Attackers Allegedly Target Russian Federal Networks
Rostelecom-Solar: Russian Federal Executive Authorities Hit by Cyberattacks
A nation-state hacking group targeted several Russian federal agencies in a cyberespionage campaign that compromised the country’s federal networks to steal sensitive data, according to a report from Russian security firm Rostelecom-Solar.
The report was compiled with Russia’s National Coordination Center for Computer Incidents, the agency responsible for Russian Federation governmental networks. It says that the attackers deployed two previously unknown malware variants that used Russian cloud hosting services for the campaign. The hackers then sought to steal confidential information, including documents and email correspondence of key federal executive authorities, the report notes.
Vladimir Drukov, the head of Solar JSOC Security Operations Center, Rostelecom-Solar, told ISMG, “The first hackers’ attempts to penetrate the infrastructure began in 2017, and they went unnoticed for 3.5 years. In 2020 they tried to extend an attack to one of the federal executive bodies (a Solar JSOC client). This incident investigation became the starting point for identifying the whole chain of attacks.”
All traces of the hackers have been removed from the federal authorities’ systems, says Drukov, who adds that attribution has been completed but the results are not being publicly disclosed.
The report does not identify the threat group but says it is a state-sponsored entity. "The level of attackers (the technologies and mechanisms used, the speed and quality of the work they have done) makes it possible to qualify them as cyber mercenaries pursuing the interests of a foreign state," the report says. "Such attackers could stay inside the infrastructure for a long time and not give themselves away."
The attackers used three main vectors to deliver the malware, the report says:
- Phishing: The attackers used details of the federal agencies' internal activities, as well as COVID-19 news, as the themes of their phishing messages. These emails carried malicious attachments which, when opened, downloaded the malware onto the victims' devices.
- Exploiting web applications: The attackers also exploited vulnerabilities in the agencies' internet-facing web applications.
- Targeting contractors: In addition to phishing and vulnerability exploitation, the attackers compromised the infrastructure of federal contractors to reach government infrastructure. The report suggests the contractors could have been identified from publicly available information on tender sites and in published press releases.
Compromising that third-party infrastructure gave the attackers a path into the federal networks, because contractor employees often hold high privileges and have direct access to their customers' systems, the report adds.
"After a complete compromise of the infrastructure, the attackers began to collect confidential information from all sources of interest: from mail servers, electronic document management servers, file servers and workstations of managers of various levels," the report states.
"At the stage of preparation for attacks on federal executive authorities, the cybercriminals learned well the features of the functioning and aspects of administrative work with the antivirus manufactured by Kaspersky Lab," the report says. "As part of the development of the attacks, they discreetly disabled antivirus software, and also used its legitimate components to collect additional information about the attacked infrastructure."
A Kaspersky spokesperson told Information Security Media Group, “Kaspersky is aware of the report. We don’t have any information about the exploitation of any vulnerabilities in our products during this attack.
"It’s important to note that the attack mentioned in the report appears to be a human-operated one. If attackers somehow managed to gain high privileged access and control over the network, they might have been able to manipulate any installed software just like the real domain administrators.
"Kaspersky products and Kaspersky management console (Kaspersky Security Center) include protection measures against unauthorized usage, such as password protection and two-factor authentication. Kaspersky provides instructions on how to securely configure our solutions.”
Solar JSOC notes the hackers used previously unknown malware in the campaign. The two samples, dubbed Mail-O and Webdav-O, used cloud storage services operated by the Russian internet companies Yandex and Mail.ru Group, according to the report.
"Mail-O is a downloader program that accesses the Mail.ru Cloud associated with the account embedded in the sample. All communication takes place using the Mail.ru Cloud API," the report states. "Webdav-O is another malware that has never been described before. Like Mail-O, it communicates with the management server via the Yandex.Disk cloud.
"The malware then performs pre-defined commands, including uploading and downloading files to Yandex.Disk, communicating with the command-and-control servers intermittently, setting the 'sleep' time for the malware and shutting down its operation," the report adds.
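A defender-side check for the command-and-control pattern described above, in which malware polls a consumer cloud storage service on a fixed sleep timer: this is an added example, not code from the report or from Rostelecom-Solar. The proxy log lines, the client IPs and the two storage hostnames are constructed for the example, and the logic generalizes to any set of watched destinations.

```python
# Added example (not from the Rostelecom-Solar report): flag hosts that poll
# cloud-storage services at a steady interval, the "sleep" timer behaviour the
# report attributes to Mail-O / Webdav-O. All log data below is constructed.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: storage endpoints an ordinary workstation rarely contacts on a timer.
CLOUD_STORAGE_HOSTS = {"cloud.mail.ru", "webdav.yandex.ru"}

# Constructed proxy log format: "<date> <time> <client-ip> <dest-host> <status>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, client_ip, dest_host) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Return {(client, dest): avg_gap_seconds} for near-periodic request series.
    A low coefficient of variation (stdev / mean of the gaps) means the requests
    are timer-driven rather than human browsing."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in CLOUD_STORAGE_HOSTS:
            seen[(rec[1], rec[2])].append(rec[0])
    hits = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg)
    return hits

# Constructed sample: 10.0.0.5 polls every ~10 minutes; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2021-05-10 09:00:00 10.0.0.5 webdav.yandex.ru 207
2021-05-10 09:10:01 10.0.0.5 webdav.yandex.ru 207
2021-05-10 09:19:59 10.0.0.5 webdav.yandex.ru 207
2021-05-10 09:30:00 10.0.0.5 webdav.yandex.ru 207
2021-05-10 09:40:00 10.0.0.5 webdav.yandex.ru 207
2021-05-10 09:01:12 10.0.0.9 cloud.mail.ru 200
2021-05-10 09:03:40 10.0.0.9 cloud.mail.ru 200
2021-05-10 09:31:05 10.0.0.9 cloud.mail.ru 200
2021-05-10 09:32:00 10.0.0.9 cloud.mail.ru 200
2021-05-10 09:55:30 10.0.0.9 cloud.mail.ru 200
""".splitlines()

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"periodic traffic: {src} -> {dst} every ~{gap}s")
```

Only the timer-driven client is reported; the irregular human session to the same class of service is not.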