With ransomware attacks on critical infrastructure continuing to rise in recent months, security researchers have identified a new group running sophisticated multistage attacks against large corporate networks in Russia. The emerging actor, dubbed "OldGremlin," has been linked to a string of campaigns active since at least March, including an August 11 attack on a clinical diagnostics laboratory.

OldGremlin, believed to be Russian-speaking, has so far targeted Russian companies exclusively. According to a report by Singapore-based cybersecurity firm Group-IB, this is a pattern seen before in early-stage Russian-speaking groups such as Silence and Cobalt, which tested their tools at home before going global.

OldGremlin uses two custom backdoors, TinyNode and TinyPosh, as footholds for pulling down additional payloads, ending with the TinyCryptor ransomware encrypting files on compromised hosts and a ransom demand of roughly $50,000. Initial access is gained through phishing; in one recent campaign the lure was an email posing as a message from RBC Group, a major Moscow-based media holding, with the subject line "Invoice."

The email told the recipient that an urgent bill payment was outstanding and carried a link that, when clicked, downloaded the TinyNode backdoor. With remote access to the infected machine, the operators then used Cobalt Strike to move laterally through the network and obtain domain administrator credentials.

In earlier attacks in March and April, the group sent COVID-19-themed phishing emails to financial institutions while posing as a Russian microfinance organization, this time delivering the TinyPosh Trojan. The shift in pretext shows the group tailoring its lures to current events.

On August 19 the group launched another wave of spear-phishing emails, this time built around the ongoing protests in Belarus, again using real-world events to make its lures more convincing. In total, Group-IB has tracked nine OldGremlin campaigns between May and August, indicating a sustained and evolving operation.

According to Oleg Skulkin, a senior digital forensics analyst at Group-IB, what sets OldGremlin apart from other Russian-speaking adversaries is its willingness to operate inside Russia. This could mean the group is honing its techniques locally before expanding internationally, as other groups have done before, or that it is based in a neighboring country where Russian is widely spoken.

The reported tradecraft maps cleanly onto the MITRE ATT&CK framework: initial access via spearphishing links (T1566.002), persistence through the TinyNode and TinyPosh backdoors, credential access to obtain domain administrator credentials (T1003, OS Credential Dumping), lateral movement using Cobalt Strike as the post-exploitation framework, and impact through file encryption by TinyCryptor (T1486, Data Encrypted for Impact). Understanding where in this chain existing controls would detect or block the group is the practical starting point for organizations assessing their exposure.
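As an added example, not code from Group-IB, the article, or the threat actor, the following Python triage script checks an email for the three traits of the invoice lure described above (a display name claiming a known brand while the sender address uses a different domain, an urgent invoice or payment pretext, and a link to a host unrelated to either the sender or the claimed brand) and tags a hit with the ATT&CK technique for a spearphishing link. The brand domain, sender domains, and both sample messages are constructed for the example; the `rbc.example` entry is a placeholder, not RBC's real domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands we expect to see in a spoofed display name, mapped to the domains
# their legitimate mail and links would use. Constructed for this example;
# these are not RBC's real domains.
BRAND_DOMAINS = {
    "rbc group": {"rbc.example"},
}

INVOICE_WORDS = re.compile(r"\b(invoice|bill|payment)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|urgently|overdue|immediately|today)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host: str) -> str:
    """Last two DNS labels, a stand-in for proper Public Suffix List handling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw: str) -> dict:
    """Score one RFC 5322 message and return findings plus ATT&CK technique tags."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Display name claims a known brand, but the address is not on a brand domain.
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if claimed and sender_domain not in BRAND_DOMAINS[claimed]:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # 2. Invoice/payment pretext combined with urgency language in the body.
    if INVOICE_WORDS.search(subject + " " + body) and URGENCY_WORDS.search(body):
        findings.append("urgent invoice/payment pretext")

    # 3. Links whose registrable domain matches neither the sender nor the brand.
    trusted = {sender_domain} | (BRAND_DOMAINS[claimed] if claimed else set())
    unrelated_links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in trusted:
            unrelated_links.append(host)
            findings.append(f"link to unrelated host {host}")

    suspicious = len(findings) >= 2
    # Tag the technique only when the message is suspicious and carries a link;
    # a lone external link in an otherwise clean mail is not a phishing verdict.
    techniques = ["T1566.002"] if suspicious and unrelated_links else []
    return {"suspicious": suspicious, "findings": findings, "techniques": techniques}


# Constructed sample messages: one mimicking the lure described in the article,
# one benign invoice from a partner whose link stays on the sender's own domain.
LURE = """\
From: "RBC Group" <billing@rbc-accounts.example>
To: cfo@target.example
Subject: Invoice

Dear colleague, payment for invoice 2020-0811 is overdue and must be made
immediately. Download the corrected invoice here:
http://files.cdn-invoice.example/invoice.zip
"""

BENIGN = """\
From: "Accounts Payable" <ap@partner.example>
To: cfo@target.example
Subject: Invoice

Attached is the monthly invoice; details are at https://portal.partner.example/inv/2020-09
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(sample))
```

The three checks are deliberately independent, so a single miss (for example a lure that omits urgency language) still leaves two signals to trip the verdict; the registrable-domain heuristic should be replaced with a Public Suffix List lookup before running this on real mail, since two-label matching misclassifies hosts under country-code second-level domains.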
