A cyber campaign against Russian critical national infrastructure firms, including state-owned oil company Rosneft, is not state-sponsored, but appears to be a criminal operation, say researchers.
Nation-state conflict has come to dominate many of the policy discussions and much of the strategic thinking about cyber security, which criminals appear to be exploiting, according to Cylance threat researcher Jon Gross.
Cyber criminals are “keenly aware” of the bias some researchers bring to the table, he wrote in the latest Cylance threat intelligence bulletin. “Exploiting that bias can provide additional camouflage, another layer of seeming invisibility, making threat actors harder to detect,” wrote Gross.
Rosneft is a major pillar of critical infrastructure for Russia, making it a highly likely target of foreign state-sponsored espionage efforts, which is what Cylance researchers believed they had found when the company name emerged in their research.
In July 2017, Cylance stumbled across malicious macros embedded in Word documents in a malware repository that seemed to be aimed at Russian-speaking users and designed to capture the IP address, hostname and attached drives of infected machines as well as keystroke and clipboard data.
“Upon closer inspection, we noticed that the malware author meticulously used command and control (C&C) domains which very closely mimicked their real counterparts in the Russian oil and gas industries, in particular Rosneft and subsidiaries of Rosneft,” wrote Gross.
The researchers discovered that the threat actor had been operating for more than three years and had created similar sites to mimic more than 20 state-owned oil, gas, chemical, agricultural and other critical infrastructure organisations.
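The C&C domains described above worked because they looked like the real oil and gas company domains at a glance. A defender's counterpart is to screen DNS query logs for names that imitate the organisation's own domains. The following is an added example, not code from Cylance or Group-IB: it folds Cyrillic/Latin confusable letters and digit substitutions to a canonical form, then flags names that are within a small edit distance of a watchlisted domain, that embed a watchlisted domain under a foreign registrable domain, or that append extra words to the brand label. The watchlist domains, the confusable table and the log lines are constructed placeholders, not Rosneft's or any subsidiary's real names.

```python
"""Lookalike-domain detection over DNS query logs (added example)."""
import re
import unicodedata

# Constructed watchlist of the organisation's own legitimate domains.
# Placeholders: these are NOT the real Rosneft or subsidiary domains.
WATCHLIST = ["example-oil.ru", "example-gas.ru", "example-chem.ru"]

# Cyrillic letters that render like Latin ones (assumption: a small subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}
# Digits commonly substituted for letters (assumption: heuristic).
DIGIT_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(name: str) -> str:
    """Fold a domain to a canonical form so visual tricks collapse to one string."""
    name = unicodedata.normalize("NFKC", name.lower())
    name = "".join(CONFUSABLES.get(ch, ch) for ch in name)
    return name.translate(DIGIT_SUBS).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; assumption: no public-suffix list, adequate for .ru/.com style names."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return (verdict, legit_domain_or_None, reason).

    verdicts: 'legitimate' (host is under a watchlisted domain),
              'lookalike'  (host imitates a watchlisted domain),
              'unrelated'  (no resemblance found).
    """
    reg = registrable(host)
    if reg in watchlist:
        return ("legitimate", reg, "registrable domain is on the watchlist")
    host_norm = normalise(host)
    reg_norm = normalise(reg)
    for legit in watchlist:
        legit_norm = normalise(legit)
        sld_norm = legit_norm.split(".")[0]
        # 1. Legit name embedded under a foreign registrable domain, e.g. brand.ru.attacker.example
        if legit_norm in host_norm and reg_norm != legit_norm:
            return ("lookalike", legit, "legitimate domain embedded as a subdomain")
        # 2. Small edit distance after folding homoglyphs/digits, e.g. examp1e-oil.ru
        if levenshtein(reg_norm, legit_norm) <= max_distance:
            return ("lookalike", legit, "within edit distance %d after normalisation" % max_distance)
        # 3. Brand label with extra words appended, e.g. brand-portal.ru
        if sld_norm in reg_norm.split(".")[0]:
            return ("lookalike", legit, "brand name with appended text")
    return ("unrelated", None, "")


# Resolver log format assumed here: "<timestamp> <client-ip> query: <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")

# Constructed DNS resolver log lines (not real traffic); line 3 uses a Cyrillic 'а'.
SAMPLE_LOG = """\
2017-07-12T09:58:11Z 10.1.4.21 query: mail.example-oil.ru
2017-07-12T09:58:40Z 10.1.4.21 query: examp1e-oil.ru
2017-07-12T09:59:02Z 10.1.7.9 query: ex\u0430mple-oil.ru
2017-07-12T09:59:30Z 10.1.7.9 query: example-oil.ru.attacker.example
2017-07-12T10:00:05Z 10.1.2.2 query: unrelated-site.ru
"""


def scan_log(text: str, watchlist=WATCHLIST):
    """Return a list of (client, qname, legit) for every lookalike query in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict, legit, _ = classify(m["qname"], watchlist)
        if verdict == "lookalike":
            hits.append((m["client"], m["qname"], legit))
    return hits


if __name__ == "__main__":
    for client, qname, legit in scan_log(SAMPLE_LOG):
        print(f"{client} queried {qname!r}, which imitates {legit}")
```

The three heuristics are deliberately cheap so the scan can run over a full day of resolver logs; the edit-distance threshold and the confusable table are the knobs to tune, and a hit should be treated as a lead for analysts rather than an automatic block, since legitimate partner domains can also sit close to a brand name.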
The associated malware, dubbed RedControle, was also designed to create a backdoor into infected machines to upload and download files, manipulate files and folders, compress and decompress files, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes and manipulate processes on the infected system.
The effort to set up more than 20 websites to mimic real Russian critical infrastructure companies seemed disproportionate to the perceived benefit of using them simply as command-and-control infrastructure.
But when the researchers saw an article by Ilya Sachov, the founder and CEO of infosec company Group-IB, about an elaborate criminal scheme in which a threat actor was creating near-clones of legitimate Russian critical infrastructure companies to harvest credentials and perpetrate fraud, they realised they were looking at a criminal operation motivated by financial gain.
“The line between well-organised criminal efforts and nation-state activity can often be blurry, but practitioners and consumers of threat intelligence should beware of inherent biases,” wrote Gross.
“What appears at first blush to be a clear indicator of nation-state malfeasance may, in fact, simply allow a criminal to hack your way of thinking shortly before hacking your organisation.”