
Russian hacking groups are switching tactics: Here’s what to watch out for

Spear phishing appears to be the new weapon of choice for state-backed Russian threat groups, along with a proliferation of malware tools.

David Hollingworth
Fri, 24 May 2024

Security researchers have observed a raft of Russian hacking groups changing their tactics, techniques, and procedures over the last year, while casting a wider net in their search for targets.

Threat intelligence platform Flashpoint has observed Russian groups moving away from deploying wiper malware – designed to corrupt or even completely delete data on a targeted system. Wipers were popular among Russian hacking groups at the outset of the war in Ukraine in 2022, but the Ukrainian Computer Emergency Response Team (CERT) saw things start to change around the end of 2023.

Since then, Ukraine’s CERT has responded to more than 1,700 phishing attacks, mostly designed to spread malware and steal credentials to cause further mischief.


Even extortion is now on the cards for Russia’s cyber warriors.

However, despite using different strains of malware in their attacks, the attack chains of Russian threat actors were similar across many of the groups tracked.

“The most common method for infecting victims is by delivering HTML-based droppers that are often packaged in compressed archive or disk image files,” Flashpoint said in a blog post.

“State-sponsored groups such as APT29 persistently leverage HTML attachments to phishing emails that execute the JavaScript-based dropper ROOTSAW. When the HTML file is executed, the victim is presented with a lure while the malicious code executes. The purpose of this is to retrieve and execute a second-stage payload.”

Where other actors use HTML file attachments, APT29 – also known as Cozy Bear – uses the WINELOADER backdoor delivered via a .HTA file. Several other Russian threat actors appear to be following suit.
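The delivery pattern described above (an HTML or HTA dropper, often wrapped in an archive, that shows a lure while script fetches a second stage) is something a mail gateway or analyst can triage mechanically. The following is an added example written for this article, not code from Flashpoint or from any of the groups named; it parses a constructed sample e-mail, flags script-capable attachments directly attached or inside a ZIP, and scores each one against a small set of assumed dropper heuristics (script tags, base64 decoding, in-browser blob creation). The marker list, file names and addresses are all constructed for the demonstration.

```python
"""Triage an e-mail for HTML/HTA dropper attachments, directly attached or
packaged inside a ZIP. Added example with a constructed sample message."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types a mail client will hand to a browser or mshta, so script can run.
SCRIPT_EXTS = (".html", ".htm", ".hta")
# Containers the article says are used to wrap droppers (archives, disk images).
ARCHIVE_EXTS = (".zip", ".iso", ".img", ".vhd", ".rar", ".7z")
# Assumed heuristics for a self-decoding HTML dropper; tune to your own telemetry.
DROPPER_MARKERS = {
    "script-tag": re.compile(rb"<script", re.I),
    "atob": re.compile(rb"\batob\s*\(", re.I),
    "blob": re.compile(rb"new\s+Blob\s*\(", re.I),
    "object-url": re.compile(rb"createObjectURL\s*\(", re.I),
    "ie-save-blob": re.compile(rb"msSaveOrOpenBlob", re.I),
}


def score_html(blob: bytes) -> list[str]:
    """Return the names of the dropper markers present in an HTML/HTA body."""
    return [name for name, rx in DROPPER_MARKERS.items() if rx.search(blob)]


def inspect_zip(blob: bytes) -> list[tuple[str, list[str]]]:
    """List script-capable members inside a ZIP and score each one."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_EXTS):
                hits.append((info.filename, score_html(zf.read(info))))
    return hits


def triage_message(raw: bytes) -> list[dict]:
    """Walk every attachment of a raw RFC 822 message and report findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(SCRIPT_EXTS):
            findings.append({"attachment": name, "kind": "script-capable file",
                             "markers": score_html(data)})
        elif name.endswith(".zip"):
            for member, markers in inspect_zip(data):
                findings.append({"attachment": f"{name}!{member}",
                                 "kind": "script-capable file inside archive",
                                 "markers": markers})
        elif name.endswith(ARCHIVE_EXTS):
            # Disk images need a dedicated parser; surface them for manual review.
            findings.append({"attachment": name, "kind": "container needs review",
                             "markers": []})
    return findings


def build_sample() -> bytes:
    """Construct a test message: a ZIP holding a lure HTML plus a harmless text file."""
    lure = (b"<html><body>Invoice loading...<script>"
            b"var b=new Blob([atob('AAAA')]);var u=URL.createObjectURL(b);"
            b"</script></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", lure)
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed address
    msg["To"] = "analyst@example.test"       # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("plain text", subtype="plain", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Run as-is to see the one finding for the constructed message, or feed `triage_message()` a real `.eml` read in binary mode. The heuristics are deliberately coarse: the useful signal for this delivery pattern is a script-capable file arriving inside a container at all, and the marker names are there to prioritise review rather than to make a verdict.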

However, while APT29 continues to prefer a range of custom payloads, others are turning to off-the-shelf solutions bought from “illicit marketplaces”.

“These tools are used by other cyber crime actors. Throughout 2023, the most popular malware leveraged by Russian threat actors had been freely available for purchase,” Flashpoint said.

“Even advanced espionage actors such as APT44 have conducted campaigns leveraging Sandworm malware since the start of 2023.”

Beyond custom or turn-key malware solutions, Russian hackers have also been using compromised websites to hide their attack infrastructure, particularly WordPress sites. An entire botnet of machines used by APT28 – aka Fancy Bear – was disrupted by the US Department of Justice earlier this year.

APT28 has also been seen using NTLMv2 hash relay attacks to deliver a PowerShell or VBS script to their targets.

At the same time, Russian threat actors have broadened their horizons in terms of targets. Attacks now hit victims far from Ukraine’s borders and even outside the European Union: North American entities are now a particular specialty of Storm-097, while Poland and other NATO countries are also popular targets.

“As the Ukraine-Russian War continues, Russian APT groups are continuously adapting their TTPs and malware,” Flashpoint said.

“Many groups share delivery techniques, indicating possible collaboration between members. In addition, the use of paid tools instead of custom payloads suggests that many of these illegal campaigns have proved to be successful.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
