25 November 2022

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless

ANDY GREENBERG

SINCE RUSSIA LAUNCHED its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.

At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.

That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It's allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.

"Strategically, the GRU needs to balance disruptive events and espionage," Roncone told WIRED ahead of her and Wolfram's CyberwarCon talk. "They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they've started 'living on the edge' of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying."

In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU's focus on hacking edge devices enabled its new tempo and tactics.

In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization's firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network's machines—and then maintained access through the firewall that allowed them to launch another wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization's routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.

Separately, Microsoft’s Threat Intelligence Center, known as MSTIC, revealed today yet another example of the GRU launching repeated cyberattacks on the same Ukrainian targets. According to MSTIC, the hacker group it calls Iridium, more widely known as the GRU hacking unit Sandworm, was responsible for Prestige ransomware attacks that hit transportation and logistics targets in Ukraine and Poland from March to October of this year. MSTIC notes that many of the victims of that ransomware had earlier been hit with the wiper tool HermeticWiper just before Russia’s February invasion—another piece of data-destroying malware linked to the GRU.

The GRU, Roncone and Wolfram point out, have certainly targeted "edge" devices before this new phase of the agency cyberwar in Ukraine. In 2018, the agency's hackers infected more than half a million routers worldwide with malware known as VPNFilter, and they similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia's Ukraine invasion in February.

But the Mandiant analysts argue that only now are they seeing that hacking of edge devices used to accelerate the agency's pace of operations and to achieve persistence inside networks that lets the GRU pull off repeated intrusions against the same victims. That's meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they're spying on, the agency has been able to "have their cake and eat it too," as Roncone puts it.

Ukraine's own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official. He confirms that the GRU, in particular, has come to favor targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organization in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.

“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources," says Zhora. "They still try to carry out their expected role, to be Russia's most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they're still seeking new opportunities for intelligence and wiping options."

No comments: