Russia-affiliated threat actors have compromised systems belonging to multiple organizations in the US, the UK, France, and other countries and are using them to launch attacks against targets in Ukraine.

Among those whose networks the threat actors have hijacked are at least 15 healthcare organizations, one Fortune 500 company, and one dam-monitoring system, according to a study by threat intelligence and cyber-deception company Lupovis published Dec. 6.

"Russian criminals are rerouting through their networks to launch cyberattacks on Ukrainian [organizations], which effectively means they are using these organizations to carry out their dirty work," Lupovis warned in its report.

Lupovis recently deployed a set of decoy documents, Web portals, and SSH services on the Internet as part of an effort to study Russian threat activity targeting Ukrainian entities. The goal was to find out the extent to which Russia's war in Ukraine had spilled over into the cyber realm, like many predicted it would.

Ukraine-Themed Decoys

The company designed the decoys in a manner as to entice Russian actors looking to compromise Ukrainian targets. For instance, Lupovis labeled decoy documents with names related to Ukrainian government officials and the country's Critical National Infrastructure, and its decoy websites spoofed Ukrainian government and political sites. The decoy documents contained information that adversaries would consider useful, such as usernames, passwords, and addresses to purportedly critical assets and databases on the decoy websites. The company deliberately leaked some of these fake documents in key Dark Web forums.

Lupovis managed to attract three types of adversaries to its decoy sites. One set comprised of opportunistic attackers, or those constantly scanning the Internet for exploitable CVEs and systems. This was a category of threat actor that Lupovis ignored for the purposes of its study. The second category of adversary was comprised of threat actors who landed directly on the decoy sites without following the breadcrumbs that Lupovis had planted on the Dark Web forums. The third set of threat actors were mostly Russia-based adversaries who took the bait, extracted information from the decoy documents, and used it to attack the decoy websites.

In all, between 50 and 60 attackers landed on each of the two decoy sites Lupovis has set up — some of them just minutes after the sites went live. Once on the sites, the attackers carried out a variety of malicious activities, including SQL injection attacks, remote file inclusion tactics, and Docker exploitation attempts. In many cases, threat actors on the decoy sites attempted to make them part of bigger DDoS botnets or to use them to launch attacks against other Ukrainian websites.

The largest group of attackers were independent actors, says Xavier Bellekens, CEO of Lupovis. They often appeared to be acting alone and were part of communities on Telegram, he says. "Some actors were more advanced in their techniques, tactics, and procedures. However, we haven’t yet been able to correlate them against known Russian APTs." 

The primary motivations in many of these attacks appeared to be information stealing, disruption, and using the decoy websites to launch attacks against other Ukrainian targets, he notes.

Going After Healthcare

One of the most disconcerting aspects that researchers at Lupovis observed was the number of attacks on its decoys from other, previously compromised websites and systems belonging to healthcare organizations and entities in other industry sectors, from multiple countries. 

Bellekens says Lupovis was unable to identify the specific groups that were carrying out these attacks, or if any of them were previously known Russian advanced persistent threat groups. "We identified them as Russian if they used scripts containing Cyrillic, tried to access Russian websites, [or] looked for specific information in Cyrillic," he says. "A large number of these adversaries tried to exploit the decoys further to launch attacks against Ukrainian entities."

Lupovis' findings suggests that fears earlier this year about Russian cyberattacks in Ukraine impacting organizations in other countries were correct. "Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target," according to the report.

Concerns over such attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory earlier this year urging both government and private organizations to assume a Shields Up posture for detecting and responding to attacks from Russian cyber groups. The advisory followed remarks by President Joe Biden regarding the US government's willingness to respond in kind to any attempt by Russia to attack the US in cyberspace or through other asymmetric means.