Cyberwar Bulletin 1: Russia & Ukraine

Updated on Mar 10, 2022

For as long as there have been organizational assets exposed to the Internet, companies have absorbed varying levels of risk. The difference between managing your attack surface in a continuous, proactive way – and being the target of cyberwar tactics – is sometimes hard to delineate.

However, one delineation can be made: how do you know whether you are being targeted at random or purposefully, as part of something bigger? Only intelligence and valid insights can tell you that.

The Russia-Ukraine conflict has brought a new level of fear to most organizations in North America from a cybersecurity standpoint. Intelligence confirms that organizations have to be more aware, and certainly more vigilant, of potential attacks on their systems now that the political climate has been dramatically altered over the past two weeks.

Typically, government entities, public sector companies, critical infrastructure, healthcare, and financial institutions are all targeted repeatedly in many different ways by groups emanating from a multitude of geolocations and nation-state affiliations.

In this bulletin, Securin has performed real-time research on behalf of its customers, partners and followers to uncover data that can provide insights into new tools, techniques and signals around potential Russia-based attacks, which could ultimately serve as indicators worthy of assessment and analysis. We took a deep dive into our data to look at Russian threat actors’ cyber activities: their arsenal, their techniques, and the methods they use as they step up their targeting of Western companies.

Note: This is a developing story. Securin experts will continue their research and publish their analysis as and when new threat groups emerge.

Our research shows that, cumulatively, the four groups profiled below (Gamaredon, Nobelium, Wizard Spider and UNC1151) have been known to exploit unpatched instances of 35 unique vulnerabilities.

Securin has warned about 29 of the 35 APT vulnerabilities in its blogs, reports and PatchWatch sections.

30 of the 35 vulnerabilities are covered in CISA’s Known Exploited Vulnerabilities catalog, released as part of the Binding Operational Directive for federal agencies and public sector organizations.
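A defender reading this bulletin mostly wants to know which of these APT-linked CVEs are still open in their own estate and which of those CISA also lists in KEV. The script below is an added example, not Securin’s tooling: it takes the public-exploit CVE lists from the group profiles in this bulletin, a constructed excerpt in the shape of CISA’s KEV JSON feed (a "vulnerabilities" array of objects with a "cveID" field), and a constructed scanner export, and ranks open findings for patching. The KEV excerpt, the scanner findings and the host names are assumptions for illustration only.

```python
import json

# Public-exploit CVEs listed per group in this bulletin (taken from the page).
BULLETIN_CVES = {
    "Gamaredon": ["CVE-2017-11882", "CVE-2018-20250", "CVE-2017-0199"],
    "Nobelium": [
        "CVE-2009-3129", "CVE-2010-0232", "CVE-2013-0640", "CVE-2013-0641",
        "CVE-2014-1761", "CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653",
        "CVE-2019-17026", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609",
        "CVE-2019-9670", "CVE-2020-0674", "CVE-2020-14882", "CVE-2020-5902",
        "CVE-2021-1879", "CVE-2021-21972", "CVE-2021-26855", "CVE-2015-1641",
        "CVE-2016-7255",
    ],
    "Wizard Spider": [
        "CVE-2017-0144", "CVE-2020-1472", "CVE-2017-0143", "CVE-2017-0148",
        "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147",
    ],
}

# Constructed excerpt shaped like CISA's KEV feed ("vulnerabilities" list of
# objects with "cveID"). The real catalog is downloaded from CISA and is far larger.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-11882"}, {"cveID": "CVE-2017-0199"},
    {"cveID": "CVE-2021-26855"}, {"cveID": "CVE-2020-1472"},
    {"cveID": "CVE-2017-0144"},
]})

# Constructed scanner export: (host, cve) pairs still open. CVE-0000-0000 is a
# placeholder for a finding that no group in this bulletin is linked to.
SCAN_FINDINGS = [
    ("mail01", "CVE-2021-26855"), ("dc01", "CVE-2020-1472"),
    ("fs02", "CVE-2017-0144"), ("app04", "CVE-2019-7609"),
    ("web03", "CVE-0000-0000"),
]

def kev_ids(kev_json):
    """Return the set of CVE IDs present in a KEV-shaped JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}

def groups_for(cve):
    """Names of the bulletin's groups whose public-exploit list contains cve."""
    return sorted(g for g, cves in BULLETIN_CVES.items() if cve in cves)

def prioritize(findings, kev_json):
    """Tier 0: APT-linked and in KEV; tier 1: APT-linked only; tier 2: the rest."""
    kev = kev_ids(kev_json)
    rows = []
    for host, cve in findings:
        groups = groups_for(cve)
        tier = 0 if groups and cve in kev else 1 if groups else 2
        rows.append({"host": host, "cve": cve, "groups": groups,
                     "in_kev": cve in kev, "tier": tier})
    return sorted(rows, key=lambda r: (r["tier"], r["cve"]))
```

Swap the constructed KEV_JSON for the downloaded catalog and SCAN_FINDINGS for your scanner’s export to get a patch order that puts APT-linked, KEV-listed findings first.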

Gamaredon

Gamaredon is an Advanced Persistent Threat (APT) group that has been active since 2013. Also going by the names Primitive Bear, Armageddon, and seven other aliases, the Russia-origin threat group is known to target defense and law enforcement agencies, non-governmental organizations, power plants, water facilities, and government agencies, primarily in Ukraine.

The Gamaredon group has been observed deploying RMS (Remote Manipulator System), UltraVNC, Pterodo/Pteranodon, PowerShell, FileStealer, and USB stealers as part of its toolset for compromising networks. In November 2021, the Security Service of Ukraine (SSU) attributed conclusive links between Gamaredon and five individuals operating under the guidance of the Federal Security Service (FSB) in Moscow.

Gamaredon at a glance
  Vulnerabilities Associated: 4
  Vendors Affected: 2
  CVSS Severity: Critical 0, High 3, Medium 1
  Public Exploits Available: CVE-2017-11882, CVE-2018-20250, CVE-2017-0199

Nobelium

Nobelium is the infamous mastermind behind 2020’s SolarWinds attack that affected over 18,000 customers, including government and private agencies. Since the supply chain scare, the threat group has resurfaced in multiple campaigns, as called out by Securin. Operational since 2008, the group is referred to by 16 other names including APT29 and Cozy Bear.

The Nobelium group is also known to continually expand its attack arsenal, most recently adding two new backdoors – Tomiris and FoggyWeb – and two sophisticated malware families – GoldMax, a Linux variant, and TrailBlazer, a new implant.

Nobelium at a glance
  Vulnerabilities Associated: 23
  Vendors Affected: 13
  CVSS Severity: Critical 13, High 9, Medium 1
  Public Exploits Available: CVE-2009-3129, CVE-2010-0232, CVE-2013-0640, CVE-2013-0641, CVE-2014-1761, CVE-2018-13379, CVE-2019-11510, CVE-2019-1653, CVE-2019-17026, CVE-2019-19781, CVE-2019-2725, CVE-2019-7609, CVE-2019-9670, CVE-2020-0674, CVE-2020-14882, CVE-2020-5902, CVE-2021-1879, CVE-2021-21972, CVE-2021-26855, CVE-2015-1641, CVE-2016-7255

Wizard Spider

Wizard Spider is a Russia-based threat actor that began its operations in 2014. It also goes by the names Grim Spider and Gold Blackburn, among others, and is known as the operator behind two of the most notorious ransomware groups of recent times – Ryuk and Conti.

The Wizard Spider group prominently deploys malware tools such as TrickBot and BazarLoader in its attacks, with its primary targets being the defense, financial, government, health care and telecommunications sectors all over the world. Recently, the developers behind the TrickBot trojan moved to the Conti group to aid with further improvements to BazarLoader.

Wizard Spider at a glance
  Vulnerabilities Associated: 7
  Vendors Affected: 1
  CVSS Severity: Critical 1, High 5, Medium 1
  Public Exploits Available: CVE-2017-0144, CVE-2020-1472, CVE-2017-0143, CVE-2017-0148, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147

UNC1151 (GhostWriter)

The latest threat actor to join the bandwagon is UNC1151, an uncategorized group also believed to be behind the GhostWriter campaign. The group has been associated with several information operations since March 2017, aligned with Russian security interests.

The group is known to be deploying a backdoor as part of its campaign, the code for which is publicly available on GitHub. The backdoor is a variant of Micro backdoor, a C2 tool built to target Windows machines. Researchers warn that UNC1151 is an evolving group that is well positioned for more sophisticated and far-reaching campaigns with malicious intent.

UNC1151/GhostWriter at a glance
  Vulnerabilities Associated: 1
  Vendors Affected: 1
  CVSS Severity: Critical 0, High 1, Medium 0
  Public Exploits Available: NA

Vulnerabilities Associated with Russian Threats

Early Warning

Of the 35 vulnerabilities, Securin’s experts had predicted a high probability of exploitation for 33 well before the surge in activity of the associated APT groups in relation to the Russia-Ukraine cyber war.

Here is a look into the early warnings based on Securin’s research.

Amidst the cyber war fears, the Senate, on March 03, 2022, passed major cybersecurity legislation mandating that critical infrastructure owners and civilian federal agencies report cyberattacks and ransomware payments to CISA within 72 hours and 24 hours of occurrence, respectively. The major push behind this legislation is the fear of retaliatory cyber attacks by Russian entities in response to technology sanctions imposed by the United States and Europe.

In 2021, the US faced increasing attacks on essential industries such as oil and gas, the food supply chain, water supply, and healthcare. The repercussions of these attacks were devastating, directly affecting ordinary people.

Indicators of Compromise to Watch Out For

Check out the next blog in this series where we delve deep into Ransomware threats in this cyberwar. This is a developing story. Stay tuned to this page for more updates.

Are American companies and public sector departments patched against these vulnerabilities? Talk with our experts to check your attack surface and strengthen your cybersecurity posture.
