Threat Intelligence

2/27/2018
10:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Nation-State Hackers Adopt Russian 'Maskirovka' Strategy

New CrowdStrike report shows blurring of state-sponsored and cybercrime hacking methods.

A wave of surprising twists in both nation-state and cybercrime-related cyberattacks in the past year, along with increasing overlap in their tools and tactics, has ushered in a new era where all is not what it seems.

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea's massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia's data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called "maskirovka," which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. "Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment," the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia's top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine's Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

The security research community for some time had suspected Russia behind the attacks, but the "Five Eyes" nations all calling out Russia comes with potential wide political and diplomatic ramifications. "When we were in the heat of investigating of NotPetya, a lot of people were talking 'is this an act of war?' NATO talked about Article 5. We are in uncharted territory," says Adam Meyers, vice president of intelligence at CrowdStrike. "We don't know what the next steps are," he says, with both ID'ing Russia and the ongoing Mueller investigation into Russian election-meddling and the Trump campaign's interactions with Russia.

According to reporting this week by The Washington Post, US intelligence officials said Russia's GRU military hacking unit was behind cyberattacks on the 2018 Winter Olympics network, attempting to appear as attackers out of North Korea, using North Korean IP addresses and other false flags. The GRU hackers had infiltrated some 300 computers tied to the Olympics, according to the report. Some researchers initially ID'ed North Korea as the culprit, while others dismissed that theory.

"We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes," say John Hultquist, director of intelligence analysis at FireEye, which earlier this year predicted a Russian attack on the Games that would be staged to appear as the handiwork of another nation, such as North Korea. "Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28."

Destruction

But NotPetya was a gamechanger, with Russian threat actors posing as ransomware attackers looking to make some cash. NotPetya ultimately had no decryption key, and destroyed kidnapped files.

"The fact they're doing it using ransomware as a cover … effectively gives nation-states the ability to create destructive attacks that are not attributable," CrowdStrike's Meyers says.

The Russian attackers behind NotPetya made a serious attempt to hide their origins and intent, he says. "There was a ransom note, but no way to recover the data," he says. It became clearer of their actual targets when the infections were traced to a popular Ukrainian accounting software program. The non-Ukrainian victims were basically collateral damage, but with a catch: "Any organization doing business with Ukraine that may have been impacted would be thinking twice about" that relationship after the attacks, he says.

Russia of course is not the only nation-state waging destructive attacks under the guise of cybercrime: North Korea long has employed that tactic, first with the Dark Seoul and other DDoS attacks on South Korea and the US that camouflaged actual data theft, and then with its brutal hack, doxing, and data-wiping attack on Sony in 2015. Its WannaCry ransomware campaign had the look-and-feel of a cybercriminal campaign until researchers started connecting the dots to known North Korean code. There was no data destruction element, however. "North Korea was actually trying to generate revenue with WannaCry," and not to destroy data, Meyers notes.

WannaCry, of course, weaponized EternalBlue, an NSA-built exploit that was stolen and leaked online, to spread wormlike among Windows machines around the world. "The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditized" such as EternalBlue, CrowdStrike's report says.

Nearly 40% of all attacks spotted by CrowdStrike last year didn't use malware. And CrowdStrike's incident response data shows that now it takes hackers less than two hours to move from patient zero to other machines in the victim's network.

"Based on observed incidents, CrowdStrike established that the average 'breakout time' in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network," the report says.

Related Content:

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.