Cyber Intelligence Report
Cyber-security information from 19th November to 2nd December 2022.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – Dec 2, 2022
Cyber Intelligence Report
This report contains selected cyber-security information from 19th November to 2nd December 2022.
1. Russian hackers are very busy – outside Ukraine. Highly skilled groups such as Sandworm continue to attack Ukraine. Access thieves are stealing network credentials for other hackers. Hacker groups such as Cheshire are creating malware. Established hacker groups such as Black Basta and Hive are earning a fortune. There are some other Russian cyber operations and lastly WHY Russia is deploying hackers.
2. Russian ‘Courses of Action’ for cyber forces, including allies such as ‘patriotic’, mercenary, and domestic criminal hackers are assessed as:
Ongoing: Russian cyber forces, including allied forces, have launched a series of cyber attacks against both strategic targets and general targets as well as vulnerable governments.
Worst Case Scenario: President Putin decides to focus Russia’s cyber attacks on one country (such as Canada) or a small group of vulnerable countries. Assessed as UNLIKELY.
Best Case Scenario: Russia agrees to cease or is forced to cease offensive cyber operations. Assessed as VERY UNLIKELY.
Russian Cyber Operations
3. Russian Operations vs Ukraine: On 21st November, the Sandworm hacking group, part of Unit 74455 of Russian Military Intelligence, the GRU, launched a ransomware attack on Ukraine. Slovak cybersecurity company ESET, named the new ransomware strain ‘RansomBoggs’. The malware was written in ‘.NET’, a Microsoft Operating System, however, its characteristics identify it as a Sandworm creation. “The analysis of the RansomBoggs Ransomware code revealed that the authors make multiple references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows the authors impersonating the main character of the movie James P. Sullivan.”
4. Sandworm is considered an elite adversarial hacking group within the GRU and has a notorious track record of striking critical infrastructure. In April Sandworm attacked Ukrainian energy facilities with destructive malware. This was followed by an attempt to establish a ‘botnet’ called “Cyclops Blink”. The U.S. government disabled the botnet. In September Sandworm was been observed impersonating telecommunication providers to target Ukrainian entities with malware. In October, Microsoft reported a similar campaign targeting organizations in Ukraine and Poland with ransomware called Prestige and attributed the attacks to Sandworm.
5. Stealing Account Access: Russia appears to be leveraging the specialties within its hacker community. As many as 34 Russian speaking hacker gangs are distributing, collecting and/or stealing passwords under ‘stealer-as-a-service’ model. At least 50 million passwords were stolen in the first seven months of 2022. That information is valued at $5.8 million (USD). They “also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards. victims were located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, over 890,000 devices in 111 countries were infected during the time frame.” In addition to their own thefts, Computer Security Company Cyble said: it has observed a threat actor “distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums”. In multiple cases the attacker was attempting to add their own public key to the admin user’s account. Analysts Comment: These are specialist ‘lockpicks’ who hack networks undetected and then sell network access to other hacker groups.
6. Cheshire Hacker Group: A new addition to the lockpicking and information stealing groups is the Cheshire Hacker Group with its Aurora Stealer Botnet. Cheshire rents Aurora to other groups, describing it as “multi-purpose botnet with stealing, downloading and remote access capabilities.” It can be described as a malware-as-a-service (MaaS). Apparently, there are multiple versions available. A cyber security company described Aurora as: “Aurora is another info stealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader,” … “Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out lucrative follow-up campaigns.“ Analysts Comment: ‘Loaders’ is shorthand for ‘loading other malware’.
7. The effect of the ‘stealer-as-a-service’ success is an explosion in the activity of Russian ransomware groups, more specifically Russian ‘ransomware-as-a-service’ hacker groups. Trend Micro identifies LockBit and Black Basta as the most active ransomware-as-a-service groups. There are a number of other Russian groups such as ‘Hive’ who are also accruing an impressive victim count. Analysts Comment: Figure 1 shows the number of identified victim organizations per quarter in 2022. Estimates place the increase in ransomware victims at more than 15% per quarter.
8. Black Basta: ‘Black Basta’ is known to Canadians for the hacks of the Empire Company (Sobey’s) and Maple Leaf Foods. The current focus of Black Basta is the infiltration of U.S. companies using their ‘Qakbot’ malware. Qakbot creates “an initial point of entry and moves laterally within an organization’s network.” It then encrypts the network while sending data back to its operators. Black Basta then “uses the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as a leverage to extort cryptocurrency payments by threatening to release the stolen information.” “The researchers noticed that once [the hackers] obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.”
9. Hive Ransomware Gang: This is a Russian affiliated ransomware-as-a-service (RaaS) group that started in June 2021. It is best known for its attempt to take down the government in Costa Rica working with the Conti ransomware group. Its current ‘gross’ after a year and a half in operation is estimated at $100 million (USD) with 1,300 business victims. “After gaining access to a victim’s network, the Hive ransomware attempts to identify and terminate processes related to antimalware, backups, and file copying, to stop volume shadow copy services and remove existing copies, and to delete Windows event logs. Prior to encryption, the cybercriminals also exfiltrate data of interest from compromised Windows, Linux, VMware ESXi, and FreeBSD systems.”
10. Other Cyber Operations: Russian hackers continue operations in many other locations. First the Norwegians and now the Dutch are reporting “Russian cyber-reconnaissance at a Netherlands LNG terminal.” Dutch authorities have identified two GRU (Russian Military Intelligence) linked hacker groups attempting to hack “the systems of Gasunie’s LNG terminal in Rotterdam’s port of Eemshaven.”
11. The Russian hacker group ‘Killnet’ was identified as the group that launched a Distributed Denial of Service (DDoS) attack against the web site of the Royal family in the UK. “In messages posted to the Telegram messaging service seen by Computer Weekly, Killnet members said they had attacked the Bankers Automated Clearing Service (BACS), the London Stock Exchange, and the official website of the Prince of Wales.” Killnet is described as: “a prolific political pro-Russian hacking group that moves targets every few weeks based on geopolitical developments … known for staging “aggressive and rhetorical” misinformation campaigns on its Telegram channel, which has almost 100,000 subscribers, and enjoys publicly mocking its victims.”
Why? Why Is Russia Deploying Hackers Against the West?
12. On Dec 1st Russia claimed that American and NATO forces are “directly involved in the Ukraine conflict.” This is not a new claim. In August the claim was that the United States was “directly involved in the conflict in Ukraine …” In September Russia claimed that “NATO Troops were fighting in Ukraine.” Russia is claiming that the ‘foreign fighters’ in the Ukrainian Army represent NATO. The soldiers being referred to are not currently serving in any NATO country’s military. To western observers, the Russian claims are nonsense. To Russians and in particular the Nationalist / Right wing Russian leadership, Ukraine is at most a ‘local issue’ if not a ‘domestic issue’. From that viewpoint, Russia is justified in launching cyber operations against the west. For Putin and Russian leadership, deploying hackers is a punitive action for interfering in Russia’s internal matters.
Don’t Pay Ransomware
13. “It’s also worth noting that paying a ransom isn’t a guarantee that an organization won’t be hit a second or even a third time by Hive or another ransomware operator.
Case in point: In May, an unnamed company was hit by Lockbit ransomware attack, according to Sophos threat researchers. Less than two hours later, a Hive ransomware affiliate attacked the same company and two weeks later, the organization was attacked a third time by a BlackCat ransomware group.”
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact firstname.lastname@example.org