A new international group of threat actors is currently being tracked by Group-IB. They have been affectionately called Red Curl, which started known operations in 2018. After disappearing from everyone’s radar, Red Curl has returned from their long odyssey of rest with new and improved tools.
Red Curl is a threat actor group that is believed to be Russian speaking, but not based in Russia. This is clear based on the location of the organizations that they target including Russia, Canada, Norway, Germany, Ukraine, and the United Kingdom.
Red Curl also has departed from its old ways of attacking organizations using encryption for ransom. What makes the Red Curl threat actor team concerning, is they appear to work as the ultimate insider threat. While not confirmed, many believe they infiltrate their targets by disguising as “known good actors.” Once within the target organization, they pivot across the network landscape targeting contracts, financial statements, employee records, and other legal protected information.
The methodology of various tactics, techniques, and procedures in which Red Curl utilizes are no different than what an advanced Red Team would use against an organization. But unlike a normal Red Team, after they have disabled your internal cybersecurity controls such as Endpoint Detection & Response, Anti-Virus, and SIEM monitoring, Red Curl executes their own special quest, cyber espionage. With their custom suite of attack tools, Red Curl has managed to go unnoticed within organizations for periods of time ranging anywhere from two to six months. Organizations that do not have comprehensive active monitoring (such as MDR or SOC services), solid policies and procedures, and periodic threat testing and training (such as penetration tests, and security awareness training) are consistently ripe targets for threat actors such as Red Curl.
All organizations need a helping hand from experienced professionals. Digital Silence specializes in taking an elite threat actor approach to security as part of every engagement ranging from our penetration testing and risk assessment services, incident response and threat intelligence research, up to our full Virtual CISO services.
