Russia’s Nation-State Hackers: A Serious Threat To Global Security



The Russian invasion of Ukraine in February 2022 renewed interest in information warfare, with propaganda and disinformation disseminated widely on global social media. Russia has long employed hackers as an instrument of propaganda, theft and attack.

Russian-language criminals operating ransomware as a service continue to be responsible for most high-profile cyber crime attacks against the US, UK and EU, as well as Ukraine.

The US National Security Agency (NSA), Federal Bureau of Investigation (FBI) and co-authoring agencies have warned that Russian Foreign Intelligence Service (SVR) cyber actors are exploiting a publicly known vulnerability to compromise victims globally, including in the United States and allied countries. Some of the high-profile Russian-language criminal groups are known to have links with the Russian state.

This has been accompanied by a large-scale Russian propaganda campaign on social media, particularly in countries that abstained from voting on United Nations Resolution ES-11/1, such as India, South Africa and Pakistan.

Russian state hackers are also increasingly attempting to deploy backdoors on the devices of targets in NATO countries and Ukraine, according to research from Google's Threat Analysis Group.

Attacks On Microsoft

Russian state-backed hackers gained access to some of Microsoft's core software systems in an intrusion first disclosed in January 2024; later disclosures showed it to be more extensive and serious than previously known. Microsoft said in a filing with the US Securities and Exchange Commission that the hackers had used information stolen from its corporate email systems to gain, or attempt to gain, access to some of the company's source code repositories and internal systems.

The hackers broke into Microsoft's corporate email system and accessed the accounts of members of the company's senior leadership team, as well as those of employees on its cyber security and legal teams, the company said.

Microsoft, which is based in Redmond, Washington, said the hackers from Russia's SVR foreign intelligence agency gained their initial access by compromising the credentials of a "legacy" non-production test tenant account. They obtained those credentials by password spraying, a low-and-slow variant of brute force: instead of hammering one account with many guesses, which trips per-account lockouts, the attacker tries a small number of common passwords against a large number of accounts. After gaining that foothold, they used the permissions of the test account, and of a legacy OAuth application it could reach that had elevated access to the corporate environment, to read the mailboxes of the senior leadership team and others.
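Because a spray never trips the per-account lockout, the useful signal is per source rather than per account: one source failing against many distinct accounts, each only once or twice, and then succeeding somewhere. The script below is an added example, not Microsoft's code or anything from the article, that runs that logic over constructed sign-in records; the log format, the IP addresses, the account names and the thresholds are all illustrative assumptions.

```python
"""Password-spray detection over authentication logs (added example).

Classic brute force hammers one account with many guesses and trips the
per-account lockout. Password spraying inverts that: one or two common
passwords are tried against MANY accounts from the same source, so no
single account reaches the lockout threshold. The detectable signal is a
source that fails against many distinct accounts while staying low per
account, and especially one that then succeeds somewhere.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from any real system):
# "<ISO timestamp> <RESULT> <user> <source IP>"
SAMPLE_LOG = """\
2024-01-12T03:00:01Z FAIL alice 203.0.113.7
2024-01-12T03:00:02Z FAIL bob 203.0.113.7
2024-01-12T03:00:03Z FAIL carol 203.0.113.7
2024-01-12T03:00:04Z FAIL dave 203.0.113.7
2024-01-12T03:00:05Z FAIL erin 203.0.113.7
2024-01-12T03:00:06Z FAIL frank 203.0.113.7
2024-01-12T03:00:07Z FAIL grace 203.0.113.7
2024-01-12T03:00:08Z FAIL heidi 203.0.113.7
2024-01-12T03:00:09Z FAIL ivan 203.0.113.7
2024-01-12T03:00:10Z SUCCESS test-legacy 203.0.113.7
2024-01-12T03:05:00Z FAIL alice 198.51.100.9
2024-01-12T03:05:01Z FAIL alice 198.51.100.9
2024-01-12T03:05:02Z FAIL alice 198.51.100.9
2024-01-12T03:05:03Z FAIL alice 198.51.100.9
2024-01-12T03:05:04Z FAIL alice 198.51.100.9
2024-01-12T03:05:05Z FAIL alice 198.51.100.9
2024-01-12T03:05:06Z FAIL alice 198.51.100.9
2024-01-12T03:05:07Z FAIL alice 198.51.100.9
2024-01-12T03:05:08Z FAIL alice 198.51.100.9
2024-01-12T03:05:09Z FAIL alice 198.51.100.9
2024-01-12T03:10:00Z FAIL bob 192.0.2.33
2024-01-12T03:10:30Z SUCCESS bob 192.0.2.33
"""


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), min_accounts=8,
           max_per_account=3, lockout_threshold=10):
    """Classify each source IP as password spray, brute force, or nothing.

    The thresholds are illustrative assumptions: tune them to the tenant's
    lockout policy and normal sign-in volume.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[3]].append(ev)

    alerts = {}
    for ip, evs in by_source.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        # Sliding time window over this source's failures: how many distinct
        # accounts does it fail against, and what is the worst count per account?
        per_user = defaultdict(int)
        start = 0
        most_accounts = worst_per_account = 0
        for end, ev in enumerate(fails):
            per_user[ev[2]] += 1
            while fails[end][0] - fails[start][0] > window:
                old = fails[start][2]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            most_accounts = max(most_accounts, len(per_user))
            worst_per_account = max(worst_per_account, max(per_user.values()))

        if most_accounts >= min_accounts and worst_per_account <= max_per_account:
            kind = "password_spray"
        elif worst_per_account >= lockout_threshold:
            kind = "brute_force"
        else:
            continue  # nothing suspicious from this source

        # A success from the same source after the guessing began is the
        # foothold to investigate first (the "legacy test account" pattern).
        first_fail = fails[0][0]
        later_success = sorted({e[2] for e in evs
                                if e[1] == "SUCCESS" and e[0] >= first_fail})
        alerts[ip] = {
            "kind": kind,
            "distinct_accounts": most_accounts,
            "max_attempts_per_account": worst_per_account,
            "later_success": later_success,
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the constructed input the first source is flagged as a spray (nine accounts, one attempt each, followed by a successful sign-in to the test account), the second as classic brute force against a single account, and the third, a user mistyping once and then logging in, is ignored. A per-account lockout rule alone would never have fired on the first source, which is the point of the technique.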

Fancy Bear Attacks

Russia's notorious hacking group Fancy Bear is targeting European governments with cyber attacks, the European Union's cyber emergency response team has warned officials. Fancy Bear, also known as APT28, is a hacking group affiliated with Russian military intelligence that the United States has said was behind the 2016 hacks of the Democratic National Committee during that year's US presidential election.

The warning comes amid growing concern that this year's elections in major nations around the world will be targeted by hacking groups from countries, such as Russia and China, that run offensive cyber programmes against Europe.

According to officials, APT28 has targeted organisations across many sectors, including aerospace and defence, education, energy and utilities, government, hospitality, manufacturing, oil and gas, retail, technology and transportation.

Targeted countries have included the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates and the US. APT28 is believed to be the primary Russian group compromising routers for use as attack infrastructure, although other Russian groups do so as well.

Russian state-affiliated hacking groups have plagued European countries with cyber attacks, cyber espionage and disinformation campaigns for years, in what EU governments consider attempts to derail their domestic politics.

Fancy Bear in particular is one of Moscow's most cunning threat groups and has been operating for at least 15 years. It specialises in infiltrating government and critical industry organisations across the West and using the stolen information to disrupt politics.

European Union Under Attack

Recently, at least seven European governments have been targeted with spear-phishing campaigns, in which custom-tailored lures aimed at specific, high-profile individuals try to get them to download malicious software or hand over access to digital systems. Other researchers have found that the tactics of hackers from Centre 18, a unit within Russia's Federal Security Service (FSB), have evolved in recent months into more sophisticated efforts built around PDF files.

The FSB is the successor agency to the KGB, which operated throughout the Cold War; Russian President Vladimir Putin was director of the FSB for a period in the late 1990s. The FSB-linked group, and specifically the part of it known as Centre 18, is believed to have been targeting the UK since at least 2015, stealing information from figures in political and public life, and is claimed to remain active. The researchers who track the group as COLDRIVER say that since November 2022 it has lured victims into downloading backdoors onto their devices through such documents.

For years, Centre 18 has been a key part of the Russian government's hacking operations, participating in efforts to compromise systems used by the US government, among others.

Bots have played a disproportionate role in disseminating pro-Russian messages, amplifying them especially in the early stages of diffusion on platforms such as Twitter, where pro-Russian messages received 251,000 retweets and thereby reached around 14.4 million users. Around 20.28% of these "spreaders" are classified as bots, most of them created at the beginning of the invasion.

Five Eyes Warnings

Recently the cyber security authorities of the United States, Australia, Canada, New Zealand and the United Kingdom, collectively known as the Five Eyes, published a joint Cybersecurity Advisory. Its intent is to warn organisations that Russia's invasion of Ukraine could expose organisations both within and beyond the region to increased malicious cyber activity.

A further Five Eyes Advisory provides recommendations to critical infrastructure organisations following a series of attacks launched by apparent pro-Russia hacktivists against industrial control systems (ICS) and other operational technology (OT). The hacktivists have mainly targeted internet-exposed human-machine interfaces (HMIs), typically leveraging default passwords and outdated VNC software. Separately, the agencies note that malicious cyber actors linked to Russia's SVR are adapting their techniques in response to the increasing shift to cloud-based infrastructure.

The Five Eyes agencies have been tracking these types of attacks since 2022, but the new alert was prompted by recent attacks for which pro-Russia hacktivists have taken credit.

“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water & sewage (WSS) operators,” the Advisory reads. “Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.” This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and US allies and partners.
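The sequence the Advisory describes (set points driven to their limits, alarms switched off, the administrative password changed) is exactly what an OT monitoring rule should correlate, because each step on its own can look like routine operator activity. The following is an added example, not code from the Advisory, the agencies or the article: it scores constructed HMI audit events against assumed engineering limits for each tag and an assumed list of trusted operator networks. The tag names, limits, addresses and event format are illustrative assumptions.

```python
"""Detection of HMI manipulation in OT audit events (added example).

Individually, writing a set point, silencing an alarm or changing a
password can be legitimate. Together, from one source in a short window,
they match the pattern described in the Advisory. A write from outside the
operator network is a finding in itself, since an HMI should not be
reachable from the internet at all.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed engineering limits for each writable tag (illustrative values).
OPERATING_RANGES = {
    "pump1_speed_pct": (20, 80),
    "blower2_rpm": (800, 2500),
}

# Assumed operator networks; writes from anywhere else are suspect.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample audit lines (not from any real plant):
# "<ISO timestamp> <source IP> <action> <target> <value or ->"
SAMPLE_EVENTS = """\
2024-04-20T02:11:05Z 203.0.113.50 setpoint_write pump1_speed_pct 100
2024-04-20T02:11:09Z 203.0.113.50 setpoint_write blower2_rpm 4000
2024-04-20T02:11:20Z 203.0.113.50 alarm_disable high_level_alarm -
2024-04-20T02:12:01Z 203.0.113.50 password_change admin -
2024-04-20T09:30:00Z 10.20.0.15 setpoint_write pump1_speed_pct 65
2024-04-20T09:31:00Z 10.20.0.15 alarm_disable low_flow_alarm -
"""


def parse_events(text):
    """Return (timestamp, ip, action, target, value) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, action, target, value = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, action, target, value))
    return sorted(events)


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def assess(events, ranges=OPERATING_RANGES, window=timedelta(minutes=15)):
    """Return {source_ip: {"severity": ..., "findings": [...]}} for suspect sources."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)

    rank = {"medium": 1, "high": 2}
    results = {}
    for ip, evs in by_source.items():
        # Split this source's activity into bursts no longer than `window`.
        bursts, current = [], []
        for ev in evs:
            if current and ev[0] - current[0][0] > window:
                bursts.append(current)
                current = []
            current.append(ev)
        bursts.append(current)

        for burst in bursts:
            findings = [] if is_trusted(ip) else ["untrusted_source"]
            for _, _, action, target, value in burst:
                if action == "setpoint_write" and target in ranges:
                    lo, hi = ranges[target]
                    if not lo <= float(value) <= hi:
                        findings.append(f"out_of_range:{target}={value}")
                elif action == "alarm_disable":
                    findings.append(f"alarm_disabled:{target}")
                elif action == "password_change":
                    findings.append(f"password_change:{target}")

            kinds = {f.split(":")[0] for f in findings}
            # Out-of-range writes combined with silencing alarms or locking out
            # operators is the Advisory's pattern; escalate it.
            if "out_of_range" in kinds and kinds & {"alarm_disabled", "password_change"}:
                severity = "high"
            elif "out_of_range" in kinds or "untrusted_source" in kinds:
                severity = "medium"
            else:
                continue  # e.g. an operator silencing one alarm from the plant LAN
            prev = results.get(ip)
            if prev is None or rank[severity] > rank[prev["severity"]]:
                results[ip] = {"severity": severity, "findings": findings}
    return results


if __name__ == "__main__":
    for ip, verdict in assess(parse_events(SAMPLE_EVENTS)).items():
        print(ip, verdict)
```

On the constructed input the external source that maxes out two set points, disables an alarm and changes the admin password is rated high, while the in-range write and single alarm change from the operator network produce nothing. The rule deliberately keys on the combination rather than on any single action, which is what keeps it quiet during normal plant operation.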

“Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” said Rob Joyce, Director of the US NSA’s Cybersecurity Directorate. “It is critical to ensure systems are patched quickly, and to implement the mitigations and use the IOCs listed in this report to hunt for adversary persistent access.”

Evolving intelligence indicates that the Russian government is exploring options for potential cyber attacks.

Sandworm 

A Russian nation-state hacking group with links to Russian military intelligence has become a significant global threat by taking an important role in the current war in Ukraine. Mandiant, a leading cyber security firm owned by Google, has detected various operations by the group, known as Sandworm, that serve Russian geopolitical interests. Mandiant's report coincides with a US court laying charges against Russian military intelligence officers for their apparent involvement in the 2016 US presidential election, according to the FBI.

Mandiant researchers report: “We have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America.

“With a record number of people participating in national elections in 2024, Sandworm’s history of attempting to interfere in democratic processes further elevates the severity of the threat the group may pose in the near-term.”
Sandworm has a record of penetrating electoral systems and institutions and has “attempted to interfere with democratic processes in select countries by leaking politically sensitive information and deploying malware to access election systems and misreport election data,” Mandiant reports. Sandworm has established itself as Russia’s leading offensive cyber unit, operating alongside the Russian military in the conflict with Ukraine. It is reportedly sponsored by Russian military intelligence and is “actively engaged in the full spectrum of espionage, attack, and influence operations.”

The researchers conclude that the group’s activities range across many fields, so long as they serve the political interests of the Russian military. “We assess with high confidence that Sandworm is seen by the Kremlin as a flexible instrument of power capable of servicing Russia’s wide-ranging national interests and ambitions, including efforts to undermine democratic processes globally.”

Sandworm's operations extend beyond Ukraine, reaching key political, military and economic hotspots worldwide, Mandiant says.

Other Warnings

US agencies are warning operators of North American and European water treatment systems to be wary of, and take steps to prevent, a surge of Russia-linked hackers trying to break into their operational technology. The advisory, co-authored with French, Canadian and British authorities, says that pro-Russia activists are “targeting and compromising” the operational technology platforms that underpin wastewater and water treatment systems, at times posing physical threats to safety.

The alert says that water operators have been employing poor security practices that allowed the hackers to breach their networks, including leaving in place the default passwords shipped with water system management tools.

Russia’s state-directed economy enables it to centrally manage contracts for military and intelligence operations. A leak in 2023 uncovered this relationship, showing a vast network of military contractors working on behalf of the Kremlin and its units, including Sandworm.

Counter Attacks

Researchers say that over the past year at least 14 state-sponsored hacker groups from around the world have targeted Russia and several former Soviet states (Azerbaijan, Belarus, Kyrgyzstan and Kazakhstan) with destructive or espionage campaigns.

Some of these groups were likely linked to Ukraine, which is at war with Russia; others acted in the interests of their own countries, including North Korea and China, according to the report by the Russian company FACCT, a spin-off of the cyber security firm Group-IB, which exited the Russian market in 2023. FACCT describes its report as "the most comprehensive source of strategic and tactical data on cyber threats" in Russia and certain former USSR states. Western security companies often have limited visibility in these regions, having left the market when Russia invaded Ukraine.

In its espionage findings, the research illustrates how nations seen as partners or allies use cyberspace to spy on one another.

Another hacktivist group, the Belarusian Cyber Partisans, launched at least six attacks last year against Belarus and Russia. At least two used a previously unknown ransomware strain, while the others were defacement campaigns designed to alter the appearance of websites, or involved breaches of confidential data. Researchers also identified groups that pursue both financial and political aims. One is the criminal syndicate Comet Twelve: Comet demands a ransom for decryption and for not publishing stolen data, while Twelve destroys the victim’s networks without making financial demands. Both use the same infrastructure, tactics and attack tools.

Conclusion

There are many examples over the last six years of Russia demonstrating the capability and utility of patriotic organisations in combined-arms campaigns. The resulting hybridisation, whether an open source malware kit used to attack the Ukrainian power grid or patriotic hackers attacking a foreign government’s networks as part of a kinetic operation, shows how outsourcing can both empower and obscure nation-state action.

What you see is not always reality. Russia has been extremely resourceful in the past few years in creating a hacking engine that appears to be a lot larger than it is. 

Regardless of size, Russia has the most technically advanced and bold cyber criminal community in the world, more than capable of causing significant damage to whomever it attacks, from countries to corporations.

Yet Russia’s ability to control these private hacking groups is eroding. With the advent of cryptocurrencies and the globalisation of hacking operations, its leverage over the hackers working with it diminishes.

Nationalism is unlikely to be enough going forward to keep these advanced groups operating within “acceptable” bounds for the Russian government. While the same risks also appear in the approach we see other states taking, those states have so far built structures that place more significant checks on the activity of private actors.


Image: Ideogram
