On February 16, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and NSA issued a joint Cybersecurity Advisory (CSA), Alert AA22-047A, warning that Russian state-sponsored cyber actors had obtained access to classified documents of U.S. defense contractors through a series of spear phishing attacks.
Following that alert and the situation in Ukraine brought on by Russia, CISA issued Alert AA22-057A on February 26, 2022, warning that the destructive malware strains WhisperGate and HermeticWiper were being used by Russia against Ukraine.
Earlier, on January 11, 2022, CISA had issued Alert AA22-011A encouraging the cybersecurity community, particularly operators of critical infrastructure networks, to adopt a heightened state of awareness for Russian state-sponsored cyber operations.
Following the January 11 advisory, Russia’s FSB raided REvil, one of Russia’s ransomware gangs, on January 14, 2022. That raid coincided with an investigation into a cyber attack on 70 websites of Ukrainian government bodies, including the security and defense council. Ukraine’s state security service pointed to signs of threat-actor groups associated with Russian intelligence services.
The share of Russian threat-actor targeting aimed at government organizations exploded from roughly 3% in 2019 to 53% since July 2020 (Microsoft Digital Defense Report, 2021).
Over the past two years, Russia’s advanced persistent threat (APT) groups and actors have been responsible for several infamous cyber attacks: the 2020 SolarWinds attack, the 2021 attacks on Microsoft Exchange Server and on Kaseya, an IT solutions developer, as well as attacks on government entities and other public and critical infrastructure in the same period. Some of Russia’s longest-standing APT groups are linked to the Federal Security Service (FSB) and have been running campaigns for nearly 20 years.
With that recent activity in mind, CISA has also put together a “Shields Up” campaign that encourages all organizations to be cautious of potential impacts from a Russian response to sanctions and to be ready for a potential attack. While there is no specific, credible cyber threat to the U.S. homeland at this time, given the situation it is important to be vigilant to all threats and to look at some of the recent history of cyber attacks from Russia to know what threats they may present.
Russian APT Groups
Russia has several advanced persistent threat (APT) groups. Some are more active and viciously successful than others, especially recently, while other groups have been operating for almost two decades.
China has one of the most extensive lists of identified APT groups, and Russia is a big player among the big four (China, Russia, North Korea, and Iran) in terms of identified APT groups that attack businesses, supply chains and critical infrastructure.
Some of the most notable Russian-linked or backed APT groups include:
- Berserk Bear
Several of these groups have been identified or grouped under different monikers over the years, depending on which researcher discovered the group and its attacks and methods.
Below are the most notable groups linked to the biggest cyber attacks, along with their most identifiable targets and attack methods.
REvil (aka Sodinokibi)
With the recent news of the raid and their attacks, let’s start with REvil, one of Russia’s more prolific ransomware gangs.
REvil is a Ransomware-as-a-Service operation that has extorted a great deal of money through ransom demands over the last few years. REvil takes its name from the Resident Evil movie series and was (or is, depending on what you believe) the most widespread ransomware threat. The group has reportedly been around since 2019, stepping up in the wake of other ransomware groups “shutting down.”
According to IBM’s research, approximately 25% of the cybersecurity incidents that needed to be remediated were the result of REvil ransomware infections. The group appears to base its ransom demands on the annual revenue of the organization it victimizes. The Colonial Pipeline attack resulted in a $5 million ransom payout (75 bitcoin at the time), though some of the payment was later recovered by the FBI. REvil was reportedly responsible for 16% of ransomware infections in 2020.
Noteworthy Attacks Attributed to REvil
JBS: In May of 2021, the Brazilian meat processing company was hit with a ransomware attack that forced all of the company’s U.S. beef plants into a temporary shutdown. The company reportedly paid a ransom of $11 million in bitcoin to the ransomware gang.
Kaseya: In July of 2021, REvil dropped ransomware onto hundreds of managed service providers through Kaseya’s management software. A Swedish grocery store chain was forced to close 800 stores over a period of several days. Between 800 and 1,500 businesses around the world were affected. The group demanded $70 million to restore the encrypted data.
In July of 2021, REvil’s websites reportedly went down, and Kaseya later obtained a decryption key from the FBI. Evidence of REvil resurfacing appeared in September, with the group posting a new victim on its blog on July 8.
In October of 2021, their servers were hacked and taken offline. By January of 2022, Russia’s Federal Security Service claimed to have dismantled REvil and charged members of the organization. The FSB claims the organization now “ceases to exist.”
While this was one of the few times that the U.S. and Russia have collaborated on cybercrime, it is important to remember that even when there is evidence that one ransomware gang has gone dark, another can pop up in its place, take over the business it left behind, and round up any victim networks that were left open and that the original gang still had access to when it was shut down.
Nobelium
Nobelium is a Russian state-sponsored threat-actor group widely regarded as the most sophisticated of the Russian groups. It gains access to multiple enterprises because its actions go undetected, and it has been behind some of the highest-profile attacks of the last year.
Noteworthy Attacks Attributed to Nobelium
SolarWinds: In December of 2020, Nobelium hid malicious code in software updates from the IT company SolarWinds, whose government customers include the military and intelligence services. The attack went undetected for months and was used to spy on private companies and the U.S. government.
In 2020, Nobelium was the group that targeted the IT performance monitoring platform SolarWinds. The SolarWinds attack gave access to government and enterprise networks globally and spurred many copycat attacks, showing just how powerful and damaging supply-chain and third-party attacks can be for gathering information and reaching more targets.
Once SolarWinds’ systems were breached, the update for its Orion software was compromised and deployed to roughly 18,000 customers. Applying updates and patches as soon as they are available is always highly encouraged for security purposes, but in this case the Orion update itself was the compromised component. This is a reminder that continuous monitoring is important and that one should not assume there are no threats once a patch or update has been applied. The Log4j vulnerability is another good recent example: the first updates to patch the vulnerabilities were found to have additional flaws, and because of the close attention paid to the situation, additional patches were released quickly to address them.
Microsoft Exchange Server: In 2021, Nobelium returned with another wide-reaching breach, exploiting Microsoft Exchange Server in one of the biggest cyber attacks of 2021, once again targeting a global IT supplier and gaining network access to other organizations along the way. The attack was reported to target at least 140 resellers and service providers in the IT supply chain.
Even in late 2021, this group remained a serious threat to government and business targets.
Nobelium has attempted to gain access to downstream customers of multiple cloud service providers and managed service providers. Microsoft has observed the group moving laterally in cloud environments using a large toolkit of sophisticated malware.
Some of the tactics Nobelium has used include:
- Supply chain attacks
- Password spraying
- Token theft
- API abuse
- Spear phishing
BlackMatter
BlackMatter, another Russian state-backed APT group, is a good example of why you should not let your guard down when you hear about a ransomware group “going dark” or shutting down.
In November of 2021, BlackMatter claimed to be shutting down due to pressure from law enforcement. Despite that claim, the infrastructure behind its Ransomware-as-a-Service website still existed, and LockBit, another ransomware operation, had BlackMatter’s victims transferred to its own site so that ransom negotiations could continue.
Noteworthy Attacks Attributed to BlackMatter
Olympus: The tech giant that produces photography equipment and manufactures medical devices was targeted by BlackMatter in 2021. BlackMatter accessed Olympus’ network, encrypted files and demanded a ransom. This was the second ransomware attack Olympus had suffered. The company has over 31,000 employees worldwide, and BlackMatter was able to penetrate its EMEA IT systems.
New Cooperative: A month prior to the Olympus attack, BlackMatter targeted New Cooperative, an Iowa farm services provider, with a ransomware attack that shut the company down. BlackMatter claimed to hold over 1,000 GB of encrypted and exfiltrated data, including financial documents, social security numbers, R&D files and other personal and company information. Agriculture is one of the 16 U.S. infrastructure sectors considered critical.
Documents from BlackMatter regarding the ransomware incident showed that the group demanded a $5.9 million ransom. A former CIA official told ZDNet at the time that the September 2021 attack was “the fourth crippling and high-profile attack on US critical infrastructure in recent months.”
BlackMatter is a potential rebrand of DarkSide, another RaaS that was active from 2020 to 2021. While active, the group demanded ransom payments between $80,000 and $15,000,000 in bitcoin.
Some of the tactics they have used include:
- Initial access exploiting public-facing web server vulnerabilities
- Remote code execution or remote access tools
- Persistence, maintaining access to systems and networks through vulnerabilities
- Privilege escalation
- Defense evasion
- Credential access
- Discovery to obtain target information on services, networks, systems, accounts, domains and more
- Lateral movement
- Command and Control
Turla
Turla is a Russia-based advanced persistent threat group that has also been identified as “Group 88”, “Belugasturgeon”, “Waterbug”, “WhiteBear”, “Snake”, “Krypton”, and “Venomous Bear.” It has been active since 2004, targeting government, military, education and other critical industries, with heightened activity around 2015.
Noteworthy Attacks Attributed to Turla
San Francisco International Airport: Turla has been linked to the 2020 breach of the San Francisco International Airport. The group has mainly targeted Windows machines, but there is also evidence that it has used its espionage platform against macOS and Linux machines.
Sunburst (or SolarWinds): Multiple groups have been linked to the 2020 SolarWinds attack, and the attribution changes depending on the researcher. Microsoft designated Nobelium as the primary threat behind SolarWinds, but Turla’s Sunburst malware code was found planted in the SolarWinds Orion IT monitoring system code, and SolarWinds itself has also linked Turla and its Sunburst malware to the attack.
Espionage Tools Used by Turla
As mentioned under the SolarWinds (or Sunburst) attack, the malware code dubbed Sunburst is one of many tools used by Turla.
The Russian-sponsored group focuses mostly on government-related targets in several countries, using its own espionage toolset. Turla has used many different malware strains; ComRAT is the oldest in its malware family and has been found in different versions over the years, as recently as 2020.
Turla’s new 2020 version of ComRAT was used in attacks against two Ministries of Foreign Affairs and a national parliament. The malware is used to move laterally within the target organization.
Kazuar: This remote access trojan, which targets Windows-based systems, is another malware threat used by Turla and has been traced back as far as 2005.
Crutch: The malware dubbed “Crutch” is an espionage tool used by Turla as far back as 2015 and observed in attacks as late as 2020 against a European government. It bypasses security measures by abusing legitimate tools; for example, the file sharing service Dropbox has been seen hosting .zip files containing commands for the backdoor, which the operators uploaded to Dropbox themselves.
This is another good example of why you should not trust files from sources you are not familiar with. And if using Dropbox isn’t a business requirement and you can avoid it, doing so certainly makes it easier to identify this kind of activity when it occurs.
SilentMoon: The Turla trojan SilentMoon is a custom remote procedure call backdoor that the Russian-backed group used around 2020 against a European government organization.
BlackByte
BlackByte is a Ransomware-as-a-Service group that emerged in July 2021, exploiting software vulnerabilities and targeting corporations.
It should be noted that BlackByte is not confirmed to be a Russian-backed or affiliated threat actor group, but signs point to it being based in Russia because its ransomware is coded not to encrypt data on systems that use the Russian language. BlackByte is listed here with the rest of the groups because you should be aware of its capabilities.
On February 15, the FBI and the U.S. Secret Service issued an advisory on the Ransomware-as-a-Service group BlackByte. The group compromised three U.S. critical infrastructures and reportedly hit the NFL’s San Francisco 49ers with a ransomware attack after the 2022 Super Bowl. The cyber threat actor group claimed to have stolen financial data from the football franchise.
BlackByte has been known to attack its victims by exploiting a known Microsoft Exchange Server vulnerability to gain access to a network, then moving laterally and escalating privileges, which allows them to exfiltrate and encrypt files for ransom.
Actinium (aka Gamaredon, Armageddon, Primitive Bear)
Actinium is a hacking group linked to Russia’s Federal Security Service (FSB) that has most recently been tied to spear phishing campaigns against Ukraine going back to 2021. A report from Microsoft states that it observed Actinium targeting or compromising accounts critical to Ukraine’s emergency response system back in October of 2021.
Sandworm (Cyclops Blink)
Cyclops Blink has been confirmed as a new malware strain attributed to the Russian APT group Sandworm. It replaces the VPN malware previously attributed to Sandworm.
On February 23, the U.K.’s National Cyber Security Centre, along with CISA and the NSA, released an advisory about the new malware strain from Sandworm (also known as Voodoo Bear), which has been targeting users of WatchGuard devices by deploying the malware through a disguised firmware update.
Nation-State Attack Vectors
Nation-state actors use several types of intrusion tactics to attack your network:
- Zero-Day Exploits
- Emails [Spear Phishing, Whaling]
- Malicious Links and Attachments
- Files/Backdoor Malware
- Stolen VPN Credentials
- Brute Force Attempts
- Network Vulnerabilities
- Application Vulnerabilities
- Unsecured IoT Vulnerabilities
- Password Spray
Brute force is identified as the single biggest attack vector for ransomware.
Many nation-state actors, including Russia, sponsor Ransomware-as-a-Service operations. This includes the aforementioned DarkSide, responsible for the Colonial Pipeline attack, LockBit 2.0, its successor, and REvil.
Signs of an APT Attack
There may be several signs of an APT attack by any nation-state actor, but these signs are ones you don’t want to ignore:
- Unexpected traffic
- Suspicious logons
- Backdoor presence
- Signs of data exfiltration
Once you observe these signs on your network, contact your administrator or monitoring service immediately. If an APT actor gains access to your network, these are the steps they will typically attempt in order to exploit it:
- Gain access to intended target through phishing or brute force attempts
- Establish a foothold within the network
- Deepen and expand access to credentials
- Move laterally throughout the network as stealthily as possible
- Lurk inside network and conduct reconnaissance
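Two of the signs above, suspicious logons and the password-spray and brute-force vectors listed earlier, can be picked out of ordinary authentication logs with a simple first-pass triage. The script below is an added example, not code from the original post: it runs over constructed log lines in a simplified "<timestamp> <ip> <user> <result>" layout, and the detection thresholds are assumptions that a defender would tune to their own environment.

```python
from collections import defaultdict

# Thresholds are assumptions; tune them to the environment being monitored.
SPRAY_MIN_USERS = 5      # one source failing against this many distinct accounts
BRUTE_MIN_FAILURES = 6   # one account receiving this many failures

# Constructed sample, not real data: 10.0.0.5 sprays a single guess across many
# accounts and then lands a success, 10.0.0.9 hammers one account, 10.0.0.7 is benign.
SAMPLE_LOG = """\
2022-02-25T09:00:01Z 10.0.0.5 alice FAIL
2022-02-25T09:00:02Z 10.0.0.5 bob FAIL
2022-02-25T09:00:03Z 10.0.0.5 carol FAIL
2022-02-25T09:00:04Z 10.0.0.5 dave FAIL
2022-02-25T09:00:05Z 10.0.0.5 erin FAIL
2022-02-25T09:00:06Z 10.0.0.5 frank SUCCESS
2022-02-25T09:01:00Z 10.0.0.9 admin FAIL
2022-02-25T09:01:01Z 10.0.0.9 admin FAIL
2022-02-25T09:01:02Z 10.0.0.9 admin FAIL
2022-02-25T09:01:03Z 10.0.0.9 admin FAIL
2022-02-25T09:01:04Z 10.0.0.9 admin FAIL
2022-02-25T09:01:05Z 10.0.0.9 admin FAIL
2022-02-25T09:02:00Z 10.0.0.7 grace SUCCESS
"""

def parse(log_text):
    """Yield (ip, user, result) from '<timestamp> <ip> <user> <result>' lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:            # skip blank or malformed lines
            yield parts[1], parts[2], parts[3]

def analyze(log_text):
    """Return spray sources, brute-forced accounts and successes that followed failures."""
    users_failed_by_ip = defaultdict(set)   # ip -> distinct accounts it failed against
    failures_by_user = defaultdict(int)     # account -> number of failures
    success_after_fail = set()              # ips that logged in after failing
    for ip, user, result in parse(log_text):
        if result == "FAIL":
            users_failed_by_ip[ip].add(user)
            failures_by_user[user] += 1
        elif result == "SUCCESS" and ip in users_failed_by_ip:
            success_after_fail.add(ip)      # the "suspicious logon" sign
    return {
        "spray_sources": sorted(ip for ip, u in users_failed_by_ip.items()
                                if len(u) >= SPRAY_MIN_USERS),
        "brute_forced_accounts": sorted(u for u, n in failures_by_user.items()
                                        if n >= BRUTE_MIN_FAILURES),
        "suspicious_logons": sorted(success_after_fail),
    }
```

A spray shows up as one source with many distinct failed accounts and few failures per account, while brute force is the reverse; a success from a source that was just failing is the logon worth escalating first.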
These are only a few examples of Russia’s nation-state cyber actors, which rival China as one of the largest nation-state sponsors of cyber threats. You can learn more about the big four nation-state cyber actors and more about Russia’s APT groups by listening to our webinar, on-demand, for free: Nation-State Actors: Not Your Average Hackers.