Today’s blog post has been written by #TeamAwen member Abinash Ramesh.
On 20th April 2022, the Five Eyes intelligence alliance released a Cybersecurity Advisory (CSA) on the impact of Russia’s invasion of Ukraine on the wider cyber world. Russian organisations have previously targeted Ukrainian critical national infrastructure with the infamous ‘NotPetya’ and ‘BlackEnergy’ attacks (more details are available from NCSC UK and CISA USA).
Malicious cyber activity comes in many different forms, with different names, attack vectors and methods.
The ‘NotPetya’ attack is a malicious data encryption tool, purportedly created by Russia’s GRU Main Center of Special Technologies, that infected software used by most of Ukraine’s financial and government institutions. Once a device is infected, the tool quickly spreads via the trusted network that these devices are connected to and demands a ransom in Bitcoin to release the hijacked device. Even if the ransom is paid, the device may not be unlocked, as the tool was designed only to encrypt and not to decrypt the data; the data is therefore lost forever regardless of whether the ransom is paid.
The BlackEnergy attack targeted industrial control systems (ICS) and SCADA, specifically in the power sector. Although it was focused on the power sector, BlackEnergy has also been known to target governments and media. It was distributed by spear phishing emails carrying a malicious Excel document whose macros infected the computer. Spear phishing is where a malicious actor disguises themselves as a trusted individual in order to get the target to click a link or open an attachment.
The Five Eyes alliance has released a list of Russian state-sponsored cyber operations and Russian-aligned cybercrime groups, summarised below.
Russian State-Sponsored Cyber Operations
The Russian Federal Security Service (FSB) including FSB’s Center 16 and Center 18
BERSERK BEAR, also known as Crouching Yeti and Dragonfly among many other names, has targeted critical national infrastructure (CNI) in Western Europe and North America. It has been active since 2005 and uses a technique known as waterholing, which works by identifying a website frequented by users within a targeted organisation or sector. The website is then compromised in order to distribute malware. Its objective is to obtain credentials that enable access inside the network, and then to locate valuable assets and retrieve data.
Russian Foreign Intelligence Service (SVR)
The most notable CNI attack by this group is the SolarWinds Orion compromise. In summary, it used a supply chain attack to insert malicious code into the Orion software. A supply chain attack is when an attacker targets a third party with access to the organisation’s systems rather than attacking the organisation directly.
Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
The most notable attack by this organisation is Drovorub. It works by infecting the Linux kernel with a rootkit that communicates directly with the attacker's server, allowing files to be downloaded and uploaded, network traffic to be forwarded and commands to be executed with root privileges.
GRU’s Main Center for Special Technologies (GTsST)
This organisation deployed the NotPetya attack against Ukraine's financial, energy and government organisations. It is also responsible for the BlackEnergy attack, used to steal credentials and render infected computers unusable.
Russian Ministry of Defence, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
This organisation hasn’t deployed any cyberattacks as of April 2022 but is responsible for developing destructive ICS malware. It has been sanctioned by the UK’s Foreign, Commonwealth and Development Office for an incident in 2017 in which it was found guilty of manipulating industrial safety systems at a foreign oil refinery using its Triton malware. The malware is custom built to disable safety alarms in ICS and to disable the safeguarding measures of these systems.
Russian-Aligned Cyber Threat Groups
These groups operate differently from the groups listed above, as they are more likely to be financially motivated. They can still be a threat, mainly through ransomware and DDoS attacks.
The CoomingProject
This group extorts its victims by threatening to expose leaked data. It runs a data leak website which, in the two months leading up to 13th February 2022, published data from at least 36 companies and organisations. Although most of the data had previously been leaked on another website, sites like this increase the chances of the data falling into the wrong hands.
Killnet
Just last month, Killnet claimed credit for conducting a DDoS attack against Bradley International Airport in Connecticut. A DDoS attack is when an attacker aims to disrupt a website by flooding it with requests. While this may not cause any data to fall into the wrong hands, it can still take websites, services and CNI down for hours, resulting in lost time and money. One of the ways a DDoS attack can be conducted is via a botnet, so that the traffic comes from many IP addresses rather than a single one, which makes it harder to filter.
MUMMY SPIDER
This group distributes the Emotet botnet. Discovered in 2014 and initially used as a banking trojan, it evolved into a method of delivering additional malware and ransomware, such as WIZARD SPIDER’s TrickBot. Although it was taken down in January 2021, it appears to have been resurrected in a spam email campaign.
WIZARD SPIDER
Developer of the TrickBot malware and Conti ransomware, this group’s modus operandi is attacking via multiple vectors, from Emotet and spear phishing to simply weak Remote Desktop Protocol credentials. Once its TrickBot malware has infected the system, the Conti ransomware is deployed to demand a ransom. The group targets many different organisations in sectors such as construction, engineering and manufacturing, and even US healthcare and first responder networks.
SALTY SPIDER
Developers of the Sality botnet, which was first discovered in 2003 but has since evolved into a P2P malware loader much like the Emotet botnet. In February 2022, they conducted DDoS attacks against Ukrainian web forums used to discuss events relating to Russia’s invasion of Kharkiv.
SCULLY SPIDER
Also known as Gold Opera, this group operates a malware-as-a-service model using its own DanaBot botnet: it maintains the command and control infrastructure and sells device access to affiliates, who distribute their own malware. Similar to Emotet, DanaBot started off as a banking trojan but expanded beyond banking last year and has been used to distribute other malware and ransomware. It has also been used in DDoS attacks against Ukrainian government organisations.
SMOKEY SPIDER
Yet another botnet that is being used as a vector for distributing malware and ransomware. Its most recent known attack was a DDoS attack against Ukrainian targets.
The Xaknet Team
Not much is known about this group, as they have only been active since March 2022; however, they have already leaked the email contents of a Ukrainian government official.
Summary
These groups target many different critical national infrastructure (CNI) sectors using a variety of attack vectors, such as ransomware, malware and spear phishing among others. It is crucial that we stay ahead of attackers, as any attack against CNI can cause great harm to people, loss of service, loss of revenue and even loss of life. Although there is no such thing as 100% protection, there are many steps that can be taken in order to mitigate and reduce the chances of an attack. The first step is ensuring that your devices are up to date with the latest firmware.
The UK government’s cyber security division, the NCSC, has published actions to take when the cyber threat is heightened. At Awen Collective we can provide friendly advice in a no-obligation chat, so please feel free to contact us today.