A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Russia/Ukraine Update - December 2022 Breadcrumb Home Insights Blog Russia/Ukraine Update - December 2022 December 20, 2022 As the Russian invasion of Ukraine enters its eleventh month, cyber warfare activity continues on both sides. Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on the Russia-Ukraine conflict and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31 and November 29. This update will provide information on the events of the previous 30 days and what we can expect looking forward. Russia As reported at the CyberwarCon security conference in November, Russian APT groups targeting Ukraine have shifted tactics, now working to facilitate quicker intrusions to conduct destructive attacks. Attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), this tactical change was presented by Mandiant researchers, who dubbed it, “living on the edge,” in reference to highly targeted edge devices, like firewalls, routers and email servers. Instances of these types of attacks include: An April 2021 attack that involved GRU-linked attackers gaining access to a victim organization via its firewall. This access also led to the attackers deploying a wiper malware against the organization in February and March 2022. A June 2021 attack that involved GRU-linked attackers exploiting stolen credentials to log into a previous victim’s Zimbra mail server and regain access for espionage purposes. A 2021 attack where GRU-linked attackers targeted an organization’s routers through a technique known as GRE tunneling, allowing them to create a backdoor into the victim’s network. Attackers then deployed a wiper malware against the victim at the start of the Russian invasion of Ukraine in February 2022. A January 2022 attack involving the Russian APT group that exploited the ProxyShell vulnerability in Microsoft Exchange servers to get a foothold in an organization. One month later, the group deployed a wiper malware at the start of the Russian invasion. The quick intrusion tactic was previously used by threat groups associated with GRU. In these cases, it’s allowed GRU-linked groups to maintain access to victims that have become prime victim targets since the invasion of Ukraine. While this tactic remains rare in the overall landscape, there’s an Even Chance that Russia-linked threat groups will increase its use, moving away from the typical phishing attacks. Sandworm November also saw new ransomware attacks linked to the notorious Russian military threat group, Sandworm. The ransomware, RansomBoggs, was discovered on multiple Ukrainian organizations’ networks. The malware is written in .NET and its deployment was like other Sandworm attacks. For instance, a PowerShell script used to distribute the malware from the domain controller is nearly identical to the one observed in April 2022 during the Industroyer2 attacks against the energy vertical. Additionally, the script used to deploy the ransomware on the victims’ network, PowerGap, was also used in March 2022 to deliver the CaddyWiper malware. While the ransomware variant itself isn’t highly sophisticated, the group doesn’t appear to be interested in financial profit, but operational disruption. RansomBoggs contains multiple references to the Pixar movie, Monsters, Inc. in the code and the ransom note. The note appears to be written on behalf of the movie’s main protagonist, James P. Sullivan, whose job is to scare children. In the note, named SullivanDecryptsYourFiles.txt, “Sullivan” asks for financial help and apologizes for the inconvenience. The attackers Telegram account and executable are similarly named, and victims are instructed to contact the attackers via the email address, m0nsters-inc[at]proton. The ransomware generates a random, RSA-encrypted key and encrypts files using AES-256 in CBC mode. The ransom note, however, indicates the ransomware uses AES-128. Encrypted files are appended with “.chsch” and depending on the malware variant, the RSA public key can either be hardcoded in the malware sample itself or provided as an argument. Sandworm was also linked to Prestige ransomware attacks targeting transportation companies in Ukraine and Poland in October. All these attacks occurred within an hour and the group ‘s multiple deployment methods included the use of Windows scheduled tasks, encoded PowerShell commands and the Default Domain Group Policy Object. According the Microsoft’s Threat Intelligence Center (MSTIC), this ransomware was attributed to IRIDIUM (Microsoft’s name for Sandworm) based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities and infrastructure with previous victims of the HermeticWiper (aka FoxBlade) malware. Before Sandworm deployed the Prestige ransomware, the group used two utilities: RemoteExec, a commercially available tool for agentless remote code execution; and Impacket WMIexec, an open-source, script-based solution for remote code execution. The group also was observed using WinPEAS, comsvcs.dll and ntdsutil.exe to obtain privilege escalation and credential extraction. Though the initial access vector isn’t known, it’s Likely that the attackers had previous access to highly privileged credentials, given the overlap with other attacks. The Prestige ransomware leverages the CryptoPP C++ library to AES-encrypt each targeted file and appends the file with “.enc”. One version of the analyzed ransomware included a hardcoded RSA X509 public key. Like other ransomware variants, Prestige deletes the backup catalog and all volume shadow copies. Killnet In November, the Russia-aligned hacking group, Killnet, claimed responsibility for significant disruption to multiple websites and organizations in the U.K. via DDoS attacks. The group declared retaliation for the U.K.’s support for Ukraine and claimed that future attacks would target government and healthcare websites, including the London Stock Exchange, the British Army and the Banker’s Automated Clearing System. Image Figure 1: Victims listed on Killnet Telegram Channel In December, security researchers with Lupovis reported that Russian hackers used hijacked networks of organizations in the U.K., the U.S., France, Brazil and South Africa to launch attacks on Ukraine. To lure Russian threat actors and obtain information about their TTPs and overall goals, Lupovis created decoys with honeyfiles that appeared to contain critical information, such as usernames and passwords. Web portals were also designed to mimic Ukrainian government and political sites, but were configured to insecurely attempt to authenticate into an API. Then, high-interaction and ssh services were configured to accept the faux credentials from the portals. Based on this experiment, researchers found that Russian cybercriminals successfully compromised the networks of multiple global organizations – a Fortune 500 company, more than 15 healthcare organizations and a dam monitoring system. Russian cybercriminals were discovered rerouting through these legitimate networks to launch cyberattacks on Ukraine. In the attacks, researchers observed hackers targeting the decoys, conducting reconnaissance and recruiting them into bots to perform DDoS attacks. Additional attacks included targeted SWL injection, remote file inclusion, Docker exploitation, credential theft and exploitation of known vulnerabilities. Compared to unrelated decoys, Ukrainian decoys suffered significantly more DDoS attacks, indicating that organizations residing in or supporting Ukraine are Very Likely to be targeted more often. Callisto In December, the Russia-linked cyberespionage group, Callisto, targeted multiple organizations providing war support for Ukraine, including public and private enterprises in the U.S. and Europe. A highly persistent threat actor, Callisto (aka Seaborgium, Coldriver and Blue Callisto) targets the same organizations over long periods of time using constant impersonation, rapport building and phishing to slowly deepen their intrusion. Active since at least 2017, the group has previously been observed conducting attacks on behalf of the Russian government and primarily focuses on defense and intelligence consulting companies, intergovernmental organizations, think tanks and higher education. In August, MSTIC took actions to disrupt campaigns launched by the group. Despite its actions to disrupt infrastructure, Callisto continued their phishing and credential harvesting operations, focusing on verticals of Russian interest. Targeted organizations included a military equipment company in Poland, logistics companies in the U.S. and Ukraine, a military and tactical equipment provider in the U.S., a cybersecurity firm in Estonia and a U.S. satellite communications firm. Additional victims supported Ukraine publicly and included the International Center on Nonviolent Conflict, the Commission for International Justice and Accountability, the Centre of Humanitarian Dialogue and the Foundation for Support of Reforms in Ukraine. Brute Ratel In December, Microsoft warned that Russian-sponsored cyberattacks are Likely to continue targeting Ukrainian infrastructure and NATO allies in Europe and the U.S. throughout the winter. So far, researchers have observed a pattern of targeted attacks on infrastructure in Ukraine by Sandworm in association with missile strikes, and also accompanied by propaganda campaigns to undermine Western support for Ukraine. Researchers also observed Russia-linked threat actors, including APT29 and Conti ransomware affiliates, using a legitimate red-teaming attack simulation tool, Brute Ratel. As an alternative to Cobalt Strike for Defense Evasion, Command and Control and Persistence, Brute Ratel avoids discovery by endpoint detection and response (EDR) and antivirus tools. Its other capabilities include exploiting vulnerable software and services included on the Optiv gTIC prioritized software and protocols list, including SMB. While Brute Ratel isn’t as widespread as the continued use of Cobalt Strike, it’s Likely that threat actors will keep searching for alternatives to commonly known and detected malware and tools. China In December, the China-linked APT group, Mustang Panda (aka Bonze President, Earth Preta, HoneyMyte, RedDelta and Red Lich), used lures related to the Russia-Ukraine war to attack entities in Europe and the Asia Pacific. The group is known to utilize malicious attachments via phishing emails to gain initial access and to use the PlugX remote access trojan. In the recently observed campaign, Mustang Panda targeted government, education and research verticals with phishing attacks that led to the deployment of PUBLOAD, TONEINS and TONESHELL. The malicious file used in the campaign contained the name “Political Guidance for the new EU approach towards Russia.rar”. In the group’s commonly observed tactic, RAR archive files contain a shortcut to a Microsoft Word file that leverages DLL side-loading to start the execution of the PlugX in memory. Mustang Panda has a history of delivering the PlugX malware using lures related to current events like COVID-19, the regulation of the European Parliament and military exercises. PlugX has been leveraged by China-linked threat groups for more than 10 years, and this recurring use supports Optiv gTIC’s assessment that these actors continue to use older, previously successful tools, malware and tactics to conduct cyberattacks. Ukraine In December, the Russian-language news outlet, Izvestia, reported that bad actors were targeting Russian citizens, specifically employees of Russia-based financial institutions. Threat actors were reportedly using Telegram and Dark Web forums to recruit these employees, asking them to leak their employer’s data in exchange for “foreign” passports and relocation to “Western” countries. The news outlet cited two unnamed informants who work in Russia’s financial services vertical. Additionally, the director of Rostelekom-Solar, a Russia-based cybersecurity intelligence company, confirmed the bribes were offered on Telegram. At the time this update, the actors conducting these bribes is not known, but they’ve increasingly targeted Russia-based organizations with data breaches and cyberattacks since the invasion of Ukraine. It’s Likely the actors are offering an escape from war and partial mobilization as an attractive lure. There’s an Even Chance that the threat actor recruiting these employees is operating in support of Ukraine and attempting to leak data from Russia-based organizations as retaliation for the invasion of the country. However, as the bribes and lures were aired by a Russia-based news outlet and confirmed by a Russia-based company, the reliability of the report cannot be assessed. CryWiper In December, Russian government agencies, including mayors’ offices and courts, were targeted with a new C++ based wiper malware, CryWiper — which is configured to establish persistence via a scheduled task and communicate with a command and control (C2) server to initial the malicious activity. In the attack, the malware terminates the process related to database and email servers, deletes shadow copies of files and modifies the Windows Registry to prevent RDP connections. The wiper then corrupts files, avoiding those with “.exe”, “.dll”, “.lnk”, “.sys” and “.msi” extensions. Files are overwritten with random garbage data, appended with “.CRY” and even attempt to disguise themselves as ransomware with a note demanding 0.5 Bitcoin. But as the malware overwrites and destroys the contents of files rather than encrypting them, paying the ransom demand does not lead to data recovery. CryWiper is the second faux ransomware used to target Russia-based organizations, the first being RURansom in March. Wiper malwares like these are probably preferred by threat actors because their development time is low, they don’t require high sophistication to cause destruction and operational disruption and they’re Likely profitable due to being disguised as a ransomware variant. As with RURansom, it’s Likely CryWiper was used to disrupt in retaliation for, or in support of, Ukraine. There’s also an Even Chance that wiper malware will continue to be used against Russia-based organizations over the next 12 months. Outlook Since the invasion of Ukraine in February, Russia-linked and Russia-supporting groups have conducted cyberattacks and spread disinformation in an attempt to gather information and show their support for Russia. However, the larger strikes intending to cripple critical Ukrainian infrastructure, such as its electrical grid, haven’t been as successful as expected. In successful attacks, Ukraine has recovered quickly to restore systems and communications. Russia’s cyber capabilities have been proven to be significant based off previous cyberattacks linked to associated threat groups. But with many state-sponsored and -supported groups linked to military organizations focused on physical war, it’s Likely that resources typically allocated to cyber capabilities are currently dedicated elsewhere. Additionally, the U.S. and other NATO countries, as well as companies such as Microsoft, have offered their support to Ukrainian experts, including hands-on recovery efforts, communication devices and critical infrastructure operators, as well as financial and technical help to improve resilience against cyberattacks. Despite reports that Russia-linked groups have not been as successful as expected, there’s an Even Chance that these groups could begin targeting critical infrastructure verticals, such as energy, government, manufacturing and transportation, in destructive cyberattacks that include wiper or ransomware malware. There’s an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military action sees setbacks, such as the retreat from Kherson. It’s Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for espionage and financial gain. It’s Likely that as NATO countries, including the U.S., offer support to Ukraine for both cyber or physical warfare, they’ll be targeted by Russia-linked or -supporting threat actors with DDoS attacks, wiper malware, information stealing and ransomware attacks. Other countries with a history of state-sponsored and/or APT attacks that are indirectly aligned or maintaining suspicious neutrality towards Russia include China and India, which could also pose additional risks or proxies for cyberattacks. It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software and malware. In addition to multiple vulnerabilities, Optiv’s gTIC assesses it’s Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as: RDP SMB/Samba UPnP Oracle WebLogic Microsoft Exchange Microsoft SharePoint VMware vCenter, ESXi, vSphere, vAccess VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway Jenkins Content management system (CMS) platforms WordPress – Joomla!, Drupal, Magento, Adobe Commerce Mimikatz AdFind AnyDesk Rclone Ngrok reverse proxy Zoho ManageEngine LogMeIn TeamViewer It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups. Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the Russia-Ukraine war Tactic Technique Description Reconnaissance T1593 Search Open Websites/Domains T1595.002 Active Scanning: Vulnerability Scanning Resource Development T1583.003 Acquire Infrastructure: Virtual Private Server T1584.005 Compromise Infrastructure: Botnet T1586 Compromise Accounts T1587.003 Develop Capabilities: Digital Certificates T1588.002 Obtain Capabilities: Tool T1588.003 Obtain Capabilities: Code Signing Certificates Initial Access T1078 Valid Accounts T1078.002 Valid Accounts: Domain Accounts T1133 External Remote Services T1190 Exploit Public Facing Application T1195.002 Supply Chain Compromise: Compromise Software Supply Chain T1199 Trusted Relationship T1566 Phishing T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing Link Execution T1072 Windows Management Instrumentation T1059 Command and Scripting Interpreter T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.007 Command and Scripting Interpreter: JavaScript T1072 Software Deployment Tools T1106 Native API T1203 Exploitation for Client Execution T1204 User Execution T1204.001 User Execution: Malicious Link T1204.002 User Execution: Malicious File T1569.002 System Services: Service Execution Persistence T1053 Scheduled Task/Job T1098 Account Manipulation T1098.001 Account Manipulation: Additional Cloud Credentials T1547.009 Boot or Logon Autostart Execution: Shortcut Modification T1574.008 Hijack Execution Flow: Path Interception by Search order Hijacking Privilege Escalation T1055.002 Process Injection: Portable Executable Injection T1078.001 Valid Accounts: Default Accounts T1078.002 Valid Accounts: Domain Accounts T1134.001 Access Token Manipulation: Token Impersonation/Theft T1484.002 Domain Policy Modification: Domain Trust Modification T1611 Escape to Host Defense Evasion T1027.003 Obfuscated Files or Information: Steganography T1027.005 Obfuscated Files or Information: Indicator Removal from Tools T1036.005 Masquerading: Match Legitimate Name or Location T1055.001 Process Injection: Dynamic Link Library Injection T1070 Indicator Removal T1070.001 Indicator Removal: Clear Windows Event Logs T1070.006 Indicator Removal: Timestomp T1127 Trusted Developer Utilities Proxy Execution T1218.005 System Binary Proxy Execution: Mshta T1218.011 System Binary Proxy Execution: Rundll32 T1480 Execution Guardrails T1497 Virtualization/Sandbox Evasion T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion T1550.001 Use Alternate Authentication Material: Application Access Token T1562.001 Impair Defenses: Disable or Modify Tools T1562.002 Impair Defenses: Disable Windows Event Logging Credential Access T1003 OS Credential Dumping T1003.003 OS Credential Dumping: NTDS T1003.006 OS Credential Dumping: DCSync T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow T1110 Brute Force T1110.003 Brute Force: Password Spraying T1111 Multi-Factor Authentication Interception T1212 Exploitation for Credential Access T1552.001 Unsecured Credentials: Credentials in Files T1552.004 Unsecured Credentials: Private Keys T1552.006 Unsecured Credentials: Group Policy Preferences T1555.005 Credentials from Password Stores: Password Managers T1558 Steal or Forge Kerberos Tickets T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting T1606.001 Forge Web Credentials: Web Cookies T1606.002 Forge Web Credentials: SAML Tokens Discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery T1018 Remote System Discovery T1046 Network Service Discovery T1083 File and Directory Discovery T1120 Peripheral Device Discovery T1135 Network Share Discovery T1518 Software Discovery T1526 Cloud Service Discovery Lateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares T1021.003 Remote Services: Distributed Component Object Model T1570 Lateral Tool Transfer Collection T1005 Data from Local System T1039 Data from Network Shared Drive T1074 Data Staged T1114..002 Email Collection: Remote Email Collection T1213 Data from Information Repositories T1213.002 Data from Information Repositories: SharePoint T1213.003 Data from Information Repositories: Code Repositories T1560.001 Archive Collected Data: Archive via Utility Command & Control T1071 Application Layer Protocol T1071.004 Application Layer Protocol: DNS T1090.003 Proxy: Multi-Hop Proxy T1568.002 Dynamic Resolution: Domain Generation Algorithms T1571 Non-Standard Port T1573.001 Encrypted Channel: Symmetric Cryptography Exfiltrate T1030 Data Transfer Size Limits T1041 Exfiltration Over C2 Channel T1567 Exfiltration Over Web Service T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository Impact T1485 Data Destruction T1486 Data Encrypted for Impact T1498 Service Stop T1498.001 Network Denial of Service: Direct Network Flood T1499.002 Endpoint Denial of Service: Service Exhaustion Flood T1531 Account Access Removal T1561.001 Disk Wipe: Disk Content Wipe T1561.002 Disk Wipe: Disk Structure Wipe References https://www.bleepingcomputer.com/news/security/russian-military-hackers-linked-to-ransomware-attacks-in-ukraine/ https://www.bleepingcomputer.com/news/security/new-ransomware-attacks-in-ukraine-linked-to-russian-sandworm-hackers/ https://www.infosecurity-magazine.com/news/russian-hackers-western-networks/ https://www.securityweek.com/russian-espionage-apt-callisto-focuses-ukraine-war-support-organizations https://twitter.com/ESETresearch/status/1596181925663760386 https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/ https://thehackernews.com/2022/12/chinese-hackers-using-russo-ukrainian.html https://iz.ru/1434535/2022-12-02/insaideram-v-bankakh-za-sliv-stali-predlagat-relokatciiu https://thehackernews.com/2022/12/russian-courts-targeted-by-new-crywiper.html https://blog.polyswarm.io/apt-29-using-brute-ratel By: Andi Ursry Intelligence Analyst | Optiv Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics. Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online. Share: Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.