Mandiant experts report that a hacking group which previously worked with the DarkSide ransomware operation compromised the website of an unnamed video surveillance system vendor and trojanized the official Windows application offered there.
The attack began on May 18 and lasted until early June, when Mandiant specialists discovered the malware and notified the affected company. The malware was hidden inside a custom version of the Dahua SmartPSS Windows app that the unnamed video surveillance vendor made available to its customers for configuring and managing their systems.
According to the report, the trojanized version of the application infected the machines it was installed on with the SMOKEDHAM backdoor.
Although the DarkSide ransomware group announced it would cease operations last month after the scandalous attack on Colonial Pipeline, Mandiant researchers have linked the compromise of the video surveillance vendor to one of DarkSide's three main affiliate subgroups, which the company tracks as UNC2465.
According to analysts, these DarkSide "partner groups," known under the codenames UNC2628, UNC2659 and UNC2465, broke into corporate networks and then deployed ransomware that they rented from the DarkSide authors. Once a victim paid, the "partners" received 85% of the ransom and moved on to new targets.
The recent incident was attributed to UNC2465 thanks to the aforementioned SMOKEDHAM backdoor, which has so far been observed exclusively in UNC2465 campaigns. Although in this case the attack did not lead to the deployment of DarkSide or any other ransomware on the victim's network, the researchers warn that the attackers may soon adopt a new RaaS (Ransomware-as-a-Service) offering and return to ransomware attacks.