Report Details Russian Cyberespionage Efforts in UkraineSymantec Tracks Month-Long Breach of Ukrainian Network as Tensions Mount
In a report published Monday, Symantec's Threat Hunter Team outlines a specific Russian cyberespionage campaign conducted on a Ukrainian network in 2021. This comes as Russia has amassed 100,000 or more troops at Ukraine's eastern border while it reportedly mulls invasion.
Symantec, a part of Broadcom Software, calls the group in question Shuckworm, although it has also been referred to as Gamaredon or Armageddon. Researchers say the group has leveraged phishing emails to inject remote access tools for reconnaissance and possible data exfiltration, and they point to other "living off the land" tools upon which the group has relied.
Symantec says the alleged spies, who are linked to Russia's Federal Security Service, or FSB - the main successor to the Soviet Union's KGB - use malicious Microsoft Word attachments to plant backdoors that allow for persistence and the delivery of more malware. The researchers tracked one incident, with an unnamed victim, that began July 14 and continued until Aug. 18, 2021.
These findings come amid escalating tensions between Russia and Ukraine. Russian President Vladimir Putin has worked to prevent Ukraine's entry into NATO and has requested a NATO troop removal from Eastern Europe - terms that have drawn international condemnation. With the threat of possible invasion looming, foreign policy experts have increasingly pointed to cyberwarfare as a main weapon at the Russians' disposal.
In its report, Symantec says the suspected Russian hackers leveraged a backdoor - Pterodo - and its other variants to execute commands and establish persistence. From there, the actors used a dropper that pushed a virtual network computing file, which allowed the actors to move laterally through the Ukrainian network. Researchers say the hackers were exposed to job descriptions and other sensitive information.
The Symantec Threat Hunting unit did not immediately respond to Information Security Media Group's request on Monday for more details.
The researchers estimate that the threat group is "continuing to conduct cyberespionage attacks against targets in Ukraine," particularly state bodies. They say Shuckworm has improved its sophistication since it began operations around 2013.
The firm also lists top indicators of compromise for Shuckworm, which include:
- Most URL and command-and-control IPs belong to a shortlist of hosting providers, including AS9123 TimeWeb Ltd., which is in Russia.
- Most C&C URLs use a unique URL structure - http + IP /
.php? =<1-integer>,<5-7-rand-alphanums>, or similar.
- Most malicious files are found in the following directories: csidl_profilelinks, csidl+profilesearchers, CSIDL_PROFILEappdatalocaltemp, or CSIDL_PROFILE.
- Nearly all malicious files begin with a "d" and some are hyphenated, including: deceive.exe; deceived.exe; and deep-sunken.exe.
The researchers say that the "activity shows little sign of abating."
Ukraine Discusses Threat Group
A recent report published by the Security Service of Ukraine, or SSU, pointed to similar findings.
According to that report, the Shuckworm, or Armageddon, group has been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems since 2014.
Ukrainian officials also claimed in late 2021 that the group "is an integral part" of the FSB, comprised of secret service and former law enforcement officers.
"Armageddon does not use complex and sophisticated TTPs, [and] does not try to make an effort to stay secret for a long time," Ukrainian SSU officials wrote. "Staying off the radar is not a group priority. However, [its] activities are characterized by intrusiveness and audacity. … The group focuses on computer systems running Windows, although we know about the test use of the EvilGnome malware (to defeat Linux systems), as well as attempts to get access to Android devices."
Some security experts say these recent events and findings point to potentially devastating cyber activity stemming from the Kremlin or its proxies.
"I suspect this is the tip of the iceberg of direct FSB and GRU efforts, coupled with the efforts of state-sponsored actors that may be contributing," says John Dickson, a former U.S. Air Force officer who served in the Air Force Information Warfare Center. "I anticipate the Russians will step up their attacks [on] ... the Ukrainian grid, [similar to] 2016."
Dickson, who is currently the vice president of the advisory firm Coalfire, adds, "As Russian pressure builds and the standoff with the West persists, the Russians will likely be less worried about attribution, and instead will be more concerned with the effect of their cyber operations."
On Guard Against Russian Intrusions
With fear of an invasion persisting, rhetoric has become more pointed. U.S. President Joe Biden has warned Putin to de-escalate and seek diplomatic solutions and has said the U.S. is prepared to issue severe sanctions if Putin's troops use force.
But experts fear possible kinetic action will first be enabled, or exacerbated, by direct military cyberattacks on Ukrainian infrastructure. The pressing question now: Is the nation prepared?
Cyber defense expert Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and a former special adviser to the U.S. Department of Defense, told NPR on Saturday: "The reality is that you are not going to secure the Ukrainian networks in the next couple weeks here. That's a Herculean task."
Russian actors have previously targeted Ukrainian infrastructure, in 2015 and 2016, and pushed the NotPetya malware variant the following year across Ukrainian systems.
Jonathan Reiber, a former chief strategy officer for cyber policy at the Office of the Secretary of Defense, told Politico on Friday that this conflict could "end up being the first declared hostility where cyberspace operations are a part of an integrated offensive military invasion."
The official claimed that any offensive would likely be accompanied by a complex disinformation campaign to confuse Ukrainian citizens and undermine the government.
Following a Department of Homeland Security alert last week, warning that the Russians could target U.S. networks if the Biden administration intervened, James A. Lewis, senior vice president at the Center for Strategic and International Studies, told ISMG that it would be a "bold move to use the cyber equivalent of force" against other Western nations in retaliation. "I don't think they will," he said.
Still, U.S. suppliers to large companies and government agencies should be on guard against elevated Russian cyberattack potential, says Sai Huda, a former lead faculty member for training at the Consumer Financial Protection Bureau.
Huda, an advisory board member at the Cyber Center of Excellence and CEO of the firm CyberCatch, also says, "Every single supplier is a potential target, directly or indirectly, as a result of the current Russian cyber campaigns and must take another, closer look at their cyber risk position, perform scans, educate employees and perform ongoing testing of cybersecurity controls."