Five Eyes Warns of Russian Hacks on Critical Infrastructure
Government Hackers and Cybercriminals Are Teaming Up to Launch Attacks on the West
Russian government hackers and cybercrime groups are teaming up to launch cyberattacks against the West in retaliation for its support of Ukraine, intelligence officials warn.
Some cybercrime groups have pledged to support the Russian government and threatened to conduct cyber operations against countries providing material support to Ukraine, authorities in the United States, Australia, Canada, New Zealand and the United Kingdom warn. Meanwhile, other groups have conducted disruptive attacks against Ukrainian websites in support of the Russian military offensive.
"Russia's invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activities," members of the Five Eyes intelligence alliance write in a joint cybersecurity advisory. "This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as material support provided by the United States and U.S. allies and partners."
On the government side, Russian state-sponsored cyber operators have recently launched distributed denial-of-service attacks and previously deployed destructive malware against Ukrainian government and critical infrastructure organizations. They are able to compromise IT networks; maintain long-term, persistent access; exfiltrate sensitive data; and disrupt critical industrial control systems functions (see: US, NATO Discuss Ukrainian Cyber Aid Amid Tensions).
"There is unprecedented information sharing occurring because of the clear and present danger posed not only by Russian intelligence services but also by the cybercrime cartels who are acting in patriotic fashion," VMware Head of Cybersecurity Strategy Tom Kellermann tells Information Security Media Group. "I think there's an imminent threat of destructive attacks."
Russia Goes on Offense
Five Eyes alleges that the following government and military organizations have conducted malicious cyber operations against IT and/or OT networks: the Russian Federal Security Service, or FSB; the Russian Foreign Intelligence Service, or SVR; the Russian General Staff Main Intelligence Directorate, or GRU; and the Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics, or TsNIIKhM.
The FSB has targeted the energy sector and has tasked criminal hackers - who separately run ransomware and phishing campaigns - with espionage-focused cyber activity. FSB officers were indicted last year for gaining remote access to energy sector networks, including at a U.S. nuclear power plant, and for deploying malware and collecting and exfiltrating data, according to intelligence officials.
The SVR has targeted multiple critical infrastructure organizations, and in 2020 it was responsible for the SolarWinds Orion supply chain compromise. The GRU primarily targets government organizations, travel and hospitality entities, research institutions and nongovernmental organizations, and it leveraged a Kubernetes cluster to conduct brute force attacks against hundreds of targets worldwide, Five Eyes says.
The GRU's Main Center of Special Technologies has a long history of conducting operations against NATO member states and Western government and military organizations, and it was behind the 2017 NotPetya disruptive malware attack on Ukrainian financial, energy and government organizations. And last year, a TsNIIKhM employee conducted computer intrusions against U.S. energy sector organizations.
Beyond the formally attributed organizations, the advisory names two Russian-aligned advanced persistent threat groups that officials have not formally attributed to the Russian government: Primitive Bear has targeted Ukrainian government, military and law enforcement entities since 2013, while Venomous Bear has hit NATO-aligned governments, defense contractors and other organizations of intelligence value.
"Eight different wipers have been deployed against the world since Jan. 13, and the only reason that they were not truly successful in a systemic fashion was because of this unprecedented information sharing that has occurred," VMware's Kellermann says. "I applaud the declassification and the unprecedented information sharing."
Partners in Cybercrime
Meanwhile, Russian-aligned cybercrime groups threaten critical infrastructure organizations by conducting DDoS attacks against websites and by deploying ransomware that encrypts data to cut off victims' access to it. Cybercrime groups have recently carried out DDoS attacks against Ukrainian defense organizations, and one group claimed credit for a DDoS attack against a U.S. airport.
"Although some cybercrime groups may conduct cyber operations in support of the Russian government, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess that cyber criminals will most likely continue to operate primarily based on financial motivation, which may include targeting government and critical infrastructure organizations," Five Eyes writes.
Intelligence officials say eight Russian-aligned cybercrime groups pose a threat to critical infrastructure: The CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and the XakNet Team. The CoomingProject launched its data leak site in August 2021 and said it would support the Russian government in response to perceived cyberattacks against Russia.
Killnet claimed credit for carrying out a DDoS attack against an American airport in March in response to U.S. material support for Ukraine, and Mummy Spider is behind the Emotet botnet that has targeted industries worldwide. Salty Spider, meanwhile, in February conducted DDoS attacks against Ukrainian web forums used to discuss events relating to Russia's military offensive against the city of Kharkiv.
Scully Spider develops and operates the DanaBot botnet, which was allegedly used in March for DDoS attacks against multiple Ukrainian government organizations. Smokey Spider developed Smoke Loader, which was observed in March distributing DanaBot payloads that were subsequently used in DDoS attacks against Ukrainian targets.
Wizard Spider developed TrickBot malware and Conti ransomware and pledged support to the Russian government, threatening critical infrastructure organizations of countries perceived to carry out cyberattacks or war against the Russian government. And the XakNet Team leaked email contacts of a Ukrainian government official, which was accompanied by a political statement criticizing Ukraine.
"(Russian President Vladimir) Putin is unleashing the hounds essentially," VMware's Kellermann tells ISMG. "He's calling upon the greater cybercrime community that has remained untouchable from Western law enforcement because of the protection racket that they've had with the regime."
Is the West Really in Danger?
Five Eyes urges critical infrastructure organizations to prepare for and mitigate cyberthreats by immediately updating their software, enforcing multifactor authentication, securing and monitoring RDP and other potentially risky services and providing end-user awareness and training. Officials say network segmentation should be implemented to separate segments based on role and functionality.
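As an added example that is not part of the Five Eyes advisory or this article, the following Python script shows one way to act on the "secure and monitor RDP" recommendation: it parses constructed Windows Security log records (Event IDs 4624 and 4625, with logon type 10 marking Remote Desktop sessions) and flags source addresses that rack up repeated failed RDP logons inside a sliding time window, noting when a successful logon follows the burst. The pipe-delimited export format, the addresses and the account names are hypothetical; the event IDs and logon type are the standard Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10     # Windows logon type 10: RemoteInteractive (Remote Desktop)
FAILED_LOGON = 4625     # Security event 4625: an account failed to log on
SUCCESS_LOGON = 4624    # Security event 4624: an account was successfully logged on

# Constructed sample records in a hypothetical "ts|event_id|logon_type|src_ip|user"
# export format. Not real log data: one external host guesses several accounts
# over RDP and eventually succeeds; one internal user mistypes a password once.
SAMPLE_LOG = """\
2022-04-20T03:00:01|4625|10|203.0.113.7|Administrator
2022-04-20T03:00:04|4625|10|203.0.113.7|Administrator
2022-04-20T03:00:09|4625|10|203.0.113.7|admin
2022-04-20T03:00:12|4625|3|203.0.113.7|admin
2022-04-20T03:00:15|4625|10|203.0.113.7|svc_backup
2022-04-20T03:00:21|4625|10|203.0.113.7|svc_backup
2022-04-20T03:00:30|4625|10|203.0.113.7|svc_backup
2022-04-20T03:01:02|4624|10|203.0.113.7|svc_backup
2022-04-20T03:05:00|4625|10|10.0.0.5|jsmith
2022-04-20T03:05:20|4624|10|10.0.0.5|jsmith
"""


def parse_line(line):
    """Parse one constructed record into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, event_id, logon_type, src_ip, user = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src_ip": src_ip,
        "user": user,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for sources with at least `threshold` failed RDP
    logons inside a sliding `window`. A finding records the accounts tried and
    whether a successful RDP logon followed the burst, which is the strongest
    sign that one of the guesses landed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in window
    users = defaultdict(set)      # src_ip -> account names attempted over RDP
    findings = {}

    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue              # network/service logons are out of scope here
        ip = e["src_ip"]
        q = recent[ip]
        while q and e["ts"] - q[0] > window:
            q.popleft()           # expire failures that fell out of the window

        if e["event_id"] == FAILED_LOGON:
            q.append(e["ts"])
            users[ip].add(e["user"])
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {
                    "first_flagged": e["ts"],
                    "users": users[ip],
                    "failures_in_window": len(q),
                    "success_after_failures": False,
                    "compromised_user": None,
                }
            elif ip in findings:
                findings[ip]["failures_in_window"] = len(q)
        elif e["event_id"] == SUCCESS_LOGON and ip in findings:
            findings[ip]["success_after_failures"] = True
            findings[ip]["compromised_user"] = e["user"]

    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, sorted(f["users"]), "success after failures:",
              f["success_after_failures"], f["compromised_user"])
```

Against the constructed sample the external host is flagged after its fifth RDP failure, the logon-type-3 failure is ignored, and the later 4624 from the same address marks `svc_backup` as the account to disable and investigate; the single internal failure never crosses the threshold. In production the same logic would run against a SIEM export rather than the inline string, and the threshold and window would be tuned to the environment's normal failure rate.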
Kellermann urges organizations to immediately expand their threat hunting and integrate their network detection and response and endpoint detection and response capabilities to have true situational awareness. Businesses should ensure they have immutable backups and pursue better application control to ensure that behavioral anomalies do not manifest in critical applications or environments.
"We need to call to arms all CEOs and all business leaders to immediately challenge their IT organization to do the things that I've specified here," Kellermann says.
Threats of Russia launching a global cyberwar are overblown, says Cyjax CISO Ian Thornton-Trump, who says Russian cyber activity 50 days into the war has been focused on Ukraine. Any efforts to launch destructive attacks against the West have been thwarted, either by U.S. government action in the case of WatchGuard or by big tech firms such as Microsoft in the case of wiper malware, Thornton-Trump says.
"While 'Russian Global Cyber War' reminders may be a good tactic to increase overall awareness of the threat of cyberattacks in general, the risk remains the same as it was prior to the invasion of Ukraine," Thornton-Trump tells ISMG. "There have been no indications over the past 50 days of any 'Russian Global Cyber War.'"
Kellermann pushes back on Thornton-Trump's thesis, saying destructive global cyberattacks have been avoided only because of unprecedented information sharing by intelligence officials and because the FBI and NSA have disrupted active campaigns. Offensive operations by the Ukrainian IT Army, Anonymous and the Baltic states have forced Russia to play a little defense, but Russia's desire to wreak havoc remains undeterred, he says.
"The mandate for cybercriminals to step up and be patriotic has been received," Kellermann says. "That is very clear now."