The group, which Google refers to as Exotic Lily in research published March 17, is known as an initial access broker. Such groups specialise in breaking into corporate computer networks and then selling or handing that access to other cybercriminal syndicates, which deploy malware that locks computers and demands a ransom.
The Exotic Lily group sent over 5,000 malicious emails a day, Google observed, to as many as 650 organisations around the world, often leveraging a flaw in MSHTML, a proprietary browser engine for Windows. Microsoft issued a security fix for the Windows vulnerability in late 2021. Google did not identify victims by name.
Google also observed that Exotic Lily is associated with notorious Russian-speaking ransomware group Conti. That group, accused of using digital extortion to reap US$200 million in 2021, is currently in turmoil after a suspected insider leaked a trove of internal chat logs, revealing hackers’ tactics to the public.