www.intsights.com Russia’s Most Dangerous Cyber Threat Groups
Page 1: Russia’s Most Dangerous Cyber Threat Groupswow.intsights.com/rs/071-ZWD-900/images/RussianAPTs.pdf · 2020-06-07 · Russia’s Most Dangerous Cyber Threat Groups Russian APT Groups


Introduction

The Russian cybercriminal underground operates at a higher level than that of any other country. Russians were the first to create criminal hacking forums and to cultivate communities where threat actors sell and share information, emerging malware, and newly found vulnerabilities to exploit. As the cybercrime landscape in Russia continues to grow and evolve, the government continues to turn a blind eye to attacks launched by cybercriminals within its borders, as long as those attacks target foreign adversaries.

Last month, IntSights published a comprehensive research report, The Dark Side of Russia: How Internet Laws and Nationalism Fuel Russian Cybercrime, featuring an exclusive look into the state of the Russian cybercrime ecosystem, analysis of the geopolitical factors and implications at play, and speculation on how legislation restricting the free flow of information on the internet in Russia will impact business operations for multinationals with a presence in Russia. The report includes screenshots of actual threat actor activity taking place on Russian dark web forums and black markets, demonstrating the reality and severity of threats posed by the Russian cybercrime machine.

But who, exactly, are the most dangerous Russian cyber threat groups carrying out cyberattacks and developing cutting-edge malware? There are several groups operating within Russia that carry out attacks with various motivations including financial gain, information and data theft, hacktivism, and espionage. Some use different names and deploy operatives in multiple countries, which makes them more challenging to track and identify. Let’s break down the attributes of some of the top cybercrime outfits in Russia:


Russian APT Groups

APT29

APT29 has many aliases: Office Monkeys, CozyCar, The Dukes, and CozyDuke. The group is believed to work for the Russian government, and in particular for its civilian intelligence agencies, the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR). APT29 has been targeting Western European governments and diplomatic organizations since at least 2010, but it also targets military, energy, and telecom organizations around the world. It is considered one of the most advanced and experienced APT groups. Like APT28, the group develops and deploys new malware quickly, but APT29's ability to rapidly alter its tooling makes it harder to detect.

APT29 is associated with various malware strains, such as HAMMERTOSS, TDISCOVER, UPLOADER, CozyDuke, OnionDuke, and MiniDuke. The group’s targets have included government and commercial entities in the United States, Germany, South Korea, and beyond. Its most famous attacks include:

• 2014: An infiltration attack against the U.S. Democratic National Committee (DNC), the U.S. State Department, the White House, and a private research institute in Washington D.C.

• 2015: A spear phishing attack against the Pentagon's email system

• 2016: An intrusion into the DNC's servers, which coincided with a separate intrusion by APT28. The two groups were apparently unaware they were operating in the same network at the same time. Analysis showed that APT29 had been on the DNC's network for more than a year, while APT28 had been on it for only a few weeks.

• 2016-2017: A series of spear phishing attacks against U.S. think tanks and non-governmental organizations following the 2016 U.S. General Election

• 2017: Attempts to spear phish email accounts of nine individuals in the Norwegian Ministry of Foreign Affairs, Ministry of Defense, and the Labor Party. Other Norwegian targets included the Norwegian Radiation Protection Authority, the Norwegian Police Security Service (PST), and an unidentified college. Both APT28 and APT29 attempted to attack the Dutch Ministry of General Affairs and other Dutch ministries.

APT29’s attacks typically come in the form of spear phishing and different malware strains. The group has been known to use social media platforms and cloud storage services to relay commands and extract data.
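Detecting this kind of command-and-control traffic is less about blocking the destinations (social media and cloud storage are used legitimately on every corporate network) than about spotting machine-like regularity in how a host talks to them. The script below is an added example, not code from the IntSights report or from any vendor tool: it parses a constructed proxy log in a hypothetical whitespace-separated format (timestamp, source host, destination, bytes sent) and flags host/destination pairs whose connection intervals are unusually regular, which is what an implant polling a social-media account for tasking looks like next to a person browsing the same site.

```python
"""Beacon detection over proxy logs.

Added example (not from the IntSights report). It flags (source host, destination)
pairs that are contacted at near-regular intervals, the pattern left by an implant
that polls a social-media or cloud-storage account for tasking. The log format
below is a hypothetical, constructed one: "<ISO timestamp> <host> <dest> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. ws-042 polls twitter.com every ~15 minutes with a few
# seconds of drift; ws-017 is a person browsing the same site at irregular times.
SAMPLE_LOG = """\
2020-06-01T08:00:03Z ws-042 twitter.com 512
2020-06-01T08:00:41Z ws-042 cdn.example.net 120000
2020-06-01T08:15:02Z ws-042 twitter.com 498
2020-06-01T08:30:05Z ws-042 twitter.com 530
2020-06-01T08:45:01Z ws-042 twitter.com 505
2020-06-01T09:00:04Z ws-042 twitter.com 511
2020-06-01T09:15:03Z ws-042 twitter.com 520
2020-06-01T08:02:00Z ws-017 twitter.com 2200
2020-06-01T08:09:30Z ws-017 twitter.com 1800
2020-06-01T08:37:12Z ws-017 twitter.com 900
2020-06-01T09:44:45Z ws-017 twitter.com 3100
2020-06-01T10:12:08Z ws-017 twitter.com 700
"""


def parse_log(text):
    """Group (timestamp, bytes) records by (host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[(host, dest)].append((t, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.10):
    """Return {(host, dest): (period_seconds, jitter)} for pairs whose
    inter-arrival times are regular.

    Regularity is measured as the coefficient of variation (std dev / mean) of
    the gaps between consecutive connections: human browsing produces a large
    value, a timer-driven implant a small one. min_hits avoids judging pairs
    with too few samples.
    """
    beacons = {}
    for key, recs in events.items():
        if len(recs) < min_hits:
            continue
        times = sorted(t for t, _ in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons[key] = (round(period), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (host, dest), (period, jitter) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {dest}: every ~{period}s (jitter {jitter})")
```

Legitimate software beacons too (update checkers, mail clients, collaboration agents), so treat a hit as a triage lead and allowlist known agents rather than alerting outright. A real implant will also add random sleep between polls, which is why max_jitter is a tunable threshold rather than a hard rule. Pairing this timing check with per-host upload volume to cloud-storage domains covers the exfiltration half of the technique the paragraph describes.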


APT28

APT28 goes by the pseudonyms Tsar Team, Sofacy Group, Pawn Storm, Sednit, and STRONTIUM. It is suspected of working for the Russian government, and in particular for the GRU (Russia's foreign military intelligence agency).

APT28’s primary initiative is collecting intelligence on geopolitical and defense issues that are relevant to Russian interests. It has been targeting government, military, and security organizations in the Caucasus (Georgia, in particular); Eastern European countries; the North Atlantic Treaty Organization (NATO); and other European security organizations and defense companies.

APT28, active since the mid-2000s, is experienced and advanced. It is associated with the CHOPSTICK malware, the SOURFACE downloader, and the EVILTOSS backdoor. Other tooling it has used includes ADVSTORESHELL, JHUHUGIT, and XTunnel, as well as the Sofacy, XAgent, Foozer, WinIDS, and DownRange families. The group has been updating the SOURFACE downloader continuously since 2007, demonstrating the effort it dedicates to development and innovation.

APT28’s most common attack vectors are spear phishing emails, malware drop websites disguised as news sources, and zero-day exploits of the Microsoft Windows operating system and Adobe Flash. The group has been observed using six different zero-day exploits, indicative of a technical prowess that is likely backed by a government with extensive resources.

The group is responsible for the following cyberattacks:

• 2015: A six-month attack on the German Bundestag (the German federal parliament)

• 2015: An attack on the French TV station TV5Monde

• 2015: Attacks on the White House and NATO

• 2016: A spear phishing attack on the Democratic National Committee, conducted in an effort to influence the 2016 U.S. General Election

• 2016: Another attack on members of the German Bundestag

• 2016: An attack on the Organization for Security and Co-operation in Europe (OSCE)

• 2017: An attack on the French presidential campaign of candidate Emmanuel Macron

• 2019: Attacks on think tanks such as Aspen Institute Germany, the German Marshall Fund, and the German Council on Foreign Relations

In one campaign, APT28 sent phishing emails to 104 email addresses across Europe in an attempt to obtain employee credentials and deliver malware.

In October 2018, the U.S. indicted seven Russian GRU officers on conspiracy charges. The indictment stated that from December 2014 to May 2018, the GRU officers conducted “persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.” According to the indictment, the officers were from GRU’s Unit 26165 and Unit 74455.


Sandworm Team

Sandworm Team is a Russian cyber espionage group that has been active since 2009. It is also known as Voodoo Bear, Black Energy, Quedagh, TeleBots, and Electrum. The group consists of pro-Russia hackers who are likely either state-sponsored or state-motivated, as their targets and motives align with the interests of the Russian government. They have targeted Ukrainian government entities; energy, media, and telecom companies; academic institutions; and industrial control system (ICS) and supervisory control and data acquisition (SCADA) networks. In addition, they have attacked defense industries and government institutions in the U.S., Poland, and other NATO member states.

Sandworm's objective is to gather intelligence in support of espionage operations. The group harvests SSL private keys and code-signing certificates from its targets and steals sensitive documents and information.

The group was exposed in October 2014 and went underground for a few months before becoming active again in 2015.

The group is responsible for the following devastating cyberattacks:

• 2010: The BlackEnergy2 malware strain, leveraged against industrial control system networks in Ukraine.

• 2014: Further use of BlackEnergy2 malware, infecting U.S. critical infrastructure sites. According to media coverage, these attacks began in 2011 and affected the energy, water, real estate, and telecommunications sectors.

• 2015-2016: Two cyberattacks resulting in power blackouts in Ukraine. The group used BlackEnergy3 malware, which was found on the systems of the Ukrainian power company Prykarpattyaoblenergo.

• 2015: Attacks on news companies during the Ukrainian 2015 elections.

• 2015-2016: Attacks on Ukrainian governmental organizations and companies, including railway firms, media outlets, and more.

• 2017: NotPetya, destructive malware disguised as ransomware, was identified attacking a vast number of Windows-based PCs in Ukraine and Russia. Western corporations were affected as well. The infrastructure and attack patterns resembled those of earlier Sandworm operations.

Sandworm's activities are often aligned with those of APT28. However, while APT28 uses custom-made malware and zero-day exploits, Sandworm Team has primarily used hacking tools that are available for purchase, such as the BlackEnergy toolkit, which was originally sold on underground forums.


Turla

Turla is a Russian state-sponsored threat group, tracked separately from APT28, that has infected victims in more than 45 countries since 2004. It is also known as Snake, Uroburos, Venomous Bear, and Waterbug. Its victims span the government, military, education, research, and pharmaceutical sectors. Turla is one of Russia's oldest state-sponsored cyber espionage groups; its most intense activity took place in mid-2015.

Turla is known for using watering holes and spear phishing campaigns. The group uses internally developed malware and tools to carry out its attacks. It most frequently attacks Windows-based machines but has also occasionally targeted Linux and macOS machines. Turla's most advanced malware strains are deployed only on machines of the highest value and interest to the group. Its tools are considered complex and advanced, and the group is unique in its use of satellite internet links for command and control (C2).

Turla’s victims include the U.S. Department of Defense, which it attacked in 2008, two European foreign offices, defense contractors, Germany’s Federal Foreign Office, Germany’s Federal College of Public Administration, and more.

CyberBerkut

This pro-Russian Ukrainian hacktivist group was formed after the dissolution of the Ukrainian Berkut special police force in February 2014. The group supported the Russian-backed separatists and aimed to expose cooperation between the Ukrainian government and Western powers against Russia. It has targeted various Western and Ukrainian organizations with DDoS attacks, email hacking, and leaks of personal data. The group was mainly active from 2014 to 2017 and has not been seen active since. The UK government has stated that CyberBerkut was most likely operated by the Russian GRU.


Russian Hacktivist Groups

Hacktivism is common in Russia. Numerous groups and individuals use their technical proficiency to launch attacks against governments, businesses, and other organizations they deem enemies, based on their own political beliefs or the Russian government's political positioning. The following are notable Russian hacktivist groups that have launched large-scale attacks or hacking campaigns in recent years.

Anonymous International

Anonymous International, also known as Shaltai B0ltai (Russian for Humpty Dumpty), is a Russian hacktivist group that targets domestic political parties, large companies, and mass media corporations. It is believed to have been active since 2013.

The group's activity peaked in 2014 and 2015, when it successfully hacked and published the communications of numerous targets. These included politically engaged corporations; the official Twitter account of former Russian Prime Minister Dmitry Medvedev; the communications of the head of the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor); and other political figures.

In 2016, the alleged organizer of the group, journalist Vladimir Anikeev, was arrested; since then the group has been largely inactive.

0v1ru$

This previously unknown hacktivist group is credited with one of the largest data breaches involving a Russian government agency to date. In July 2019, BBC Russia reported that a hacking group had stolen over 7.5 TB of data from a contractor working for a Russian intelligence agency. The group, calling itself "0v1ru$", posted screenshots of its access to the contractor's servers, then handed the data over to another hacking group, Digital Revolution, for dissemination and public exploitation.

Screenshot from Digital Revolution showing the leaked data from the Russian intelligence agency hack.


Russia-Attributed Cybercrime Groups

The following notable cybercrime groups exhibit patterns and behavior common among confirmed Russian cybercrime outfits but to date have not been proven to be based in Russia. While they may not have as high a profile as some of the aforementioned APT groups, in particular APT28 and APT29, these groups deploy a number of cutting-edge techniques against businesses and governments alike.

Carbanak and FIN7

Carbanak and FIN7 are tracked as two separate threat groups that share many targets, tactics, and tools. Both target banks and financial organizations and have been observed using the Carbanak malware, after which the Carbanak group is named. The Carbanak group has targeted financial institutions in Russia, Ukraine, the U.S., Germany, China, and other countries over the past several years. It was first discovered in 2014 and is estimated to have stolen nearly $1 billion to date.

FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. The group typically uses malware to attack point-of-sale systems.

Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions in Eastern Europe, Central Asia, and Southeast Asia. First identified in 2016, it is known for its highly sophisticated attack methods. Over the years the group has also targeted supply-chain companies, investment banks, and more. Some estimates indicate Cobalt Group has stolen as much as $1.2 billion from banks across 40 countries. The alleged leader of the group was arrested in early 2018, but the group remains active. There are indications of a connection between Cobalt Group and the Carbanak group: their tools overlap, which makes attribution of individual attacks difficult, and some malware samples show that more than one threat actor is using the same tooling.

Gamaredon Group

Gamaredon Group is a Russia-linked threat group that has been active since mid-2013. Its activities went largely unnoticed until 2015, when research on Operation Armageddon, a cyber espionage campaign targeting Ukrainian government, military, and law enforcement officials, was published. There is evidence that the malware used in this campaign was built on a Russian-language operating system, suggesting the group is based in Russia or at least has a presence there.

The Gamaredon group is still active and continues to focus mostly on Ukrainian targets. It has recently been observed spreading a new Linux malware named EvilGnome. Its TTPs have stayed largely the same throughout its years of operation. Some researchers believe the group consists of political activists rather than Russian government operators, but there are not enough details to support that claim.

TEMP.Veles

TEMP.Veles is an APT group that has been targeting critical infrastructure. The group has used TRITON, a malware framework designed to manipulate industrial safety instrumented systems. Many researchers believe a Russian government-owned research institute most likely custom-built the TRITON framework.


Conclusion and Business Implications

Cyber threat groups in Russia are constantly growing more sophisticated and more powerful. They develop cutting-edge malware and launch increasingly complex attacks on political enemies, organizations with immense financial assets, government departments in charge of sensitive data, and a whole host of other targets. While there are similar cyber threat groups worldwide, Russia is certainly the largest hub of cybercriminal activity in the world.

The Russian government appears content to turn a blind eye to the attacks levied by Russian threat actors – as long as they do not target Russian organizations or government departments. In many cases, the APT groups are actually working for or part of Russia’s intelligence agencies. They work together to gather information and plan strategic espionage attacks against enemy nations around the world. At the same time, the Russian government’s continual attempts to restrict the free flow of information on Russia’s internet infrastructure are seeding the market for more dark web usership, more cybercriminal activity, and more large-scale attacks worldwide.

Businesses must be vigilant in their cybersecurity efforts and must gather threat intelligence to identify potential attacks at the source. Russian hackers are skilled and relentless, and they use great ingenuity to bypass even the most advanced security protocols to infiltrate corporate and government networks and steal financial assets and sensitive data.

To understand the full scope of the cybercriminal threat facing businesses operating in Russia, download our research report, The Dark Side of Russia: How New Internet Laws and Nationalism Fuel Russian Cybercrime. The report contains a detailed look at how Russian hackers initially formed communities at the advent of the internet, some of the advanced methods and tactics they use to carry out their attacks, the cyber-political landscape shaping the cybercriminal underground, and an unprecedented level of detail on the targets of Russian threat actors.
