra Defense.

An analysis of the cryptocurrency wallets tied to the Karakurt hacker group, combined with their particular methodology for data theft, suggests that the group's membership overlaps with two other prominent hacking crews, according to an analysis published by cybersecurity firm Tetra Defense.

Tetra's report details the experience of a client company that was hit with a ransomware attack by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt group. The analysis showed that the Karakurt attack used precisely the same backdoor to compromise the client's systems as the earlier Conti attack.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra wrote in its report.

It's important to differentiate the two different types of cyberattack described here, according to Tetra. In a ransomware attack, key data is encrypted and the extortion money is paid in exchange for a decryption key, so that the target company can recover its data and resume operating. In a data theft, which has been the sole type of attack perpetrated by the Karakurt group, hackers steal sensitive corporate data and demand money in exchange for not releasing it to the world at large.

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also used cryptocurrency wallets linked to Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly.

This pattern represents a departure from the Conti group's normal pattern of business, according to Nathan Little, senior vice president of digital forensics and incident response at Tetra, 

"Historically, we've seen the criminals honor their deals," he says. "Early on, when these [data theft attacks] started in 2019, it was common that companies were frightened enough that they'd pay, not to hide the incident, but to avoid the consequences."

These days, however, data theft has become common enough — and new regulatory regimes have made mandatory disclosures more likely — that companies are less likely to pay just to have their data protected.

Nor is that that the only confusing thing about the Karakurt attacks, according to Tetra. The attacks erode trust among victim companies that they won't be targeted multiple times by the same types of attacks. Paying off a Conti ransom was usually a relatively solid guarantee that the group would move on and that no further attacks would be forthcoming. If the two groups are linked, and victims are indirectly being re-extorted by the same people, payments may become harder to come by.

‘It's interesting how it unfolds," says Little. "It does seem to be a little bit of a side hustle within the Conti group."

While the machinery of cybercrime is fantastically complicated, he added, the initial system compromise that makes these attacks possible is frequently quite simple, and can often be avoided with relatively basic protective measures.

"Cybersecurity is a big problem that needs solving, but many of these incidents, with some pretty basic cybersecurity controls, they wouldn't happen," Little says.