Russian Cyber Attacks: Threat Actors and New Developments – Critical Start

CRITICALSTART has continuously monitored the evolving Russia-Ukraine cyber threat as it has unfolded over the past six weeks.

Current Ground Situation

As tensions between Russia, NATO, and Ukraine have continued to escalate over the last six weeks, military operations have now commenced as Russian military forces were ordered to cross into Ukraine on February 24^th 2022.  As the situation continues to develop, and sanctions escalate, it is assessed that Russia may conduct additional cyber operations, including attacks on NATO and US assets in conjunction with kinetic military operations.

Cyber Projections

As the situation escalates on the ground in the Ukraine, it is predicted that Russia may conduct cyberattacks in conjunction with kinetic strikes. Of the many Russian-attributed advanced persistent threat groups (APTs), there are a couple that stand out in terms of capabilities to conduct large-scale, targeted attacks. As we continue to monitor internal cyber environments, it seems appropriate to review these APTs:

Sandworm Team (aka Voodoo Bear), a Russian General Staff Main Intelligence Directorate (GRU) threat group, has been conducting malicious cyber operations against the Ukrainian government, companies, and organizations since 2015. These include the deployment of:

• BLACKENERGY, KILLDISK, and INDUSTROYER malware in 2015 and 2016, which attacked Ukraine’s power grid and government agencies
• NotPetya in 2017, which posed as ransomware but ultimately destroyed data and disk structures (wiper) of many organizations around the world using its worm-like features

APT28 (aka Fancy Bear), has been assessed to work with Sandworm team. This GRU affiliated threat group was associated with the following malicious activities:

• Hacking email accounts of campaign advisors for Hillary Clinton
• Hacked networks of the Democratic Congressional Campaign (DCCC) and the Democratic National Party (DNC)
• Distributed stolen emails and documents on the dark web

Gamaredon (aka Primitive Bear), has been conducting operations against Ukrainian government officials and organizations since 2013. Recent activities include:

• Targeting organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis
• Deploying a customer backdoor, Pteranodon/Pterodo, to collect information, execute arbitrary code, and insert other malware

New Malware

One day prior to the Russian ground invasion, a new wiper malware, dubbed HermeticWiper, was discovered targeting multiple Ukrainian organizations. Wiper malware is unique in that it doesn’t steal data, it deletes it entirely, making recovery impossible. It can erase all data from a system that is infected and can even attack the system recovery tools without leaving any traces of the attack.

HermeticWiper abuses legitimate drivers associated with an application called EaseUS Partition Master. It attempts to corrupt the master boot record (MBR) of every physical drive, as well as every partition on these drives. The attackers used a genuine digital certificate issued under the company name ‘Hermetica Digital Ltd’ valid as of April 2021. At this time, there have been no legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate. Samples collected indicate this malware has been present since December 2021, implying this cyber campaign has been in the works for nearly two months. This predates the distributed denial-of-service (DDoS) attacks against several Ukrainian websites earlier this month and the WhisperGate malware attack against Ukrainian government websites in January.

Implications

There are many consequences of a malware of this type should it hit critical infrastructure systems. Russia could take down the power grid, turn the heat off in the middle of winter and shut down Ukraine’s military command centers and cellular communications systems. A communications blackout could also provide opportunities for a massive disinformation campaign to undermine the Ukrainian government. We have seen these capabilities on a smaller scale during the 2015 & 2016 attacks on the Ukrainian power grid by Russian actors.

There are currently no indications of Russia using this malware against U.S. based companies, however it is possible given U.S. support of Ukraine. To that end, Critical Start is reviewing the indicators of compromise and creating detections for this malware.

Recommendations

• Verify all critical systems have backups in a secure location.
• Validate remote access activity and require all accounts authenticate using multi-factor authentication
• Ensure all software is up to date
• Disable all non-essential ports and protocols
• Ensure all appropriate security controls have been implemented in cloud environments
• If you are a Critical Start customer, contact your Customer Success Manager as updates to your major incident response plan are made
• Audit user account access, roles, and rights; especially for high value admins, systems, and executives

Read more of our coverage around this evolving situation here.