Russia’s latest global cyberthreats fuel tensions over Ukraine, reveals Zero Day Live from Stealthcare
December 2018 by Jeremy Samide, CEO of Stealthcare
Despite Russian government denials, Zero Day Live (ZDL), the threat intelligence platform from Stealthcare, detected Russia launching numerous cyberattacks last week that threaten not only Ukraine but also governments and private organizations worldwide.
“The cyberattacks are in keeping with Russia’s effort to extend Soviet-style hegemony worldwide—far beyond regional sea skirmishes with Ukraine,” according to Jeremy Samide, CEO of Stealthcare.
“These Russian cyberthreat actors often have the surname ‘bear’ with two of the most infamous ‘bears’ being the Russian government-linked Fancy Bear and Cozy Bear—the same threat actors responsible for numerous high-profile espionage attacks including the 2016 breach of the Democratic National Committee,” noted Samide.
In addition to Fancy Bear and Cozy Bear, the Russia-linked threat actor Gamaredon stepped up its global attacks last week, according to the Stealthcare Zero Day Live threat intelligence platform, whose team of threat intelligence experts uncovered the Russian breaches.
Samide explained how these attacks work: One of the threats remotely loads a series of weaponized document templates containing a malicious macro. The weaponized documents, attributed to Fancy Bear, targeted government entities in North America, Europe, and a former Soviet state. The first stage of the malware is a packed Zebrocy variant that gathers system information and sends it to the C2 server. The C2 then responds with a secondary payload that appears functionally similar to Zebrocy but proves to be a malicious tool named Cannon. Once inside the gates, the trojan functions primarily as a downloader that relies on email to communicate with the C2 server. Attackers use C2, or command-and-control, servers to communicate with the compromised system.
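As an added illustration (not code from the original article or from Stealthcare), here is a defender-side check for the first step described above: Word fetches a remote template at open time when the package's settings relationships carry an attachedTemplate entry with an external target. The scanner parses the OOXML relationship parts of a .docx and reports every external target; the sample package and the template URL it builds are constructed placeholders for testing the check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_relationships(docx_bytes):
    """Return (part, rel_type, target) for every relationship in the package
    whose TargetMode is External. An external attachedTemplate in
    word/_rels/settings.xml.rels makes Word download the template (and any
    macro it carries) before the document is shown to the user."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry external targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type"), rel.get("Target")))
    return found


def has_remote_template(docx_bytes):
    """True when any external relationship is an attachedTemplate."""
    return any(t == ATTACHED_TEMPLATE
               for _, t, _ in external_relationships(docx_bytes))


def build_sample_docx(template_target=None):
    """Constructed minimal package (not a real document) with just the parts
    the check looks at. template_target, if given, is written as an external
    attachedTemplate relationship; the local styles relationship is benign."""
    header = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % REL_NS
    doc_rels = header + ('<Relationship Id="rId1" Type="%s" Target="styles.xml"/>'
                         % ATTACHED_TEMPLATE.replace("attachedTemplate", "styles")
                         ) + "</Relationships>"
    tmpl_rel = ""
    if template_target:
        tmpl_rel = ('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_target))
    settings_rels = header + tmpl_rel + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()
```

Run the same scanner over real attachments from mail or a file share; any external attachedTemplate target is worth quarantining and reviewing, even when the document itself contains no macro.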
Phishing emails from a bogus US State Department address
A new Cozy Bear backdoor campaign using Cobalt Strike Beacon also emerged recently and was seen running a phishing campaign targeting multiple sectors—among them think tanks, law enforcement, media, the US military, the transportation industry, pharmaceutical companies, national governments, and defense contractors. “The phishing emails purport to be from the US State Department but contain malicious Windows shortcuts,” Samide said.
Several elements of this campaign, including the resources invested in the phishing email and network infrastructure, the metadata of the weaponized shortcut file payload, and the specific individuals and organizations targeted, are linked directly to the Cozy Bear phishing campaign of November 2016.
“Closer to home, a new backdoor attacker has been targeting Ukrainian government agencies. The backdoor, dubbed Pterodo, is associated with the Gamaredon threat group that relies largely on off-the-shelf software and primarily focuses on Ukrainian military and government targets.
Pterodo is a custom backdoor that inserts other malware and collects sensitive information. Along with the Gamaredon group, it has been tied to Russia’s Federal Security Service (FSB), alongside the Cozy Bear group,” noted Samide.
The global and regional cyberattacks are in addition to the open conflict that started when four Russian FSB vessels confronted three boats from Ukraine that were sailing from Odessa to Mariupol, a major Ukrainian port on the Azov Sea. Tensions escalated when, on November 28, Russian FSB border guards opened fire on two Ukrainian gunboats and a tug before seizing their Ukrainian crews, according to the BBC.