Russia/Ukraine Update - September 2022

September 29, 2022

As the Russian and Ukrainian war continues, cybercriminals in support of both sides continue to target organizations to obtain sensitive data, disrupt operations and wreak havoc. What’s more, Russia has used the conflict to move their targeting beyond Ukraine.

 

This war has had a rippling effect across the world, including a cybercriminal landscape that’s also been affected as groups split, turn sides and announce support for one country or the other. Since the invasion began, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian military actions and estimated cyber-related implications in advisories and blog posts on February 4, February 22, February 24, June 30 and August 25. In this update, we’ll provide information on the events of the previous 30 days and what to expect looking forward.

 

 

Russia

Russia has consistently targeted Ukraine in cyberattacks since well before the physical invasion in February 2022. One infamous attack targeted Ukraine’s power grid on December 23, 2015. Attackers were able to take control of the facilities’ SCADA systems. During the attack, malicious actors opened breakers at 30 distribution substations causing more than 200,000 consumers to lose power.1 Since the invasion of Ukraine, Russia’s cyberattacks against Ukraine have increased significantly, as have Russian supporters, including both state-supported and cybercriminal groups that have pledged their allegiance to the Kremlin.

 

In August 2022, The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the ongoing cyberespionage campaign conducted by the Russia-linked Gamaredon APT group (aka Shuckworm, Primitive Bear, Armageddon). The group has been observed targeting Ukrainian entities with a PowerShell info-stealer malware dubbed GammaLoad. This campaign is reported to have started on July 15, and was detected as recently as August 8, 2022. The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser. Then the attackers used mshta.exe to download an XML file, which was likely masquerading as an HTML application file (See Table 1 below). Following the downloading of the XML file onto victim networks, the attackers executed a PowerShell stealer. In some of the cases, the attackers also delivered two backdoors named Giddome and Pterodo, which are known to be used by the Gamaredon group.2

 

In August 2022, the Microsoft Threat Intelligence Center (MSTIC) observed and took actions to disrupt campaigns launched by the Russia-linked APT group SEABORGIUM. SEABORGIUM is a highly persistent threat actor that targets the same organizations over long periods of time using constant impersonation, rapport building and phishing to slowly deepen their intrusion. SEABORGIUM intrusions have been linked to hacking and leak campaigns where stolen and leaked data is used to shape narratives in targeted countries. Since the beginning of 2022, MSTIC has observed SEABORGIUM campaigns targeting over 30 organizations in NATO countries, particularly the U.S., U.K. and the government sector of Ukraine. SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental and intergovernmental organizations, think tanks and higher education.

 

SEABORGIUM conducts reconnaissance on their target individuals before beginning a campaign and focuses on identifying legitimate contacts in the target’s social network. The threat actors Likely leverage social media platforms, personal directories and open-source intelligence (OSINT) to identify targets’ contacts that can be used for impersonation. Once the group has a contact, they create an email address that matches the contact and sends a phishing email. If the target is a personal or consumer target, the threat actor typically begins with a benign email that includes pleasantries, Likely to establish rapport and avoid suspicion. When the victim is an organization, the emails appear to have a more authoritative approach. The goal of these campaigns is to steal sensitive information and harvest credentials.

 

Image
Russia_Ukraine_update_sept_1.png

Figure 1: Phishing email observed in SEABORGIUM campaign, August 2022 (Source: Microsoft)

 

In August 2022, Mandiant reported that the Russia-linked group APT29 (aka Cozy Bear) has been vigorously targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information. Victims have included accounts that APT29 compromised months or even years before. APT29 used multiple new techniques during these attacks:

 

  • Microsoft 365 users with an E5 license have access to a logging feature called Purview Audit. APT29 has been observed disabling Purview Audit on targeted accounts to maintain persistence and prevent their activity from being logged. Once it is disabled, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection or when.

  • APT29 has been observed taking advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory and other platforms. APT29 was observed conducting a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been set up for MFA but never used. This allowed APT29 to login using the credentials and enroll the account in MFA. APT29 was then able to use the account to access the organizations’ virtual private network (VPN) infrastructure that was using Azure AD for authentication and MFA.4

 

In August 2022, Latvia’s Computer Emergency Response Team (CERT.LV) reported that their website was suffering a massive DDoS attack. Latvia attributed the attack to the Russia-linked hacker group Killnet, after Latvia’s parliament announced Russia as a “state sponsor of terrorism.” In May 2022, Killnet declared war against any country that allied with Ukraine during the war, which has included the U.S., the U.K., Germany, Italy, Latvia, Romania, Lithuania, Estonia and Poland. These countries have been targeted each time they announce support for Ukraine, with Latvia and Lithuania targeted the most often. Latvia’s head of CERT.LV stated that Latvia is attacked by hackers almost on a daily basis with around 1,000 targets on some days.5 Finland’s parliament was also targeted by Russia-linked hackers, a group called NoName057(16), in August 2022. The hackers stated on their Telegram channel that they “punished” Finland for its aspiration to join NATO. The cyberattack on Finland’s parliament occurred on the same day U.S. President Joe Biden announced his support for Finland and Sweden to join NATO.6

 

 

Ukraine

There are multiple threat groups, including the IT Army of Ukraine and Anonymous, that have pledged their allegiance to helping Ukraine in the cyberwar that has ensued. These groups are comprised of threat actors from all areas of the world that have come together to support the country. The IT Army of Ukraine was created on February 26, 2022, after the ground invasion of Ukraine and is comprised of more than 1,000 Ukrainian and foreign volunteers. Additionally, after the invasion of Ukraine, the Anonymous hacking group posted on their Twitter for hackers around the world to target Russia, effectively declaring war on Russia in an operation dubbed #OpRussia.

 

 

Anonymous/IT Army of Ukraine

In August 2022, Ukrainian hackers hacked the TV shown in Russian-occupied Crimea and broadcasted an address by President Volodymyr Zelenskyy. The address was broadcast on Russia’s Pervyi Kanal (Channel One).7

 

Image
Russia_Ukraine_update_sept_2.png

Figure 2: Announcement on Strategic Communications Department of the Armed Forces of Ukraine on Telegram (Source: Ukrainska Pravda)

 

In August 2022, the Anonymous hacking group announced via Twitter that two Russian video conferencing services were under attack. The group announced that all services were down. The first, Webinar Group, is used for meetings, online events, training and webinars throughout Russia. The second, Videomost, is another of the top video conferencing apps used throughout Russia for meetings, trainings and online events.

 

On September 06, 2022, Anonymous TV (@YourAnonTV) posted on their Twitter that the IT Army of Ukraine successfully targeted the third largest bank in the Russian Federation, GazpromBank, with a purported DDoS attack. The post stated that the website was down for four hours, making it impossible to send payments and transfers and blocking access to personal accounts and mobile banking. The post included two screenshots that showed the application as unavailable.8

 

Image
Russia_Ukraine_update_sept_3.png

Figure 3: Screenshot included in Anonymous TV Twitter Post (Source: Twitter)

 

In September 2022, the IT Army of Ukraine targeted the Yandex Taxi app causing a major traffic back up in Moscow. The group ordered all available taxis to the same location in Moscow, creating a traffic jam that took place in the center of the Russian city on September 01, 2022. Due to the hack, one of the main streets of Moscow was completely blocked for more than two hours. The Yandex-owned company stated that the security department immediately blocked the intruder and halted the fake taxi requests.9 This incident highlights how even high-level (low-complexity, simple) cyberattacks can result in real-world economic and social disruptions and impact.

 

 

Other Activity

In August 2022, the Russian streaming company, START, confirmed that the personal information of its customers was leaked during a cyberattack. The company did not disclose how many customers were affected, but the incident was listed on the Russian Telegram channel, Information Leaks, which stated the information included 72GB of data for 44 million customers. The leaked information included usernames, email addresses, hashed passwords, IP addresses, country of registration, subscription start and end date and the last login to the service. The breach purportedly affects viewers from Russia, Kazakhstan, China and Ukraine. The hacking group announced that the data came from an exposed MongoDB database program. START announced they fixed the vulnerability that allowed the data breach to occur.10

 

In August 2022, a forum specializing in cyberattacks against Russia and Belarus, DUMPS, appeared and was observed advertising DDoS attacks starting at $80 per hour. The forum only targets organizations in Russia and Belarus and does not offer any services for other countries. The activity centers around data leaks, advertising DDoS attack services, forged and stolen identity documents, and anonymous and bulletproof hosting services. The data-leaks section of the forum appears to be the largest, where users shared data stolen from Russia-based government and private institutions. DUMPS offers prices based on the power of the DDoS attack on offer, with a lower level “layer four” assault lasting one day priced at $500 and a higher “level seven” attack over one day priced at $600. Shorter attacks are offered by the hour. DUMPS appears to support their Ukrainian users while attracting Russian users that are willing to take up cyber-arms against their own country. The site has yet to gain much notoriety, with just 100 users; but could grow significantly if the site gains attention.

 

In September 2022, unknown hackers reportedly started flooding Cobalt Strike servers operated by former members of the Conti ransomware group with anti-Russian messages to disrupt their activity. Although the Conti ransomware group turned off their internal infrastructure in May 2022, their members shifted to other ransomware groups, such as Quantum, Hive and Alphv. The former Conti members have continued to use the same Cobalt Strike infrastructure to conduct new attacks under the other ransomware operations. The threat actor flooding the servers are using the username “Stop Putin!” on multiple computers and changing their computer names to various messages – “Stop the war!”, “15000+ dead Russian soldiers!”, and “Be a Russian patriot!”. The messages are flooding the servers at a rate or about two every second. The messages cause the TeamServer’s Java application to be overloaded and the activity was disrupted similar to a DoS condition. The threat actors are unknown, however, they have been observed resuming the flooding each time a new server believed to be connected to the former Conti members is identified.11

 

In September 2022, the Cyber Department of the Ukrainian Security Service (SSU) dismantled two bot farms that spread Russian disinformation on social networks and messaging platforms via thousands of fake accounts. The bot army was comprised of nearly 7,000 accounts and was used to push content discrediting the defense forces of Ukraine, justify Russia’s armed aggression and destabilize Ukraine’s social and political situation. One of the farms was operated by a 24-year-old native living in the Kyiv region and was used by “representatives of the PR departments of political parties and Russian citizens promoting destructive and provocative material in Ukrainian information space.” The second farm was operated by a user from Odessa and spread panic in the region by pushing disinformation and fake news from the front, selling its services to Russian “clients.” Ukraine has dismantled farms comprising of more than one million bots since the beginning of the war in February 2022.12

 

 

Looking Forward

In September 2022, it was reported that the Ukrainian military made advances which led to Russia Likely ordering the withdrawal of its troops of occupied Kharkiv Oblast west of the Oskil River. Additionally, it was reported that in the south, near Kherson, Russia was Likely struggling to bring sufficient reserves forward across the Dnipro River to the front line. The Ukrainian success reported over the previous 30 days will Likely have significant implications for Russia’s overall operations on the ground. Due to this factor, it is Likely that Russia-based and supporting threat groups will increase their attacks on Ukrainian government and military organizations, as well as those of countries in support of Russia over the next 30 days.13

 

Along with the physical conflict in Russia’s invasion of Ukraine, it’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software and malware.

 

In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:

 

 

  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware vCenter, ESXi, vSphere, vAccess
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Content Management System (CMS) platforms
  • WordPress – Joomla!, Drupal, Magento, Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho MangeEngine
  • LogMeIn
  • TeamViewer

 

 

Table 1: Commonly observed MITRE ATT&CK tactics

 

Tactic Technique Procedure
Reconnaissance T1593 Search Open Websites/Domains
T1595.002 Active Scanning: Vulnerability Scanning
Resource Development T1587.003 Digital Certificates
T1586 Compromise Accounts
T1584.005 Compromise Infrastructure: Botnet
Initial Access T1133 External Remote Services
T1190 Exploit Public Facing Application
T1566 Phishing
T1078 Valid Accounts
T1199 Trusted Relationship
Execution T1072 Software Development Tools
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
T1204 User Execution
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File
Persistence T1053 Scheduled Task/Job
T1098 Account Manipulation
Privilege Escalation T1611 Escape to Host/Exploitation for Privilege Escalation
T1078.001 Valid Accounts: Default Accounts
T1078.002 Valid Accounts: Domain Accounts
Defense Evasion T1127 Trusted Developer Utilities Proxy Execution
T1497 Virtualization/Sandbox Evasion
T1562.001 Impair Defenses: Disable or Modify Tools
T1562.002 Impair Defenses: Disable Windows Event Logging
T1055.001 Process Injection: Dynamic0link Library Injection
Credential Access T1212 Exploitation for Credential Access
T1003 OS Credential Dumping
T1110 Brute Force
Discovery T1120 Peripheral Device Discovery
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1518 Software Discovery
Lateral Movement T1210 Exploitation of Remote Services
T1570 Lateral Tool Transfer
Collection T1213 Data from Information Repositories
Exfiltration T1041 Exfiltration over C2 Channel
Impact T1485 Data Destruction
T1486 Data Encrypted for Impact
T1489 Service Stop
T1489.001 Network Denial of Service – Direct Network Flood
T1531 Account Access Removal

 

It’s Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for financial gain and espionage attacks. It’s Likely that if the United States imposes harsher and broader sanctions and embargos on Russia, the fallout will result in nearly all ransomware groups being placed under severe restrictions through the U.S. Treasury’s Office of Foreign Asset Control (OFAC). This would result in the inability of ransomware victims in the U.S. to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems. Other countries that have a history of state-sponsored and/or APT attacks which have indirectly aligned or maintained suspicious neutrality towards Russia include China and India, which could also pose additional risks or proxies for cyberattacks.

 

When Russia invaded Ukraine, U.S.-based organizations began pulling their businesses from Russia. Multiple ransomware groups, including REvil, Conti and LockBit 2.0/3.0, are based in Russia and target multiple U.S.-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks and nation-state groups – such as APT28, APT29 and Sandworm – highlight Russia’s ability to create severe disruption and chaos in the United States. U.S.-based organizations are a historically attractive target and it’s Likely that U.S. companies will continue to be targeted, whether by threat actors based in Russia or those in support of the Kremlin’s invasion of Ukraine.

 

 

References

 

  1. https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks/
  2. https://cert.gov.ua/article/971405
  3. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
  4. https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft
  5. https://therecord.media/pro-kremlin-hackers-target-latvias-parliament-after-declaring-russia-a-sponsor-of-terrorism/
  6. https://yle.fi/uutiset/3-12569629
  7. https://www.pravda.com.ua/eng/news/2022/08/20/7364150/
  8. https://twitter.com/YourAnonTV/status/1567210769413971970
  9. https://securityaffairs.co/wordpress/135280/hacktivism/anonyomus-hacked-yandex-taxi.html
  10. https://therecord.media/leading-russian-streaming-platform-suffers-data-leak-allegedly-impacting-44-million-users/
  11. https://www.bleepingcomputer.com/news/security/ransomware-gangs-cobalt-strike-servers-ddosed-with-anti-russia-messages/
  12. https://www.bleepingcomputer.com/news/security/ukraine-dismantles-more-bot-farms-spreading-russian-disinformation/
  13. https://twitter.com/DefenceHQ/status/1569188296680415232
Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.