Behavioural Analysis

Detection Advisory: ProjectRelic and Low-Noise Threat Actors in the UK and EU

This advisory focuses on ProjectRelic, a stealth-oriented cyber threat group active across the UK and Europe, and other associated low-noise actors targeting research institutions and local government bodies. These groups typically avoid encryption-based attacks, instead favouring credential harvesting, passive data theft, and long-term access.

Victims often include public-sector universities, government contractors, and under-resourced IT departments within regional councils and civic services. These actors rarely trigger immediate alerts, operating beneath conventional detection thresholds using system-native tools and externally managed infrastructure.

Primary Threat Actor Profile: ProjectRelic

ProjectRelic is a quiet and methodical threat actor targeting academic and public-sector organisations. Its campaigns rely on exploiting weak perimeter defences and under-monitored systems. Typical targets include policy research groups, university networks, and municipal platforms hosting sensitive but non-classified data.

Its operations are characterised by:

  • Initial access via unpatched CMS, VPNs, and forgotten subdomains
  • Credential harvesting through phishing portals or previously breached credentials
  • Exfiltration of data over slow, encrypted channels (e.g., via HTTPS POST, FTP)
  • Use of lightweight custom droppers such as RelicLoader
  • Minimal lateral movement and no encryption or ransom activity

Associated Low-Noise Threat Groups

The following groups demonstrate similar techniques to ProjectRelic and may operate with comparable objectives:

  • Gallium: Chinese state-linked actor focused on telecoms and academic espionage
  • Silent Ransom (Silk Typhoon): Passive access and data extortion, often without encryption
  • APT27: Known for credential harvesting and long-term cloud persistence in research and government networks
  • TA406: Iranian actor targeting academic and public sector accounts for espionage
  • Dunghill Leak: Low-volume extortion actor leaking municipal and research data via dark web portals
  • Unknown access brokers reselling footholds in UK educational institutions and local authorities

These groups share infrastructure patterns, overlapping target sectors, and tactics such as credential abuse, living-off-the-land execution, and slow, file-based data theft.

Common Techniques Used

Initial Access

  • Exploitation of outdated CMS and legacy VPN endpoints
  • Brute force and credential stuffing using leaked password sets
  • Phishing lures impersonating grant bodies, conference invitations, or student login portals
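The brute-force and credential-stuffing pattern listed above, and the later recommendation to review admin login events for access outside typical hours or locations, can both be checked from one authentication log. The script below is an added example, not code from the advisory or its authors; the log format, the account names, the addresses, the trusted network ranges and the working-hours window are all constructed assumptions, and the thresholds would need tuning to a real baseline.

```python
"""Detections for credential stuffing / password spraying and for admin logons
outside normal hours or networks.

Added example, not part of the advisory: the log format, account names,
addresses, trusted network ranges and working-hours window are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample: one line per authentication attempt at an SSO/webmail portal.
SAMPLE_LOG = """\
2025-03-03T09:02:11Z src=10.20.4.15 user=a.khan result=OK
2025-03-03T09:03:40Z src=10.20.4.15 user=a.khan result=OK
2025-03-03T11:15:02Z src=203.0.113.7 user=j.smith result=FAIL
2025-03-03T11:15:03Z src=203.0.113.7 user=m.jones result=FAIL
2025-03-03T11:15:03Z src=203.0.113.7 user=r.patel result=FAIL
2025-03-03T11:15:04Z src=203.0.113.7 user=s.wright result=FAIL
2025-03-03T11:15:05Z src=203.0.113.7 user=l.evans result=FAIL
2025-03-03T11:15:06Z src=203.0.113.7 user=it-admin result=OK
2025-03-03T17:40:19Z src=10.20.7.2 user=it-admin result=OK
2025-03-04T02:31:55Z src=198.18.0.44 user=it-admin result=OK
2025-03-04T08:05:00Z src=198.51.100.23 user=d.brown result=FAIL
2025-03-04T08:05:30Z src=198.51.100.23 user=d.brown result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed baseline (assumptions): privileged accounts, the ranges staff normally
# authenticate from (campus LAN and the institution's VPN pool), working hours in UTC.
ADMIN_ACCOUNTS = {"it-admin"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]
WORK_HOURS = range(7, 19)   # 07:00 to 18:59
SPRAY_THRESHOLD = 5         # distinct accounts failing from a single source


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": ipaddress.ip_address(m["src"]),
                       "user": m["user"], "ok": m["result"] == "OK"})
    return events


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect_password_spray(events):
    """One source failing against many distinct accounts is stuffing/spraying,
    however slowly it goes; a per-account lockout rule would never fire."""
    failed_users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed_users[e["src"]].add(e["user"])
    return sorted(str(src) for src, users in failed_users.items()
                  if len(users) >= SPRAY_THRESHOLD)


def detect_offhours_admin(events):
    """Successful admin logon outside working hours or from an untrusted network."""
    findings = []
    for e in events:
        if not (e["ok"] and e["user"] in ADMIN_ACCOUNTS):
            continue
        reasons = []
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if not is_trusted(e["src"]):
            reasons.append("untrusted-network")
        if reasons:
            findings.append((e["ts"].isoformat(), str(e["src"]), e["user"], reasons))
    return findings


def detect_spray_then_success(events):
    """A spraying source that later succeeds is the highest-priority alert:
    the credential is most likely compromised and should be reset."""
    sprayers = set(detect_password_spray(events))
    return sorted({(str(e["src"]), e["user"]) for e in events
                   if e["ok"] and str(e["src"]) in sprayers})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("spraying sources:", detect_password_spray(evts))
    print("admin logons to review:", detect_offhours_admin(evts))
    print("spray followed by success:", detect_spray_then_success(evts))
```

The three rules are deliberately separate: the spray rule keys on the source rather than the account so that a slow, one-attempt-per-account run still accumulates, and the combined rule (a spraying source that then succeeds) is the one to page someone for.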

Credential Harvesting and Privilege Escalation

  • Browser token theft and session hijacking
  • Use of Mimikatz, WDigest, and LSASS dumps via PowerShell or batch scripts
  • Abuse of admin shares and scheduled tasks for silent lateral movement

Exfiltration Techniques

  • Export of .zip, .7z, and .tar.gz archives from university drives or council databases
  • Steady HTTP POST to cloud storage providers (Dropbox, Mega, pCloud)
  • Data uploads via unmonitored SFTP connections
  • File exfiltration camouflaged as legitimate backup or sync processes

Infrastructure and Persistence

  • Use of VPS infrastructure registered under fake university domains
  • Obfuscated PowerShell scripts stored in user temp directories
  • Scheduled tasks or Windows Services named TelemetryAgent, UpdaterService, or AuditLogger
  • Abuse of Microsoft 365 or Google Workspace for cloud-based persistence

Detection Recommendations

Institutions with constrained cyber defence budgets can still detect low-noise actors by:

  • Enabling command-line and PowerShell logging (Event IDs 4104 and 4688)
  • Monitoring for unusual archive file creation (.zip, .7z) in shared drives or academic folders
  • Detecting outbound FTP, SFTP, or repeated HTTPS POST to known file-sharing domains
  • Alerting on scheduled tasks created by unprivileged users or service accounts
  • Reviewing admin login events and audit logs for access outside typical hours or locations
  • Monitoring OAuth app registrations in Microsoft 365 or Google Workspace environments
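The host-side recommendations above (Event IDs 4104 and 4688, archive creation on shared drives, scheduled tasks created by unprivileged users) can be expressed as a handful of rules over process-creation and script-block events; the rules below also cover the credential-harvesting tooling and the TelemetryAgent/UpdaterService/AuditLogger task names listed earlier. This is an added example, not code from the advisory or its authors: the event records, usernames, paths, share roots and the list of administrative accounts are constructed, and only the task names and the tooling terms come from the advisory.

```python
"""Host-side detections over 4688 (process creation) and 4104 (script block) events.

Added example, not part of the advisory: the records, users, paths, share roots
and admin account list are constructed assumptions.
"""
import re

# Constructed sample events, already extracted into dicts from the Windows event log.
SAMPLE_EVENTS = [
    {"id": 4688, "user": "svc-backup",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" a \\fileserv\research\staging\q1.7z \\fileserv\research\grants'},
    {"id": 4688, "user": "j.smith",
     "cmd": r'schtasks /create /tn TelemetryAgent /sc minute /mo 30 /tr "powershell -w hidden -File C:\Users\j.smith\AppData\Local\Temp\t.ps1"'},
    {"id": 4104, "user": "j.smith",
     "script": "powershell -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"},
    {"id": 4688, "user": "it-admin",
     "cmd": r'schtasks /create /tn "Backup Nightly" /sc daily /tr C:\Scripts\backup.cmd'},
    {"id": 4688, "user": "r.patel",
     "cmd": r'C:\Users\r.patel\AppData\Local\Temp\pd.exe -ma lsass.exe C:\Users\r.patel\AppData\Local\Temp\l.dmp'},
    {"id": 4688, "user": "a.khan",
     "cmd": r'tar.exe -czf C:\Users\a.khan\Documents\thesis.tar.gz C:\Users\a.khan\Documents\thesis'},
]

ADMIN_USERS = {"it-admin"}                          # constructed baseline
SHARED_ROOTS = (r"\\fileserv", r"\\council-dfs")    # constructed shared-drive roots
SUSPECT_TASK_NAMES = {"telemetryagent", "updaterservice", "auditlogger"}  # from the advisory
ARCHIVE_RE = re.compile(r"\b(7z|tar|rar|winrar|zip)\.exe\b|compress-archive", re.I)
ARCHIVE_EXT_RE = re.compile(r"\.(zip|7z|tar\.gz|rar)\b", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
# Encoded command flag or FromBase64String followed by a long base64 run.
ENCODED_RE = re.compile(r"(-e(nc|ncodedcommand)?\s+|frombase64string)\s*['\"(]?[A-Za-z0-9+/=]{40,}", re.I)
# Terms the advisory names: Mimikatz, WDigest (UseLogonCredential) and LSASS dumps.
CRED_RE = re.compile(r"mimikatz|sekurlsa|lsass\.exe.*\.dmp|uselogoncredential", re.I)


def detect_archive_on_share(ev):
    """Archive tool writing or reading a shared-drive path; home folders are ignored."""
    cmd = ev.get("cmd", "")
    if not (ARCHIVE_RE.search(cmd) and ARCHIVE_EXT_RE.search(cmd)):
        return None
    if not any(root.lower() in cmd.lower() for root in SHARED_ROOTS):
        return None   # archiving one's own documents is routine
    return ("archive-on-share", ev["user"], ARCHIVE_EXT_RE.search(cmd).group(0))


def detect_suspicious_task(ev):
    """schtasks /create with a known-bad name, an unprivileged creator or a temp-dir payload."""
    cmd = ev.get("cmd", "")
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = TASK_NAME_RE.search(cmd)
    name = (m.group(1) or m.group(2)) if m else ""
    reasons = []
    if name.lower() in SUSPECT_TASK_NAMES:
        reasons.append("known-bad-name")
    if ev["user"] not in ADMIN_USERS:
        reasons.append("unprivileged-creator")
    if "\\temp\\" in low:
        reasons.append("runs-from-temp")
    return ("suspicious-task", ev["user"], reasons) if reasons else None


def detect_encoded_powershell(ev):
    """Encoded/obfuscated PowerShell in either the script block or the command line."""
    text = ev.get("script", "") + " " + ev.get("cmd", "")
    return ("encoded-powershell", ev["user"], f"event {ev['id']}") if ENCODED_RE.search(text) else None


def detect_credential_access(ev):
    m = CRED_RE.search(ev.get("cmd", ""))
    return ("credential-access", ev["user"], m.group(0)) if m else None


RULES = [detect_archive_on_share, detect_suspicious_task,
         detect_encoded_powershell, detect_credential_access]


def run_detections(events):
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def findings_by_rule(findings):
    out = {}
    for rule, user, _detail in findings:
        out.setdefault(rule, []).append(user)
    return out


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The archive rule intentionally stays quiet for a user zipping their own Documents folder; without that exclusion it would drown the shared-drive signal in routine activity.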

Implement data loss prevention (DLP) policies where possible to detect sensitive document movement. Even simple DLP rules monitoring for file uploads over 1MB can help reveal staging behaviour.
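The exfiltration techniques listed earlier (steady HTTP POST to file-sharing providers, unmonitored SFTP, staged archives) and the simple 1 MB upload rule suggested here can all be run over one outbound proxy/firewall log. The following is an added example, not code from the advisory or its authors: the log format, internal addresses, hostnames and thresholds are constructed; only the provider names and the 1 MB figure come from the advisory.

```python
"""Outbound-traffic detections for low-and-slow exfiltration.

Added example, not part of the advisory: the log format, internal ranges,
hostnames and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed sample: one line per outbound connection; bytes = bytes sent outbound.
SAMPLE_LOG = """\
2025-03-05T09:00:00Z src=10.20.4.15 dst=sso.example.ac.uk port=443 method=POST bytes=900
2025-03-05T14:10:00Z src=10.20.7.2 dst=www.example.gov.uk port=443 method=POST bytes=2048
2025-03-05T14:12:00Z src=10.20.7.2 dst=mega.nz port=443 method=POST bytes=1500000
2025-03-05T22:01:03Z src=10.20.4.15 dst=content.dropboxapi.com port=443 method=POST bytes=524288
2025-03-05T22:11:10Z src=10.20.4.15 dst=content.dropboxapi.com port=443 method=POST bytes=524288
2025-03-05T22:21:44Z src=10.20.4.15 dst=content.dropboxapi.com port=443 method=POST bytes=524288
2025-03-05T22:31:09Z src=10.20.4.15 dst=content.dropboxapi.com port=443 method=POST bytes=524288
2025-03-05T23:15:40Z src=10.20.9.33 dst=203.0.113.50 port=22 method=- bytes=3145728
2025-03-06T08:30:00Z src=10.20.9.33 dst=10.20.1.9 port=22 method=- bytes=40960
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
                     r"method=(?P<method>\S+) bytes=(?P<bytes>\d+)$")

FILE_SHARE_DOMAINS = ("dropbox.com", "dropboxapi.com", "mega.nz", "pcloud.com")  # from the advisory
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
ONE_MB = 1_048_576              # the advisory's 1 MB DLP threshold
WINDOW = timedelta(hours=1)     # assumption: window that defines "repeated" POSTs
POST_THRESHOLD = 3
FILE_TRANSFER_PORTS = {21, 22}  # FTP and SFTP/SSH


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": m["src"], "dst": m["dst"], "port": int(m["port"]),
            "method": m["method"], "bytes": int(m["bytes"]),
        })
    return events


def file_share_domain(host):
    """Return the matching provider domain for a host (exact or subdomain), or None."""
    host = host.lower()
    for d in FILE_SHARE_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def is_internal(dst):
    try:
        return any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETWORKS)
    except ValueError:
        return False   # hostnames are treated as external


def detect_large_uploads(events):
    """Simple DLP-style rule: any single outbound transfer over 1 MB."""
    return [e for e in events if e["bytes"] > ONE_MB]


def detect_repeated_posts(events):
    """Repeated POSTs from one host to one file-sharing provider within WINDOW.
    Reports the busiest window's count and cumulative bytes, so a series of
    small uploads that together exceed 1 MB is surfaced even though no single
    request would trip the large-upload rule."""
    groups = defaultdict(list)
    for e in events:
        d = file_share_domain(e["dst"])
        if d and e["method"] == "POST":
            groups[(e["src"], d)].append(e)
    findings = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best = (0, 0)
        for i in range(len(evs)):
            j, total = i, 0
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= WINDOW:
                total += evs[j]["bytes"]
                j += 1
            best = max(best, (j - i, total))
        if best[0] >= POST_THRESHOLD:
            findings[key] = best
    return findings


def detect_outbound_file_transfer(events):
    """FTP/SFTP to destinations outside the internal ranges."""
    return [(e["src"], e["dst"], e["port"]) for e in events
            if e["port"] in FILE_TRANSFER_PORTS and not is_internal(e["dst"])]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("large uploads:", [(e["src"], e["dst"], e["bytes"]) for e in detect_large_uploads(evts)])
    print("repeated POSTs:", detect_repeated_posts(evts))
    print("external FTP/SFTP:", detect_outbound_file_transfer(evts))
```

In the sample, the four 512 KB POSTs to Dropbox never individually cross 1 MB, which is exactly the behaviour the advisory describes; the windowed rule catches them by count and cumulative volume, while the single 1.5 MB POST to Mega and the 3 MB SFTP session to an external address are caught by the simpler rules.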

Response and Mitigation

If you suspect an intrusion linked to ProjectRelic or similar threat actors:

  1. Conduct triage on all perimeter services: CMS, VPN, RDP, and webmail
  2. Review backup integrity and offsite storage status
  3. Reset credentials for affected accounts and revoke OAuth tokens
  4. Investigate cloud storage activity logs for file uploads, sharing links, and new device registrations
  5. Engage with a specialist incident response provider for forensic investigation
  6. Prepare for public disclosure if any PII or research data is confirmed to be exposed

Ensure that IT teams are trained to identify passive threat behaviour and that security alerts are reviewed in the context of user and system baselines.

Sector-Specific Guidance

For research institutions

  • Secure access to academic journal portals, student portals, and research collaboration platforms
  • Monitor grant applications and sensitive research IP repositories
  • Protect faculty accounts and SSO integrations across student services

For local government and regional councils

  • Harden document sharing systems, internal bid management platforms, and legacy portals
  • Isolate public-facing services from internal networks
  • Ensure strong authentication and logging on email, HR, and procurement systems

Conclusion

Low-noise threat actors like ProjectRelic pose a serious but often overlooked risk to academic and public-sector institutions. By exploiting weak credentials, unpatched infrastructure, and poor visibility, these actors extract valuable data while remaining undetected for extended periods.

UK institutions must adopt a detection mindset that prioritises visibility, access control, and outbound monitoring, even in the absence of traditional malware or encryption activity.
