Russia/Ukraine Update - December 2022

December 20, 2022

As the Russian invasion of Ukraine enters its eleventh month, cyber warfare activity continues on both sides.


Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on the Russia-Ukraine conflict and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31 and November 29. This update will provide information on the events of the previous 30 days and what we can expect looking forward.


Russia

As reported at the CyberwarCon security conference in November, Russian APT groups targeting Ukraine have shifted tactics and are now working to gain access faster in order to conduct destructive attacks. Mandiant researchers attributed this tactical change to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) and dubbed it “living on the edge,” in reference to the edge devices being targeted, such as firewalls, routers and email servers. Instances of these types of attacks include:


  • An April 2021 attack that involved GRU-linked attackers gaining access to a victim organization via its firewall. This access also led to the attackers deploying a wiper malware against the organization in February and March 2022.
  • A June 2021 attack that involved GRU-linked attackers exploiting stolen credentials to log into a previous victim’s Zimbra mail server and regain access for espionage purposes.
  • A 2021 attack where GRU-linked attackers targeted an organization’s routers through a technique known as GRE tunneling, allowing them to create a backdoor into the victim’s network. Attackers then deployed a wiper malware against the victim at the start of the Russian invasion of Ukraine in February 2022.
  • A January 2022 attack in which a GRU-linked APT group exploited the ProxyShell vulnerabilities in Microsoft Exchange servers to gain a foothold in an organization. One month later, the group deployed a wiper malware at the start of the Russian invasion.


Threat groups associated with the GRU have used this quick-intrusion tactic before. In the cases above, it has allowed GRU-linked groups to maintain access to victims that became prime targets once the invasion of Ukraine began. While this tactic remains rare in the overall landscape, there is an Even Chance that Russia-linked threat groups will increase its use, moving away from typical phishing attacks.


Sandworm

November also saw new ransomware attacks linked to the notorious Russian military threat group, Sandworm. The ransomware, RansomBoggs, was discovered on multiple Ukrainian organizations’ networks. The malware is written in .NET, and its deployment resembled other Sandworm attacks. For instance, the PowerShell script used to distribute the malware from the domain controller is nearly identical to the one observed in April 2022 during the Industroyer2 attacks against the energy vertical. Additionally, the script used to deploy the ransomware on the victims’ networks, PowerGap, was also used in March 2022 to deliver the CaddyWiper malware. While the ransomware variant itself isn’t highly sophisticated, the group appears to be interested in operational disruption rather than financial profit.


RansomBoggs contains multiple references to the Pixar movie Monsters, Inc. in its code and ransom note. The note appears to be written on behalf of the movie’s main protagonist, James P. Sullivan, whose job is to scare children. In the note, named SullivanDecryptsYourFiles.txt, “Sullivan” asks for financial help and apologizes for the inconvenience. The attackers’ Telegram account and the executable are similarly named, and victims are instructed to contact the attackers via the email address m0nsters-inc[at]proton.


The ransomware generates a random key, encrypts that key with RSA and uses it to encrypt files with AES-256 in CBC mode. The ransom note, however, claims the ransomware uses AES-128. Encrypted files are appended with “.chsch” and, depending on the malware variant, the RSA public key is either hardcoded in the malware sample itself or provided as an argument.


Sandworm was also linked to Prestige ransomware attacks targeting transportation companies in Ukraine and Poland in October. All of these attacks occurred within an hour, and the group’s multiple deployment methods included the use of Windows scheduled tasks, encoded PowerShell commands and the Default Domain Group Policy Object. According to Microsoft’s Threat Intelligence Center (MSTIC), this ransomware was attributed to IRIDIUM (Microsoft’s name for Sandworm) based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities and infrastructure with previous victims of the HermeticWiper (aka FoxBlade) malware.


Before Sandworm deployed the Prestige ransomware, the group used two utilities: RemoteExec, a commercially available tool for agentless remote code execution, and Impacket WMIexec, an open-source, script-based solution for remote code execution. The group was also observed using WinPEAS, comsvcs.dll and ntdsutil.exe for privilege escalation and credential extraction.


Though the initial access vector isn’t known, it’s Likely that the attackers had previous access to highly privileged credentials, given the overlap with other attacks. The Prestige ransomware leverages the CryptoPP C++ library to AES-encrypt each targeted file and appends the file with “.enc”. One version of the analyzed ransomware included a hardcoded RSA X509 public key. Like other ransomware variants, Prestige deletes the backup catalog and all volume shadow copies.
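As an added illustration of how a defender could hunt for the Prestige deployment and credential-theft tradecraft described above (this is example code, not Optiv’s or Microsoft’s), the routine below scans process-creation events for shadow-copy and backup-catalog deletion, scheduled-task creation, ntdsutil and comsvcs.dll credential dumping, and decodes encoded PowerShell so that commands hidden inside it are scanned as well. The event schema, hostnames and sample command lines are constructed for the example; the ATT&CK IDs are standard ones.

```python
"""Triage of process-creation events for the Sandworm/Prestige deployment and
credential-theft tradecraft. Added example; event schema and samples are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str     # process image name as logged, e.g. powershell.exe
    cmdline: str   # full command line as logged


# (rule name, ATT&CK technique, pattern over "image cmdline")
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", "T1490",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("scheduled_task_creation", "T1053.005",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("ntds_extraction_ntdsutil", "T1003.003",
     re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("lsass_dump_comsvcs", "T1003.001",
     re.compile(r"rundll32(\.exe)?\b.*comsvcs\.dll.*MiniDump", re.I)),
]
# -EncodedCommand and its abbreviations, followed by a base64 blob
ENCODED_PS = re.compile(
    r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_rules(ev: ProcEvent):
    """All (rule, technique) hits for one event, including hits inside decoded PowerShell."""
    text = f"{ev.image} {ev.cmdline}"
    hits = [(n, t) for n, t, rx in RULES if rx.search(text)]
    decoded = decode_encoded_powershell(text)
    if decoded is not None:
        hits.append(("encoded_powershell", "T1059.001"))
        # Re-scan the decoded script: deletion of recovery data is typically hidden there.
        hits += [(n, t) for n, t, rx in RULES if rx.search(decoded) and (n, t) not in hits]
    return hits


def triage(events):
    """Map host -> sorted list of distinct (rule, technique) for hosts with any hit."""
    per_host = {}
    for ev in events:
        for hit in match_rules(ev):
            per_host.setdefault(ev.host, set()).add(hit)
    return {h: sorted(s) for h, s in per_host.items()}


def encode_command(script: str) -> str:
    # Encode a script the way -EncodedCommand expects; used only to build sample data.
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events; hostnames, paths and the task name are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("dc01", "powershell.exe", "powershell.exe -nop -w hidden -enc "
              + encode_command("vssadmin delete shadows /all /quiet; wbadmin delete catalog -quiet")),
    ProcEvent("srv07", "schtasks.exe",
              'schtasks /create /tn "Updater" /tr C:\\Windows\\Temp\\upd.exe /sc onstart /ru SYSTEM'),
    ProcEvent("dc01", "ntdsutil.exe", 'ntdsutil "ac i ntds" ifm "create full C:\\tmp\\out" q q'),
    ProcEvent("ws12", "rundll32.exe", "rundll32.exe comsvcs.dll MiniDump 624 C:\\tmp\\l.dmp full"),
    ProcEvent("ws15", "powershell.exe", "powershell.exe -Command Get-Service"),  # benign
]
```

Running `triage(SAMPLE_EVENTS)` groups hits per host, so the domain controller that both decoded the recovery-data deletion and ran ntdsutil surfaces with four distinct techniques while the benign host produces no entry.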


Killnet

In November, the Russia-aligned hacking group, Killnet, claimed responsibility for significant disruption to multiple websites and organizations in the U.K. via DDoS attacks. The group declared retaliation for the U.K.’s support for Ukraine and claimed that future attacks would target government and healthcare websites, including the London Stock Exchange, the British Army and the Banker’s Automated Clearing System.



Figure 1: Victims listed on Killnet Telegram Channel


In December, security researchers with Lupovis reported that Russian hackers used hijacked networks of organizations in the U.K., the U.S., France, Brazil and South Africa to launch attacks on Ukraine. To lure Russian threat actors and obtain information about their TTPs and overall goals, Lupovis created decoys with honeyfiles that appeared to contain critical information, such as usernames and passwords. Web portals were also designed to mimic Ukrainian government and political sites, and were configured to insecurely attempt to authenticate to an API. High-interaction decoys and SSH services were then configured to accept the faux credentials exposed by the portals.


Based on this experiment, researchers found that Russian cybercriminals successfully compromised the networks of multiple global organizations – a Fortune 500 company, more than 15 healthcare organizations and a dam monitoring system. Russian cybercriminals were discovered rerouting through these legitimate networks to launch cyberattacks on Ukraine. In the attacks, researchers observed hackers targeting the decoys, conducting reconnaissance and recruiting them into bots to perform DDoS attacks.


Additional attacks included targeted SQL injection, remote file inclusion, Docker exploitation, credential theft and exploitation of known vulnerabilities. Compared to unrelated decoys, Ukrainian decoys suffered significantly more DDoS attacks, indicating that organizations residing in or supporting Ukraine are Very Likely to be targeted more often.


Callisto

In December, the Russia-linked cyberespionage group, Callisto, targeted multiple organizations providing war support for Ukraine, including public and private enterprises in the U.S. and Europe. A highly persistent threat actor, Callisto (aka Seaborgium, Coldriver and Blue Callisto) targets the same organizations over long periods of time, using constant impersonation, rapport building and phishing to slowly deepen its intrusion. Active since at least 2017, the group has previously been observed conducting attacks on behalf of the Russian government and primarily focuses on defense and intelligence consulting companies, intergovernmental organizations, think tanks and higher education. In August, MSTIC took actions to disrupt campaigns launched by the group.


Despite Microsoft’s actions to disrupt its infrastructure, Callisto continued its phishing and credential harvesting operations, focusing on verticals of interest to Russia. Targeted organizations included a military equipment company in Poland, logistics companies in the U.S. and Ukraine, a military and tactical equipment provider in the U.S., a cybersecurity firm in Estonia and a U.S. satellite communications firm. Additional victims supported Ukraine publicly and included the International Center on Nonviolent Conflict, the Commission for International Justice and Accountability, the Centre of Humanitarian Dialogue and the Foundation for Support of Reforms in Ukraine.


Brute Ratel

In December, Microsoft warned that Russian-sponsored cyberattacks are Likely to continue targeting Ukrainian infrastructure and NATO allies in Europe and the U.S. throughout the winter. So far, researchers have observed a pattern of targeted attacks on infrastructure in Ukraine by Sandworm in association with missile strikes, and also accompanied by propaganda campaigns to undermine Western support for Ukraine.


Researchers also observed Russia-linked threat actors, including APT29 and Conti ransomware affiliates, using a legitimate red-teaming attack simulation tool, Brute Ratel. Used as an alternative to Cobalt Strike for Defense Evasion, Command and Control and Persistence, Brute Ratel is designed to avoid discovery by endpoint detection and response (EDR) and antivirus tools. Its other capabilities include exploiting vulnerable software and services that appear on the Optiv gTIC prioritized software and protocols list, including SMB. While Brute Ratel isn’t as widespread as the continued use of Cobalt Strike, it’s Likely that threat actors will keep searching for alternatives to commonly known and detected malware and tools.


China

In December, the China-linked APT group, Mustang Panda (aka Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich), used lures related to the Russia-Ukraine war to attack entities in Europe and the Asia Pacific. The group is known to use malicious attachments in phishing emails to gain initial access and to deploy the PlugX remote access trojan.


In the recently observed campaign, Mustang Panda targeted the government, education and research verticals with phishing attacks that led to the deployment of PUBLOAD, TONEINS and TONESHELL. The malicious file used in the campaign was named “Political Guidance for the new EU approach towards Russia.rar”. In the group’s commonly observed tactic, the RAR archive contains a shortcut to a Microsoft Word file that leverages DLL side-loading to start execution of PlugX in memory.


Mustang Panda has a history of delivering the PlugX malware using lures related to current events like COVID-19, the regulation of the European Parliament and military exercises. PlugX has been leveraged by China-linked threat groups for more than 10 years, and this recurring use supports Optiv gTIC’s assessment that these actors continue to use older, previously successful tools, malware and tactics to conduct cyberattacks.


Ukraine

In December, the Russian-language news outlet, Izvestia, reported that bad actors were targeting Russian citizens, specifically employees of Russia-based financial institutions. Threat actors were reportedly using Telegram and Dark Web forums to recruit these employees, asking them to leak their employer’s data in exchange for “foreign” passports and relocation to “Western” countries. The news outlet cited two unnamed informants who work in Russia’s financial services vertical. Additionally, the director of Rostelekom-Solar, a Russia-based cybersecurity intelligence company, confirmed the bribes were offered on Telegram.


At the time of this update, the actors offering these bribes are not known, but actors have increasingly targeted Russia-based organizations with data breaches and cyberattacks since the invasion of Ukraine. It’s Likely the actors are offering an escape from war and partial mobilization as an attractive lure. There’s an Even Chance that the threat actor recruiting these employees is operating in support of Ukraine and attempting to leak data from Russia-based organizations as retaliation for the invasion of the country. However, as the bribes and lures were reported by a Russia-based news outlet and confirmed by a Russia-based company, the reliability of the report cannot be assessed.


CryWiper

In December, Russian government agencies, including mayors’ offices and courts, were targeted with a new C++ based wiper malware, CryWiper, which is configured to establish persistence via a scheduled task and to communicate with a command and control (C2) server to initiate the malicious activity. In the attack, the malware terminates processes related to database and email servers, deletes shadow copies of files and modifies the Windows Registry to prevent RDP connections. The wiper then corrupts files, avoiding those with “.exe”, “.dll”, “.lnk”, “.sys” and “.msi” extensions. Files are overwritten with random garbage data and appended with “.CRY”, and the malware even attempts to disguise itself as ransomware with a note demanding 0.5 Bitcoin. But because the malware overwrites and destroys the contents of files rather than encrypting them, paying the ransom demand does not lead to data recovery.


CryWiper is the second faux ransomware used to target Russia-based organizations, the first being RURansom in March. Wiper malware like this is probably preferred by threat actors because its development time is low, it doesn’t require high sophistication to cause destruction and operational disruption, and it is Likely profitable because it is disguised as a ransomware variant. As with RURansom, it’s Likely CryWiper was used to cause disruption in retaliation for, or in support of, Ukraine. There’s also an Even Chance that wiper malware will continue to be used against Russia-based organizations over the next 12 months.


Outlook

Since the invasion of Ukraine in February, Russia-linked and Russia-supporting groups have conducted cyberattacks and spread disinformation in an attempt to gather information and show their support for Russia. However, the larger strikes intending to cripple critical Ukrainian infrastructure, such as its electrical grid, haven’t been as successful as expected. In successful attacks, Ukraine has recovered quickly to restore systems and communications.


Russia’s cyber capabilities have proven significant in previous cyberattacks linked to its associated threat groups. But with many state-sponsored and -supported groups linked to military organizations focused on the physical war, it’s Likely that resources typically allocated to cyber capabilities are currently dedicated elsewhere. Additionally, the U.S. and other NATO countries, as well as companies such as Microsoft, have offered support to Ukrainian experts, including hands-on recovery efforts, communication devices and assistance to critical infrastructure operators, as well as financial and technical help to improve resilience against cyberattacks.


Despite reports that Russia-linked groups have not been as successful as expected, there’s an Even Chance that these groups could begin targeting critical infrastructure verticals, such as energy, government, manufacturing and transportation, in destructive cyberattacks that include wiper or ransomware malware. There’s an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military action sees setbacks, such as the retreat from Kherson.


It’s Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for espionage and financial gain. It’s Likely that as NATO countries, including the U.S., offer support to Ukraine for both cyber and physical warfare, they’ll be targeted by Russia-linked or -supporting threat actors with DDoS attacks, wiper malware, information stealing and ransomware attacks. Other countries with a history of state-sponsored and/or APT attacks that are indirectly aligned with, or maintain a suspicious neutrality towards, Russia include China and India, which could also pose additional risks or act as proxies for cyberattacks.


It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely because the same techniques continue to succeed and because reusing open-source and commercially available tools, software and malware requires minimal resources.


In addition to multiple vulnerabilities, Optiv’s gTIC assesses it’s Likely that cybercriminals and fringe state-sponsored campaigns will target or use the following common protocols, software and tools in the coming months:


  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware vCenter, ESXi, vSphere, vAccess
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Content management system (CMS) platforms
  • WordPress, Joomla!, Drupal, Magento, Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho ManageEngine
  • LogMeIn
  • TeamViewer


It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.


Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the Russia-Ukraine war


| Tactic | Technique | Description |
|---|---|---|
| Reconnaissance | T1593 | Search Open Websites/Domains |
| | T1595.002 | Active Scanning: Vulnerability Scanning |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server |
| | T1584.005 | Compromise Infrastructure: Botnet |
| | T1586 | Compromise Accounts |
| | T1587.003 | Develop Capabilities: Digital Certificates |
| | T1588.002 | Obtain Capabilities: Tool |
| | T1588.003 | Obtain Capabilities: Code Signing Certificates |
| Initial Access | T1078 | Valid Accounts |
| | T1078.002 | Valid Accounts: Domain Accounts |
| | T1133 | External Remote Services |
| | T1190 | Exploit Public-Facing Application |
| | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain |
| | T1199 | Trusted Relationship |
| | T1566 | Phishing |
| | T1566.001 | Phishing: Spearphishing Attachment |
| | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1047 | Windows Management Instrumentation |
| | T1059 | Command and Scripting Interpreter |
| | T1059.001 | Command and Scripting Interpreter: PowerShell |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| | T1059.007 | Command and Scripting Interpreter: JavaScript |
| | T1072 | Software Deployment Tools |
| | T1106 | Native API |
| | T1203 | Exploitation for Client Execution |
| | T1204 | User Execution |
| | T1204.001 | User Execution: Malicious Link |
| | T1204.002 | User Execution: Malicious File |
| | T1569.002 | System Services: Service Execution |
| Persistence | T1053 | Scheduled Task/Job |
| | T1098 | Account Manipulation |
| | T1098.001 | Account Manipulation: Additional Cloud Credentials |
| | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
| | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking |
| Privilege Escalation | T1055.002 | Process Injection: Portable Executable Injection |
| | T1078.001 | Valid Accounts: Default Accounts |
| | T1078.002 | Valid Accounts: Domain Accounts |
| | T1134.001 | Access Token Manipulation: Token Impersonation/Theft |
| | T1484.002 | Domain Policy Modification: Domain Trust Modification |
| | T1611 | Escape to Host |
| Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography |
| | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| | T1036.005 | Masquerading: Match Legitimate Name or Location |
| | T1055.001 | Process Injection: Dynamic Link Library Injection |
| | T1070 | Indicator Removal |
| | T1070.001 | Indicator Removal: Clear Windows Event Logs |
| | T1070.006 | Indicator Removal: Timestomp |
| | T1127 | Trusted Developer Utilities Proxy Execution |
| | T1218.005 | System Binary Proxy Execution: Mshta |
| | T1218.011 | System Binary Proxy Execution: Rundll32 |
| | T1480 | Execution Guardrails |
| | T1497 | Virtualization/Sandbox Evasion |
| | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
| | T1550.001 | Use Alternate Authentication Material: Application Access Token |
| | T1562.001 | Impair Defenses: Disable or Modify Tools |
| | T1562.002 | Impair Defenses: Disable Windows Event Logging |
| Credential Access | T1003 | OS Credential Dumping |
| | T1003.003 | OS Credential Dumping: NTDS |
| | T1003.006 | OS Credential Dumping: DCSync |
| | T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
| | T1110 | Brute Force |
| | T1110.003 | Brute Force: Password Spraying |
| | T1111 | Multi-Factor Authentication Interception |
| | T1212 | Exploitation for Credential Access |
| | T1552.001 | Unsecured Credentials: Credentials in Files |
| | T1552.004 | Unsecured Credentials: Private Keys |
| | T1552.006 | Unsecured Credentials: Group Policy Preferences |
| | T1555.005 | Credentials from Password Stores: Password Managers |
| | T1558 | Steal or Forge Kerberos Tickets |
| | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting |
| | T1606.001 | Forge Web Credentials: Web Cookies |
| | T1606.002 | Forge Web Credentials: SAML Tokens |
| Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery |
| | T1018 | Remote System Discovery |
| | T1046 | Network Service Discovery |
| | T1083 | File and Directory Discovery |
| | T1120 | Peripheral Device Discovery |
| | T1135 | Network Share Discovery |
| | T1518 | Software Discovery |
| | T1526 | Cloud Service Discovery |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| | T1021.003 | Remote Services: Distributed Component Object Model |
| | T1570 | Lateral Tool Transfer |
| Collection | T1005 | Data from Local System |
| | T1039 | Data from Network Shared Drive |
| | T1074 | Data Staged |
| | T1114.002 | Email Collection: Remote Email Collection |
| | T1213 | Data from Information Repositories |
| | T1213.002 | Data from Information Repositories: SharePoint |
| | T1213.003 | Data from Information Repositories: Code Repositories |
| | T1560.001 | Archive Collected Data: Archive via Utility |
| Command & Control | T1071 | Application Layer Protocol |
| | T1071.004 | Application Layer Protocol: DNS |
| | T1090.003 | Proxy: Multi-Hop Proxy |
| | T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
| | T1571 | Non-Standard Port |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Exfiltration | T1030 | Data Transfer Size Limits |
| | T1041 | Exfiltration Over C2 Channel |
| | T1567 | Exfiltration Over Web Service |
| | T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository |
| Impact | T1485 | Data Destruction |
| | T1486 | Data Encrypted for Impact |
| | T1489 | Service Stop |
| | T1498.001 | Network Denial of Service: Direct Network Flood |
| | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
| | T1531 | Account Access Removal |
| | T1561.001 | Disk Wipe: Disk Content Wipe |
| | T1561.002 | Disk Wipe: Disk Structure Wipe |



Andi Ursry, Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
