Russian Cyber Operations: State-led Organised Crime

Uploaded on 2018-12-10 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Russia, INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW, TECHNOLOGY--Hackers

Russia is emulating approaches used by cyber-criminals as it blurs the line between state and non-state activities in cyberspace. 

The recent activities of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, Russia’s military intelligence, otherwise known by its traditional (if slightly inaccurate) acronym of the GRU, on the territories of the UK and other European countries are by now well documented. 

However, less media and public attention is paid to the GRU’s hostile cyber activities, despite the fact that last month, the UK and its allies directly attributed a series of hostile cyber-attacks to the Russian military intelligence service. 

This provides a better understanding of some of the Russian offensive cyber-attack tools, the nature of certain Russian cyber operations and a glimpse into future trends in Russian cyber activity. And here is a brief rundown through some of the tools at Moscow’s disposal.

Bad Rabbit ransomware encrypts hard drives and renders IT inoperable. 
Most public references to Bad Rabbit appeared last month, and they also featured in the UK’s National Cyber Security Centre (NCSC) report, which states that it caused disruption to the underground railways system in the Ukrainian capital of Kiev, as well as to Odessa airport, Russia’s central bank and two Russian media outlets. Here we have a clear example that Russia has the technical capability to disrupt critical national infrastructure.

However, looking beyond the actors behind the malware and disruption caused, the infection methodology is one commonly used by cyber criminals. Trend Micro, a major Japanese cyber security company, claims that Bad Rabbit spreads via fake Adobe Flash updates, tricking users into clicking the malware by falsely alerting the user that their Flash player requires an update. 

Once the victim’s PC is infected and user data is encrypted, Bad Rabbit reboots the system and a classic ransom message is then displayed. Once Bad Rabbit has accessed one computer within a corporate network, it may use the ‘Eternal Romance’ exploit kit to spread to other computers within the network. An exploit kit is a reconnaissance tool that scans for vulnerabilities in systems to work out weak points for attackers to compromise.

Next up is VPNFilter malware, which was attributed to Russian state-sponsored actors in a joint Technical Alert issued by Britain’s NCSC, together with the US’s FBI and the Department for Homeland Security in April. VPNFilter malware permits attackers to perform ‘man-in-the-middle’ attacks by intercepting traffic that passes through vulnerable routers. 

It has infected thousands of home and small business routers, and network devices worldwide. Once initialised, it downloads an image from Photobucket.com, a US image-hosting website, that enables a connection between the compromised device and the attackers’ command-and-control server. This allows for malware to be downloaded onto the compromised device, before further stages increase the malicious capability of the malware.

Using VPNFilter, attackers can intercept web traffic and insert malicious code that enables them to exfiltrate data, collect files, disable access to the compromised router, and skim website log-in credentials. VPNFilter changes HTTPS requests to ordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. 

Finally, the malware contains a ‘kill’ command, which if executed, removes all traces of it, before permanently shutting down the compromised router. Despite the complex and multi-functional nature of this malware, hard-resetting the device to its factory state (after backing up data) will remove it.

The attributions from the international community continue, with reference to additional attack tools used by the Russian threat group known as APT28. ¬X-Agent is a remote access tool used by APT28 to enable attackers to extract files and record keystrokes. 

A legitimate piece of software called CompuTrace has been modified by APT28 to provide the GRU with the ability to modify system memory. Meanwhile, X-Tunnel provides APT28 with a secure tunnel to an external command-and-control server from where the attacker can send malicious commands to compromised networks and devices. 

Finally, Zebrocy is a tool that logs keystrokes and uploads files. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros. Again, this is another common delivery mechanism used by both state actors and organised criminals and requires human intervention to grant permission to install the malware.

The NCSC and its international partners state that the GRU is ‘almost certainly responsible’ for multiple successful and attempted cyber-attacks, using the various tools and techniques listed above. 

However, just because there is now near certainty on the identity of the threat actor behind these cyber-attacks, this will not change the steps to defend against them. 

Most risk can be reduced through basic risk-management techniques. For compromised routers, users should install the latest firmware version, change the router’s username and password, and switch-off insecure interfaces (for example, remote web admin access or unused protocols like Telnet). 

Education and awareness can help users to spot fraudulent Adobe Flash updates and malicious links. Finally, the cyber threat intelligence community should work together to share indicators of compromise.

However, although they use widely known infection methods, this is not to say that Russian state attackers do not deploy a suite of malware that enables technically advanced cyber operations. 

The threat intelligence company FireEye published a report on APT28 stating that attack tools developed by this group can be easily modified to assist a specific operation, and within this group there is a philosophy of implementing zero-day attacks. According to FireEye, the group has access to skilled developers who conduct technical counter-analysis.

Now that there has been a step change in approach with the attribution of cyber-attacks, policymakers will wonder how the Russian state’s cyber machine will react. It seems likely that Russian state actors will continue to operate in a way that mirrors the activity of organised cybercrime groups. This creates a plausible narrative that these attacks are not state-led, and the techniques used by organised criminals suit the strategic aims of Russian state actors. 

The GRU has been deploying malware with delivery mechanisms commonly used in cybercrime campaigns, which meant that the recent cyber-attacks were initially perceived to be criminal in nature (rather than state-led). Added to this, Russian organisations have been part of the collateral damage from GRU-led cyber-attacks, making attribution even more complicated.

The GRU may seek to outsource more of its malicious cyber activity to organised criminals for greater plausible deniability. This poses a question as to what role law enforcement agencies should play in investigating cyber-related hostile state activity. 

The blurred lines between state and criminal cyber activity has the potential to create confusion as to how law enforcement and the security services should work together to investigate, disrupt and prosecute malicious cyber actors.

Attribution alone is unlikely to deter the Russian state from carrying out cyber-attacks. It is likely that similar style cyber-attacks will occur in the coming years and the GRU will continue to deploy malware and exploit kits that infect victims at scale, including Russian citizens. There may be an increase in automated attacks that successfully infect even more victims and provide greater anonymity for the attacker. 

For all the hyperbole relating to Western offensive cyber capability, the most effective tool to tackle the threat will be robust cyber risk-management strategies at both national and organisational level, together with diplomatic, legal and economic measures to deter future attacks.

RUSI

You Might Also Read:

What Is The GRU & Who Does It Hack?:

Russian Cyber Strategy And Tactics:

 

 

« Facebook CEO Zuckerberg Backed Sharing Customer Data
Germany Detects New Russian Cyber-Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

QA Systems

QA Systems

QA Systems provides software testing solutions for safety and business critical sectors and software safety and security standards.

Homeland Security Advanced Research Projects Agency (HSARPA)

Homeland Security Advanced Research Projects Agency (HSARPA)

HSARPA's Cyber Security Division (CSD) was set up to address DHS cyber operational and critical infrastructure protection requirements.

High Sec Labs (HSL)

High Sec Labs (HSL)

High Sec Labs develops high-quality, cyber-defense solutions in the field of network and peripheral isolation.

IDpendant

IDpendant

IDpendant offers a wide range of services, including authentication technology, client security products, single sign on systems, encryption solutions, card and mobile device management systems.

Ensign InfoSecurity

Ensign InfoSecurity

Ensign InfoSecurity is Southeast Asia’s largest pure-play cybersecurity firm.

DQM GRC

DQM GRC

DQM GRC are one of the UK's leading providers of data governance, e-privacy and GDPR services, to commercial organisations across all industries in the UK.

SpyCloud

SpyCloud

SpyCloud is a leader in account takeover (ATO) prevention, protecting billions of consumer and employee accounts either directly or through product integrations.

Clario Tech

Clario Tech

Clario is a simple, comprehensive, personalized protection app. It comes with a full suite of intelligent security software and intelligent people to help you live a better, safer digital life.

Theta432

Theta432

THETA432 is a cybersecurity firm that provides 24/7/365 managed prevention, detection, response, Hybrid SOC, cyber defense monitoring services with dynamically defined defense (3D™).

Rimstorm

Rimstorm

Rimstorm’s mission is to significantly improve the security of your data using award-winning, state-of-the-art technology combined with cyber managed security services.

Valtix

Valtix

Valtix is the first and only multi-cloud network security platform delivered as a service that enables cloud teams to meet the most stringent security requirements in a cloud-first & simple way.

MedSec

MedSec

MedSec is the only company of its type focused solely on cybersecurity for hospitals and medical device manufacturers, offering both a cybersecurity software solution and consulting services.

Normalyze

Normalyze

Normalyze are solving some of the most painful problems enterprise IT security teams face in the cloud and data security space. We help enterprises protect all the data they run in the cloud.

Sitehop

Sitehop

Sitehop is a cybersecurity technology company developing and supplying FPGA hardware-enforced cyber security solutions for networks.

eMudhra

eMudhra

eMudhra is a leader in Identity and Transaction Management Solutions.

Diverto

Diverto

Diverto is a company that provides a high level of information security to companies, institutions and other organisations in an information-centric world.