US charges Sandworm hackers who mounted NotPetya, other high-profile attacks

The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) claimed as it unsealed an indictment against six hackers and alleged members on Monday.

Sandworm hackers

Sandworm Team attacks

“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort,” the DoJ alleges.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”

At the same time, the UK National Cyber Security Centre says that they asses “with high confidence” that the group has been actively targeting organizations involved in the 2020 Olympic and Paralympic Games before they were postponed.

“In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games. The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter,” the UK NCSC said.

“The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.”

The UK government confirmed their prior assessments that many of the aforementioned attacks had been the work of the Russian GRU.

Sandworm Team hackers

Sandworm Team (aka “Telebots,” “Voodoo Bear,” “Iron Viking,” and “BlackEnergy”) is the group behind many conspicuous attacks in the last half a decade, the DoJ claims, all allegedly performed under the aegis of the Russian government.

The six alleged Sandworm Team hackers against which the indictments have been brought were responsible for a variety of tasks:

Sandworm hackers

One of them, Anatoliy Kovalev, has been previously charged by a US court “with conspiring to gain unauthorized access into the computers of US persons and entities involved in the administration of the 2016 US elections,” the DoJ noted.

The US investigation into the group has lasted for several years, and had help from Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, victims, and several IT and IT security companies.

Political and other ramifications

Warrants for the arrest of the six alleged Sandworm Team members have been drawn, but chances are slim-to-nonexistent that arrests will be performed in the near or far future.

The Russian government’s official position is that the accusations are unbased and part of an “information war against Russia”.

It’s unusual to see the US mount criminal charges against intelligence officers that were engaged in cyber-espionage operations outside the US, but the rationale here is that many of the attacks resulted in real-world consequences that were aimed at undermining the target countries’ governments and destabilizing the countries themselves, and that they affected individuals, civilian critical infrastructure (including organizations in the US), and private sector companies.

“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” commented US Attorney Scott W. Brady for the Western District of Pennsylvania.

There are currently no laws and norms regulating cyber attacks and cyber espionage in peacetime, but earlier this year Russian Federation president Vladimir Putin called for an agreement between Russia and the US that would guarantee the two nations would not try to meddle with each other’s elections and internal affairs via “cyber” means.

This latest round of indictments by the US is unlikely to act as a deterrent but, as Dr. Panayotis Yannakogeorgos recently told Help Net Security, indictments and public attribution of attacks serve several other purposes.

Another interesting result of this indictment may be felt by insurance companies and their customers that have suffered disruption due to cyber attacks mounted by nation-states. Some of their insurance policies may not cover cyber incidents that could be considered an “act of war” (e.g., the NotPetya attacks).

The biggest cyber threats organizations deal with today

Microsoft has released a new report outlining enterprise cyberattack trends in the past year (July 2019 – June 2020) and offering advice on how organizations can protect themselves.

Based on over 8 trillion daily security signals and observations from the company’s security and threat intelligence experts, the Microsoft Digital Defense Report 2020 draws a distinction between attacks mounted by cybercriminals and those by nation-state attackers.

The cybercrime threat

In the past year, cybercriminals:

  • Were quick to exploit the fear and uncertainty associated with COVID-19 as a lure in phishing emails, and the popularity of some SaaS offerings and other services
  • Exploited the lack of basic security hygiene and well-known vulnerabilities to gain access to enterprise systems and networks
  • Exploited supply chain (in)security by hitting vulnerable third-party services, open source software and IoT devices and using them as a way into the target organization

More often than not, phishing emails impersonate a well-known service such as Office 365 (Microsoft), Zoom, Amazon or Apple, in an attempt to harvest login credentials.

“While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credential being attempted via password reuse and password spray attacks using legacy email protocols such as IMAP and SMTP,” Microsoft noted.

The attackers’ reason for exploiting these legacy authentication protocols is simple: they don’t support multi-factor authentication (MFA). Microsoft advises on enabling MFA and disabling legacy authentication.

Cybercriminals are also:

  • Increasingly use cloud services and compromised email and web hosting infrastructures to orchestrate phishing campaigns
  • Rapidly changing campaigns (sending domains, email addresses, content templates, and URL domains)
  • Constantly changing and evolving payload delivery mechanisms (poisoned search results, custom 404 pages hosting phishing payloads, etc.)

One of the biggest and most disruptive cybercrime threat in the past year was ransomware – particularly “human-operated” ransomware wielded by gangs that target ogranizations they believe will part with big sums if affected.

These gangs sweep the internet for easy entry points or use commodity malware to gain access to company networks and change ransomware payloads and attack tools depending on the “terrain” they landed in (and to avoid attribution).

“Ransomware criminals are intimately familiar with systems management concepts and the struggles IT departments face. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks,” Microsoft explained.

“They’re aware of when there are business needs that will make businesses more willing to pay ransoms than take downtime, such as during billing cycles in the health, finance, and legal industries. Targeting networks where critical work was needed during the COVID-19 pandemic, and also specifically attacking remote access devices during a time when unprecedented numbers of people were working remotely, are examples of this level of knowledge.”

Some of them have even shortened their in-network dwell time before deploying the ransomware, going from initial entry to ransoming the entire network in less than 45 minutes.

Gerrit Lansing, Field CTO, Stealthbits, commented that the speed at which a targeted ransomware attack can happen is really determined by one thing: how quickly an adversary can compromise administrative privileges in Microsoft Active Directory.

“Going from initial infiltration to total ownership of Active Directory can be a matter of seconds. Once these privileges are compromised, an adversary’s ability to deploy ransomware to all machines joined to Active Directory is unfettered, which explains how an adversary can go from initial infiltration to total ransomware infection in such a short period of time,” he noted.

Finally, to counter the threat of supply chain insecurity, Microsoft advises companiessupply to:

  • Vet their service providers thoroughly
  • Use systems to automatically identify open source software components and vulnerabilities in them
  • Map IoT assets, apply security policies to reduce the attack surface, and to use a different network for IoT devices and be familiar with all exposed interfaces

enterprise cyberattack trends 2020

Nation-state threats

The company has been following and mapping the activities of a number of nation-state actors and has found that – based on the nation state notifications they deliver to their customers – the attackers’ primary targets are not in the critical infrastructure sectors.

Instead, the top targeted industry sectors are non-governmental organizations (advocacy groups, human rights organizations, nonprofit organizations, etc.) and professional services (consulting firms and contractors):

enterprise cyberattack trends 2020

Microsoft found the most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits. Web shell-based attacks are also on the rise.

The report delineates steps organizations can take to counter each of these threats as well as to improve their security and the security of their remote workforce.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling MFA. Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks,” the Microsoft Security Team concluded.

State-backed hacking, cyber deterrence, and the need for international norms

As time passes, state-backed hacking is becoming an increasingly bigger problem, with the attackers stealing money, information, credit card data, intellectual property, state secrets, and probing critical infrastructure.

state-backed hacking

While Chinese, Russian, North Korean and Iranian state-backed APT groups get most of the spotlight (at least in the Western world), other nations are beginning to join in the “fun.”

It’s a free for all, it seems, as the world has yet to decide on laws and norms regulating cyber attacks and cyber espionage in peacetime, and find a way to make nation-states abide by them.

There is so far one international treaty on cybercrime (The Council of Europe Convention on Cybercrime) that is accepted by the nations of the European Union, United States, and other likeminded allies, notes Dr. Panayotis Yannakogeorgos, and it’s contested by Russia and China, so it is not global and only applies to the signatories.

Dr. Yannakogeorgos, who’s a professor and faculty lead for a graduate degree program in Global Security, Conflict, and Cybercrime at the NYU School of Professional Studies Center for Global Affairs, believes this treaty could be both a good model text on which nations around the world can harmonize their own domestic criminal codes, as well as the means to begin the lengthy diplomatic negotiations with Russia and China to develop an international criminal law for cyber.

Cyber deterrence strategies

In the meantime, states are left to their own devices when it comes to devising a cyber deterrence strategy.

The US has been publicly attributing cyber espionage campaigns to state-backed APTs and regularly releasing technical information related to those campaigns, its legislators have been introducing legislation that would lead to sanctions for foreign individuals engaging in hacking activity that compromises economic and national security or public health, and its Department of Justice has been steadily pushing out indictments against state-backed cyber attackers and spies.

But while, for example, indictments by the US Department of Justice cannot reasonably be expected to result in the extradition of a hacker who has been accused of stealing corporate or national security secrets, the indictments and other forms of public attribution of cyber enabled malicious activities serve several purposes beyond public optics, Dr. Yannakogeorgos told Help Net Security.

“First, they send a clear signal to China and the world on where the United States stands in terms of how governmental resources in cyberspace should be used by responsible state actors. That is, in order to maintain fair and free trade in a global competitive environment, a nation’s intelligence services should not be engaged in stealing corporate secrets and then handing those secrets over to companies for their competitive advantage in global trade,” he explained.

“Second, making clear attribution statements helps build a framework within which the United States can work with our partners and allies on countering threats. This includes joint declarations with allies or multilateral declarations where the sources of threats and the technical nature of the infrastructure used in cyber espionage are declared.”

Finally, when public attribution is made, technical indicators of compromise, toolsets used, and other aspects are typically released as well.

“These technical releases have a very practical impact in that they ‘burn’ the infrastructure that a threat actor took time, money, and talent to develop and requires them to rebuild or retool. Certainly, the malware and other infrastructure can still be used against targets that have not calibrated their cyber defenses to block known pathways for attack. Defense is hard, and there is a complex temporal dimension to going from public indicators of compromise in attribution reports; however, once the world knows it begins to also increase the cost on the attacker to successfully hack a target,” he added.

“In general, a strategy that is focused on shaping the behavior of a threat needs to include actively dismantling infrastructure where it is known. Within the US context, this has been articulated as persistently engaging adversaries through a strategy of ‘defending forward.’”

The problem of attack attribution

The issue of how cyber attack attribution should be handled and confirmed also deserves to be addressed.

Dr. Yannakogeorgos says that, while attribution of cyber attacks is definitely not as clear-cut as seeing smoke coming out of a gun in the real world, with the robust law enforcement, public private partnerships, cyber threat intelligence firms, and information sharing via ISACs, the US has come a long way in terms of not only figuring out who conducted criminal activity in cyberspace, but arresting global networks of cyber criminals as well.

Granted, things get trickier when these actors are working for or on behalf of a nation-state.

“If these activities are part of a covert operation, then by definition the government will have done all it can for its actions to be ‘plausibly deniable.’ This is true for activities outside of cyberspace as well. Nations can point fingers at each other, and present evidence. The accused can deny and say the accusations are based on fabrications,” he explained.

“However, at least within the United States, we’ve developed a very robust analytic framework for attribution that can eliminate reasonable doubt amongst friends and allies, and can send a clear signal to planners on the opposing side. Such analytic frameworks could become norms themselves to help raise the evidentiary standard for attribution of cyber activities to specific nation states.”

A few years ago, Paul Nicholas (at the time the director of Microsoft’s Global Security Strategy) and various researchers proposed the creation of an independent, global organization that would investigate and publicly attribute major cyber attacks – though they admitted that, in some cases, decisive attribution may be impossible.

More recently, Kristen Eichensehr, a Professor of Law at the University of Virginia School of Law with expertise in cybersecurity issues and cyber law, argued that “states should establish an international law requirement that public attributions must include sufficient evidence to enable crosschecking or corroboration of the accusations” – and not just by allies.

“In the realm of nation-state use of cyber, there have been dialogues within the United Nations for nearly two decades. The most recent manifestation is the UN Group of Governmental Experts that have discussed norms of responsible state behavior and issued non-binding statements to guide nations as they develop cyber capabilities,” Dr. Yannakogeorgos pointed out.

“Additionally, private sector actors, such as the coalition declaring the need for a Geneva Convention for cyberspace, also have a voice in the articulation of norms. Academic groups such as the group of individuals involved in the research, debating, and writing of the Tallinn Manuals 1.0 and 2.0 are also examples of scholars who are articulating norms.”

And while articulating and agreeing to specific norms will no doubt be a difficult task, he says that their implementation by signatories will be even harder.

“It’s one thing to say that ‘states will not target each other’s critical infrastructure in cyberspace during peacetime’ and another to not have a public reaction to states that are alleged to have not only targeted critical infrastructure but actually caused digital damage as a result of that targeting,” he concluded.

Biomedical orgs working on COVID-19 vaccines open to cyber attacks

In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.

Biomedical cyber attacks

On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.

Biomedical orgs under attack

The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”

The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.

“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.

Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).

The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.

After achieving persistence through additional tooling or legitimate credentials, APT 29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts with the results being sent to a hardcoded Command and Control server. They also use some malware (SoreFang) that has been previously used by other hacking groups.

The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.

Biomedical orgs open to cyber attacks

As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.

BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:

  • 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
  • A variety of open ports (i.e., exposed insecure services that should be never exposed outside of a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
  • Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
  • 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.

“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.

“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”

APT attacks targeting Linux, Windows and Android remained undetected for nearly a decade

Five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and mobile devices running Android while remaining undetected for nearly a decade, according to BlackBerry.

APT groups

The report provides further insight into pervasive economic espionage operations targeting intellectual property, a subject that the Department of Justice recently said is the focus of more than 1000 open investigations in all of the 56 FBI field offices.

Most large organizations rely on Linux

The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks.

While the majority of the workforce has left the office as part of containment efforts in response to the COVID-19 outbreak, intellectual property remains in enterprise data centers, most of which run on Linux.

Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).

Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. The report examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.

“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry.

“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”

APT groups: Other key findings

The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.

The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.

The research identifies two new examples of Android malware, continuing a trend seen in a previous report which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.

One of the Android malware samples very closely resembles the code in a commercially available penetration testing tool, yet the malware is shown to have been created nearly two years before the commercial tool was first made available for purchase.

The report examines several new variants of well-known malware that are getting by network defenders through the use code-signing certificates for adware, a tactic that the attackers hope will increase infection rates as AV red flags are dismissed as just another blip in a constant stream of adware alerts.

The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control and data exfiltration communications which appear to be trusted network traffic.

Hackers try to breach WHO, other COVID-19-fighting orgs

“Elite” hackers have tried – and failed – to breach computer systems and networks of the World Health Organization (WHO) earlier this month, Reuters reported on Monday.

hackers breach WHO

In fact, since the start of the COVID-19 pandemic, the WHO has been fielding an increasing number of cyberattacks, as well as impersonation attempts.

About the attack

The attackers created a malicious site mimicking the WHO’s internal email system in an attempt to phish the agency staffers’ email credentials.

What the attackers were after and who they were is not known, although some sources suspect them to be the Darkhotel espionage crew, which has been active for nearly over decade and whose targets are usually high-profile individuals: executives in various sectors, including defense and energy, and government employees. (The sources did not say why they are inclined to point the finger at the Darkhotel threat actors.)

Costin Raiu, head of global research and analysis at Kaspersky, said that the malicious web infrastructure used in this attack had also been used to target other healthcare and humanitarian organizations in recent weeks.

Coronavirus researchers are being targeted

The Canadian Centre for Cyber Security has also been warning Canadian health organizations about cyber criminals and spies.

“[Sophisticated threat actors] may attempt to gain intelligence on COVID-19 response efforts and potential political responses to the crisis or to steal ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actor,” the federal agency noted.

“Cyber criminals may take advantage of the COVID-19 pandemic, using the increased pressure being placed on Canadian health organizations to extract ransom payments or mask other compromises.”

The agency advised healthcare organizations to be on the lookout for social engineering and spear-phishing attempts and that attackers could exploit critical vulnerabilities and/or compromised credentials.

They also urged all organizations to “become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to a back-up infrastructure,” and have provided a list of critical vulnerabilities that should be patched and/or mitigated as soon as possible.

Healthcare organizations previously hit

Cybercriminals wielding ransomware have already hit some healthcare organizations involved in the fight against the COVID-19 virus.

The Brno University Hospital, in Brno, Czech Republic, is one of them. London-based Hammersmith Medicines Research is another.

While the latter managed to repel the attack and did not suffer downtime, the attackers published some of the medical data they stole. They later removed the leaked files.