Weathering Russian Winter: The Current State of Russian APTs
This blog was originally published by LogicHub on April 8, 2022.
Written by Tessa Mishoe, Senior Threat Analyst, LogicHub.
Russian Advanced Persistent Threats (APTs)
It’s no secret that Russian Advanced Persistent Threats (APTs) are a significant burden on cybersecurity teams. For years, organizations have been bombarding their systems with patches and configuration changes to dodge targeted attacks, and the focus on APTs specifically from Russia has never been higher. However, the Russian invasion of Ukraine has put the risk and incredible rate of advancement in Russian cyberattacks front and center – with much of the internet (and the world) caught in the crossfire.
This article aims to create an understanding of the history of Russian APTs, some of their most common attack types, as well as ways in which the industry may change, and what enterprises can do to protect themselves from this ongoing bombardment.
A Brief History of APTs
Espionage via digital medium started around the time that the computer began creeping into more regular use, but the idea of the advanced persistent threat is relatively new.
According to Richard Bejtlich’s paper on the topic, ‘the United States Air Force coined the phrase ‘advanced persistent threat’ in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world.’ Though APTs were regularly seen from then on inside the industry, the term didn’t gain public consciousness until an attack on Google servers in 2010, the fault of which was assigned to Chinese APTs.
From then on, APT became a heavily used, marketable term. Antivirus companies like McAfee jumped on the opportunity to provide anti-APT products.
What Is An APT?
The idea of the ‘advanced persistent threat’ is a bit of an abstract concept to most. Especially with the term being tossed around in regular media, it can be hard to understand which attacks are caused by APTs and which are not.
The Computer Security Resource Center at NIST defines an APT as follows:
“An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.”
Demystifying that large definition, APTs can be broken down with a few simple traits:
- Motive: APTs function towards a singular, targeted goal: the path upon which their target is placed. This focus may be ideological or militant but will always center upon an ideal. Actions performed by APTs may align with other types of threats, but their primary aim will remain the same.
- Skill: APTs are near the top when ranking skill and ability. They tend to have excellent resources, which then feed into techniques far above a normal threat actor. They may have high monetary funding, or they may have a strong ideological bond. Either way, they produce a high-quality attack that branches across multiple phases in the cyber kill chain model. Their planning is unmatched when compared to other types of threat actors.
- Focus: APTs do not break from attacks - hence their persistence. If one tactic does not work, they may switch to another. They may not show activity in monitoring for a while, but that does not mean they have given up. APTs like to remain dormant until a planned activation time to maximize effectiveness.
APTs are truly the ultimate adversary, which is why keeping track of their movements and abilities is imperative to a proper defense.
Known Russian APT Groups
There are many Russian APTs with varying attack targets. Most of the more notable Russian APTs are detailed in the MITRE ATT&CK framework’s ‘Groups’ classification. Groups change names often, so most are filed under a single primary label to keep track of their actions. Some important and notable entries include:
- APT28 AKA FancyBear: This APT is a highly concerning one associated with Russia’s General Staff Main Intelligence Directorate (GRU) Unit 26165. Operating since about 2004, they regularly target insider information on large governments and international operations. Making attempts against the Georgian and Eastern European Ministries of Internal Affairs, European airshows and defense demonstrations, U.S. Defense contractors, multiple U.S. Presidential elections, and the U.S. energy sector, their toolset evolves rapidly, suggesting an incredible coalition of skilled developers and researchers.
- APT29 AKA CozyBear: This APT is associated with Russia’s Foreign Intelligence Service. Famously attributed to the SolarWinds and StellarParticle attack campaigns, this group has been operating since about 2008 and has targets ranging across most of the planet, including both the Democratic and Republican National Committees in the US. The organization has even been accused of targeting COVID-19 vaccine organizations. They focus heavily on data exfiltration, choosing more subdued and quiet attacks than APT28.
- Indrik Spider AKA Evil Corp: Indrik Spider, a Russia-based APT, is famous for being the group behind the Dridex banking trojan and the BitPaymer ransomware, which managed to hit the U.K.’s NHS and has received an average of about $200,000 USD per victim. Their attacks are becoming better catered towards each victim as they go, and their success appears to indicate further high-value target hunting on large enterprises in the future.
- Sandworm Team: Active since at least 2009, this APT is another group associated with Russia’s GRU, and has even collaborated directly with APT28. Attributed under the GRU’s Main Center for Special Technologies (GTsST) military unit 74455, this group was responsible for the NotPetya ransomware campaign and the Olympic Destroyer attack against the 2018 Winter Olympics, held in Pyeongchang, South Korea. They are a highly organized team that appears to choose noisy operations much like APT28.
Something important to remember about APTs is that they are most commonly aligned with a government or military, but they may also be comprised of engaged citizens with more advanced resources than other threat actors.
Common APT Attack Tactics & Techniques
APTs typically have a development team that creates targeted tools or malware to advance their operations. Though the malware is usually specialized towards targets, it is common for them to share traits when made by a single APT group. According to the MITRE ATT&CK framework entries and a series of independent tool analyses on the APTs listed above, their attack signatures and most used tools are as follows:
APT28: APT28 likes to attack hard and fast, starting with noisy attacks to gain access like bruteforcing and DDoS. They don’t bother with waiting around like many other APTs do. Instead, they strike directly for critical vulnerabilities like remote code execution zero-days or walk through the front door of their target network by spearphishing for admin credentials, then proceed with attacks on large and valuable targets. Software that they’ve created include Zebrocy, which was used to target NATO members and exfiltrate screenshots of activity, and the CHOPSTICK and CORESHELL, backdoor programs.
APT29: APT29 prefers intricate, quiet data exfiltration techniques. During the peak of the COVID-19 vaccine development, for example, APT29 used their WellMess malware to execute shell commands and perform file transfers to and from targeted vaccine research endpoints. Currently, the Duke malware strains are APT29’s weapons of choice, their collective use being known as Operation Ghost. Lateral movement is the specialization of this malware, taking over machine after machine using the credentials of a single successfully compromised account. It then offers a powerful backdoor suite for ease of access to the victim machine.
IndrikSpider: Though by no means as large and menacing as some of the other APTs featured in this breakdown, IndrikSpider is equally threatening, especially to larger organizations. With a complex banking trojan like Dridex and ransomware like BitPaymer, IndrikSpider has potential against most high-value industries. Dridex uses a large set of backdoor tools including browser session hijacking, proxying through the victim computer, and avoidance of malware analysis programs. BitPaymer, first seen in 2017 targeting UK hospitals, is somewhat unique in that it uses a unique encryption key, ransom note, and contact information for each operation. It also has a series of persistence tools to help root onto the victim computer through wipes and resets.
Sandworm Team: This APT directly targets industrial control systems and other similar critical infrastructure using the BlackEnergy tool, which caused a 2015 Ukraine power grid outage and was one of the first attacks of its kind. They appear to be very specifically targeting Ukraine. BlackEnergy uses macros in Word documents to drop files for persistence, then connects into a command-and-control server. It contains functionality for backdooring into servers (with remote desktop viewer and spying features), network scanning, fast spread, and even destruction.
Defending Against APTs
Now that we have laid the groundwork on each APT, we can begin to talk about the best defensive postures and strategies to adopt to protect against them. Thankfully, in the world of network security, there are a few simple things that can be implemented that will improve your security posture. Among them are:
- Removal from network access
- Regular patching
- Social engineering training
- Two-factor authorization (2FA)
- Offline backups
- Dedicated detection and response
Removal from Network Access
In the case of some systems, it’s difficult to do anything else besides removing them from the network entirely. Industrial control systems are a great example: many of these systems are very outdated and may be impossible to patch to a sufficient degree. Most still function without network access and may be safer to keep away from other devices, as they may be an entry point or a direct target.
Social Engineering Training and Two-Factor Authentication
Two-factor authentication and social engineering training are both are highly effective countermeasures to put in place. Two-factor authentication (2FA) can drop attackers in their tracks and keep them from attempting attacks through that medium entirely and is relatively easy to implement. Social engineering training helps employees recognize security breach attempts and report them so they don’t even gain a foothold within the network.
Ransomware is a highly profitable industry, and most APTs have realized this. When a group takes over a machine, it can threaten their target organization so much that the ransom is paid with little fuss. Though offline backups in this situation are always recommended to avoid complete shutdown of operations, once ransomware enters and successfully holds within the network, significant dissemination of valuable data is likely to occur.
Dedicated Detection and Response
An effective monitoring system that sorts out noise and pulls valuable cases to the top allows a team to pick up on attempts by APTs and focus attention on them. Those who don’t desire to put together a dedicated monitoring and security team can also hire a managed detection and response team that will monitor 24/7. They can also monitor for critical security updates that make patching easy.
What Lies Ahead
With the current situation in Ukraine and how outside countries have reacted, the likelihood of attacks from Russian APTs spreading across the world has increased now more than ever.
The Sandworm team’s industrial control attacks should be a particular concern as they offer a significant advantage if successfully executed during wartime, and focused countries may change according to changes in military posture. APT28 is likely to attack varying countries as they have been, probably in direct line with military goals. APT29 should be watched closely due to their stealth efforts.
Ransomware continues to rise in popularity, though it’s less common to see it used by APTs. This is one form of malware that should most certainly be defended against as it can shut down operations and provide an inadvertent military advantage. Financial industries should keep a close eye on the activity of IndrikSpider due to the effectiveness of their banking trojan Dridex.
Larger organizations should – if they have not already done so – lock down their networks well. Today is the second-best time to secure, with yesterday being the best.
About the Author
Tessa Mishoe is a Senior Threat Analyst at LogicHub. Tessa is involved in high-level security analytics and deep hunting exercises to protect computer systems, networks, and data across LogicHub’s client base. She specializes in active monitoring, Cisco products, threat response, and computer forensics.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.