Attackers Allegedly Target Russian Federal Networks

Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russian Federal Executive Authorities Hit by Cyberattacks in 2020

Attackers Allegedly Target Russian Federal Networks

An unidentified nation-state hacking group targeted several Russian federal agencies as part of part of a cyberespionage campaign that compromised the country’s federal networks to steal sensitive data, according to a report released by Russian security firm Solar JSOC.

See Also: The Anatomy of the Solarwinds Attack

The report was compiled with Russia’s National Coordination Center for Computer Incidents, the agency responsible for Russian Federation governmental networks; it notes that the hackers deployed two previously unknown malware variants that used Russian cloud hosting services for the campaign.

The hackers then sought to steal confidential information, including documents and email correspondence of key federal executive authorities, the report notes.

The report hasn’t identified the threat group, but notes it is a state-sponsored entity. “The level of attackers (the technologies and mechanisms used, the speed and quality of the work they have done) makes it possible to qualify them as cyber mercenaries pursuing the interests of a foreign state,” the report notes. “Such attackers could stay inside the infrastructure for a long time and not give themselves away.”

Russia’s National Coordination Center for Computer Incidents and Solar JSOC did not respond to requests for comments from Information Security Media Group seeking more information on the attackers, and ISMG has been unable to independently verify the contents of the report.

Attack Vectors

The attacks, which were identified in 2020, used three main attack vectors to spread the malware, the report adds. These include:

  • Phishing: The attackers used details regarding the internal activities of the federal agencies as well as news-related to COVID-19 as the theme of their phishing message. These emails contained malicious attachments, which when opened downloaded the malware to the devices.
  • Exploiting web applications: The report notes the attackers also exploited vulnerabilities on web applications that are available on the Internet.
  • Targeting contractors: In addition to phishing and vulnerability exploitation, the attackers compromised infrastructure of federal contractors to gain access to government infrastructure. This could potentially have been achieved by collecting publicly available information from Tender sites and published press releases, the report adds.

The attackers would then be able to compromise the third-party infrastructure to gain access to the federal networks, as employees of the contractors often have high privileges and direct access to their customers, the report adds.

“After a complete compromise of the infrastructure, the attackers began to collect confidential information from all sources of interest: from mail servers, electronic document management servers, file servers and workstations of managers of various levels,” the report notes.

“At the stage of preparation for attacks on federal executive authorities, the cybercriminals learned well the features of the functioning and aspects of administrative work with the antivirus manufactured by Kaspersky Lab,” the report notes. “As part of the development of the attacks, they discreetly disabled antivirus software, and also used its legitimate components to collect additional information about the attacked infrastructure.”

The report echoes the criticism of Russian spying made by Western governments, right down to exploitation of Kaspersky product capabilities for state spying reported in 2015 that led to signing in 2017 of a ban on use of Kaspersky services in the US government. (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software ).

Kaspersky did not immediately respond to a request for comment from Information Security Media Group seeking more information on the activities of the threat actors.

Malware Analysis

Solar JSOC notes the hackers used previously unknown malware in the campaign. This malware dubbed Mail-O and Webdav-O used cloud storage services provided by Russian internet product-related companies Yandex and Mail.ru Group, according to the report.

“Mail-O is a downloader program that accesses the Mail.ru Cloud associated with the account embedded in the sample. All communication takes place using the Mail.ru Cloud API,” the report notes. “Webdav-O is another malware that has never been described before. Like Mail-O, it communicates with the management server via the Yandex.Disk cloud.”

The malware then performs pre-defined commands including uploading and downloading files to Yandex.Disk, communicating with the command and control servers at intermittently, setting “sleep” time for the malware and shutting down its operation,” the report adds.