Threat Intelligence

10:00 PM
Connect Directly

Nation-State Hackers Adopt Russian 'Maskirovka' Strategy

New CrowdStrike report shows blurring of state-sponsored and cybercrime hacking methods.

A wave of surprising twists in both nation-state and cybercrime-related cyberattacks in the past year, along with increasing overlap in their tools and tactics, has ushered in a new era where all is not what it seems.

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea's massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia's data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called "maskirovka," which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. "Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment," the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia's top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine's Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

The security research community for some time had suspected Russia behind the attacks, but the "Five Eyes" nations all calling out Russia comes with potential wide political and diplomatic ramifications. "When we were in the heat of investigating of NotPetya, a lot of people were talking 'is this an act of war?' NATO talked about Article 5. We are in uncharted territory," says Adam Meyers, vice president of intelligence at CrowdStrike. "We don't know what the next steps are," he says, with both ID'ing Russia and the ongoing Mueller investigation into Russian election-meddling and the Trump campaign's interactions with Russia.

According to reporting this week by The Washington Post, US intelligence officials said Russia's GRU military hacking unit was behind cyberattacks on the 2018 Winter Olympics network, attempting to appear as attackers out of North Korea, using North Korean IP addresses and other false flags. The GRU hackers had infiltrated some 300 computers tied to the Olympics, according to the report. Some researchers initially ID'ed North Korea as the culprit, while others dismissed that theory.

"We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes," say John Hultquist, director of intelligence analysis at FireEye, which earlier this year predicted a Russian attack on the Games that would be staged to appear as the handiwork of another nation, such as North Korea. "Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28."


But NotPetya was a gamechanger, with Russian threat actors posing as ransomware attackers looking to make some cash. NotPetya ultimately had no decryption key, and destroyed kidnapped files.

"The fact they're doing it using ransomware as a cover … effectively gives nation-states the ability to create destructive attacks that are not attributable," CrowdStrike's Meyers says.

The Russian attackers behind NotPetya made a serious attempt to hide their origins and intent, he says. "There was a ransom note, but no way to recover the data," he says. It became clearer of their actual targets when the infections were traced to a popular Ukrainian accounting software program. The non-Ukrainian victims were basically collateral damage, but with a catch: "Any organization doing business with Ukraine that may have been impacted would be thinking twice about" that relationship after the attacks, he says.

Russia of course is not the only nation-state waging destructive attacks under the guise of cybercrime: North Korea long has employed that tactic, first with the Dark Seoul and other DDoS attacks on South Korea and the US that camouflaged actual data theft, and then with its brutal hack, doxing, and data-wiping attack on Sony in 2015. Its WannaCry ransomware campaign had the look-and-feel of a cybercriminal campaign until researchers started connecting the dots to known North Korean code. There was no data destruction element, however. "North Korea was actually trying to generate revenue with WannaCry," and not to destroy data, Meyers notes.

WannaCry, of course, weaponized EternalBlue, an NSA-built exploit that was stolen and leaked online, to spread wormlike among Windows machines around the world. "The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditized" such as EternalBlue, CrowdStrike's report says.

Nearly 40% of all attacks spotted by CrowdStrike last year didn't use malware. And CrowdStrike's incident response data shows that now it takes hackers less than two hours to move from patient zero to other machines in the victim's network.

"Based on observed incidents, CrowdStrike established that the average 'breakout time' in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network," the report says.

Related Content:



Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
Microsoft Report Details Different Forms of Cryptominers
Kelly Sheridan, Staff Editor, Dark Reading,  3/13/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.