Russia/Ukraine Update - December 2022
December 20, 2022
As the Russian invasion of Ukraine enters its eleventh month, cyber warfare activity continues on both sides.
Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on the Russia-Ukraine conflict and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31 and November 29. This update will provide information on the events of the previous 30 days and what we can expect looking forward.
Russia
As reported at the CyberwarCon security conference in November, Russian APT groups targeting Ukraine have shifted tactics toward quicker intrusions in support of destructive attacks. Mandiant researchers, who attributed the activity to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), dubbed the approach "living on the edge," in reference to the highly targeted edge devices it relies on, such as firewalls, routers and email servers. Instances of these types of attacks include:
- An April 2021 attack that involved GRU-linked attackers gaining access to a victim organization via its firewall. This access also led to the attackers deploying a wiper malware against the organization in February and March 2022.
- A June 2021 attack that involved GRU-linked attackers exploiting stolen credentials to log into a previous victim’s Zimbra mail server and regain access for espionage purposes.
- A 2021 attack where GRU-linked attackers targeted an organization’s routers through a technique known as GRE tunneling, allowing them to create a backdoor into the victim’s network. Attackers then deployed a wiper malware against the victim at the start of the Russian invasion of Ukraine in February 2022.
- A January 2022 attack in which the GRU-linked group exploited the ProxyShell vulnerability chain in Microsoft Exchange servers to gain a foothold in an organization. One month later, at the start of the Russian invasion, the group deployed a wiper malware.
The quick intrusion tactic was previously used by threat groups associated with the GRU. In these cases, it has allowed GRU-linked groups to maintain access to victims that have become prime targets since the invasion of Ukraine. While this tactic remains rare in the overall landscape, there's an Even Chance that Russia-linked threat groups will increase its use, moving away from typical phishing attacks.
Sandworm
November also saw new ransomware attacks linked to the notorious Russian military threat group, Sandworm. The ransomware, RansomBoggs, was discovered on multiple Ukrainian organizations' networks. The malware is written in .NET and its deployment resembled other Sandworm attacks. For instance, the PowerShell script used to distribute the malware from the domain controller is nearly identical to the one observed in April 2022 during the Industroyer2 attacks against the energy vertical. Additionally, the script used to deploy the ransomware on the victims' networks, PowerGap, was also used in March 2022 to deliver the CaddyWiper malware. While the ransomware variant itself isn't highly sophisticated, the group doesn't appear to be interested in financial profit, but in operational disruption.
RansomBoggs contains multiple references to the Pixar movie Monsters, Inc. in its code and ransom note. The note is written as if by the movie's main protagonist, James P. Sullivan, whose job is to scare children. In the note, named SullivanDecryptsYourFiles.txt, "Sullivan" asks for financial help and apologizes for the inconvenience. The attackers' Telegram account and the executable are similarly named, and victims are instructed to contact the attackers via the email address m0nsters-inc[at]proton.
The ransomware generates a random key, encrypts files with it using AES-256 in CBC mode, and then encrypts that key with RSA, so only the holder of the matching private key can recover it. The ransom note, however, claims that AES-128 is used. Encrypted files are appended with ".chsch" and, depending on the malware variant, the RSA public key is either hardcoded in the sample itself or provided as an argument.
Sandworm was also linked to Prestige ransomware attacks targeting transportation companies in Ukraine and Poland in October. All of these attacks occurred within an hour of each other, and the group's multiple deployment methods included Windows scheduled tasks, encoded PowerShell commands and the Default Domain Group Policy Object. According to Microsoft's Threat Intelligence Center (MSTIC), the ransomware was attributed to IRIDIUM (Microsoft's name for Sandworm) based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities and infrastructure with previous HermeticWiper (aka FoxBlade) activity.
Before Sandworm deployed the Prestige ransomware, the group used two utilities: RemoteExec, a commercially available tool for agentless remote code execution; and Impacket WMIexec, an open-source, script-based solution for remote code execution. The group also was observed using WinPEAS, comsvcs.dll and ntdsutil.exe to obtain privilege escalation and credential extraction.
Though the initial access vector isn’t known, it’s Likely that the attackers had previous access to highly privileged credentials, given the overlap with other attacks. The Prestige ransomware leverages the CryptoPP C++ library to AES-encrypt each targeted file and appends the file with “.enc”. One version of the analyzed ransomware included a hardcoded RSA X509 public key. Like other ransomware variants, Prestige deletes the backup catalog and all volume shadow copies.
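The Prestige and RansomBoggs chains above leave a recognisable trail in process-creation telemetry: encoded PowerShell, scheduled task creation, comsvcs.dll and ntdsutil.exe for credential theft, Impacket wmiexec's output redirection, and the shadow copy and backup catalog deletion that precedes encryption. The following sweep is an added example written for this update, not tooling from Optiv, Microsoft or ESET. It runs command-line rules over Sysmon Event ID 1 / Security 4688 style records; the records, hostnames, task names and paths in SAMPLE_EVENTS are constructed and hypothetical.

```python
"""Detection sweep for the Prestige / RansomBoggs deployment chain described above.

Runs command-line rules over process-creation telemetry (Sysmon Event ID 1 or
Security 4688 style records). Every record in SAMPLE_EVENTS is constructed for
this example; hostnames, task names and paths are hypothetical.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# (rule name, ATT&CK technique, pattern over the full command line)
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", "T1490",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("scheduled_task_creation", "T1053.005",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
    ("lsass_dump_via_comsvcs", "T1003.001",
     re.compile(r"rundll32(?:\.exe)?\s+.*comsvcs\.dll\s*,?\s*(?:#24|MiniDump)", re.I)),
    ("ntds_extraction_via_ntdsutil", "T1003.003",
     re.compile(r"ntdsutil(?:\.exe)?\s+.*ac\s+i\s+ntds.*\bifm\b", re.I)),
    # Impacket wmiexec redirects each command's output to a timestamp-named file on ADMIN$
    ("impacket_wmiexec_pattern", "T1047",
     re.compile(r"cmd(?:\.exe)?\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (a UTF-16LE script)
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded PowerShell payload."""
    m = ENCODED_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of every rule the event triggers, checked on both the raw and the decoded command line."""
    cmd = event.get("cmdline", "")
    decoded = decode_encoded_command(cmd)
    hits: List[str] = ["encoded_powershell"] if decoded is not None else []
    # Encoding must not hide a vssadmin call, so rules also run over the decoded payload.
    for text in (cmd, decoded or ""):
        for name, _technique, pattern in RULES:
            if name not in hits and pattern.search(text):
                hits.append(name)
    return hits


def sweep(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(host, rule) pairs for the whole batch; an empty list means nothing to triage."""
    return [(e["host"], rule) for e in events for rule in evaluate(e)]


SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed telemetry, not real attack data
    {"host": "WS01", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS01", "cmdline": "powershell.exe -nop -w hidden -enc "
                                + encode_for_powershell("vssadmin delete shadows /all /quiet")},
    {"host": "WS02", "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\Public\svc.exe /ru SYSTEM"},
    {"host": "DC01", "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"},
    {"host": "DC01", "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\ifm" q q'},
    {"host": "FS01", "cmdline": r"cmd.exe /Q /c wbadmin delete catalog -quiet 1> \\127.0.0.1\ADMIN$\__1666000000.12 2>&1"},
]

if __name__ == "__main__":
    for host, rule in sweep(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rules are deliberately narrow: each one names a specific binary and argument shape rather than a generic keyword, so a hit is worth an analyst's time. Decoding the PowerShell payload before matching is the important step; in the Prestige deployments the destructive commands were wrapped in encoded commands, and a rule that only looks at the visible command line would miss them.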
Killnet
In November, the Russia-aligned hacking group, Killnet, claimed responsibility for significant disruption to multiple websites and organizations in the U.K. via DDoS attacks. The group declared retaliation for the U.K.'s support for Ukraine and claimed that future attacks would target government and healthcare websites, as well as the London Stock Exchange, the British Army and the Bankers' Automated Clearing Services (BACS).
Figure 1: Victims listed on Killnet Telegram Channel
In December, security researchers with Lupovis reported that Russian hackers used hijacked networks of organizations in the U.K., the U.S., France, Brazil and South Africa to launch attacks on Ukraine. To lure Russian threat actors and learn their TTPs and overall goals, Lupovis created decoys with honeyfiles that appeared to contain sensitive information, such as usernames and passwords. Web portals were also built to mimic Ukrainian government and political sites and were deliberately configured to authenticate insecurely against an API, exposing the planted credentials. High-interaction SSH services were then configured to accept the faux credentials leaked by the portals.
Based on this experiment, researchers found that Russian cybercriminals had compromised the networks of multiple global organizations, including a Fortune 500 company, more than 15 healthcare organizations and a dam monitoring system, and were routing through these legitimate networks to launch cyberattacks on Ukraine. Against the decoys, researchers observed the attackers conducting reconnaissance and recruiting the hosts into botnets to perform DDoS attacks.
Additional attacks included targeted SQL injection, remote file inclusion, Docker exploitation, credential theft and exploitation of known vulnerabilities. Compared to unrelated decoys, the Ukrainian-themed decoys suffered significantly more DDoS attacks, indicating that organizations residing in or supporting Ukraine are Very Likely to be targeted more often.
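What makes the Lupovis setup work is that each planted credential is unique to the lure it was leaked through, so any authentication attempt with it is both a high-fidelity alert and a pointer to which decoy the attacker read. The script below is an added example illustrating that tripwire, not Lupovis's code: it mints one credential pair per lure, then scans sshd-style auth log lines for those usernames and groups hits by source address. The log lines, hostnames, IP addresses and lure names are constructed for this example.

```python
"""Decoy-credential tripwire, modelled on the Lupovis setup described above.

Each decoy credential is unique to the place it was planted, so an attempt to
use it on the SSH honeypot tells you which lure the attacker picked up and
from which address they came. Log lines, hosts and lure names below are
constructed for this example.
"""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Decoy:
    username: str
    password: str
    planted_in: str  # honeyfile or portal this pair was leaked through


@dataclass
class Alert:
    user: str
    planted_in: str
    source_ip: str
    result: str  # "Accepted" (honeypot let them in) or "Failed"


def mint_decoys(sources: List[str]) -> Dict[str, Decoy]:
    """One random credential pair per lure; the username is the lookup key.

    The svc_ prefix plus random suffix keeps decoy names from colliding with
    real accounts, which is what makes every hit unambiguous.
    """
    decoys: Dict[str, Decoy] = {}
    for src in sources:
        user = f"svc_{secrets.token_hex(3)}"
        decoys[user] = Decoy(user, secrets.token_urlsafe(12), src)
    return decoys


# Matches OpenSSH auth lines for password logins, with or without "invalid user".
SSH_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def detect(log_lines: Iterable[str], decoys: Dict[str, Decoy]) -> List[Alert]:
    """Every login attempt that used a decoy username, in log order."""
    alerts: List[Alert] = []
    for line in log_lines:
        m = SSH_AUTH.search(line)
        if m is None:
            continue
        decoy = decoys.get(m["user"])
        if decoy is None:
            continue  # ordinary brute force against non-decoy names is not this signal
        alerts.append(Alert(m["user"], decoy.planted_in, m["ip"], m["result"]))
    return alerts


def by_source(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Lures touched per source IP; one address hitting several lures shows its recon path."""
    touched: Dict[str, set] = defaultdict(set)
    for a in alerts:
        touched[a.source_ip].add(a.planted_in)
    return {ip: sorted(lures) for ip, lures in touched.items()}


# Constructed deployment: two lures with credentials leaked through a portal and a honeyfile.
DECOYS = mint_decoys(["mimic_portal_login", "honeyfile_creds_xlsx"])
_users = list(DECOYS)

SAMPLE_LOG = [  # constructed sshd lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    f"Dec  5 10:12:01 bastion sshd[2231]: Failed password for {_users[0]} from 203.0.113.7 port 51022 ssh2",
    f"Dec  5 10:12:09 bastion sshd[2231]: Accepted password for {_users[0]} from 203.0.113.7 port 51022 ssh2",
    "Dec  5 10:15:44 bastion sshd[2290]: Failed password for invalid user admin from 198.51.100.3 port 40110 ssh2",
    f"Dec  5 10:20:03 bastion sshd[2301]: Accepted password for {_users[1]} from 203.0.113.7 port 51100 ssh2",
    "Dec  5 10:21:00 bastion sshd[2301]: pam_unix(sshd:session): session opened for user root",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, DECOYS):
        print(f"{alert.source_ip} used decoy from {alert.planted_in}: {alert.result}")
    print(by_source(detect(SAMPLE_LOG, DECOYS)))
```

Because no legitimate user ever holds a decoy credential, a "Failed" result is as interesting as an "Accepted" one: both prove the lure was read. The same lookup generalises to the portal side of the setup (match the decoy username in the API's request log) and to any other service the credentials are planted for.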
Callisto
In December, the Russia-linked cyberespionage group, Callisto, targeted multiple organizations providing war support for Ukraine, including public and private enterprises in the U.S. and Europe. A highly persistent threat actor, Callisto (aka Seaborgium, Coldriver and Blue Callisto) targets the same organizations over long periods of time using constant impersonation, rapport building and phishing to slowly deepen their intrusion. Active since at least 2017, the group has previously been observed conducting attacks on behalf of the Russian government and primarily focuses on defense and intelligence consulting companies, intergovernmental organizations, think tanks and higher education. In August, MSTIC took actions to disrupt campaigns launched by the group.
Despite Microsoft's actions to disrupt its infrastructure, Callisto continued its phishing and credential harvesting operations, focusing on verticals of Russian interest. Targeted organizations included a military equipment company in Poland, logistics companies in the U.S. and Ukraine, a military and tactical equipment provider in the U.S., a cybersecurity firm in Estonia and a U.S. satellite communications firm. Additional victims supported Ukraine publicly and included the International Center on Nonviolent Conflict, the Commission for International Justice and Accountability, the Centre of Humanitarian Dialogue and the Foundation for Support of Reforms in Ukraine.
Brute Ratel
In December, Microsoft warned that Russian-sponsored cyberattacks are Likely to continue targeting Ukrainian infrastructure and NATO allies in Europe and the U.S. throughout the winter. So far, researchers have observed a pattern of targeted attacks on infrastructure in Ukraine by Sandworm in association with missile strikes, and also accompanied by propaganda campaigns to undermine Western support for Ukraine.
Researchers also observed Russia-linked threat actors, including APT29 and Conti ransomware affiliates, using Brute Ratel, a legitimate red-team attack simulation tool. Used as an alternative to Cobalt Strike for Defense Evasion, Command and Control and Persistence, Brute Ratel is built to evade endpoint detection and response (EDR) and antivirus tools. Its capabilities also include exploiting vulnerable software and services on the Optiv gTIC prioritized software and protocols list, including SMB. While Brute Ratel isn't as widespread as Cobalt Strike, it's Likely that threat actors will keep searching for alternatives to commonly known and detected malware and tools.
China
In December, the China-linked APT group, Mustang Panda (aka Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich), used lures related to the Russia-Ukraine war to attack entities in Europe and the Asia Pacific. The group is known to use malicious attachments in phishing emails to gain initial access and to deploy the PlugX remote access trojan.
In the recently observed campaign, Mustang Panda targeted the government, education and research verticals with phishing attacks that led to the deployment of PUBLOAD, TONEINS and TONESHELL. The malicious file used in the campaign was named "Political Guidance for the new EU approach towards Russia.rar". In the group's commonly observed tactic, the RAR archive contains a shortcut (LNK) file presented as a Microsoft Word document; opening it leverages DLL side-loading to start execution of PlugX in memory.
Mustang Panda has a history of delivering the PlugX malware using lures related to current events like COVID-19, the regulation of the European Parliament and military exercises. PlugX has been leveraged by China-linked threat groups for more than 10 years, and this recurring use supports Optiv gTIC’s assessment that these actors continue to use older, previously successful tools, malware and tactics to conduct cyberattacks.
Ukraine
In December, the Russian-language news outlet, Izvestia, reported that bad actors were targeting Russian citizens, specifically employees of Russia-based financial institutions. Threat actors were reportedly using Telegram and Dark Web forums to recruit these employees, asking them to leak their employer’s data in exchange for “foreign” passports and relocation to “Western” countries. The news outlet cited two unnamed informants who work in Russia’s financial services vertical. Additionally, the director of Rostelekom-Solar, a Russia-based cybersecurity intelligence company, confirmed the bribes were offered on Telegram.
At the time of this update, the actors behind these bribes are not known, but actors have increasingly targeted Russia-based organizations with data breaches and cyberattacks since the invasion of Ukraine. It's Likely that an escape from the war and from partial mobilization is being offered as an attractive lure. There's an Even Chance that the threat actor recruiting these employees is operating in support of Ukraine and attempting to leak data from Russia-based organizations in retaliation for the invasion. However, as the bribes and lures were reported by a Russia-based news outlet and confirmed by a Russia-based company, the reliability of the report cannot be assessed.
CryWiper
In December, Russian government agencies, including mayors' offices and courts, were targeted with a new C++-based wiper, CryWiper, which establishes persistence via a scheduled task and communicates with a command and control (C2) server to initiate its malicious activity. The malware terminates processes related to database and email servers, deletes volume shadow copies and modifies the Windows Registry to prevent RDP connections. It then corrupts files, skipping those with ".exe", ".dll", ".lnk", ".sys" and ".msi" extensions, overwriting their contents with random garbage data and appending ".CRY". To pass as ransomware, it drops a note demanding 0.5 Bitcoin. But because the malware overwrites and destroys file contents rather than encrypting them, paying the ransom cannot lead to data recovery.
CryWiper is the second piece of faux ransomware used to target Russia-based organizations, the first being RURansom in March. Wiper malware like this is probably preferred by threat actors because development time is low, it doesn't require high sophistication to cause destruction and operational disruption, and it's Likely still profitable while disguised as a ransomware variant. As with RURansom, it's Likely CryWiper was used to disrupt in retaliation for, or in support of, Ukraine. There's also an Even Chance that wiper malware will continue to be used against Russia-based organizations over the next 12 months.
Outlook
Since the invasion of Ukraine in February, Russia-linked and Russia-supporting groups have conducted cyberattacks and spread disinformation in an attempt to gather information and show their support for Russia. However, the larger strikes intending to cripple critical Ukrainian infrastructure, such as its electrical grid, haven’t been as successful as expected. In successful attacks, Ukraine has recovered quickly to restore systems and communications.
Russia's cyber capabilities have been proven to be significant based on previous cyberattacks linked to associated threat groups. But with many state-sponsored and -supported groups linked to military organizations focused on the physical war, it's Likely that resources typically allocated to cyber capabilities are currently dedicated elsewhere. Additionally, the U.S. and other NATO countries, as well as companies such as Microsoft, have offered support to Ukrainian experts and critical infrastructure operators, including hands-on recovery efforts, communication devices, and financial and technical help to improve resilience against cyberattacks.
Despite reports that Russia-linked groups have not been as successful as expected, there’s an Even Chance that these groups could begin targeting critical infrastructure verticals, such as energy, government, manufacturing and transportation, in destructive cyberattacks that include wiper or ransomware malware. There’s an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military action sees setbacks, such as the retreat from Kherson.
It's Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for espionage and financial gain. It's Likely that as NATO countries, including the U.S., offer support to Ukraine for both cyber and physical warfare, they'll be targeted by Russia-linked or -supporting threat actors with DDoS attacks, wiper malware, information stealing and ransomware attacks. Other countries with a history of state-sponsored and/or APT attacks that are indirectly aligned with, or maintain a suspicious neutrality toward, Russia include China and India, which could pose additional risks or act as proxies for cyberattacks.
It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software and malware.
In addition to multiple vulnerabilities, Optiv's gTIC assesses it's Likely that cybercriminals and fringe state-sponsored campaigns will target or use the following common software, protocols and tools in the coming months:
- RDP
- SMB/Samba
- UPnP
- Oracle WebLogic
- Microsoft Exchange
- Microsoft SharePoint
- VMware vCenter, ESXi, vSphere, vAccess
- VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
- Jenkins
- Content management system (CMS) platforms – WordPress, Joomla!, Drupal, Magento, Adobe Commerce
- Mimikatz
- AdFind
- AnyDesk
- Rclone
- Ngrok reverse proxy
- Zoho ManageEngine
- LogMeIn
- TeamViewer
It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.
Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the Russia-Ukraine war
Tactic | Technique | Description |
---|---|---|
Reconnaissance | T1593 | Search Open Websites/Domains |
Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning |
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server |
Resource Development | T1584.005 | Compromise Infrastructure: Botnet |
Resource Development | T1586 | Compromise Accounts |
Resource Development | T1587.003 | Develop Capabilities: Digital Certificates |
Resource Development | T1588.002 | Obtain Capabilities: Tool |
Resource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates |
Initial Access | T1078 | Valid Accounts |
Initial Access | T1078.002 | Valid Accounts: Domain Accounts |
Initial Access | T1133 | External Remote Services |
Initial Access | T1190 | Exploit Public-Facing Application |
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain |
Initial Access | T1199 | Trusted Relationship |
Initial Access | T1566 | Phishing |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
Initial Access | T1566.002 | Phishing: Spearphishing Link |
Execution | T1047 | Windows Management Instrumentation |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
Execution | T1072 | Software Deployment Tools |
Execution | T1106 | Native API |
Execution | T1203 | Exploitation for Client Execution |
Execution | T1204 | User Execution |
Execution | T1204.001 | User Execution: Malicious Link |
Execution | T1204.002 | User Execution: Malicious File |
Execution | T1569.002 | System Services: Service Execution |
Persistence | T1053 | Scheduled Task/Job |
Persistence | T1098 | Account Manipulation |
Persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials |
Persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Persistence | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking |
Privilege Escalation | T1055.002 | Process Injection: Portable Executable Injection |
Privilege Escalation | T1078.001 | Valid Accounts: Default Accounts |
Privilege Escalation | T1078.002 | Valid Accounts: Domain Accounts |
Privilege Escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft |
Privilege Escalation | T1484.002 | Domain Policy Modification: Domain Trust Modification |
Privilege Escalation | T1611 | Escape to Host |
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography |
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location |
Defense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection |
Defense Evasion | T1070 | Indicator Removal |
Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs |
Defense Evasion | T1070.006 | Indicator Removal: Timestomp |
Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution |
Defense Evasion | T1218.005 | System Binary Proxy Execution: Mshta |
Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 |
Defense Evasion | T1480 | Execution Guardrails |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Defense Evasion | T1550.001 | Use Alternate Authentication Material: Application Access Token |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
Defense Evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1003.003 | OS Credential Dumping: NTDS |
Credential Access | T1003.006 | OS Credential Dumping: DCSync |
Credential Access | T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
Credential Access | T1110 | Brute Force |
Credential Access | T1110.003 | Brute Force: Password Spraying |
Credential Access | T1111 | Multi-Factor Authentication Interception |
Credential Access | T1212 | Exploitation for Credential Access |
Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
Credential Access | T1552.004 | Unsecured Credentials: Private Keys |
Credential Access | T1552.006 | Unsecured Credentials: Group Policy Preferences |
Credential Access | T1555.005 | Credentials from Password Stores: Password Managers |
Credential Access | T1558 | Steal or Forge Kerberos Tickets |
Credential Access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting |
Credential Access | T1606.001 | Forge Web Credentials: Web Cookies |
Credential Access | T1606.002 | Forge Web Credentials: SAML Tokens |
Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery |
Discovery | T1018 | Remote System Discovery |
Discovery | T1046 | Network Service Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1120 | Peripheral Device Discovery |
Discovery | T1135 | Network Share Discovery |
Discovery | T1518 | Software Discovery |
Discovery | T1526 | Cloud Service Discovery |
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
Lateral Movement | T1021.003 | Remote Services: Distributed Component Object Model |
Lateral Movement | T1570 | Lateral Tool Transfer |
Collection | T1005 | Data from Local System |
Collection | T1039 | Data from Network Shared Drive |
Collection | T1074 | Data Staged |
Collection | T1114.002 | Email Collection: Remote Email Collection |
Collection | T1213 | Data from Information Repositories |
Collection | T1213.002 | Data from Information Repositories: SharePoint |
Collection | T1213.003 | Data from Information Repositories: Code Repositories |
Collection | T1560.001 | Archive Collected Data: Archive via Utility |
Command & Control | T1071 | Application Layer Protocol |
Command & Control | T1071.004 | Application Layer Protocol: DNS |
Command & Control | T1090.003 | Proxy: Multi-Hop Proxy |
Command & Control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
Command & Control | T1571 | Non-Standard Port |
Command & Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
Exfiltration | T1030 | Data Transfer Size Limits |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
Exfiltration | T1567 | Exfiltration Over Web Service |
Exfiltration | T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository |
Impact | T1485 | Data Destruction |
Impact | T1486 | Data Encrypted for Impact |
Impact | T1489 | Service Stop |
Impact | T1498.001 | Network Denial of Service: Direct Network Flood |
Impact | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
Impact | T1531 | Account Access Removal |
Impact | T1561.001 | Disk Wipe: Disk Content Wipe |
Impact | T1561.002 | Disk Wipe: Disk Structure Wipe |
References
- https://www.bleepingcomputer.com/news/security/russian-military-hackers-linked-to-ransomware-attacks-in-ukraine/
- https://www.bleepingcomputer.com/news/security/new-ransomware-attacks-in-ukraine-linked-to-russian-sandworm-hackers/
- https://www.infosecurity-magazine.com/news/russian-hackers-western-networks/
- https://www.securityweek.com/russian-espionage-apt-callisto-focuses-ukraine-war-support-organizations
- https://twitter.com/ESETresearch/status/1596181925663760386
- https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/
- https://thehackernews.com/2022/12/chinese-hackers-using-russo-ukrainian.html
- https://iz.ru/1434535/2022-12-02/insaideram-v-bankakh-za-sliv-stali-predlagat-relokatciiu
- https://thehackernews.com/2022/12/russian-courts-targeted-by-new-crywiper.html
- https://blog.polyswarm.io/apt-29-using-brute-ratel
Optiv Security: Secure greatness.®
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.