The latest updates from IronNet threat intelligence research

Russian cyber attack campaigns and actors

The latest updates from IronNet threat intelligence research

Updated October 26, 2020.

Despite lacking the national wealth and technological prowess of their Western rivals, the Russian intelligence services have proven to be one of the shrewdest, most effective — and potentially most dangerous — threat actors in cyberspace. Indeed, Russian cyber attacks are a real and present threat. Some of the highest profile examples include:

  • Interference in the 2016 U.S. presidential elections: These operations illustrated the reach and power of cyber-enabled influence operations. 
  • Disruption of the Ukrainian power grid in 2015: Russian cyber actors are credited with the first publicly identified attack on a live power grid, which impacted an estimated 225,000 people.
  • Intrusions into the U.S. power grid: In 2018, the U.S. publicly accused Russia of conducting a two year long coordinated campaign of cyber intrusions into the U.S. grid.
  • Targeting of COVID-19 research: In July 2020, the U.S., U.K., and Canada detailed Russian-driven cyber intrusion campaigns directed against organizations conducting COVID-19 vaccine development.

With these instances serving as precursors, there is now widespread concern (and mounting evidence) within the cybersecurity community that Russian hackers are actively developing deep access into critical infrastructure networks around the globe for the purpose of executing disruptive or destructive physical attacks (should they be called upon to do so by regime leadership).

Russia also harbors a large proportion of the world’s active cyber criminals. Theft and fraud appear to be routinely ignored by the Russian authorities, provided the victims reside in those nations the Kremlin considers its enemies. Putin’s regime offers little help in bringing these criminals to justice, and may in fact be partnering with them, placing these criminal actors beyond the reach of many Western law enforcement agencies.

Some of the most notorious actors in the cyber threat landscape have been traced back to sponsorship by the Russian state. As the digital revolution has accelerated, so, too, has the Russian cyber attack landscape — hold-over Cold War tactics that evolved to take advantage of new electronic methods of communication.

Strategic Russian interests are guided by the desires for Russia to be recognized as a great power, to protect the Russian identity, and to limit global United States power. These themes are evident in components commonly associated with Russian-backed cyber threat campaigns:

  • The weaponization of information through disinformation campaigns and propaganda
  • Attempted interference in democratic processes
  • Strategic positioning within critical infrastructure, perhaps as preparation for potential escalation of hostilities with rival nations.

What does the Russian cyber attack threatscape look like?

To summarize the threat at a more tactical level, we have scoured cybersecurity reporting in order to prepare an overview of cyber threat actors observed more recently, and to which evidence-based analysis has assigned the likelihood of Russian state-sponsorship as probable. Each actor is presented with highlights of more notable campaign activity, with notations on countries and sectors targeted, as well as a mention of behaviors or tactics, techniques, and procedures (TTPs) utilized in order to enable actions on objectives. Footnotes provide links to further, more detailed, reading.

Who are today’s major Russian adversary groups and what are the main tactics and techniques of Russian cyber attack campaigns? Let’s take a closer look at some of these known actors, listed here in order of threat scope and potential:

Ghostwriter

Ghostwriter represents yet another recently identified cyber influence operation likely tied to the Russian intelligence apparatus. The campaign, which has been active from early 2017 through at least May 2020, has focused on disseminating falsified narratives surrounding Lithuania, Latvia, and Poland, and their relations with other NATO allies. The fake stories consistently suggest tensions between the allies or wrongdoing by NATO troops stationed within the Baltic region.

In addition to the activity attributed to Ghostwriter, the Associated Press reported that Russian intelligence services were also using several English-language websites to spread disinformation about the coronavirus pandemic and response in the United States, providing yet another example of concerted effort by the Russian intelligence services to influence public opinion within the West.

The actors behind this campaign have successfully compromised legitimate websites (typically news sites) which they in turn use to post fabricated stories containing false or divisive narratives surrounding the alliance NATO with a focus on Eastern Europe. Various cyber personas are then used to amplify and further disseminate the narratives by posting to blogs, sites allowing user-generated content, or social media. In April 2020, one such fake letter was even posted to the official website of the Polish War Studies Academy.

The tactics and concepts observed during the Ghostwriter campaign are reminiscent of  Operation Secondary Infektion, an online influence operation uncovered in 2019. Secondary Infektion was also designed to exacerbate tension between the NATO countries and relied upon social media to amplify and distribute fake stories. While there are no technical links between these two campaigns, the intent and tactics are strikingly similar.

Known Targets

Poland, Latvia, and Lithuania

Sample TTPs

  • Creation of fabricated narratives designed to exacerbate or create tensions between NATO allies
  • Compromise of news or government websites to facilitate distribution of false information
  • Amplification of false narratives by posting to sites allowing user-generated content, blogs, or social media

AKA

None Identified

 

Sandworm Team 

In October 2020, the US Justice Department announced the indictment of six Russian men who are members of the Sandworm Team. The indictment also lists numerous intrusion campaigns executed by these actors, to include the infamous NotPetya attacks, targeting of French politicians and government entities during the 2017 elections, and efforts to interfere in media and government networks in Georgia in 2018 and 2019. These charges also included the first official acknowledgement by the US government that Sandworm was responsible for the Olympic Destroyer malware used to disrupt the 2018 Winter Olympic Games in PyeongChang, South Korea.

In May 2020, the National Security Agency had issued an advisory warning of ongoing exploitation of a vulnerability in Exim mail transfer agent (MTA) software, which is popular in Unix and Linux-based systems. The advisory also specifically tied this activity to the Sandworm Team, whose actions the US government has publicly attributed to the Russian GRU’s Main Center for Special Technologies (known as the GTsST).

Active since at least 2009, the Sandworm Team is responsible for the first publicly acknowledged cyber incident that resulted in power outages impacting a civilian population, occurring in Ukraine in December 2015. The malware used in this attack, BlackEnergy 3, enabled the actor to gain access to the IT network of a Ukrainian power company, from which they pivoted to the SCADA portion of the network, giving the actor the ability to manipulate the Industrial Control System (ICS) — without the need for customized malware — in order to shut down power in Kiev. This is an often mis-characterized component of the campaign, likely because the BlackEnergy 2 predecessor to BlackEnergy 3 contained ICS targeting components that are not present in BlackEnergy 3. Cybersecurity researchers also note that “Russian operators, such as Sandworm Team, have compromised Western ICS over a multi-year period without causing a disruption,” perhaps in order to stage for future potential Russian cyber attack campaigns.

Known Targets

NATO member countries, Ukraine, Telecommunications, Energy, Government, Education

Sample TTPs

  • Spearphishing utilizing weaponized Microsoft Office documents
  • Denial of Service attacks for the purposes of disrupting communications
  • Remotely controlling SCADA
  • Destruction of files by utilizing KillDisk malware

AKA

BlackEnergy, Voodoo Bear, TEMP.Noble, Iron Viking

 

ELECTRUM

This group is responsible for the CRASHOVERRIDE malware framework (frequently also referred to as Industroyer), which was the first malware to ever specifically target and disrupt electric grid operations. In December 2016, Russian cyber attack by these actors manipulated breakers at a substation in Kiev Ukraine, leading to power disruption and serious damage to equipment.

ELECTRUM has links to Sandworm as their development group, but it appears that the understanding of which team actually carried out the attack has evolved over time. Regardless of the specific threat actor, the behaviors demonstrated are what are important to understand.

Known Targets Ukrainian energy sector
Sample TTPs
  • Maliciously impacting operations by leveraging ICS protocols
  • Establishment of an internal proxy within a compromised network which receives connections from backdoors installed on other systems within the network, and attempts to funnel data to external command and control servers
  • Incorporation of malware modules with data wiping capabilities
Also Known As Sandworm Team

 

Telebots

Telebots is the group attributed to the NotPetya ransomware outbreak, which is the most destructive attack in history from a financial perspective, and is reported to be an evolution of the group or groups responsible for causing the Ukrainian blackouts described in the previous two sections. In 2018, the security firm ESET identified code linkages between NotPetya and CRASHOVERRIDE (which they refer to as the Industroyer attack). The NotPetya attack initially targeted industries in Ukraine after the threat actor was able to effect a supply-chain compromise of Ukrainian accounting software. The incorporation of the EternalBlue exploit for SMB in conjunction with the password dumping tool Mimikatz enabled NotPetya to cripple networks around the globe.

Known Targets Ukrainian financial sector
Sample TTPs
  • Spearphishing with Microsoft Excel attachments containing malicious macros
  • Hiding malicious network activity by abusing legitimate services to host payloads or provide communication mediums for attackers
  • Deployingredundant backdoors within a network
  • Disguising malware backdoors by providing them with names resembling AV-related services
Also Known As Sandworm Team

 

Energetic Bear

This group is assessed as the creator of the Havex RAT, which is one of five known ICS tailored malware families. Energetic Bear campaigns began in 2010 in order to collect intelligence used for espionage (as opposed to attempting destruction or disruption of systems) and have continued through at least 2017. The TTPs leveraged by this threat actor are not unique or particularly novel, but the systematic and deliberate social engineering strategies employed are. Smaller, less defended companies and subcontractors within the energy sector have been targeted — likely as a means for the actor, in turn, to target regional and national-level energy companies and power suppliers.

Known Targets Energy, Aviation, Pharmaceutical, Defense, Petrochemical sectors in the United States and Europe
Sample TTPs
  • Compromise legitimate industrial control systems vendor sites and plant trojanized versions of ICS-related software and applications on those sites
  • Spearphishing emails with PDF attachments embedded with Adobe Flash exploits
Also Known As Dragonfly, Crouching Yeti, Havex, Koala, Iron Liberty

 

DYMALLOY

In October 2020, the U.S FBI. and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory detailing active targeting of U.S. state and local governments and aviation networks by Berserk Bear actors. While the advisory stated that these intrusion did not appear to have disrupted any operations within the targeted networks, the group did successfully exfiltrate data from at least two victims and appeared to be hunting for information such as network configurations, passwords, and vendor purchasing data.

In Spring 2020, it had come to light that German government authorities had issued an advisory to critical infrastructure operators in the country indicating that the Russia-linked Berserk Bear (aka Dymalloy) group had executed “longstanding compromises” within several German companies. Of note, there were no identified production disruptions within industrial networks, per German authorities. Instead, the goal of these campaigns appears to have been to establish persistence within the companies’  IT and/or production / operational technology (OT) networks, presumably to allow for future operations.

Some researchers attribute the activities of this group to an evolution of Energetic Bear activity (referring to earlier activity as Dragonfly and later activity as Dragonfly 2.0); however, Dragos asserts that there are enough technical differences to justify tracking this as a separate group. This group avoids using custom malware, opting for commodity malware families that hinder attempts at applying attribution. Crowdstrike reports that this group has strong ties to Moscow, as targeting aligns closely with likely collection priorities of Russian intelligence.

Known Targets

Industrial Control Systems in Turkey, Europe, and the United States; US state, local, territorial, and tribal (SLTT) government and aviation sectors

Sample TTPs

  • Use of commodity malware such as Goodor, DorShel, and Karagany
  • The chaining or combination of multiple legacy vulnerability exploits with exploitation of the newer Windows Zerologon vulnerability

AKA

Dragonfly 2.0, Berserk Bear

 

APT29

In July 2020, cybersecurity agencies from the UK, Canada, and the US jointly attributed a campaign targeting pharmaceutical companies and academic institutions involved in COVID-19 vaccine development to APT29, a group widely believed to be operating on behalf of Russian intelligence services. 

The group began its intrusions by conducting basic vulnerability scanning against external IP addresses known to belong to the target organizations. The group then deployed publicly known exploits against the vulnerable systems it found, including popular Citrix, Pulse Secure, and Fortinet devices, among others. The APT29 actors then deployed custom malware, known as WellMess or WellMail, to execute commands, upload and download files, and other operational tasks on the victimized systems. Notably, these malicious tools are designed to work on both Windows and Linux-based systems and support command and control communications over multiple networking protocols.

This group has operated since at least 2008, collecting intelligence in support of foreign and security policy decision-making. The primary targets are Western governments and related organizations, but intrusion attempts have been witnessed across a broad spectrum of sectors. Notable compromises include the intrusion into the Democratic National Committee in 2015 and 2016, and intrusions into unclassified networks of a variety of U.S. government departments.

Known Targets

Western governments and related organizations, as well as Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey, and Central Asian countries

Sample TTPs

  • Heavy waves of spearphishing with messages that contain either links to malicious executables hosted on legitimate but compromised websites, or Microsoft Office attachments with content making the documents appear legitimate in order to disguise embedded macros which enable malware installation
  • System exploitation followed by downloads of steganographic PNG image files from compromised servers
  • Use of malicious shortcut files (LNKs) to deliver payloads
  • Use of benign decoy documents delivered intentionally to evade detection
  • Compromising the infrastructure of various corporations in order to deliver phishing emails

AKA

Cozy Bear, The Dukes, CozyDuke, YTTRIUM, Hammertoss, MiniDionis

 

APT28

In August 2020, the FBI and the NSA released detailed analysis of a malware toolset known as “Drovorub”, which the agencies attributed to a specific military unit within the Russian General Staff Main Intelligence Directorate’s (GRU) 85th Main Special Service Center (GTsSS), and linked this activity to APT28 and previous private sector research. This reporting does not speak to the targets or intent of Drovorub’s operators, but appears to be part of a concerted effort by the US government to publicize and counter Russian cyber threats. 

This espionage-focused group has also operated since at least the mid 2000s, targeting multiple sectors around the world with special focus on defensive sector organizations. Multiple governments have attributed the actions of this group to Russian military intelligence service, and notable operations have targeted organizations such as the International Olympic Committee, the Organisation for the Prohibition of Chemical Weapons, and the Democratic National Committee (similar to APT29). Cybersecurity researchers identify this actor as conducting some of the most far-reaching and sophisticated Russian cyber attack campaigns to date.

Known Targets

Aerospace, defense, energy, government, and media sectors, with victims in the United States, Western Europe, Brazil, Canada, China, Georgia, Iran, Japan, Malaysia, and South Korea

Sample TTPs

  • Registering domains that attempt to appear legitimately associated with victim organizations, and utilizing these domains
    as part of credential harvesting campaigns
  • Abuse of OAuth access tokens in order to gain access to targeted email accounts
  • Capturing information from air-gapped computers via infected USB devices
  • Utilizing complex malware to target routers and IoT devices in order to enable reconnaissance within potential victim networks and potentially set the stage for wiper operations. 

AKA

FANCY BEAR, Pawn Storm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, TG-4127


Fxmsp

In May 2019, the hacking collective Fxmsp gained notoriety for reported breaches of three major antivirus companies.This group targeted intellectual property from each company, including code base, development documentation, and information on Artificial Intelligence (AI) modeling for the purposes of offering up this information for sale, as well as selling network access to victims.

Known Targets Large global organizations and government networks
Sample TTPs
  • Utilization of a network of trusted proxies in order to promote and offer up network accesses for sale in underground markets
  • Creation of a credential-stealing botnet utilized to harvest usernames and passwords
Also Known As N/A

 

WIZARD SPIDER

This cyber criminal group targets large organizations by deploying Ryuk ransomware via Trickbot banking malware. Evidence suggests that the ransom demand varies depending on the size of the targeted organization, and, as of January 2019, the total amount collected by the group was $3.7 million USD. At the end of 2019, researchers identified that WIZARD SPIDER continues to add functionality to the Ryuk variants it delivers in order to maximize the number of systems within a network impacted by file encryption.

Known Targets United States, United Kingdom, Canada
Sample TTPs
  • Trickbot is delivered via spam email or via the Emotet banking trojan
  • Obfuscated PowerShell scripts execute and connect to remote IP addresses for additional tool downloads
  • Lateral movement enabled through the use of Remote Desktop Protocol (RDP)
Also Known As TEMP.MixMaster

 

Turla

Throughout the first half of 2020, the Turla group was linked to multiple cyber espionage operations targeting government entities in Europe and the Caucasus. Researchers at ESET detailed updates to Turla’s ComRAT malware, the heir to the infamous Agent.BTZ, which was used to target two Ministries of Foreign Affairs and a national parliament. Turla actors were also linked to a narrowly focused waterhole campaign targeting Aremenian government officials and politicians and may have been behind an intrusion into the network of the Austrian foreign ministry.

Researchers have linked activity from this threat group to Moonlight Maze, a massive data breach of U.S. government classified information in the late 1990s, and one of the first widely known cyber espionage campaigns in history. Another notable campaign took place in 2008, when Agent.btz malware infected U.S. government classified networks via infected removable media. This group is still in active operation today. More recent operations of this Russian cyber attack campaign and group have been extremely targeted, going through extensive lengths to fingerprint systems, collecting as much information as possible, before making a determination as to whether the target is of interest for further operations. One of the techniques utilized includes attempting to lure visitors of compromised websites to download fake Adobe Flash updates, an approach utilized by cyber criminals across the globe.


Known Targets

Government, Aerospace, NGOs, Defense, Cryptology, and Education sectors in more than 45 different countries throughout the world

Sample TTPs

  • Extensive use of covert exfiltration tactics such as using hijacked satellite connections and covert channel backdoors
  • Waterholing government websites
  • Infecting removable storage devices
  • In-house complex malware development

AKA

Snake, Venomous Bear, Waterbug, Uroburos

 

XENOTIME

This group has been identified as the most dangerous threat actor publicly known, due to its association with malware known as TRITON, designed to target a specific safety instrumented system (SIS) within industrial control systems. SIS are hardware and software controls used to implement safe states in order to avoid adverse safety, health, and environmental consequences, and, as such, targeting of these systems could lead to loss of life scenarios. TRITON was discovered at a petrochemical plant in Saudi Arabia when the attacker was believed to have inadvertently shut down plant operations after gaining access to a SIS engineering workstation to deploy the attack framework. Because TRITON malware samples are now easily discoverable online, the bar has effectively been lowered for other threat actors to enter the ICS arena.

In October 2020, the US Treasury Department imposed sanctions on the Russian Central Scientific Research Institute of Chemistry and Mechanics, effectively cutting off any US business or engagement with the research institute and opening the prospect of sanctions against third party nations that continue to do business with them. The sanctions represent the first public acknowledgement by the US government of the institute’s connection to the Triton malware designed to target industrial safety systems, which had been previously alleged by private sector cybersecurity researchers.

Known Targets Oil, gas, and electric sectors in the Middle East, North America, Europe, and APAC
Sample TTPs
Also Known As TEMP.Veles

 

Gamaredon Group

In Spring 2020, an increase in activity from this group was observed, indicating that Gamaredon, which has been active since at least 2013, remains a present threat to the Ukranian organizations they so brazenly appear to target. These most recent campaigns were highlighted by large waves of malicious emails directed against targets’ and the group’s use of new malware and TTPs.

This group notably conducts espionage and intelligence gathering via Russian cyber attack strategies in support of Russian national interests, and seems to primarily focus efforts on Ukrainian national security targets. Cybersecurity researchers have pointed out that this group’s current activities potentially serve as a testbed for evaluating adversarial response to TTPs, with the implication that the group could pivot to utilizing these tactics against future perceived threats beyond Ukraine.


Known Targets

Ukrainian Government and military, journalists, law enforcement, and NGOs

Sample TTPs

  • Utilization of dynamic DNS domains for command and control servers
  • Deployment of remote manipulation system binaries (RMS) via self-extracting archives and batch command lines
  • Social engineering campaigns to distribute malware through macros embedded with Excel and Word documents

AKA

Primitive Bear

 

FIN7

The operations of this financially motivated threat group have continued well into 2020, despite the U.S. Department of Justice announcing arrests in August 2018 of individuals with ties to the group. This group is known for leveraging Carbanak malware in addition to other tools, in order to enable the theft of more than 15 million customer credit card records from victims spanning hundreds of companies in the United States and abroad. FIN7 operators have engaged in sophisticated social engineering techniques, including actively engaging targets in back and forth dialogue before sending malicious documents leading to malware implants.

Known Targets Predominantly U.S. Retail, Restaurant, and Hospitality sectors
Sample TTPs
  • Extensive use of digital certificates to sign phishing documents, backdoors, and other tools in an effort to appear legitimate
  • Rapid technical innovation for the purposes of detection evasion
Also Known As Anunak, Carbon Spider, Carbanak

Russian cyber attack landscape: in summary

Russian cyber operations represent a very real and sophisticated threat to a wide range of sectors in numerous countries and regions. As the campaigns outlined here illustrate, Russian intelligence services view corporations, governments, and civil society as viable targets for espionage and disinformation operations. In many cases, this simply isn’t a fair fight. The Russia state brings resources to bear that many of the organizations they victimize, even many nations, cannot match.

Nearly all of the campaigns discussed here have been active within just the past several months. Just since May 2020, the U.S. government has publicly attributed multiple distinct campaigns and toolsets to specific Russia state-sponsored groups. While this is not the first time the U.S and its allies have “named and shamed” malicious foreign actors, the pace with which this has occurred is indeed unprecedented. This is not a coincidence. These threats are not hypothetical, not projected to arrive at some distant date — they are here now.

IronNet technology is designed to level the playing field. Collective Defense presents a unique opportunity to identify and correlate sophisticated cyber threats, allowing an organization to rely not only on what they can see within their own networks, but to leverage the accumulated knowledge of the IronDome community to rapidly discover malicious behavior across enterprises or sectors.

Fighting back through Collective Defense

At IronNet, we detect Russian cyber attack campaigns like these and other types of sophisticated cyber attacks through AI-based behavioral analytics and share those discoveries into our Collective Defense ecosystem. This approach allows Collective Defense members to get advanced notice on threats impacting their peers that may be headed their way. This empowers states, sectors, supply chains, companies of all sizes -- and even entire nations --  to work collaboratively for stronger cyber defense against Russian and other nation-state level adversaries.

To learn more, see the full Russia Cyber Threat Report.

Russia Cyber Threat Report

 

About Ironnet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. Follow IronNet on Twitter and LinkedIn.