Full Report
F6 Threat Intelligence has disclosed that it tracked the activities of the Hive0117 group, which conducted a large-scale... The post DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Hive0117
## Attribution & Identity
- **Identification:** Hive0117 group, tracked by F6 Threat Intelligence.
- **Associations:** Linked to the DarkWatchman malware (the source's "VPO" is a transliterated Russian abbreviation meaning "malicious software", not part of the malware's name).
## Activity Summary
Hive0117 is a financially motivated threat group that has been active since February 2022. They recently conducted a large-scale, mass phishing campaign targeting organizations across Russia and neighboring countries. The primary target sector mentioned is Russian critical infrastructure, though the campaign was broad.
## Tactics, Techniques & Procedures
- **Initial Access:** Mass phishing mailings sent from attacker-registered domains chosen to pass as legitimate business senders.
- **Delivery Mechanism:** The infection chain starts when the recipient opens a password-protected archive attached to the email; the archive is distributed under a variety of file names. The password protection keeps the contents opaque to any gateway scanner that cannot supply the password, which is why the technique keeps working against signature-based filtering.
- **Malware Usage:** Deploys the DarkWatchman malware as the final-stage payload.
- **Infrastructure Reuse:** Attackers frequently reuse domains and register infrastructure specifically for mailings and domain management.
- **Specific Campaign TTP:** Emails used the subject line ‘Documents from 29.04.2025,’ sent from `manager@alliance-s[dot]ru` to over 550 addresses.
## Targeting
- **Sectors:** Media, tourism, finance and insurance, manufacturing, retail, energy, telecommunications, transport, and biotechnology. The source report singles out the **Russian critical infrastructure sector**.
- **Geography:** Primarily Russia, but also Belarus, Lithuania, Estonia, and Kazakhstan.
- **Victims:** Over 550 addresses were targeted in the specific mass mailing analyzed, encompassing various industries.
## Tools & Infrastructure
- **Malware Families Used:** DarkWatchman (a modified build is used for the final infection stage).
- **Infrastructure:** Domains registered for mailings; an example sender email was `manager@alliance-s[dot]ru`.
## Implications
Hive0117, operating since early 2022, is a persistent financially motivated threat with demonstrated capability for large-scale initial-access operations against geographically diverse targets, including sensitive sectors such as critical infrastructure and telecommunications. Its tradecraft is modest but effective for phishing: password-protected archives to defeat attachment scanning, and reuse of purpose-registered mailing infrastructure across campaigns.
## Mitigations
- Treat password-protected archives that the gateway cannot open as high risk: quarantine or sandbox-detonate them (supplying the password from the message body where the gateway supports it) rather than passing them through unscanned.
- Strengthen user awareness training regarding unsolicited attachments, especially those that require the user to enter a password from the email to open an archive.
- Track sender domains and newly registered domains seen in earlier mailings; block known campaign senders such as `alliance-s[dot]ru` and alert when previously observed mailing infrastructure reappears.
- Ensure endpoint detection and response (EDR) coverage for DarkWatchman variants, keeping in mind that the modified build used in this campaign may not match signatures written for earlier builds.
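The following is an added example, not code from the F6 report or from Industrial Cyber, showing how a mail gateway could score messages against the delivery pattern described above (sender domain, dated-documents subject, password disclosed in the body, password-protected ZIP attachment) and aggregate traffic to surface the mass-mailing pattern. The sender domain is the one reported on this page; the subject and password regexes, the two-indicator blocking rule, the recipient threshold of 3, and every sample message are assumptions constructed for the demo. The "password-protected" sample ZIP only has the ZIP encryption flag set; its contents are a harmless stub, not the real payload.

```python
import io
import re
import zipfile
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage

# Sender domain reported for the mailing on this page; extend from your own intel.
KNOWN_MAILING_DOMAINS = {"alliance-s.ru"}
# Assumed lure pattern modelled on the reported subject 'Documents from 29.04.2025'.
SUBJECT_RE = re.compile(r"\bdocuments?\b.*\b\d{2}\.\d{2}\.\d{4}\b", re.IGNORECASE)
# Assumed: the archive password is handed to the victim in the message text.
PASSWORD_RE = re.compile(r"\bpassword\b\s*[:=-]?\s*\S+", re.IGNORECASE)
# Assumed demo threshold; a production gateway would use a far higher count.
MASS_MAILING_THRESHOLD = 3


def is_password_protected_zip(data: bytes) -> bool:
    """True if any entry has the ZIP general-purpose 'encrypted' flag (bit 0) set.
    Only ZIP is handled here; RAR/7z need their own header checks."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def analyse_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the campaign's delivery pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    domain = sender.rpartition("@")[2]
    recipients = sorted({a.addr_spec.lower()
                         for h in msg.get_all("To", []) + msg.get_all("Cc", [])
                         for a in h.addresses})
    subject = str(msg.get("Subject", ""))
    findings = []
    if domain in KNOWN_MAILING_DOMAINS:
        findings.append("sender domain on campaign list")
    if SUBJECT_RE.search(subject):
        findings.append("subject matches dated-documents lure")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PASSWORD_RE.search(body.get_content()):
        findings.append("archive password disclosed in body")
    for part in msg.iter_attachments():
        if is_password_protected_zip(part.get_payload(decode=True) or b""):
            findings.append(f"password-protected zip attachment: {part.get_filename()}")
    # Two independent indicators are required before a message is held, so a lone
    # protected archive from an unknown sender is flagged for review, not blocked.
    return {"sender_domain": domain, "subject": subject, "recipients": recipients,
            "findings": findings, "block": len(findings) >= 2}


def summarise_campaign(raw_messages) -> list:
    """Aggregate gateway traffic: one (sender domain, subject) pair reaching many
    distinct recipients is the mass-mailing pattern described in the report."""
    seen = defaultdict(set)
    for raw in raw_messages:
        r = analyse_message(raw)
        seen[(r["sender_domain"], r["subject"])].update(r["recipients"])
    return [{"sender_domain": d, "subject": s, "distinct_recipients": len(rcpts),
             "mass_mailing": len(rcpts) >= MASS_MAILING_THRESHOLD}
            for (d, s), rcpts in seen.items()]


# --- constructed samples (not real captures) ---------------------------------
def make_flagged_zip(name: str, payload: bytes) -> bytes:
    """Stored ZIP whose headers carry the encrypted flag. The entry data is NOT
    really encrypted; only the flag bit is set, which is all the detector reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flags
    data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return bytes(data)


def build_sample(sender: str, to: str, subject: str, body: str, attachment=None) -> bytes:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip",
                           filename="Documents.zip")
    return msg.as_bytes()


SAMPLE_LURES = [
    build_sample("manager@alliance-s.ru", f"user{i}@example.com", "Documents from 29.04.2025",
                 "Please see the attached documents. Archive password: 2025",
                 make_flagged_zip("Documents.js", b"// constructed stub, not the real payload"))
    for i in range(3)
]
SAMPLE_BENIGN = build_sample("hr@example.com", "user1@example.com", "Lunch menu",
                             "No attachment today.")
```

Run `analyse_message(SAMPLE_LURES[0])` to see all four indicators fire and `block` come back true, while `SAMPLE_BENIGN` yields no findings; `summarise_campaign(SAMPLE_LURES + [SAMPLE_BENIGN])` reports the three-recipient alliance-s.ru mailing as mass mailing. The encryption-flag check is deliberately independent of whether the gateway can open the archive: the point is to route such attachments to quarantine or detonation instead of letting an unscannable object through.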