More Russian Attacks Against Ukraine Come to Light
The WhisperGate attack is not the only operation believed to have been conducted by Russia-linked threat actors against Ukraine in recent months. Symantec on Monday disclosed the details of an espionage operation that it has tied to a known group.
For years, Russian advanced persistent threat (APT) actors have been observed launching various cyberattacks against Ukrainian targets, with some of these groups believed to be part of or under the direct supervision of Moscow’s secret service.
Over the past months, at least two Russian state-sponsored groups have been observed launching cyberattacks against Ukraine, namely Gamaredon, also known as Armageddon, Primitive Bear and Shuckworm, and potentially Sandworm, which is also referred to as Iron Viking, Telebots and Voodoo Bear.
Active since at least 2013 and mainly focused on targets in Ukraine, Gamaredon relies on phishing emails to distribute off-the-shelf tools (such as RMS and UltraVNC) and custom malware (Pterodo/Pteranodon).
In a November 2021 report, the Security Service of Ukraine (SSU) noted that the threat actor has started using in-memory tools for credential theft and lateral movement, and pointed out an overall increase in sophistication in recent years.
During the summer of 2021, Gamaredon targeted an organization in Ukraine, and Symantec kept a close eye on the group’s activity on the victim’s network. The attack started on July 14, with a malicious document that deployed the Pterodo backdoor on an employee’s computer.
Next, the attackers executed several scripts and created a scheduled task for persistence, executed various commands and installed new versions of the backdoor, after which they ceased activity, only to return two days later to execute more scripts and other variants of the malware.
On July 28, the attackers returned to execute another Pterodo variant that executed a dropper for a VNC client. Until August 19, the threat actor continued to return to the infected machine to run more scripts and other variants of their malware.
“During the course of this investigation, specifically post VNC client installation, a number of documents were opened from various locations on the compromised machine. It is unclear if this was legitimate user activity or the activity of the attackers attempting to collect and exfiltrate sensitive information. Titles of the documents accessed ranged from job descriptions to sensitive information pertaining to the targeted organization,” Symantec notes.
Separately, there’s the WhisperGate attack that hit multiple Ukrainian organizations earlier this month, but which hasn’t yet been attributed to a specific threat actor. According to CrowdStrike, the incident bears similarities with activity conducted by Russian state-sponsored APTs.
Two weeks ago, CrowdStrike published a technical analysis of the attack, saying that it hasn’t found overlaps with the NotPetya attack or other activity attributed to Sandworm – a group likely part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Historically, Sandworm has tried to hide its activity targeting Ukraine, by mimicking ransomware attacks and adopting hacktivist personas that took public responsibility for some of the group’s offensive operations and released data stolen from various government or private organizations.
While initially the APT would deploy destructive malware (such as BlackEnergy or KillDisk) in a more targeted manner, the group switched to supply chain compromise, other deployment techniques, and worm-like propagation mechanisms that amplified the reach of attacks (such as the NotPetya campaign or the BadRabbit attack).
According to a new report from CrowdStrike, while the WhisperGate attack has a relatively constrained scope compared to Sandworm’s NotPetya campaign, it is still unclear whether this was intentional or whether the same threat actor is behind both of them.
“The likely manual malware distribution vector employed and the focus on targeting of government networks — and other destructive attacks against IT service providers, likely in an attempt to cover up evidence of initial intrusion vectors — indicates that limited impact was intentional in this case,” CrowdStrike says.
The security firm also notes that, shortly after the attacks, there were attempts to distribute data purportedly stolen from Ukrainian government organizations, which may suggest that the hackers were attempting to “execute an IO campaign to successively release personally identifiable information (PII),” although Ukrainian officials strongly denied that any data was stolen.
“This use of IO mirrors earlier VOODOO BEAR TTPs, where the CyberBerkut and Sprut group personas contemporaneously released private data from Ukrainian organizations. The introduction of publicly visible website defacements during the WhisperedDebate activity provides an additional facet to the operation that can be easily picked up and amplified by media outlets,” CrowdStrike says.
It’s likely that the purpose of the attempted data leaks was to lower public trust in Ukrainian government institutions amid increasing tensions with Russia. Such offensive operations against Ukraine are expected to continue and to involve destructive malware, likely masquerading as ransomware.