Cyber news in 2022 was marked by an active hacker group that took its name and logo from a type of black widow spider: Karakurt. Its compromise of several big corporations and of the Senegalese Telecommunication and Posts Regulatory Authority (ARTP) shed light on its activity. This recent and widely reported attack helped clarify the group's modus operandi and the importance of crisis management for affected organisations.
Almond’s CTI and SOC/CERT teams offer a presentation of the Karakurt group and further information regarding its suspected affiliation with the Conti group. The group's recent attack against ARTP raised questions about the cyberthreat on the African continent and the strategies in place to manage it.
Almond’s CTI and SOC/CERT teams invite you to reflect on the following issues through this report:
The current trend of infrastructure digitization is one of the primary causes of the sharp rise in cybercrime in African countries.
The African continent began this phase of accelerated digitization a few years ago. These include the African Union’s Digital Transformation Strategy for Africa (2020-2030),
However, this digitization has, for the most part, not been supported by effective cybersecurity strategies that guarantee a sufficient level of protection for information systems.
As a result, the approximately 500 million Internet users, businesses and institutions are targeted by attacker groups. Furthermore, there is a shortage of cybersecurity experts to support companies and administrations in their work to secure infrastructures.
In 2021, Interpol and AFJOC (African Joint Operation against Cybercrime) presented their report on the African threat landscape.
The main identified threats were online fraud, digital extortion, business email compromise (BEC), ransomware and botnets.
May 2022 | Mali | General Taxes Authority – attacked by Lockbit
October 2022 | Senegal | Telecommunication and Posts Regulatory Authority
November 2022 | Senegal | Agency for Aerial Navigation Safety in Africa and Madagascar – attacked by Lockbit
November 2022 | Tanzania | Tanzania Telecommunication Company Ltd
November 2022 | Gambia | Central Bank – attacked by Blackcat
Karakurt counts three victims on the African continent: the Senegalese Telecommunication and Posts Regulatory Authority, Tanzania’s Telecommunication Company Ltd and the South African corporation SAPPI Ltd.
Karakurt’s attack against the Telecommunication and Posts Regulatory Authority was widely reported. This data breach against a government infrastructure, made public on October 17, 2022, highlighted shortcomings in cybersecurity and crisis management. The ARTP made no public communication, whether via the press, social media or its institutional site, to inform the public of the breach, the potential risks, and the means deployed to address it.
The institution refused to pay the ransom and nearly 102 GB of data was published on the group’s site. The data consisted mainly of e-mails exchanged with other ministries and telecommunications operators, information on past and future projects, and personal data.
The lack of transparency of these African organizations has been noted in all of the publicized attacks listed above. By refraining from communicating, organizations do not control the information that circulates; this can have a significant impact on their image and increase the harmful consequences of the cyberattack.
To read the entire bulletin, contact us: contact@almond.eu
Consultant Governance, Risks & Compliance
Consultant SOC / CERT