Threat Watch

Karakurt Hacking Group Focuses on Data Theft and Extortion

First seen in June 2021, the hacking group Karakurt has continually increased its attacks. The financially motivated group focuses on data theft and extortion. Researchers have recently exposed the group’s tactics and procedures noting they primarily use virtual private network (VPN) credentials to gain initial access to a victim’s network. The group either buys the credentials on the dark web or uses phishing campaigns to obtain them. Researchers indicate the group recently switched from the Cobalt Strike remote access tool to AnyDesk, as Cobalt Strike has become more aggressively detected by security software. Once on a network, the threat actors continue to steal additional credentials by employing Mimikatz and exfiltrate data using 7zip and WinZip. The group posts the stolen data to their leak site and threatens to publish it if not paid. Although the group does not encrypt data and wipe backups, the attacks can be very detrimental to an organization.


Organizations should focus on defense, prevention, and detection measures to keep these threats off their networks. The following preventative measures can help defend against attacks.

• Implement network segmentation.
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released. Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multi-factor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.