Back to Blog

Russian Cyber Attacks: What We Know so far

By
Luke Richards
|
March 9, 2022

Brief Update on our Perspective: 9 March, 2022

As we move into a new phase of the invasion of Ukraine, and the subsequent cyber operations we have seen, what do you need to know?

At the top level, the most important answer to that question is that Vectra Security Research and Threat intel are working hard to ensure we deliver the best coverage for detecting threats when they happen at any level in your network, and we provide the means to react quickly, effectively, and cut off attacks before they become the next incident response case study.  

On the ground and in media, the war has moved from an aggressive rapid expansion into new territory and has turned to a more pitched battle of words. World leaders move to further sanction and increase their grip on Russian billionaires and assets. There is growing social pressure that corporations pull their products from Russia, the war has now become a lot smaller in the minds of people. In terms of the cyber espionage and battles being fought over computer networks, the tactics have also shifted. When the ground war began, there was a push to disrupt communications and the computer networks of those forces moving to defend positions. The world saw the deployment of three discreet types of attack. Firstly, Ukranian systems were subject to a mass DDoS attack, this was followed up with the well-known HermeticWiper malware used to destroy systems, and also Microsoft saw the deployment of a new Trojan, FoxBlade.  

The Shift to Clandestine Operations

As the focus shifts to more geopolitical matters, so the shift of reporting seems to be a return to a more clandestine operation. In the last few days, we have seen more reports of the attacks which have happened during the ongoing conflict. This is the dust settling after the initial thunder and flash of destructive malware. During the last week of February, Proofpoint were alerted to a new malicious campaign targeting Ukrainian organisations. This campaign was attributed to UNC1151, a group previously linked to a Belarus group of hackers, and the malware delivered was a complex Lua piece of malware, with a basic C2 communication profile1. This was not the only report to surface of quiet attacks, users on Twitter have begun reporting spear phishing attacks using Ukrainian language lures2 which drops the FormBook malware. Whilst this malware is linked with primarily criminal groups3 it is a highly sophisticated piece of malware, and the use of a targeted lure is something Vectra spoke about previously4.

Finally we must remember to not let all our focus be dedicated to looking to attacks overseas, Mandiant recently produced a report detailing an ongoing attack from APT41 targeting US Government targets5. This Chinese state actor were detailed to use multiple attempts to compromise their targets, ranging from their own zero day in a Web facing application, to using the well distributed Log4J vulnerabilities to achieve action on objective. In these cases the threat actor deployed their own sophisticated malware utilising traditional C2 type behaviour, and also deploying persistence through the use of “dead drop” techniques to update C2 IP addresses.

So what now?

Once again, we are asked, well if this is business as usual what should we be doing?  

First and foremost, we must remain vigilant, as it has been shown that whilst the headline grabbing activities will pull our focus to those overseas, we must also keep an eye on what we know to be true: Criminals will jump at an opportunity to use a global event to spread their own malware, sophisticated APT actors will attempt to use the smokescreen created by destructive malware to infiltrate targets of interest in a ground war, and finally, just because this is happening overseas we must not lose focus on our own networks and security.  

--

[1] https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails

[2] https://twitter.com/dsszzi/status/1499740427783651336?s=20&t=fDgbTX1ydsnTRjocdQUopw

[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

[4] https://www.vectra.ai/blogpost/customer-advisory-bulletin-mitigating-detecting-and-responding-to-russian-cyberactivity

Prior Content:  2 March, 2022

A week ago, we wrote about how the state level actors in Russia and other associated groups operate during a cyber security attack, or during an ongoing ground conflict. Looking back over the last seven days, we’d like to offer an updated perspective with a fresh look at what we know about how threat actors from Russia operate.

Additionally, we’d like to call attention to the fact that Microsoft have also identified a new Trojan capable of being used as part of a DDoS attack known as FoxBlade.A!dha and it’s dropper parent FoxBlade.B!dha. These were identified just before the first movements of the Russian military to seize territory in Ukraine, showing how joined up Russian military and Cyber operations truly are.

Malware operators will flood to Russian defence

As with any conflict there are always volunteers, and this hybrid ground / cyber war is no different. One of the first groups to swear allegiance to Russia was the Conti / TrickBot group, although they have since softened this stance. This gang are responsible for some of the largest and most successful ransomware campaigns in the last 5 years. TrickBot and its role in deploying IcedID, CobaltStrike and numerous Ransomware campaigns, is a name most blue team operators know well. It was Reported in late February that the TrickBot project was shut down, dealing a huge blow to the gang. Conti, however, prevail, having recently taken control of the BazarBackdoor malware.

Vectra customers should look for Vectra Threat Intel Match detections with the threat actor listed as WIZARD SPIDER or WIZARDSPIDER this is the internal name for the group. BazarBackdoor which is dropped by the BazarLoader malware communicates over HTTP and DNS to [.]bazar domains, customers should look for Hidden HTTP Tunnel, Hidden HTTPS Tunnel and Hidden DNS Tunnel detection as these are the primary communication methods for the backdoor. These will help correlate potential infections.

The backdoor also has several modular components, which can execute PowerShell commands on the infected host, so other detections to look out for includes Suspicious Remote Execution using WMI methods to execute commands on other hosts. This threat group is also known to use Task Scheduler and SMB to spread laterally, so look for schtask as an operation in Suspicious Remote Execution detections.

Early in the ground campaign, two new malware families emerged in the Information Security conflict, notably WhisperGate and Hermetic wiper. Both are destructive / Ransomware Lite types of malware, which destroy systems and sometimes ask for payment but do not provide a recovery option. At the moment, there are no network IOCs to look for, but Vectra are still able to find ransomware attacks as they happen, and let responders react quickly. An example of this is seen here in a post incident review where a customer did just that using Cognito Detect. Vectra’s CTO also produced a blog post talking about this current wave of ransomware.

The Vectra threat intelligence and services teams are also collating hundreds of indicators and reports to best serve our customers. To this end we have so far published three new saved searches in Recall:

  • Cogntio – TTP – iSession - Cyclops Blink Hardcoded C2 IP Addresses: This saved search is designed to find communications with the hardcoded C2 IP addresses of the Cyclops Blink malware
  • Cognito - TTP - SMB Files - Lockbit Known Ransom Note and Extension
  • Cognito - TTP - SMB Files - Lockbit Known Named Pipe: These two searches are designed to find LockBit activity on the network by looking for the Named Piped communication that is used by the malware to remain hidden. It also looks to identify the transfer of potentially malicious files.

Additional awareness and best practices

Currently, Vectra is working hard to ensure all customers are protected. If you are a Sidekick customer, the analyst team is providing hands on coverage, and are working with Vectra threat intelligence directly to provide the best priority and service possible. To the wider customer base, Vectra threat intelligence is collating 1000s of indicators and independent reports to ensure the best coverage to everyone. We also continue work confirming behaviours of known and engaged malware operators and threat actors, to ensure that detections line up with known malware and threat actor behaviour.

Notable detections to always look out for will be:

  • Hidden [HTTP, HTTPS, DNS] Tunnel: These detections will find malware Command and Control behaviours.
  • External Remote Access: This again will find more traditional Malware command and Control channels.
  • Suspicious Remote Execution: Many threat actors will attempt to spread laterally in an environment using existing channels making these detections more relevant right now.
  • Privilege Anomaly Detections: These detections will show suspicious account usage. Many threat actors look for accounts with high levels of privilege on a network to spread their malware or engage with high value targets such as Active Directory.

There haven’t been wide reports of Cloud based attacks yet, but it is likely that whilst these destructive and noisy attacks are happening, quiet attacks that focus on the cloud are also likely to be happening. Russian state actors are moving to the cloud for their attacks. The CISA put out a report in Februrary 2022 stating that Russian state sponsored attackers breached defence contractors cloud infrastructure.  Based on research from previous compromises, and known threat actor behaviour, Detect for Azure AD and Office 365 environments would expect to see the following types of detections.

  • Azure AD Brute-Force Attempt
  • Azure AD Suspicious Sign On
  • Azure AD MFA-Failed Suspicious Sign On
  • O365 Suspicious Sign-On Activity - This step of the attack can sometimes be the noisiest, however with a remote workforce, detecting this activity becomes something simple log searching is not sufficient. Detect for Cloud will produce detections as listed above to help analysts find the activity.
  • Azure AD Change to Trusted IP Configuration
  • Azure AD Suspicious Operation
  • O365 Suspicious Teams Application - applications and service principals that possess valuable access rights are modified with additional secrets, essentially creating a "backdoor" that attackers use to perform privileged actions on behalf of those applications.
  • Azure AD Newly Created Admin Account
  • Azure AD Redundant Access Creation
  • Azure AD Suspicious Operation
  • Azure AD Unusual Scripting Engine Usage
  • O365 Internal Spear phishing
  • O365 Suspicious Exchange Transport Rule
  • O365 Suspicious Mail Forwarding
  • O365 Suspicious Mailbox Manipulation -There are many ways to gain persistence in a cloud environment. Many detections in Detect for Cloud are built to find activity, ranging from accounts being created in Azure AD, to installation of transport rules, which can redirect email, or in previous attacks have been used as a command and control implant.
  • O365 Risky Exchange Operation
  • O365 Suspicious Download Activity
  • O365 Suspicious Mail Forwarding
  • O365 Suspicious Mailbox Manipulation
  • O365 Suspicious Sharing Activity - During this stage, along with opening up of sharing rights to non-local destinations, target mailbox permissions are modified to give another user (controlled by attacker) read access to target's e-mail, followed by periodic e-mail exfiltration.

Lastly, these TTPs as outlined by MITRE ATT&CK have been associated with Russian State Actors historically and have been updated to include the most recent destructive wiper attacks:


Tactic
   
Technique   
   
Procedure   
Resource Development [TA0042] Develop Capabilities: Malware [T1587.001] Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware.
Initial Access [TA0001] Exploit Public Facing Applications [T1190] Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks.
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002] Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.
Execution [TA0002] Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003] Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands.
Persistence [TA0003] Valid Accounts [T1078] Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.
Credential Access [TA0006] Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003] Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns.
OS Credential Dumping: NTDS [T1003.003] Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.
Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.
Credentials from Password Stores [T1555] Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.
Exploitation for Credential Access [T1212] Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers.
Unsecured Credentials: Private Keys [T1552.004] Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates.
Command and Control [TA0011] Proxy: Multi-hop Proxy [T1090.003] Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.
Impact [TA0040] Disk Wipe [T1561] Russian state-sponsored APT actors have wiped hard drives and underlying data structures (like Master Boot Records) during destructive phases to impact the target environment.