New hacking group Karakurt attacks six Canadian organizations | Insurance Business Canada

A relatively new hacking group claims to have launched cyberattacks against several Canadian and US organizations.

On December 29, 2021, the Karakurt group claimed on its website that it had struck 11 organizations as part of its “Winter Data Leak Digest.” Of the 11, six were based in Canada.

ITWorldCanada.com confirmed that two of the affected Canadian organizations are tourism agency Tourisme Montréal and heavy equipment maker Weldco-Beales Manufacturing.

“Tourisme Montréal can confirm that it became aware of a cybersecurity incident that we experienced on December 7th,” said Tourisme Montréal manager of corporate communications and public affairs Francis Bouchard in a recent statement.

“We immediately retained security experts to investigate this matter further and ensure the integrity and security of our systems,” Bouchard stated, adding that the investigation into the cyberattack is ongoing, including an assessment of which types of data may have been affected. He also said that both employees and agency partners have been notified of the attack and its potential impact.

Tourisme Montréal was unable to comment on how it was compromised.

Likewise, Weldco-Beales Manufacturing is currently unable to determine if the Karakurt gang actually copied any data.

“We have no way to prove or deny that at this point, so we’re trying to assess that,” Weldco-Beales Manufacturing IT manager Lyle Makus told ITWorldCanada.com. “We don’t believe they really got any data.”

Makus also said that the hackers had left them voicemails, instructing them to pay in bitcoin or risk having their stolen files shared on the Karakurt website.

The other four Canadian organizations affected include a Quebec construction firm, a Quebec-based bathroom designer, a Canadian First Nation, and a Western Canadian data management firm.

BleepingComputer reported that the first signs of Karakurt were identified in June 2021, when two domains bearing the group’s name were registered. Based on data from Accenture Security, Karakurt focuses almost exclusively on data exfiltration and extortion and does not use ransomware to encrypt victims’ files. The group first gains access to victims’ networks using VPN credentials, either bought from sellers or obtained through phishing.

Karakurt had previously employed the Cobalt Strike remote access tool, but researchers noted that it had since switched to using AnyDesk. Afterwards, the group steals additional credentials from administrators by using the password-stealing tool Mimikatz. No ransomware is employed at any stage of the attacks, but the group uses the threat of leaking the stolen data for its ransom demands.
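The chain described above (VPN credential access, a remote-access tool such as AnyDesk, credential theft, then bulk data exfiltration) is what a defender would look for in telemetry. The following is an added example, not code from the article or from any of the researchers it cites: it correlates constructed sample events per host and flags hosts that show several stages of that chain within a time window. Event field names, the egress threshold and the window are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed telemetry (not from the article): one dict per event. Host ws01 walks
# through the stages the article describes; ws02 is ordinary user activity.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "vpn_login", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"ts": 400, "host": "ws01", "type": "process", "user": "jdoe", "image": r"C:\Users\jdoe\AnyDesk.exe"},
    {"ts": 900, "host": "ws01", "type": "lsass_access", "user": "jdoe", "image": r"C:\tmp\x.exe"},
    {"ts": 2500, "host": "ws01", "type": "net_out", "user": "jdoe", "bytes": 12 * 1024**3},
    {"ts": 120, "host": "ws02", "type": "vpn_login", "user": "asmith", "src_ip": "198.51.100.9"},
    {"ts": 300, "host": "ws02", "type": "process", "user": "asmith", "image": r"C:\Program Files\Outlook.exe"},
    {"ts": 500, "host": "ws02", "type": "net_out", "user": "asmith", "bytes": 40 * 1024**2},
]

REMOTE_ADMIN_TOOLS = {"anydesk.exe"}   # tool named in the article; extend per environment
EGRESS_THRESHOLD = 5 * 1024**3         # assumed: 5 GiB outbound from one host
WINDOW = 6 * 3600                      # assumed: stages must occur within 6 hours


def stage_of(ev):
    """Map one event to a stage of the described intrusion chain, or None."""
    if ev["type"] == "vpn_login":
        return "vpn_access"
    if ev["type"] == "process" and ntpath.basename(ev["image"]).lower() in REMOTE_ADMIN_TOOLS:
        return "remote_admin_tool"
    if ev["type"] == "lsass_access":          # LSASS memory read, typical of credential dumping
        return "credential_dump"
    if ev["type"] == "net_out" and ev["bytes"] >= EGRESS_THRESHOLD:
        return "bulk_egress"
    return None


def find_suspicious_hosts(events, min_stages=3, window=WINDOW):
    """Return {host: [stages in order]} for hosts showing at least min_stages
    distinct stages within `window` seconds of that host's first stage."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, seen in per_host.items():
        start, stages = seen[0][0], []
        for ts, stage in seen:
            if ts - start <= window and stage not in stages:
                stages.append(stage)
        if len(stages) >= min_stages:
            hits[host] = stages
    return hits


if __name__ == "__main__":
    for host, stages in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

A single stage (a VPN login, or one AnyDesk install) is routine on its own; the signal is several stages on the same host in a short span, which is why the function counts distinct stages rather than raising on any one of them.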

The group claimed to have compromised more than 40 victims between September and November 2021, sharing the stolen files on its name-and-shame website.