Russia/Ukraine Update - November 2022

November 29, 2022

At the time of this update, the Russia and Ukraine war has continued for nearly 10 months with no indication that it will end soon. On the digital front, cybercriminals have shown their support for both sides of the war, targeting organizations and government agencies to obtain sensitive data, disrupt operations, and wreak general havoc in Ukraine and beyond.

Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29 and October 31. This update will provide information on the malware variants observed in cyberattacks, as well as the threat groups observed conducting attacks in support of Russia. While not exhaustive, the list of malware and groups discussed in this blog includes the most notable or destructive variants and the actors associated with them.

Variants

Russia-based and Russia-supporting threat actors were attributed to multiple cyberattacks over the previous nine months of the war, including ransomware, wiper, espionage and distributed denial of service (DDoS) attacks. In this time, both known and unknown threat groups have consistently deployed malware against Ukrainian organizations and Western organizations supporting Ukraine.

The following malware variants were observed:

WhisperGate (WhisperKill): Used to target Ukrainian government agencies in January 2022, this two-stage malware overwrites victims’ Master Boot Record (MBR) with a ransom note. But while it’s disguised as ransomware, WhisperGate doesn’t contain a recovery mechanism for victims to pay the ransom. After overwriting a system’s MBR, the malware downloads a malicious file corrupter that locates files in specific directories once it’s executed in memory.

Cyclops Blink: A malicious Linux ELF executable attributed to the Sandworm APT group. The malware consists of a core component and additional modules that are executed as child processes. These built-in modules are executed on startup and provide discovery system information, as well as the functionality to upload and download files and update the malware version. However, additional modules can be added via tasking from the C2 server.

HermeticWiper (aka FoxBlade, KillDisk): HermeticWiper was deployed against Ukrainian organizations in February 2022 using a signed driver and targeting Windows devices to manipulate the MBR, resulting in subsequent boot failure. The malware was named after the digital certificate used to sign the identified sample. HermeticWiper was a custom-written application with few standard functions. It followed a proven method of abusing a benign partition management driver, empntdrv.sys, to get direct access to the filesystem without calling Windows APIs. The wiper not only corrupts MBR and volume boot records, but also wipes files by defragmenting (rendering recovery impossible). This malware was attributed to the Sandworm (aka Black Energy, UAC-0082) APT group, which will be discussed more in the following section of this report.

HermeticRansom (aka SonicVote, PartyTicket): A ransomware variant written in the Go programming language that was used as a decoy alongside the deployment of the HermeticWiper malware in February 2022. HermeticRansom was found to be an amateur variant with poor control over its concurrent threads and commands. Its folder organization and naming conventions within the binary were found to taunt the United States, with names referring to the Biden administration, such as “403forBiden.” The malware superficially encrypts files and doesn’t properly initialize the encryption key, indicating the malware was Likely designed as a distraction from the actions of the HermeticWiper malware.

HermeticWizard: Another malware that was signed by the same code-signing certificate as HermeticWiper. A DLL file developed in C++, HermeticWizard was deployed as a worm against Ukrainian organizations in February 2022. It tries to find other machines on the local network, gathers known local IP addresses and then tries to connect to them to see if they’re reachable. For each IP address, the malware tries to open a TCP connection and scans ports in a random order. When it finds a reachable machine, it drops a WMI spreader.

IsaacWiper (aka Lasainraw): A wiper malware deployed against a Ukrainian government network in February 2022. Focused on data destruction, IsaacWiper was compiled with Visual Studio 2015 and written in a combination of C, C++ and assembly languages. It was observed being deployed as both an EXE and a DLL. Once executed, the malware overwrites all physical disks and logical volumes on a victim’s machine. While IsaacWiper doesn’t contain any code overlap with WhisperGate and HermeticWiper, its targeting is in line with these two wipers.

AcidRain: A wiper malware reportedly used to target Viasat’s KA-SAT network in February 2022, impacting several thousands of customers in Ukraine and tens of thousands across Europe. Viasat hasn’t confirmed this, but analysis of the tool indicates its deployment was Likely. AcidRain overwrites files and symbolic links with random data from the memory buffer in a recursive loop. The same operation is also used to wipe disk devices, loop devices, memory block devices and multimedia card block devices. Once the malware wipes a device, it forces a reboot.

DoubleZero (FiberLake): A .NET wiper malware developed with the C# programming language and used to target Ukrainian organizations in March 2022. DoubleZero uses two methods to destroy files. The first overwrites files with zero blocks of 4,096 bytes. The second uses API-calls, NtFileOpen, NtFsControlFile (code: FSCTL_SET_ZERO_DATA). The malware begins by targeting all non-system files and overwriting them. Then it compiles a list of system files by mask, sorts them and overwrites them. In the last step, the computer turns off.

LoadEdge: A backdoor malware containing functionalities such as file execution, upload, download and deletion, as well as system information obtainment and an interactive reverse shell over TCP port 137. LoadEdge communicates with the command and control (C2) server using HTTP protocol and JSON formatted data. It’s been attributed to the InvisiMole threat group and is reportedly an updated version of the group’s TCP downloader component, which is used to download backdoor modules. In March 2022, CERT-UA warned that this malware was targeting Ukrainian government agencies via phishing emails.

CaddyWiper: A Ukraine-focused wiper that’s relatively small in size and believed to have been deployed via Group Policy Object against energy providers in March and April 2022. The malware’s file destruction algorithm is composed of two stages: the first overwrites files and the second destroys the physical disk layout, the partition and the tables. For the file destruction, CaddyWiper takes ownership of the files by modifying their ACL entries and then simply overwriting them with zeros. The wiper then attempts to set the layout of all the physical drives on the system numbered 9 to 0. This wipes out all extended information on the physical drive’s partitions.

GrimPlant: A relatively simple backdoor malware that allows remote execution of PowerShell commands. Deployed alongside GraphSteel, the malware communicates with the C2 using port 80 and is based on the open-source Remote Procedure Call (RPC) framework, gRPC. The communications are encrypted with TLS using the certificate hardcoded in the binary. GrimPlant is configured to send a message every 10 seconds to the C2 server that includes information about the infected endpoint. The malware and the messages run in an infinite loop, waiting for command from the server. This malware was deployed via phishing attacks against Ukrainian government agencies in March and April 2022.

Industroyer2: A sophisticated malware attributed to the Sandworm APT group and targeting industrial control systems. The malware abuses the IEC 60870-5-104 (IEC 104) protocol used in electric power control systems. Consisting of a backdoor, loader and several payload modules, its only feature is to cause electric outages by disrupting operation of transmission substations. It was deployed against a Ukrainian energy provider in April 2022, however, the Ukrainian CERT thwarted the attack, preventing the disconnection of electrical substations and adverse impacts on the organization’s infrastructure.

AwfulShred and SoloShred: Both malicious shell scripts designed to corrupt Linux systems. These malware variants were part of a wave of attacks deployed against an energy facility of Ukraine in April 2022. The destructive activity of both scripts relies on a shred command with one overwrite pass, chosen to increase the data damage. AwfulShred is more sophisticated; prior to wiping the data, it disables and corrupts Apache, HTTP and SSH services, deactivates the swap file and clears bash history. The malware then forces the system to reboot, which makes the host inoperable.

CredoMap: A .NET credential stealer attributed to the Russia-based threat group APT28 (aka Fancy Bear, Sofacy, UAC-0028). The malware steals cookies and saved passwords from Chrome, Edge and Firefox browsers. Deployed via phishing emails, it exploited the Follina (CVE-2022-30190) vulnerability to target Ukrainian organizations between April and June 2022. However, there have been different versions of the malware identified, with some exfiltrating the data via email to a compromised account and others doing so via HTTP POST requests to the web backend.

DarkCrystal (DCRat): A commercial Russian backdoor that has been actively sold on cybercriminal forums since at least 2019. The remote access trojan’s (RAT) price starts at 500 RUB (US $6) for a two-month subscription. The malware can be used for a variety of purposes, including surveillance, reconnaissance, information theft, DDoS attacks and dynamic code execution. It communicates with the C2 via HTTP using GET and POST requests. The RAT has been used by a variety of threat actors and was deployed via phishing emails that targeted Ukrainian telecommunications and media organizations in June 2022.

Pterodo: A backdoor malware attributed to the Gamaredon threat group. Pterodo’s multiple variants all communicate with different C2 servers. Backdoor.Pterodo.B is a modified self-extracting archive that contains obfuscated VBScripts in resources that can be unpacked by 7-Zip. One of the files is designed to gather system information, and another adds a layer of persistence. Backdoor.Pterodo.C is also designed to drop VBScripts on the infected machine, but first conducts API hammering. Backdoor.Pterodo.D drops VBScripts as well, with the first running ipconfig /flushdns and then calling the second script, which has two layers of obfuscation and downloads the final payload. Finally, Backdoor.Pterodo.E engages in API hammering and drops two VBScripts to the victim’s home directory.

Giddome: A backdoor malware attributed to the Gamaredon threat group and deployed via phishing emails. Giddome contains multiple capabilities that include recording and capturing audio with the microphone on the victims’ system, taking screenshots and sending them to remote servers, keylogging and remote file downloading and execution capabilities. Attacks targeting Ukrainian organizations with Giddome malware were coupled with detections for AnyDesk and Ammyy Admin remote desktop protocol (RDP) tools.

RomCom RAT: A remote access trojan (RAT) targeting Ukrainian military institutions between July and October 2022. Reporting has linked the RomCom RAT to the Cuban ransomware affiliate, Tropical Scorpius. The threat actor distributed the malware by deploying spoofed versions of Advanced IP Scanner and PDF Filler. RomCom can gather system information, take screenshots, support auto-deletion and more. Early campaigns included spoofed websites to distribute the spoofed software. In October 2022, the threat actor began targeting Ukrainian military institutions with phishing emails that contained embedded links to fake websites. RomCom doesn’t exclusively target Ukraine and has been deployed towards organizations in the U.S., Brazil and the Philippines. The malware is consistently updated and improved, indicating that it will Likely remain a credible threat.

Graphite: A fileless malware deployed in-memory only and used to deliver post-exploitation frameworks. It’s been attributed to the Russia-linked threat group, APT28, against organizations and individuals operating in defense and government verticals across Europe and Eastern Europe. Activity was first discovered in February 2022, however, the campaign’s domains were still active in September 2022, indicating it’s Likely still active. The malware is delivered via a phishing email using a template potentially linked to The Organisation for Economic Co-operation and Development (OECD). The attachment is a PowerPoint file containing two slides with the same content in English and French. The PowerPoint exploits a code execution technique that’s triggered when the victim starts the presentation mode and moves the mouse. The malware communicates with the C2 by abusing the Microsoft Graph service.

Prestige Ransomware: A ransomware variant used to target Ukrainian transportation organizations in October 2022. Security researchers with Microsoft have linked the ransomware to the IRIDIUM threat group. Initial Access is not known; however, researchers indicate that the threat actor Likely gained prior access to highly privileged credentials prior to deploying the ransomware. All the infections occurred within one hour and the methods to deploy them varied across victim environments. Like other variants, the ransomware attempted to stop the MSSQL Windows service to ensure successful encryption and attempted to delete Volume Shadow Copies and backups after encryption.

BEATDROP and BOOMMIC: BEATDROP has been observed in APT29 campaigns and is used to deploy a malicious payload onto compromised systems. BOOMMIC was used to establish a foothold within the network, achieve persistence and fetch payloads to load them into memory.

Groups

APT29 (aka Cozy Bear, The Dukes): A Russia-linked threat group attributed to the Russian Foreign Intelligence Service (SVR) that has been active since at least 2008. APT29 is considered highly sophisticated and has continued to evolve tactics since their creation. The group launched multiple large scale phishing campaigns despite public attention, targeting the government, education, telecommunications, technology and health care industries in Europe, Asia and North America. It has conducted supply chain attacks, such as the SolarWinds incident of 2020, as well as phishing campaigns, password sprays and stolen credentials to gain Initial Access.

APT28 (aka Fancy Bear, Sofacy): A Russia-linked threat group attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation Unit 26165 and active since at least 2004. APT28 has been observed targeting U.S. politicians, organizations and nuclear facilities. In June 2022, the group deployed a document weaponized with the Follina (CVE-2022-30190) exploit to download and execute a .NET stealer.

Sandworm (aka Black Energy): A Russia-linked threat group attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation Unit 74455 and active since at least 2009. Sandworm was attributed with November 2015 attacks that deployed a destructive KillDisk component against Ukrainian news and media companies. These were followed by December 2015 attacks that deployed a destructive KillDisk component against electricity distribution companies. In 2022, Sandworm was tied to multiple attacks against Ukraine, including the Cyclops Blink attacks in February and the unsuccessful Industroyer2 attacks against an energy provider in April.

Gamaredon (aka Shuckworm, Primitive Bear): A threat group active since at least 2014, attributed to the Russian Federal Security Service (FSB) and targeting Ukraine almost exclusively. This group, like many others, relies on social engineering tactics to gain Initial Access. Gamaredon is not considered highly sophisticated but is determined and focused on Ukrainian organizations with multiple variants of the same malware to help prevent detection. The group focuses primarily on espionage activity, however, their backdoor tools can deploy additional payloads, which could lead to more severe cyberattacks such as wiper or ransomware malware.

DragonFly (aka Energetic Bear, Crouching Yeti): A Russia-linked threat group attributed to the Russian FSB Unit 71330 that has been active since at least 2010. Historically targeting organizations in the energy, transportation, defense, aerospace, and industrial verticals in western Europe and North America, the group was observed exploiting internet-facing infrastructure and network applications with brute force attacks, then leveraging compromised infrastructure.

IRIDIUM: A Russia-linked threat group that overlaps with the Sandworm APT group and has been linked to the Prestige ransomware variant. IRIDIUM has been active since the start of the Russia-Ukraine war in February 2022 uses commonly observed tools like RemoteExec and Impacket.

InvisiMole: A threat group that’s been active since at least 2013 conducting targeted cyberespionage operations in Ukraine and Russia. Security researchers with ESET identified evidence of collaboration between the InvisiMole group and Gamaredon group. The InvisiMole malware was observed using server infrastructure known to be used by the Gamaredon group. Additionally, InvisiMole uses legitimate tools during their campaigns and uses a “living-off-the-land” technique. The group was also observed using the EternalBlue and BlueKeep exploits during attacks.

UNC2589 (Ember Bear, Bleeding Bear, UAC-0056): Active since at least March 2021, this Russia-linked threat group conducts cyberespionage campaigns against organizations in Ukraine and Georgia. UNC2589 was attributed with the January 2022 WhisperGate malware attacks as well as GrimPlant and GraphSteel attacks against Ukrainian organizations.

Killnet: A pro-Russian threat group that announced their allegiance on Twitter in March 2022 when they posted a video declaring a war on the threat group “Anonymous,” who announced support for Ukraine. Since then, Killnet has been observed conducting distributed denial of service (DDoS) attacks against entities supporting Ukraine, including the leading political party website in France, several Lithuanian government websites and multiple websites in the U.S.

UAC-0098: A suspected pro-Russian threat group that has conducted multiple campaigns against Ukrainian organizations. UAC-0098 historically deployed the IcedID banking trojan that led to ransomware attacks. It has previously acted as an Initial Access Broker (IAB) for various ransomware groups, including Quantum and Conti. More recently, the group conducted phishing campaigns and repeatedly targeted Ukrainian hotels from April to June 2022. In other campaigns, UAC-0098 impersonated the National Cyber Police of Ukraine, using an Indian hotel’s compromised accounts to send phishing emails, and also impersonated representatives of Elon Musk and StarLink.

Recent Cyber Activity

In October 2022, the Ukrainian CERT discovered phishing emails spoofed to appear as if they were sent from the “Press Service of the General Staff of the Armed Forces of Ukraine.” Clicking the email link, however, took victims to a webpage that lured them to download a new version of PDF Reader. Running this file resulted in the download of the RomCom malware.

The Ukrainian CERT linked the RomCom RAT in these incidents to the Cuba ransomware affiliate known as Tropic Scorpius. As of July 2022, the group was attributed with 27 Cuba ransomware attacks targeting organizations in professional and commercial services, government, manufacturing, transportation, technology, retail, real estate, financial services, energy, utilities, construction, engineering and education verticals. While these attacks are likely financially motivated, Tropical Scorpius appears to take advantage of geopolitical events to target organizations in Ukraine and supporting countries.

In November 2022, Ukraine CERT reported that the Somnia ransomware was being deployed by FRwL (From Russia with Love), aka Z-Team and UAC-0118. This group is believed to have purchased access from an IAB, who gained Initial Access by luring victims to download Advanced IP Scanner software containing Vidar, a stealer malware used in the absence of two-factor authentication to access a user’s Telegram account and steal session data.

In the November incident, a victim’s account was used to transfer VPN connection configuration files to users. When they established a VPN connection, attackers were able to gain an unauthorized access to the corporate network. Attackers used tools such as Cobalt Strike, Netscan, Rclone, Anydesk and Ngrok.

CERT-UA reported that several Ukrainian organizations have been impacted by Somnia since Spring 2022 but did not provide any more information related to the victims. While early versions of the ransomware used the symmetric 3DES algorithm, new versions use the AES algorithm. Although Somnia is a ransomware variant, this version doesn’t allow for the possibility of data decryption due to the dynamics of the key and initialization vector.

Outlook

On November 9-10, 2022, the NATO’s 2022 Cyber Defence Pledge Conference was held in Rome at the Ministry of Foreign Affairs and International Cooperation. At the conference, the NATO Secretary General warned of the real and growing threat from cyberspace, urging NATO countries to increase their investment to cyber defenses. Additionally, Microsoft released their 2022 Microsoft Digital Defence Report (MDDR) and identified a significant increase in nation-state cyber activity, Likely due to the increased nation-state activity of Russia-linked groups targeting Ukraine and supporting countries.

Since the invasion of Ukraine in February 2022, Russia-linked and Russia-supporting groups have conducted cyberattacks and spread disinformation. Between February 24 and April 8, 2022, Microsoft reported 37 destructive malware attacks against Ukraine, however, larger strikes that would have crippled critical infrastructure, such as its electrical grid, were not successful. In attacks that were successful, Ukraine recovered quickly, to restore systems and communications.

Recently at the Aspen Cyber Summit, a senior Pentagon official stated that Russia’s cyber personnel “underperformed” during the initial invasion of Ukraine, which has Likely prompted Russia to rely less on digital attacks currently. This comes at odds with the previously wide-accepted belief in Russia’s formidable cyber capabilities, supported by the 2015 and 2017 attacks on Ukrainian power grids that caused billions of dollars in damage and widespread outages. When tensions began escalating in January and February 2022, many cyber experts and government agencies believed the war would result in significant cyberattacks.

At the 2022 Blackberry Security Summit in October, Victor Zhora, the deputy chairman of Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), stated that the cyberattacks on Ukrainian infrastructure had devolved into a chaotic series of opportunistic events but that the country has been able to remain resilient. Zhora stated that the Ukrainian government was the target of Russia-linked cyberattacks since at least 2014, which provided them the experience to withstand the wave of attacks expected with the invasion.

Russia’s cyber capabilities are Likely still significant based on previous cyberattacks reportedly linked to affiliated threat groups. However, as many nation-state groups are linked to military organizations, it’s Likely that resources typically allocated to cyber capabilities are currently dedicated to the physical war. Additionally, the U.S. and other NATO countries, as well as companies like Microsoft, have supported Ukrainian experts with hands-on recovery efforts, communication devices, critical infrastructure operators and financial and technical help to improve cyber resilience against cyberattacks.

Despite reports of Russia-linked groups’ limited success, there’s an Even Chance that they could begin targeting critical infrastructure verticals, such as energy, government, manufacturing and transportation, in destructive cyberattacks that include wiper or ransomware malware. There’s also an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military action sees setbacks, such as the retreat from Kherson.

It’s Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for financial gain and espionage attacks. It’s also Likely that as NATO countries, including the U.S., offer support to Ukraine for both cyber and physical warfare, they’ll be targeted in cyberattacks by Russia-linked or Russia-supporting threat actors, including DDoS, wiper malware, information stealing and ransomware attacks. Other countries with a history of state-sponsored and/or APT attacks that have indirectly aligned or maintained suspicious neutrality towards Russia include China and India, which could also pose additional risks or proxies for cyberattacks.

It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the continued success of compromise when employing the same techniques as well as the low resource requirement of reusing open-source and commercially available tools, software and malware.

In addition to multiple vulnerabilities, Optiv’s gTIC assesses it’s Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:

It’s Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.

Table 1: MITRE ATT&CK techniques observed in reported cyberattacks attributed to Russia-linked and Russia-supporting groups

References