hacking group Stonefly, which has been active since 2009, attacked an engineering company with military and energy clients in February, potentially through a Log4j exploit against the firm's publicly exposed VMware View server, according to The Record, a news site run by cybersecurity firm Recorded Future.
Symantec researchers discovered that Stonefly, which is also known as BlackMine, DarkSeoul, Silent Chollima, and Operation Troy, went on to infect 18 other computers with the Preft backdoor and with open-source tools used maliciously, such as WinSCP, 3proxy, and Invoke-TheHash, before deploying a custom information stealer that creates a ZIP file.
Stonefly began launching distributed denial-of-service attacks against financial and government sites in the U.S. and South Korea in July 2009 but transitioned to cyber espionage three years ago.
"While Stonefly's tools and tactics continue to evolve, there are some common threads between this recent activity and previous attacks, such as its ongoing development of the Preft backdoor and heavy reliance on open-source tools," said Symantec.