Security researchers at WithSecure have uncovered Kapeka. The newly identified malware appears to have ties to the Russian hacker group Sandworm. Several factors indicate that the development and use of the malware are related to the Russia-Ukraine war: the timing, the locations of the victims, and the likely connection to the Russian Sandworm group.
Threat intelligence researchers at WithSecure™ (formerly F-Secure Business) have discovered a novel malware that has been used in attacks on targets in Central and Eastern Europe since at least mid-2022. The malware, called Kapeka, can be linked to a group called Sandworm. Sandworm is a Russian hacker group operated by the Headquarters of the General Staff of the Armed Forces of the Russian Federation (GRU). The group is best known for its destructive attacks against Ukraine in pursuit of Russian interests in the region.
Backdoor malware with stealth functionality
Kapeka is a flexible backdoor with multiple features. It serves as a toolkit for the attackers in the initial stages of an intrusion and also provides them with long-term access to the victim's systems and data. The analysis of the malware, its infrequent occurrence, and its level of stealth and sophistication point to APT-level activity, which typically means state-directed hacking operations.
The development and use of Kapeka are closely linked to the current Russia-Ukraine war. Since the illegal invasion, the backdoor has likely been used in targeted attacks on companies in Central and Eastern Europe.
Connection to Russian Sandworm group
“We are very concerned about Kapeka because of its links to Russian APT campaigns, particularly the Sandworm group,” said Mohammad Kazem Hassan Nejad, researcher at WithSecure Intelligence. “The rare, targeted attacks observed primarily in Eastern Europe point to a tailor-made tool for attacks of limited scope. Additionally, further analysis has revealed similarities to GreyEnergy – another toolkit that appears to be part of Sandworm. This underlines the connections to the group and indicates an increased threat level for possible attack targets in Eastern Europe.”
WithSecure last observed Kapeka activity in May 2023. State threat actors in particular cannot be expected to stop their activities or decommission functioning tools. The rare sightings of Kapeka may therefore be additional evidence of a state-led advanced hacking attack (APT). These attacks can last for years – for example in the war between Russia and Ukraine.
More at WithSecure.com
About WithSecure
WithSecure, formerly F-Secure Business, is the trusted partner in cyber security. IT service providers, managed security services providers and other companies trust WithSecure, as do large financial institutions, industrial companies and leading communication and technology providers. With its results-oriented approach to cyber security, the Finnish security provider helps companies to align security with their operations, to secure processes and to prevent business interruptions.