Russia compromises major UK and US organisations to attack Ukraine

5 December 2022 | by Xavier Bellekens


Before the war in Ukraine broke out many security experts across the world predicted it would be the first conflict where cyberattacks would play an equal role to physical assaults.

Ten months on, and it looks like these predictions were correct.

Since the invasion, Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target.

From Medibank to the Los Angeles Unified School District to GSE Energy, over the last year adversaries from Russia have upped the cyber-ante, launching a tsunami of devastating attacks across the world.

Our colleagues within the cybersecurity community have been actively analysing Russian threat actors. These investigations have been aimed at learning more about how Russian gangs are affiliated with the Putin government, and also at understanding how threat operators are linked and their modus operandi.

So, we at Lupovis wanted to get in on the action and showcase how our cyber deception platform can help governments and cybersecurity defenders learn more about Russian adversaries.

Our intelligence focused on deploying decoys on the internet, which were used to lure Russian threat actors so we could analyse their tactics, techniques and procedures (TTPs).

The findings from our study were shocking. The most concerning revealed that Russian criminals have hijacked the networks of UK, US, French, Brazilian and South African businesses, including a Fortune 500 outfit, and of over 15 healthcare organisations, to launch attacks on Ukraine.

So, here is our tell all… and don’t miss the ending, as that’s where we reveal our findings…

Decoys

Decoys are cybersecurity solutions that engage attackers through a sequence of collaborative lures.

The information generated by the decoys is then used in two ways. The first is to lure adversaries onto the deceptive assets rather than real, critical infrastructure, which in turn protects the crown jewels and ensures business continuity.

The second is to collect threat intelligence on the adversaries, including their TTPs and the CVEs they attempt to exploit, to help generate context.

Hooking in the hackers

In order to obtain data on Russian threat actors, we built five decoys and made them look attractive to Russian adversaries by giving them enticing names related to Ukrainian government officials and Ukrainian Critical National Infrastructure (CNI). The main goal of the operation was to gain usable threat intelligence on adversaries targeting Ukraine.

The decoys included:

  • Honeyfiles decoy. This decoy generates beacon documents (Word, Excel, etc.) that contain information attractive to adversaries and send a beacon when opened. The information can include usernames, passwords or the addresses of other critical network elements such as web servers and databases. The aim was to leak these fake documents in key forums, amongst key groups.
  • The next two decoys were web portals designed to mimic Ukrainian political and governmental sites. They were also configured to authenticate insecurely against an API; the way this authentication was deliberately built allowed credentials for the next decoy type to be found.
  • The final two decoys were high-interaction SSH services, configured to accept the faux credentials from the web portals and to report a critical attack if the full chain was followed.

Leaking the bait:

Initially, our honeyfiles service was used to create documents containing key pieces of information that adversaries could use to progress onto the decoys. This information allowed us to correlate the opening of a document with adversaries interacting with a decoy. Our team then leaked the information and documents on Telegram channels, on hacking forums and then on Pastebin. Using similar but distinct information for each location allowed us to determine where the attackers obtained their information and how effective each location was for luring Russian adversaries.

The decoys attracted three different types of adversaries, each motivated differently:

  • The opportunistic adversary. These are adversaries that may or may not be Russian. They scan the internet continuously and look for known CVEs and other information that can be exploited.
  • Third-party adversaries. These are Russian adversaries that landed on the decoy without following the breadcrumbs and bait. This might have been through their own reconnaissance, or through shared information (i.e., Adversary1 opens the document, collects the data and shares the target, but not all the breadcrumbs, with Adversary2).
  • Bait Adversaries. These are Russian adversaries that opened the documents, extracted the key information and proceeded to interact and carry out attacks against the decoys.

Of these three different adversaries, we instantly dismissed the opportunistic adversaries as they are mainly composed of bots and scanners and present little to no value for threat intelligence.

However, third-party and bait adversaries were mainly composed of human attackers. When an adversary was identified as using one of the breadcrumbs leaked, we automatically tagged them with an ‘Indicator of Intelligence’.

Our Indicator of Intelligence allows us to differentiate between bots (noise) and humans. This also allows us to differentiate ‘script kiddies’ and the more interesting, motivated adversaries.
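To make the tagging concrete, here is an added example (not Lupovis code) that correlates constructed decoy events into the three adversary classes above and the Indicator of Intelligence tag, and counts which leak channel each breadcrumb came from; the canary credential names, channel names and IP addresses are invented for illustration.

```python
"""Correlate decoy telemetry into 'Indicator of Intelligence' tags.
Added example, not Lupovis code; canaries, channels and events are constructed."""
from collections import Counter, defaultdict

# One canary credential per leak channel for the same decoy chain, so the
# credential an attacker presents reveals which leak they read.
CANARIES = {
    "svc_ua_grid_tg": "telegram",
    "svc_ua_grid_fr": "hacking-forum",
    "svc_ua_grid_pb": "pastebin",
}
FULL_CHAIN = {"honeyfile", "web_portal", "ssh"}  # beacon doc -> portal -> SSH

# Constructed decoy events: (src_ip, decoy, action, detail)
EVENTS = [
    ("203.0.113.10", "honeyfile", "beacon_open", "svc_ua_grid_tg"),
    ("203.0.113.10", "web_portal", "api_auth", "svc_ua_grid_tg"),
    ("203.0.113.10", "ssh", "login", "svc_ua_grid_tg"),
    ("198.51.100.7", "ssh", "login", "svc_ua_grid_tg"),  # shared target, no doc opened
    ("192.0.2.44", "web_portal", "http_get", "/.env"),      # mass scanner
    ("192.0.2.44", "web_portal", "http_get", "/wp-login.php"),
]

def classify(events):
    """Tag each source IP: opportunistic (no breadcrumb used), third-party
    (a breadcrumb used but the chain is incomplete) or bait (full chain).
    A human who arrives with no breadcrumb at all looks like a scanner here."""
    by_src = defaultdict(list)
    for src, decoy, _action, detail in events:
        by_src[src].append((decoy, detail))
    tags = {}
    for src, evs in by_src.items():
        used = {d for _, d in evs if d in CANARIES}
        decoys = {decoy for decoy, _ in evs}
        if not used:
            tags[src] = {"tag": "opportunistic", "ioi": False, "leak_source": None}
            continue
        full = FULL_CHAIN <= decoys
        tags[src] = {
            "tag": "bait" if full else "third-party",
            "ioi": True,  # Indicator of Intelligence: a leaked breadcrumb was used
            "leak_source": CANARIES[sorted(used)[0]],
            "severity": "critical" if full else "high",
        }
    return tags

def leak_effectiveness(tags):
    """Count tagged sources per leak channel to see which drop worked best."""
    return Counter(t["leak_source"] for t in tags.values() if t["ioi"])
```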

So, what did we discover?

  • The most concerning finding from our study is that Russian cybercriminals have compromised the networks of multiple global organisations, including a Fortune 500 business, over 15 healthcare organisations and a dam monitoring system. These organisations were based in the UK, France, the US, Brazil and South Africa, and Russian criminals are rerouting through their networks to launch cyberattacks on Ukraine, which effectively means they are using these organisations to carry out their dirty work.
  • The world has seen a massive rise in healthcare organisations suffering ransomware attacks over the last year. Given that our research shows over 15 healthcare organisations had been compromised by Russian criminals, this could suggest the attackers are working under the radar on their networks and using their access to launch attacks on other institutions. Then, once they are discovered, they launch ransomware attacks on the healthcare organisation’s systems or perform data breaches. This would suggest attackers are maximising every tool in their arsenal to compromise an organisation before moving on to their next victim.
  • We saw 50 to 60 human attackers on the decoys, and many of the attackers reached the decoys within a minute of them going live.
  • Human adversaries carried out a variety of attacks on the decoys, ranging from reconnaissance based on the ‘lure information’ they contained to exploiting them in order to recruit them into botnets for DDoS attacks.
  • Further attacks included: targeted SQL injection; remote file inclusion; Docker exploitation; usage of leaked Ukrainian credentials; and use of known CVEs.
  • Use of custom scripts to attack other Ukrainian websites, Ukrainian institutions and/or websites supporting the Ukrainian efforts.
  • Decoys also faced multiple DDoS attacks. Compared with the number and ferocity seen on other, non-Ukrainian decoys, it was clear that decoys supporting the Ukrainian efforts enticed a stronger response.

Conclusion:

Our study highlights the inner workings of Russian cybercriminals and just how embedded they are within organisations’ networks across the world.

Security defenders, organisations and governments can use this intelligence to understand Russian threat actors and the techniques they are deploying to target victims, and to compromise organisations to carry out their dirty work.

Decoys are an effective way to detect and protect against cyber adversaries.

Through deceptive-based cyber tools and decoys, we can lure threat actors towards enticing targets and trick them into thinking they are reaching something of value. Through this reconnaissance, we can also understand how threat actors operate and how they share information across their peers.

All while ultimately turning the hunters into the hunted.
