# Full Report
BO Team, also known as Black Owl, has been active since early 2024 and appears to operate independently, with its own arsenal of tools and tactics, researchers at Russian cybersecurity firm Kaspersky said.
# Analysis Summary
# Threat Actor: BO Team
## Attribution & Identity
- **Identification:** Emerging, independent hacking group.
- **Aliases:** Black Owl.
- **Known Associations:** Previously cooperated with Ukrainian military intelligence (HUR) on several operations. Stands apart from other pro-Ukraine hacktivist groups because it shows no apparent coordination or tool-sharing with them.
## Activity Summary
- Active since early 2024.
- Conducts operations aimed at causing maximum disruption and extracting financial gain.
- **Key Campaigns:**
  - A cyberattack last month that reportedly wiped out about a third of Russia's national electronic court filing system.
  - Breaches of Russia's federal digital signature authority.
  - An attack against a Russian scientific research center.
- The group often posts about its attacks on Telegram for intimidation and media attention.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails containing convincing malicious attachments.
- **Dwell Time:** May wait weeks or months after gaining access before executing impact operations (unusual for hacktivists).
- **Impact:** Deletes backups and virtual infrastructure using tools like Microsoft’s SDelete.
- **Final Payload:** In some cases, deploys Babuk ransomware to encrypt data and demand payment.
- **Evasion:** Disguises malware as legitimate Windows software.
- **Note:** No specific MITRE ATT&CK IDs were provided in the source text.
## Targeting
- **Sectors:** State-run companies, technology, telecom, and manufacturing sectors.
- **Geography:** Exclusively targeted organizations within Russia.
- **Victims:** Russia's national electronic court filing system, Russia’s federal digital signature authority, and a Russian scientific research center.
## Tools & Infrastructure
- **Malware Families Used:** DarkGate (backdoor), BrockenDoor (backdoor), Remcos (backdoor).
- **Impact Tools:** Microsoft Sysinternals SDelete (secure-deletion utility, used to wipe binaries and backups).
- **Ransomware:** Babuk ransomware.
- **Communication Channel:** Telegram, used to publicize attacks; no operational infrastructure is described.
- **Note:** No C2 domains or IPs were specified in the source text.
## Implications
BO Team is assessed as a serious threat to Russian organizations due to its disruptive operations, unusual patience compared to typical hacktivists, and its self-sufficient arsenal. The group blends destructive hacktivist goals with financial extortion (ransomware).
## Mitigations
- Enhance vigilance against sophisticated phishing attacks, especially those using convincing attachments.
- Maintain isolated (offline or logically segregated) backups and regularly test that they can be restored, since the group uses SDelete to destroy any backups it can reach.
- Monitor for quiet lateral movement and for long-lived access after an initial compromise, since the group may wait weeks or months before acting.
- Implement strong endpoint detection and response (EDR) capable of identifying known malware families (DarkGate, BrockenDoor, Remcos).
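As an added example of the monitoring these mitigations call for, here is a small Python triage script; it is not part of the report, of Kaspersky's analysis, or of any vendor tooling. It scans constructed Sysmon-style process-creation records for two behaviours described in the TTP section: SDelete execution (the wiping step) and binaries renamed to pass as legitimate Windows software. Assumptions: the field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, User); the SDelete switches -p/-s/-q/-z/-c and the Sysinternals -accepteula switch are taken from the tool's documented usage; every path, host and user name in the sample data is invented.

```python
"""Added example (not from the report): flag SDelete execution and
renamed binaries in Sysmon-style process-creation events.

Assumptions, not facts from the report: the events are a constructed
subset of Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine,
User); the SDelete switches -p/-s/-q/-z/-c and the Sysinternals
-accepteula switch come from the tool's documented usage; paths, hosts
and user names are invented.
"""
import ntpath
import re

# Constructed sample events (a subset of Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {  # benign: on-disk name and version-resource name agree
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {  # SDelete run under its own name against a backup share
        "Image": r"C:\Users\admin\Downloads\sdelete.exe",
        "OriginalFileName": "sdelete.exe",
        "CommandLine": r"sdelete.exe -accepteula -p 3 -s -q \\backup01\backups",
        "User": r"CORP\admin",
    },
    {  # SDelete renamed to look like a Windows binary; renaming a file on
       # disk does not rewrite its PE version resource, so OriginalFileName
       # still says sdelete.exe
        "Image": r"C:\ProgramData\svchost.exe",
        "OriginalFileName": "sdelete.exe",
        "CommandLine": r"svchost.exe -accepteula -s -q D:\VMs",
        "User": r"CORP\svc_backup",
    },
    {  # some other renamed binary: masquerading, but not SDelete
        "Image": r"C:\Windows\Temp\explorer.exe",
        "OriginalFileName": "client.exe",
        "CommandLine": "explorer.exe",
        "User": r"CORP\j.doe",
    },
]

# Switches SDelete accepts (documented usage); -p takes a pass count.
SDELETE_SWITCHES = re.compile(r"(?:^|\s)-(?:p\s+\d+|s|q|z|c)(?=\s|$)", re.IGNORECASE)
ACCEPT_EULA = re.compile(r"(?:^|\s)-accepteula(?=\s|$)", re.IGNORECASE)


def _stem(name: str) -> str:
    """Lower-case file name without extension: 'C:\\x\\SDelete.exe' -> 'sdelete'."""
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def is_masquerading(event: dict) -> bool:
    """True when the on-disk file name disagrees with the PE's OriginalFileName."""
    original = event.get("OriginalFileName", "")
    if not original:  # field absent: nothing to compare against
        return False
    return _stem(event["Image"]) != _stem(original)


def is_sdelete(event: dict) -> bool:
    """True when the process is SDelete, recognised by its version-resource
    name or by its switch pattern (EULA acceptance plus an SDelete switch)."""
    if _stem(event.get("OriginalFileName", "")).startswith("sdelete"):
        return True
    cmd = event.get("CommandLine", "")
    return bool(ACCEPT_EULA.search(cmd) and SDELETE_SWITCHES.search(cmd))


def triage(events):
    """Return one finding per suspicious event: image, user and the reasons."""
    findings = []
    for ev in events:
        reasons = []
        if is_sdelete(ev):
            reasons.append("sdelete")
        if is_masquerading(ev):
            reasons.append("masquerading")
        if reasons:
            findings.append({"Image": ev["Image"], "User": ev.get("User", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['User']:18} {finding['Image']:40} {', '.join(finding['reasons'])}")
```

The property the script leans on is that OriginalFileName is read from the executable's version resource, which renaming the file does not change, so a renamed SDelete still identifies itself. In production the masquerading check needs an allowlist for legitimate mismatches (installers and updaters that ship under a different name), and the SDelete check is worth correlating with file-share and hypervisor audit logs, since the report says the group targets backups and virtual infrastructure.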