Threat Intelligence

2/27/2018
10:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Nation-State Hackers Adopt Russian 'Maskirovka' Strategy

New CrowdStrike report shows blurring of state-sponsored and cybercrime hacking methods.

A wave of surprising twists in both nation-state and cybercrime-related cyberattacks in the past year, along with increasing overlap in their tools and tactics, has ushered in a new era where all is not what it seems.

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea's massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia's data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called "maskirovka," which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. "Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment," the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia's top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine's Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

The security research community for some time had suspected Russia behind the attacks, but the "Five Eyes" nations all calling out Russia comes with potential wide political and diplomatic ramifications. "When we were in the heat of investigating of NotPetya, a lot of people were talking 'is this an act of war?' NATO talked about Article 5. We are in uncharted territory," says Adam Meyers, vice president of intelligence at CrowdStrike. "We don't know what the next steps are," he says, with both ID'ing Russia and the ongoing Mueller investigation into Russian election-meddling and the Trump campaign's interactions with Russia.

According to reporting this week by The Washington Post, US intelligence officials said Russia's GRU military hacking unit was behind cyberattacks on the 2018 Winter Olympics network, attempting to appear as attackers out of North Korea, using North Korean IP addresses and other false flags. The GRU hackers had infiltrated some 300 computers tied to the Olympics, according to the report. Some researchers initially ID'ed North Korea as the culprit, while others dismissed that theory.

"We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes," say John Hultquist, director of intelligence analysis at FireEye, which earlier this year predicted a Russian attack on the Games that would be staged to appear as the handiwork of another nation, such as North Korea. "Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28."

Destruction

But NotPetya was a gamechanger, with Russian threat actors posing as ransomware attackers looking to make some cash. NotPetya ultimately had no decryption key, and destroyed kidnapped files.

"The fact they're doing it using ransomware as a cover … effectively gives nation-states the ability to create destructive attacks that are not attributable," CrowdStrike's Meyers says.

The Russian attackers behind NotPetya made a serious attempt to hide their origins and intent, he says. "There was a ransom note, but no way to recover the data," he says. It became clearer of their actual targets when the infections were traced to a popular Ukrainian accounting software program. The non-Ukrainian victims were basically collateral damage, but with a catch: "Any organization doing business with Ukraine that may have been impacted would be thinking twice about" that relationship after the attacks, he says.

Russia of course is not the only nation-state waging destructive attacks under the guise of cybercrime: North Korea long has employed that tactic, first with the Dark Seoul and other DDoS attacks on South Korea and the US that camouflaged actual data theft, and then with its brutal hack, doxing, and data-wiping attack on Sony in 2015. Its WannaCry ransomware campaign had the look-and-feel of a cybercriminal campaign until researchers started connecting the dots to known North Korean code. There was no data destruction element, however. "North Korea was actually trying to generate revenue with WannaCry," and not to destroy data, Meyers notes.

WannaCry, of course, weaponized EternalBlue, an NSA-built exploit that was stolen and leaked online, to spread wormlike among Windows machines around the world. "The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditized" such as EternalBlue, CrowdStrike's report says.

Nearly 40% of all attacks spotted by CrowdStrike last year didn't use malware. And CrowdStrike's incident response data shows that now it takes hackers less than two hours to move from patient zero to other machines in the victim's network.

"Based on observed incidents, CrowdStrike established that the average 'breakout time' in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network," the report says.

Related Content:

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20168
PUBLISHED: 2018-12-17
Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which allows attackers to cause a denial of service ("physical address not valid" panic) via a crafted application.
CVE-2018-20167
PUBLISHED: 2018-12-17
Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used. A popmedia control sequence can allow the malicious execution of executable file formats registered in the X desktop share MIME typ...
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.