A new report by pure-play managed detection and response (MDR) service provider eSentire has connected the data breach affecting Cisco Talos systems in May with an Evil Corp-affiliate group.
More specifically, eSentire’s Threat Response Unit (TRU) discovered that the IT infrastructure used to attack Cisco was also deployed in an attempted compromise of one of its clients in April 2022.
“TRU believes that a hacker who uses the alias, mx1r, is the cybercriminal behind the attack,” eSentire wrote.
According to security company Mandiant, the threat actor known as mx1r is believed to be a member of an Evil Corp affiliate group tracked as UNC2165.
For context, in an advisory published after the May attack, Cisco attributed its breach to a threat actor with ties to the Lapsus$ threat group, the Yanluowang ransomware operators, and a group that Mandiant calls UNC2447.
In its latest advisory, eSentire clarified that while the tactics, techniques, and procedures (TTPs) of the attack against its client, a workforce management corporation, matched those of Evil Corp, the infrastructure used matched that of a Conti ransomware affiliate that has been seen deploying both Hive and Yanluowang ransomware payloads.
“Looking at various technical details of the malicious infrastructure leveraged, TRU discovered a handful of additional instances of Cobalt Strike infrastructure,” eSentire wrote.
“TRU tracks this infrastructure cluster as HiveStrike. The Hive group first appeared on the ransomware scene in June 2021 and quickly gained a reputation for attacking critical targets including hospitals, energy companies and IT companies.”
According to eSentire’s report, HiveStrike also bears some similarities to the ShadowStrike infrastructure that TRU reported earlier this year and linked to Conti.
“It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp,” reads the advisory.
eSentire concluded its advisory by providing a series of suggestions to help companies protect their systems from cyber-attacks. These include having offline backup copies of all critical files, using multi-factor authentication (MFA) and only allowing administrators to access network appliances using a VPN service, among others.