Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:00 PM
Connect Directly

Nation-State Hackers Adopt Russian 'Maskirovka' Strategy

New CrowdStrike report shows blurring of state-sponsored and cybercrime hacking methods.

A wave of surprising twists in both nation-state and cybercrime-related cyberattacks in the past year, along with increasing overlap in their tools and tactics, has ushered in a new era where all is not what it seems.

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea's massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia's data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called "maskirovka," which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. "Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment," the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia's top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine's Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

The security research community for some time had suspected Russia behind the attacks, but the "Five Eyes" nations all calling out Russia comes with potential wide political and diplomatic ramifications. "When we were in the heat of investigating of NotPetya, a lot of people were talking 'is this an act of war?' NATO talked about Article 5. We are in uncharted territory," says Adam Meyers, vice president of intelligence at CrowdStrike. "We don't know what the next steps are," he says, with both ID'ing Russia and the ongoing Mueller investigation into Russian election-meddling and the Trump campaign's interactions with Russia.

According to reporting this week by The Washington Post, US intelligence officials said Russia's GRU military hacking unit was behind cyberattacks on the 2018 Winter Olympics network, attempting to appear as attackers out of North Korea, using North Korean IP addresses and other false flags. The GRU hackers had infiltrated some 300 computers tied to the Olympics, according to the report. Some researchers initially ID'ed North Korea as the culprit, while others dismissed that theory.

"We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes," say John Hultquist, director of intelligence analysis at FireEye, which earlier this year predicted a Russian attack on the Games that would be staged to appear as the handiwork of another nation, such as North Korea. "Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28."


But NotPetya was a gamechanger, with Russian threat actors posing as ransomware attackers looking to make some cash. NotPetya ultimately had no decryption key, and destroyed kidnapped files.

"The fact they're doing it using ransomware as a cover … effectively gives nation-states the ability to create destructive attacks that are not attributable," CrowdStrike's Meyers says.

The Russian attackers behind NotPetya made a serious attempt to hide their origins and intent, he says. "There was a ransom note, but no way to recover the data," he says. It became clearer of their actual targets when the infections were traced to a popular Ukrainian accounting software program. The non-Ukrainian victims were basically collateral damage, but with a catch: "Any organization doing business with Ukraine that may have been impacted would be thinking twice about" that relationship after the attacks, he says.

Russia of course is not the only nation-state waging destructive attacks under the guise of cybercrime: North Korea long has employed that tactic, first with the Dark Seoul and other DDoS attacks on South Korea and the US that camouflaged actual data theft, and then with its brutal hack, doxing, and data-wiping attack on Sony in 2015. Its WannaCry ransomware campaign had the look-and-feel of a cybercriminal campaign until researchers started connecting the dots to known North Korean code. There was no data destruction element, however. "North Korea was actually trying to generate revenue with WannaCry," and not to destroy data, Meyers notes.

WannaCry, of course, weaponized EternalBlue, an NSA-built exploit that was stolen and leaked online, to spread wormlike among Windows machines around the world. "The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditized" such as EternalBlue, CrowdStrike's report says.

Nearly 40% of all attacks spotted by CrowdStrike last year didn't use malware. And CrowdStrike's incident response data shows that now it takes hackers less than two hours to move from patient zero to other machines in the victim's network.

"Based on observed incidents, CrowdStrike established that the average 'breakout time' in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network," the report says.

Related Content:



Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I feel safe, but I can't understand a word he's saying."
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same add...
PUBLISHED: 2020-03-30
An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a pa...
PUBLISHED: 2020-03-30
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your applicati...