Russian Cyber Espionage Under The Microscope

Published: 22/11/2024   Category: security




New report shows level of coordination and strategy by three main groups of cyberspies out of Russia.



A study of published intelligence on three major malware families used in Russia's cyber espionage operations shows a highly coordinated, targeted, and stealthy strategy.
Researchers at Recorded Future studied Uroburous, Energetic Bear, and APT28, three main malware families out of Russia being used for cyberspying. In a report scheduled for publication today, Recorded Future analyzed intelligence on the operations from public reports by various security vendor research teams and found, among other things, that the three attack groups don't operate in a vacuum. For one thing, they appear to avoid hitting the same targets: "There's very little cohabitation of the [three] malware families," says Christopher Ahlberg, CEO and co-founder of Recorded Future. "It seems to indicate some level of tactical and organizational coordination."
Russia mostly has been known for its notorious cybercrime underground, but its cyber espionage activity over the past year has come into sharper focus after a wave of publicized targeted cyberspying campaigns. China, meanwhile, has been spotted operating pervasive cyber espionage to pilfer intellectual property.
"China has economic objectives," Ahlberg says. "Russia wants to show the world they are strong politically. Energy is incredibly important to them [as well]… They also want to sell gas to Western Europe and oil to other nations," he says.
"There's more of a focus on commodity markets and geopolitical interests," he notes.
Uroburous, Energetic Bear, and APT28 use their own attack vectors, exploits and vulnerabilities, and toolkits. Each also appears to have a different objective, according to Recorded Future's analysis.
Uroburous -- the name used by G Data Software AG -- is also known as Epic Turla by Kaspersky Lab, Snake by BAE Systems, and SnakeNet, and has been around since at least 2008. Its main targets: governments, embassies, the defense industry, research and education, and the pharmaceutical industry. The initial attack vector is either spear-phishing emails or watering-hole attacks via phony Flash Player updates.
The spear phish typically comes with an attachment containing an executable RAR SFX (self-extracting archive) that holds the malware, which is then extracted and installed on the victim's machine.
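The RAR SFX delivery pattern described above is easy to spot on the mail gateway, because a self-extracting archive is just a Windows PE stub with the RAR archive appended to it. The following triage routine is an added example written for this page; it is not code from the article or from Recorded Future. The `MZ` marker and the RAR v4/v5 signatures are documented format constants; every sample blob and filename in the block is constructed.

```python
"""Triage e-mail attachments for the RAR SFX executable pattern.

Added example (not from the article or any vendor report). The PE "MZ"
marker and the RAR v4/v5 archive signatures are documented format
constants; every sample blob and filename below is constructed.
"""
import re

PE_MAGIC = b"MZ"                      # start of every Windows PE executable
RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive signature

# Extensions under which a PE executable is expected; a PE under any other
# name is a mismatch worth flagging on its own.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".dll", ".pif")
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif)$")


def is_rar_sfx(data: bytes) -> bool:
    """A RAR self-extracting archive is a PE stub with the archive appended,
    so the file starts with MZ and carries a RAR signature later on."""
    if not data.startswith(PE_MAGIC):
        return False
    return RAR4_SIG in data or RAR5_SIG in data


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the findings for one attachment (an empty list means nothing matched)."""
    findings = []
    name = filename.lower()
    if is_rar_sfx(data):
        findings.append("rar-sfx-executable")
    if data.startswith(PE_MAGIC) and not name.endswith(EXECUTABLE_EXTENSIONS):
        findings.append("pe-with-misleading-extension")
    if DOUBLE_EXT_RE.search(name):
        findings.append("double-extension")
    return findings


def build_sfx_blob() -> bytes:
    """Constructed stand-in for an SFX archive: PE stub bytes, then a RAR header."""
    stub = PE_MAGIC + b"\x90" * 64 + b"This program cannot be run in DOS mode.\r\n"
    return stub + b"\x00" * 32 + RAR4_SIG + b"\x00" * 16


if __name__ == "__main__":
    samples = {  # constructed attachments, not real files
        "Report.pdf.exe": build_sfx_blob(),
        "archive.rar": RAR4_SIG + b"\x00" * 64,   # plain archive, not an executable
        "setup.exe": PE_MAGIC + b"\x00" * 64,      # plain PE, no embedded archive
        "notes.txt": b"just text",
    }
    for name, blob in samples.items():
        print(f"{name:16} {triage_attachment(name, blob) or 'clean'}")
```

A plain `.rar` archive never trips `is_rar_sfx`, because it has no PE stub in front; the check is specifically for the executable wrapper that runs on double-click. In a real gateway the same logic would be applied after unpacking any outer ZIP, since the SFX is often nested one level down.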
Energetic Bear, the name CrowdStrike has given the attack group, is also known as Crouching Yeti by Kaspersky, Koala Team by iSIGHT Partners, and Dragonfly by Symantec. This group focuses on aviation, defense, energy, industrial control systems (ICS), and petroleum pipeline operators. Spear phishing and watering-hole attacks are also its initial vectors.
Its main goal is to remain inside its target's network for the long term. "This may be the work of a military group pre-positioning itself for a computer network attack as a tool to fulfill military or political goals. Parallels can be drawn between Energetic Bear and Stuxnet in terms of its victimology and focus on ICS equipment," Recorded Future says in its report.
APT28, as it's known by FireEye/Mandiant, is also called Tsar Team by iSIGHT Partners, Sednit by Eset, Fancy Bear by CrowdStrike, and Operation Pawn Storm by Trend Micro. This attack group goes after NATO, Eastern European government and military agencies, defense, and Russian adversaries, the report notes.
FireEye/Mandiant late last month identified the attackers as Russian government-backed. The attackers infamously use targeted phishing attacks against Outlook Web Access users via typo-squatted domains associated with the defense industry.
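Typo-squatted domains of the kind mentioned above are something a defender can watch for in proxy and mail logs, or in newly registered domain feeds, by comparing each observed name with the organisation's own domains. The block below is an added example written for this page, not code from the article or from any vendor named in it. The protected and observed domain names are constructed; the homoglyph table is a small illustrative subset, and the registrable-domain helper assumes a single-label public suffix (it does not handle suffixes such as co.uk).

```python
"""Flag domains that look like a protected domain (typo-squat / lookalike check).

Added example, not from the article or any vendor. The protected and
observed domain names below are constructed; the homoglyph table is a
small illustrative subset, not a complete one.
"""

# Character swaps commonly used to imitate a name. Both sides are normalised
# with this table before comparing, so "c0ntoso" and "contoso" collapse together.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_label(label: str) -> str:
    for lookalike, real in HOMOGLYPHS.items():
        label = label.replace(lookalike, real)
    return label


def registrable(domain: str) -> str:
    """Last two labels of a host name.
    Assumption: no multi-label public suffixes such as co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) via the rolling-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(observed: str, protected: str):
    """None when the observed host belongs to the protected domain itself;
    otherwise the edit distance between the normalised second-level labels
    (0 means same name under a different TLD)."""
    obs, prot = registrable(observed), registrable(protected)
    if obs == prot:
        return None
    obs_sld, prot_sld = obs.split(".")[0], prot.split(".")[0]
    return levenshtein(normalize_label(obs_sld), normalize_label(prot_sld))


def flag_lookalikes(observed_hosts, protected_domains, max_distance=2):
    """Return (host, protected_domain, distance) for every close-but-different match."""
    alerts = []
    for host in observed_hosts:
        for prot in protected_domains:
            d = lookalike_distance(host, prot)
            if d is not None and d <= max_distance:
                alerts.append((host, prot, d))
    return alerts


if __name__ == "__main__":
    protected = ["contoso-defense.com"]      # constructed: the organisation's own domain
    seen = [                                 # constructed: hosts seen in proxy/mail logs
        "owa.contoso-defense.com",           # legitimate webmail host
        "contoso-defence.com",               # one-letter swap
        "c0ntoso-defense.com",               # digit for letter
        "contoso-defense.net",               # TLD swap
        "example.org",                       # unrelated
    ]
    for host, prot, d in flag_lookalikes(seen, protected):
        print(f"ALERT {host} resembles {prot} (distance {d})")
```

Distance 0 after normalisation is the strongest signal (a digit-for-letter or TLD swap of the exact name); distance 1 or 2 catches single-letter swaps and transpositions. Raising `max_distance` beyond 2 quickly produces noise for short names, so it is better to keep the threshold low and extend the homoglyph table instead.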
According to the Recorded Future report:
From espionage, cyber warfare, and tracking regional geopolitical foes, Russia continues to build a cyber capability with the potential to impact organizations worldwide. The scope of Russian cyber operations has only recently been discovered by cybersecurity firms. In contrast, Chinese cyber operations have been known for over a decade due to their sloppy operational procedures and direct attribution. Russia, however, continues to lead the way in stealthier malware and operations, making their efforts harder to identify and analyze. Although these intrusions have been identified and are widely attributed to Russia’s government, there are several others whose attribution to the Russian Federation is less clear, like MiniDuke, CosmicDuke, BlackEnergy Bot, SandWorm, and Quedagh.
