top of page

Security Brief: CICYBER Week of December 13, 2021

Week of Monday, December 13, 2021 | Issue 54

Keanna Grelicha, Counterintelligence and Cyber (CICYBER) Team


Date: December 13, 2021

Location: Dublin, Ireland

Parties involved: Accenture; Karakurt

The event: Accenture, an information technology company based in Ireland, is investigating a new hacker group, Karakurt, identified in June 2021.[2] Karakurt is believed to be a ransomware group of Chinese origin.[3] This new threat group is financially motivated and performs data theft through cyber attacks. The group targets small companies or corporate subsidiaries, rather than larger organizations and infrastructures, to cover its malicious activities and abuse the software to gain access to the data in the operating systems of less protected companies. The method used to access and remain unnoticed is the living off the land (LotL) method where hackers exploit existing software and functions in order to move laterally within the system and carry out malicious activity. Karakurt’s main targets include the professional services, industrial, retail, healthcare, technology, and entertainment industries.[4]

Analysis & Implications:

  • The threat of data being stolen in any of the industries Karakurt is known to attack could very likely pose security concerns for the public. Their attacks very likely include patient or research data theft in the healthcare sector, or industrial services’ sensitive data used across a country. If Karakurt obtains the data from any such industries’ servers, the ransom could very likely surpass what smaller companies could pay, likely leading to financial burden for the targets or the inability to retrieve the stolen data.

  • Karakurt attacks smaller organizations using the LotL tactic because of its high success rate and the difficulty of its detection. Smaller companies and corporate subsidiaries are almost certainly more vulnerable to cyber attacks due to their lower security, so the targeted companies likely do not have the security capabilities to track irregular activities within the server. A lack of patches or system updates that would assess and monitor vulnerabilities very likely allows for Karakurt to exercise malicious activity to obtain data from the servers. If the data is accessed, the hackers could very likely gather data for an extended time without the companies noticing. This almost certainly allows Karakurt to set a high ransom deal, because the target would very likely have no other way to retrieve the stolen data right after the attack.

Date: December 14, 2021

Location: Temp, Arizona, USA

Parties involved: Symantec; Microsoft; Iran; Mercury

The event: A new Iranian-backed espionage hacking group known as Mercury was recently identified by a Threat Hunter Team at Symantec, a software company based in the US. For the past six months, the hacking group has been attacking countries in the Middle East and Asia by targeting telecommunication and technology services vulnerabilities. The vulnerabilities the group targeted are specifically in Microsoft Exchange Servers that have access to accounts in corporate networks. The group is known to steal account credentials and move through the network to attack connected organizations. Symantec’s research found that the hacking group exploits the Exchange Server vulnerabilities by distributing phishing emails to specific targets, which contain malicious links and files that, when clicked, give Mercury access to the system.[5]

Analysis & Implications:

  • Mercury’s methodology to target employees with access to the corporate network almost certainly presents security concerns for the targets. Once Mercury has access to the individual account and company data, the breach would very likely escalate to a ransomware attack if the threat actor holds the stolen data for ransom. This issue would very likely lead to financial loss for the targeted companies if they cannot retrieve the data in another manner, such as with a decoder key to unlock the stolen information on their system.

  • The security issues very likely fall on a lack of employee knowledge of phishing scams and how to spot irregular activity within one’s account. If individuals continue to fall victim to email scams and download malicious files, Mercury will very likely continue to use this method. If the same employees are targeted and the attacks are successful, the companies could very likely experience reputational damage because their employees and security measures are vulnerable to continued attacks.

  • Companies connected to those that have already been targeted are almost certainly at risk of a data breach. A lack of preventative measures within the connections from network to network will almost certainly allow malicious activity to transfer from one company's system to another. Vulnerabilities that arise from connected servers very likely increase when more than one company becomes at risk of having data stolen, or having interruptions by malware or phishing campaigns in the systems.

Specialty reports are designed to inform clients of existing and emerging threats worldwide. To defeat terrorists and individuals intent on harming, it is critical to understand and investigate them. We collect and analyze intelligence on terrorists and extremists, their organizations, individuals who are threats, and their tactics and attacks to develop solutions to detect, deter, and defeat any act of terrorism or violence against our client. We also conduct investigations to identify persons of interest, threats, and determine the likelihood of a threat and how to stop them. To find out more about our products and services visit us at


[2] Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group, The Hacker News, December 2021,

[3] Chinese espionage in Southeast Asia. The C-suite's awareness of ransomware attacks. New cybercriminal group conducts data-theft extortion, The CyberWire, December 2021,

[4] Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group, The Hacker News, December 2021,

[5] Telecom operators targeted in recent espionage hacking campaign, Bleeping Computer, December 2021,



bottom of page