Russia/Ukraine Update - August 2022

August 25, 2022

Since the military invasion of Ukraine, both Russia and Ukraine continue to conduct cyberattacks to gain information, cause disruption and create a climate of intimidation. Additionally, many threat actors and groups have announced their support of one country or the other, groups have split, and others have turned on each other due to the conflict. As tensions have escalated, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian military actions and estimated cyber-related implications in advisories and Optiv Source Zero blog posts on February 4, February 22, February 24 and June 30. In this update, we’ll provide information on the events of the previous 30 days and what we can expect looking forward.

Destructive cyberattacks have been one part of Russia’s strategic movement through Ukraine. But as other countries come to Ukraine’s aid, Russia has moved its targeting beyond Ukraine’s borders. While most of the cyberattacks targeting Ukraine were wiper attacks meant to cause disruptions and distractions that facilitated Russia’s military physically moving in, cyberattacks targeting other countries have been found to be espionage-type attacks. There have been 128 reported targets in 42 countries that represent a range of strategic espionage targets. Nearly half of the targets were government agencies and roughly 12% were within the Institutions and Organizations vertical, which includes humanitarian groups providing aid to Ukraine’s civilian population and supporting refugees. The remaining victims were companies involved in critical defense or other economic support.

[Image: russia_ukraine_update822_img1.png]

Figure 1: Countries outside Ukraine targeted by Russian cyber espionage since the start of the war in Ukraine (Source: Microsoft)

While most attacks have targeted NATO members, Russia’s cyber espionage attacks have targeted organizations in the United States. Additional attacks have targeted Poland, Latvia, Lithuania, Denmark, Norway, Finland and Sweden. According to Microsoft, the attacks launched by Russia against countries other than Ukraine have been successful 29% of the time. Russian APT groups have extremely sophisticated capabilities to implant code, obtain and exfiltrate sensitive information and deploy additional malware payloads.

Disinformation Campaigns

Disinformation campaigns serve to create a sense of distrust and division between allies and neighbors. Disinformation clouds the judgement and weakens the collective response of allies while the focus is on figuring out the facts. Both delays in response and division can have catastrophic consequences during a time of war. Security researchers with Google’s Threat Analysis Group (TAG) reported that in the month of June 2022, four YouTube channels and one AdSense account were terminated in relation to coordinated influence operations linked to Russia and Azerbaijan.

People around the world have turned to social media, including Facebook, Twitter, TikTok and YouTube, to stay updated on the Russia/Ukraine war. Ukrainians use these platforms to show the real effects this war is having on cities and individuals, as well as to raise money for supporting refugees and gain support from other countries. Russia uses the same platforms to obscure facts about the situation and spread disinformation and misinformation.

Several Telegram channels have been identified spreading misinformation. On May 10, 2022, for example, one account claimed that Polish forces, along with troops from Lithuania, were planning to invade western Ukraine on May 22, 2022. Other disinformation campaigns have attempted to undermine and divide the Western coalition, including articles posted on both Russia Today (RT) and South Front. An article from June 09, 2022, stated that Western citizens are less likely to believe in their leaders, but more likely to support their government’s decisions to place sanctions against Russia. Another article, published on June 03, 2022, claimed that the U.S. government has made beating Russia in Ukraine a top priority while sacrificing the safety and needs of its citizens.

Lastly, efforts have been made to portray refugees from Ukraine in a negative light to citizens of the countries to which they are fleeing. Russian news and Telegram sources, including interviews posted on June 07, 2022, featured alleged Russian citizens living in Poland stating that Russians were being denied employment and rental opportunities, were enduring psychological pressure from Ukrainian refugees and were afraid of being attacked by them.

[Image: russia_ukraine_update822_img2.png]

Figure 2: Identified memes that depict alleged German sentiment toward Ukrainian migrants. (Source: Recorded Future)

In addition to undermining and dividing the Western coalition on Ukraine, multiple disinformation campaigns have aimed at portraying Ukraine as the source of Nazism and modern-day fascist movements. This misinformation is Likely meant to reduce Western support for Ukraine and influence public opinion of Russia in this war. On June 06, 2022, an article in Global Research, a pro-Kremlin website, stated that the U.S., which fought against Nazis in WWII, is now training and financially supporting Nazis in Ukraine.

Disinformation and misinformation can come from all types of sources, including Russian state media organizations, pro-Russian accounts, social media, fake groups, alternative theory groups and individuals that wish to support Russia’s actions. Oftentimes these statements and accusations are corroborated through non-verified sources or are poorly sourced in general. It’s Likely that Russian supporters will continue to spread disinformation to garner additional support for Russia and attempt to divide the Western coalition.

Continued Cyberattacks

In June 2022, the Russian government warned the U.S. and its allies that they risk a “direct military clash” if cyberattacks on its infrastructure continue. That same month, the website of Russia’s Ministry of Construction, Housing and Utilities was hacked and defaced, with the message “Glory to Ukraine” posted on the homepage. Russia’s foreign ministry blamed threat actors in the U.S. and Ukraine for the increasing attacks on critical infrastructure and state institutions. Websites of Russian state-owned companies (banks, airlines and alcohol distribution portals) and government agencies have been increasingly targeted in DDoS attacks. Other attacks have included espionage and wiper malware attacks.

While Russia faces increased attacks from threat actors across the world, Ukraine continues to face cyberattacks from Russian state-backed APT groups and from threat actors that support Russia’s actions. Turla, an advanced persistent threat group attributed to Russia’s Federal Security Service (FSB), was observed hosting Android apps on a domain spoofing the Ukrainian Azov, a unit of the National Guard of Ukraine. The apps were hosted on a domain controlled by the actor and disseminated via links on third-party messaging services. Turla distributed the app under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the purported “DoS” consisted of only a single GET request.

Both APT28 and Sandworm, Russian APT groups, were observed conducting campaigns exploiting the Follina vulnerability (CVE-2022-30190). One campaign conducted by Sandworm involved phishing emails with the subject “LIST of links to interactive maps” and a malicious document attachment. The attackers targeted more than 500 recipients at various media organizations in Ukraine. Sandworm has targeted Ukraine consistently over the previous 24 months, and its activity has increased significantly since the Russian invasion of Ukraine.

In July 2022, the Ukrainian Computer Emergency Response Team (CERT) warned that the Russia-based APT group APT28 was believed to be sending emails containing a malicious document named “Nuclear Terrorism A Very Real Threat.rtf”. The attackers Likely used this name to lure victims into opening the attachment, exploiting the fear Ukrainians have over a potential nuclear attack. The document attempted to exploit the Follina vulnerability to download and launch the CredoMap malware on a target’s device. CredoMap is information-stealing malware that has previously been used by APT28 against Ukrainian organizations.

Another attack, by a threat actor tracked as UAC-0098, delivered phishing emails impersonating the State Tax Service of Ukraine, with the Follina exploit documents placed inside password-protected archives. Based on overlaps in infrastructure, tools and a unique crypter, it has been assessed with Moderate Confidence that this threat actor is a former Initial Access Broker that worked with the Conti ransomware group. The threat actor deployed a Cobalt Strike beacon, which is frequently used to deploy ransomware against victims.
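
A triage check for the Follina lure documents described in the three preceding paragraphs, added here as an example and not code from Optiv, CERT-UA or any of the cited reports. It rests on the publicly documented indicators (a .docx relationship to a remote OLE object, the ms-msdt: handler reference, the RTF \objupdate control word); the host name, the minimal .docx it builds and the RTF fragment are constructed test inputs, not samples from the page.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Triage filter for the Follina (CVE-2022-30190) lure documents described above.
# Public .docx samples carry a relationship to a remote OLE object whose HTML then
# invokes the ms-msdt: protocol handler; RTF lures use \objupdate so the object
# loads on open or preview. A hit means "detonate in a sandbox", not a verdict.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)

def scan_docx(data: bytes) -> list:
    """Return findings for a .docx blob; an empty list means no indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):  # relationship parts list every external target
                for rel in ET.fromstring(content).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_TYPE:
                        findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
            if MSDT_RE.search(content):  # handler reference embedded directly in a part
                findings.append(f"{name}: ms-msdt: handler reference")
    return findings

def scan_rtf(data: bytes) -> list:
    """Return findings for an RTF blob (the .rtf lure in the APT28 report above)."""
    findings = []
    if MSDT_RE.search(data):
        findings.append("rtf: ms-msdt: handler reference")
    if b"\\objupdate" in data:
        findings.append("rtf: \\objupdate control word")
    return findings

def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx (not a real sample) used to exercise scan_docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed inputs (placeholder host, not an indicator from the page): suspicious, benign, RTF.
SUSPICIOUS_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId5" Type="{OLE_TYPE}" '
                   'Target="http://lure.example/page.html!" TargetMode="External"/></Relationships>')
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId2" Target="media/image1.png" '
               'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>'
               '</Relationships>')
SAMPLE_RTF = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0000}}ms-msdt:/id PCWDiagnostic}"
```

Run it against attachments quarantined from mail flow; a benign document with only local image relationships produces no findings, while either indicator routes the file to sandbox analysis.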

Looking forward

Along with heavy warfare and fighting in Ukraine between armies, cyberspace has become and remains a secondary battlefield between Russia and Ukraine. Additionally, Russia-based threat actors have targeted countries that are supporting Ukraine, including the EU and the U.S. It’s Likely that both countries will continue to expand their cyberattacks in an attempt to collect intelligence and disrupt operations. It is Likely that Russian cybercriminals and supporters will continue disinformation campaigns in an attempt to gain support for the war and divide the Western coalition.

Along with the physical conflict in Russia’s invasion of Ukraine, it’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software and malware.

In addition to multiple vulnerabilities, it’s Likely that cybercriminals will use common software and malware in the coming months, such as:

  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware vCenter, ESXi, vSphere, vAccess
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Content Management System (CMS) platforms – WordPress, Joomla!, Drupal, Magento, Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho ManageEngine
  • LogMeIn
  • TeamViewer

Tactics and Techniques:

Tactic                  Technique   Procedure
Reconnaissance          T1593       Search Open Websites/Domains
                        T1595.002   Active Scanning: Vulnerability Scanning
Resource Development    T1587.003   Digital Certificates
                        T1586       Compromise Accounts
                        T1584.005   Compromise Infrastructure: Botnet
Initial Access          T1133       External Remote Services
                        T1190       Exploit Public-Facing Application
                        T1566       Phishing
                        T1078       Valid Accounts
                        T1199       Trusted Relationship
Execution               T1072       Software Deployment Tools
                        T1059       Command and Scripting Interpreter
                        T1203       Exploitation for Client Execution
                        T1204       User Execution
                        T1204.001   User Execution: Malicious Link
                        T1204.002   User Execution: Malicious File
Persistence             T1053       Scheduled Task/Job
                        T1098       Account Manipulation
Privilege Escalation    T1611       Escape to Host/Exploitation for Privilege Escalation
                        T1078.001   Valid Accounts: Default Accounts
                        T1078.002   Valid Accounts: Domain Accounts
Defense Evasion         T1127       Trusted Developer Utilities Proxy Execution
                        T1497       Virtualization/Sandbox Evasion
                        T1562.001   Impair Defenses: Disable or Modify Tools
                        T1562.002   Impair Defenses: Disable Windows Event Logging
                        T1055.001   Process Injection: Dynamic-link Library Injection
Credential Access       T1212       Exploitation for Credential Access
                        T1003       OS Credential Dumping
                        T1110       Brute Force
Discovery               T1120       Peripheral Device Discovery
                        T1083       File and Directory Discovery
                        T1135       Network Share Discovery
                        T1518       Software Discovery
Lateral Movement        T1210       Exploitation of Remote Services
                        T1570       Lateral Tool Transfer
Collection              T1213       Data from Information Repositories
Exfiltration            T1041       Exfiltration Over C2 Channel
Impact                  T1485       Data Destruction
                        T1486       Data Encrypted for Impact
                        T1489       Service Stop
                        T1489.001   Network Denial of Service – Direct Network Flood
                        T1531       Account Access Removal

It’s Likely that the U.S. and other Western coalition countries will remain attractive targets for Russia-based threat actors for financial gain and espionage attacks. It’s Likely that if the United States imposes harsher and broader sanctions and embargos on Russia, the fallout will result in nearly all ransomware groups being placed under severe restrictions through the U.S. Treasury’s Office of Foreign Asset Control (OFAC). This would result in the inability of ransomware victims in the U.S. to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems.

When Russia invaded Ukraine, U.S.-based organizations began pulling their business from Russia. Multiple ransomware groups, including REvil, Conti and LockBit 2.0, are based in Russia and target multiple U.S.-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks and nation-state groups – such as APT28, APT29 and Sandworm – highlight Russia’s ability to create severe disruption and chaos in the United States. U.S.-based organizations are historically attractive targets, and it’s Likely that U.S. companies will continue to be targeted, whether by threat actors based in Russia or by those in support of the Kremlin’s invasion of Ukraine.

References

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK
https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
https://blog.google/threat-analysis-group/tag-bulletin-q2-2022/
https://t.me/baltnews/14510
https://www.rt.com/russia/556770-west-anti-russia-propaganda/?utm
https://www.globalresearch.ca/us-battled-ww-ii-nazis-today-us-side-by-side-ukraine/5782550
https://southfront.org/the-u-s-governments-top-priority-now-is-to-defeat-russia-in-ukraine/
https://go.recordedfuture.com/hubfs/reports/ta-2022-0707.pdf
https://cert.gov.ua/article/339662
https://cert.gov.ua/article/341128

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
