Nation-State Hackers Adopt Russian Maskirovka Strategy

  /     /     /  
Publicated : 22/11/2024   Category : security


Nation-State Hackers Adopt Russian Maskirovka Strategy


New CrowdStrike report shows blurring of state-sponsored and cybercrime hacking methods.



A wave of surprising twists in both nation-state and cybercrime-related cyberattacks in the past year, along with increasing overlap in their tools and tactics, has ushered in a new era where all is not what it seems.
Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Koreas massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russias data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.
The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called maskirovka, which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment, the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.
The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russias top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraines Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.
The security research community for some time had suspected Russia behind the attacks, but the Five Eyes nations all calling out Russia comes with potential wide political and diplomatic ramifications. When we were in the heat of investigating of NotPetya, a lot of people were talking is this an act of war? NATO talked about Article 5. We are in uncharted territory, says Adam Meyers, vice president of intelligence at CrowdStrike. We dont know what the next steps are, he says, with both IDing Russia and the ongoing Mueller investigation into Russian election-meddling and the Trump campaigns interactions with Russia.
According to
reporting this week by The Washington Post
, US intelligence officials said Russias GRU military hacking unit was behind cyberattacks on the 2018 Winter Olympics network, attempting to appear as attackers out of North Korea, using North Korean IP addresses and other false flags. The GRU hackers had infiltrated some 300 computers tied to the Olympics, according to the report. Some researchers initially IDed North Korea as the culprit, while others dismissed that theory.
We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes, say John Hultquist, director of intelligence analysis at FireEye, which earlier this year predicted a Russian attack on the Games that would be staged to appear as the handiwork of another nation, such as North Korea. Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28.
Destruction
But NotPetya was a gamechanger, with Russian threat actors posing as ransomware attackers looking to make some cash. NotPetya ultimately had no decryption key, and destroyed kidnapped files.
The fact theyre doing it using ransomware as a cover … effectively gives nation-states the ability to create destructive attacks that are not attributable, CrowdStrikes Meyers says.
The Russian attackers behind NotPetya made a serious attempt to hide their origins and intent, he says. There was a ransom note, but no way to recover the data, he says. It became clearer of their actual targets when the infections were traced to a popular Ukrainian accounting software program. The non-Ukrainian victims were basically collateral damage, but with a catch: Any organization doing business with Ukraine that may have been impacted would be thinking twice about that relationship after the attacks, he says.
Russia of course is not the only nation-state waging destructive attacks under the guise of cybercrime: North Korea long has employed that tactic, first with the Dark Seoul and other DDoS attacks on South Korea and the US that camouflaged actual data theft, and then with its brutal hack, doxing, and data-wiping attack on Sony in 2015. Its WannaCry ransomware campaign had the look-and-feel of a cybercriminal campaign until researchers started connecting the dots to known North Korean code. There was no data destruction element, however. North Korea was actually trying to generate revenue with WannaCry, and not to destroy data, Meyers notes.
WannaCry, of course, weaponized EternalBlue, an NSA-built exploit that was stolen and leaked online, to spread wormlike among Windows machines around the world. The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditized such as EternalBlue,
CrowdStrikes report
says.
Nearly 40% of all attacks spotted by CrowdStrike last year didnt use malware. And CrowdStrikes incident response data shows that now it takes hackers less than two hours to move from patient zero to other machines in the victims network.
Based on observed incidents, CrowdStrike established that the average breakout time in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network, the report says.
Related Content:
White House: Russian Military Behind NotPetya Attacks
Cyberattack Aimed to Disrupt Opening of Winter Olympics
8 Nation-State Hacking Groups to Watch in 2018
WannaCry? You’re Not Alone: The 5 Stages of Security Grief
 
 
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the
conference
 and
to register.

Last News

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Nation-State Hackers Adopt Russian Maskirovka Strategy