Full Report
Zeljka Zorz reports: Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.

A double whammy

In a recently published report,...
Analysis Summary
# Incident Report: Dual Threat Compromise Uncovered via Ransomware Noise
## Executive Summary
Two Russian organizations were compromised by two distinct and apparently unconnected threat actors. A noisy ransomware attack by the group tracked as 'Thor' led investigators to a much stealthier, long-running espionage foothold held by the group tracked as 'QuietCrabs'. Both intrusions began with exploitation of publicly known vulnerabilities in internet-facing enterprise software (Ivanti products and Microsoft SharePoint Server), so the root cause in each case was an unpatched, externally exposed service.
## Incident Details
- Discovery Date: Not stated precisely; before December 2, 2025, when the Positive Technologies findings were reported.
- Incident Date: Not stated; the espionage foothold is described as having persisted for months before the ransomware attack exposed it.
- Affected Organizations: Two Russian organizations (not named).
- Sector: Not disclosed.
- Geography: Russia.
## Timeline of Events
### Initial Access (Two Separate Vectors)
- Date/Time: Not stated; the espionage presence was long-term.
- Vector: Exploitation of publicly known vulnerabilities in internet-facing services.
- **Actor 1 (Thor, ransomware):** Exploited Ivanti product vulnerabilities: CVE-2024-21887 (Connect Secure / Policy Secure), CVE-2025-4427 and CVE-2025-4428 (Endpoint Manager Mobile), and CVE-2023-38035 (Sentry).
- **Actor 2 (QuietCrabs, espionage):** Exploited the Microsoft SharePoint Server vulnerability CVE-2025-53770.
- Details: Both actors obtained initial access through unpatched, externally exposed enterprise services (SharePoint Server and Ivanti products); the source mentions no phishing or stolen credentials.
### Lateral Movement
- Details: Not described. QuietCrabs held its foothold undetected for months, which implies persistence and some movement beyond the initially compromised SharePoint host, but the source gives no specifics.
### Data Exfiltration/Impact
- **Thor:** Executed a ransomware attack (using LockBit/Babuk variants).
- **QuietCrabs:** Engaged in cyber espionage, implying data collection/exfiltration related to intelligence gathering, which lingered undetected for months.
### Detection & Response
- **Detection:** The noisy ransomware intrusion by the Thor group inadvertently drew attention to, and subsequently exposed, the stealthier QuietCrabs espionage foothold.
- **Response:** Threat researchers at Positive Technologies investigated and detailed the findings of both separate intrusions. Response actions related to containment and eradication are not detailed in the source material.
## Attack Methodology
| Stage | QuietCrabs (Stealthy Espionage) | Thor Group (Noisy Ransomware) |
| :--- | :--- | :--- |
| **Initial Access** | Exploitation of Microsoft SharePoint Server vulnerability CVE-2025-53770. | Exploitation of Ivanti product vulnerabilities CVE-2024-21887 (Connect Secure / Policy Secure), CVE-2025-4427 and CVE-2025-4428 (Endpoint Manager Mobile), and CVE-2023-38035 (Sentry). |
| **Persistence** | Implied (required to maintain long-term access). | Implied (typical for ransomware deployment). |
| **Privilege Escalation** | Not documented. | Not documented. |
| **Defense Evasion** | High capability (remained undetected for months). | Lower capability (noisy deployment leading to discovery). |
| **Credential Access** | Not documented. | Not documented. |
| **Discovery** | Not documented. | Not documented. |
| **Lateral Movement** | Implied for establishing long-term access. | Implied prior to ransomware deployment. |
| **Collection** | Intelligence gathering over a long period (espionage). | Not documented; staging of data before encryption is common for ransomware groups but is not described here. |
| **Exfiltration** | Data related to espionage goals (details not given). | Possible data theft prior to encryption (common ransomware practice, not confirmed by the source). |
| **Impact** | Long-term intelligence compromise. | Operational disruption and data encryption via LockBit/Babuk variants. |
## Impact Assessment
- Financial: Not quantified; costs would include ransomware recovery and a forensic investigation wide enough to scope both intrusions.
- Data Breach: Intelligence likely collected and exfiltrated by QuietCrabs during the months it went undetected; data encrypted, and possibly stolen first, by Thor.
- Operational: Disruption from the Thor ransomware deployment.
- Reputational: Two unrelated breaches traced to unpatched external services.
## Indicators of Compromise
*Note: Specific IOCs were not available in the summary provided, only the exploited CVEs.*
- **Network Indicators:** N/A
- **File Indicators:** N/A
- **Behavioral Indicators:** Stealthy, long-term remote access activity indicative of espionage (QuietCrabs); Loud encryption/deployment activity indicative of immediate extortion (Thor).
## Response Actions
- **Containment:** Not described in the source. In practice this means stopping the active encryption and isolating the exposed Ivanti and SharePoint hosts from the internet.
- **Eradication:** Not described in the source. The decisive point is scope: the investigation had to identify and remove remnants of *both* actors, because cleaning up only the ransomware actor would have left the QuietCrabs foothold in place.
- **Recovery:** Not described in the source; restoring the systems Thor encrypted.
## Lessons Learned
- **Patch Management Criticality:** Both intrusions hinged on exploitation of known, publicly disclosed vulnerabilities (Microsoft SharePoint Server and Ivanti products). Fixes existed but had not been applied, and the exposed services were compromised as a result.
- **Investigate Beyond the Obvious Incident:** A noisy intrusion (ransomware) can expose a quieter, more dangerous one (espionage). A ransomware response that stops at the encryptor misses pre-existing, unrelated footholds; every such investigation should hunt for them explicitly.
- **Attacker Diversity Risk:** Organizations must prepare for multiple, simultaneous, unrelated threat actors operating on the same network.
## Recommendations
- Conduct an immediate patching cycle prioritizing internet-facing services, starting with the Ivanti products and SharePoint Server installations affected by the CVEs listed above.
- Implement enhanced threat hunting focused on detecting low-and-slow lateral movement and command-and-control traffic patterns characteristic of espionage actors.
- Review and segment critical internal assets to limit the potential blast radius when external vulnerabilities are inevitably exploited.
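The hunting recommendation above, and the contrast drawn under Behavioral Indicators between low-and-slow remote access and loud encryption, as runnable detection logic. This is an added illustration, not tooling from the Positive Technologies report or the Help Net Security article. The log formats, hosts, addresses and thresholds are constructed for the example; tune the thresholds to your own baseline before relying on them.

```python
"""Threat-hunting helpers for the two behaviours contrasted above: low-and-slow
beaconing (espionage-style command and control) and bursty file renames
(ransomware encryption). Added example; log formats, hosts and addresses below
are constructed, not taken from the incident."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2025, 11, 1, 0, 0, 0)  # arbitrary start of the constructed logs


def build_proxy_log():
    """Constructed proxy log: 'ISO8601 src dst dport bytes' per line."""
    lines = []
    # Stealthy: one connection per hour for two days with +/-60 s jitter.
    for i in range(48):
        ts = BASE + timedelta(hours=i, seconds=(i * i * 53) % 121 - 60)
        lines.append(f"{ts.isoformat()} 10.0.0.5 203.0.113.7 443 512")
    # Ordinary user: clustered working-hours traffic, nothing overnight.
    for day in range(2):
        for hour in range(9, 18):
            for minute in (0, 7, 28):
                ts = BASE + timedelta(days=day, hours=hour, minutes=minute)
                lines.append(f"{ts.isoformat()} 10.0.0.9 198.51.100.20 443 {4000 + minute * 100}")
    # Too few connections to judge either way.
    for i in range(3):
        ts = BASE + timedelta(hours=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.12 192.0.2.44 443 900")
    return lines


def build_endpoint_log():
    """Constructed endpoint log: 'ISO8601 host ACTION details' per line."""
    lines = []
    # Loud: 300 renames to a new extension inside 30 s on one workstation.
    for i in range(300):
        ts = BASE + timedelta(days=2, hours=3, milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} WS-14 RENAME C:\\Share\\doc{i}.docx -> doc{i}.docx.locked")
    # Benign: a handful of renames spread over a working day.
    for i in range(5):
        ts = BASE + timedelta(days=2, hours=9 + i)
        lines.append(f"{ts.isoformat()} WS-02 RENAME C:\\Users\\a\\draft{i}.txt -> final{i}.txt")
    return lines


def find_beacons(lines, min_events=12, min_span_hours=12.0, max_jitter_ratio=0.1):
    """Flag (src, dst) pairs whose connection intervals stay regular over a long
    span. jitter_ratio = median absolute deviation of the intervals / median
    interval. A scheduled sync also scores low, so treat hits as leads."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _dport, _nbytes = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(intervals)
        if med <= 0:
            continue
        ratio = median(abs(x - med) for x in intervals) / med
        span_h = (stamps[-1] - stamps[0]).total_seconds() / 3600
        if span_h >= min_span_hours and ratio <= max_jitter_ratio:
            hits[pair] = {"events": len(stamps), "median_interval_s": med,
                          "jitter_ratio": round(ratio, 3), "span_hours": round(span_h, 1)}
    return hits


def find_rename_bursts(lines, window_s=60, min_events=200):
    """Flag hosts with at least min_events RENAME events inside any sliding
    window of window_s seconds: the loud footprint of bulk encryption."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, action, _details = line.split(maxsplit=3)
        if action == "RENAME":
            by_host[host].append(datetime.fromisoformat(ts))
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while (ts - stamps[left]).total_seconds() > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_events:
            hits[host] = peak
    return hits


if __name__ == "__main__":
    for pair, info in find_beacons(build_proxy_log()).items():
        print("possible beacon", pair, info)
    for host, peak in find_rename_bursts(build_endpoint_log()).items():
        print("rename burst", host, f"{peak} renames in 60 s")
```

The two detectors deliberately look at opposite ends of the rate spectrum. The beacon check ignores volume and keys on regularity plus duration, which is what a months-long espionage session leaves behind in proxy logs; the rename check ignores regularity and keys on rate, which is what an encryptor cannot hide. Running both over the same period is the cheap version of the lesson above: after a ransomware event, look for the quiet pairs as well as the loud host.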