
Positive Technologies: Mythic Likho resumes targeted attacks on Russian critical infrastructure

Mythic Likho is evolving its toolkit and collaborating with other APT actors

The Cyberthreat Intelligence team at Positive Technologies Expert Security Center (PT ESC TI) has conducted a comprehensive analysis of Mythic Likho, an APT group targeting Russia's critical information infrastructure (CII). The attackers craft unique phishing materials for each victim, using custom malware alongside a wide array of additional tools. To store and deliver malware, the group employs compromised websites of Russian companies and fraudulent sites. Their goal is to encrypt valuable data and demand a ransom for its restoration.

Mythic Likho designs attack scenarios and phishing content based on the victim's operations, location, partners, and employees. The attackers send emails to corporate addresses, impersonating representatives of government agencies, retailers, or media outlets. Notably, the initial emails often lack malicious links; the attackers first establish trust with the recipient. To advance the attack, Mythic Likho uses a combination of compromised legitimate sites and fake sites designed to mimic the victim's industry or masquerade as legitimate services and cloud storage providers.

The group wields a diverse toolkit, including the HuLoader and ReflectPulse loaders [1], its custom-developed Loki backdoor [2], various paid and open-source malware, and about a dozen other programs. The attackers deliver these payloads disguised as official letters, contracts, receipts, invoices, photos, or resumes hosted on compromised or phishing sites. Once the backdoor is installed on the victim's network, the attackers harvest credentials, move laterally across the infrastructure, exfiltrate sensitive data, encrypt it, and leave instructions on how to restore access.

[1] A loader is a program whose purpose is to covertly deliver and launch further malware on the victim's computer.

[2] A backdoor is malicious software, or an undisclosed feature in legitimate software, that gives an attacker unauthorized access to a system.

"Mythic Likho targets large, high-revenue enterprises, primarily in mechanical engineering, mining, and manufacturing. Attackers meticulously plan every step of the attack, using complex payload delivery chains, constantly refining their software, and maintaining strict anonymity for their malicious infrastructure. Furthermore, in several campaigns, they employed tools from the arsenal of (Ex)Cobalt, another group attacking Russian organizations. This suggests Mythic Likho is composed of experienced professionals with deep technical expertise and ties to the broader cybercriminal community."

Viktor Kazakov, Lead Cyberthreat Intelligence Specialist, Positive Technologies Expert Security Center

Experts predict Mythic Likho will remain a threat to Russian critical infrastructure for the foreseeable future. Researchers recommend using network sandboxes (PT Sandbox) to extract and scan email attachments for malware, as well as PT ISIM to maintain the cyber resilience of industrial infrastructures. Essential defenses include endpoint protection with regularly updated databases (MaxPatrol EPP) and tools for detecting and responding to complex attacks (MaxPatrol EDR). MaxPatrol VM helps identify infrastructure vulnerabilities. PT NAD detects network requests related to Mythic Likho's malware and tools, while PT NGFW blocks them. MaxPatrol SIEM identifies incidents, including phishing, in real time and provides detailed information on them. Finally, experts advise consulting threat intelligence data on the PT Fusion portal to proactively strengthen defenses.