Mass Cyber Attacks by REZET Group Hit Russian Industrial Enterprises

Analysts from F.A.C.T. have reported mass cyber attacks by the REZET cyber-espionage group, also known as Rare Wolf, on Russian industrial enterprises in January 2025. The attackers used phishing emails disguised as invitations to seminars on defense product standardization. These emails contained malicious files that infected workstations upon opening.

The REZET group, operating since October 2018, specializes in phishing attacks. Research suggests that the group has carried out approximately 500 attacks on industrial enterprises in Russia, Belarus, and Ukraine. In previous campaigns in 2021 and 2023, the group used the malicious file Rezet.cmd, from which it takes its name.

In January 2025, the attackers targeted enterprises in the chemical, pharmaceutical, and food industries with emails posing as cover letters for contracts related to the state defense order. The initial mailing included a PDF document named “Priman” along with a malicious file. Because the archive password was provided in the email, the attachment bypassed antivirus protection. Once the file was opened, the system became infected, but users were unaware of it because a decoy PDF file appeared on the screen.

Subsequent attacks within a few days featured changes in tactics. The attackers sent a second and a third series of emails, each containing two infected files. Opening either file triggered the malicious code, significantly increasing the chances of infecting workstations.

Specialists at F.A.C.T. analyzed the malicious files and confirmed that the REZET group was responsible for the attacks. Identified indicators of compromise include malicious files with unique hashes, network addresses (vniir[.]space, 45[.]83[.]192[.]163), and senders from the vniir[.]nl domain.
Rezet Hackers Infiltrate Russian Defense Industry