Russia-linked cyber groups used commercial security tools to target Ukraine, report states
A poster showing six wanted Russian military intelligence officers is displayed as federal officials announce indictments against six Russia intelligence officers in a hacking case in October, 2020. Andrew Harnik/Getty Images
By
Chris Riotta
Infamous cybercriminal organizations like Cozy Bear have been involved in a string of cyberattacks targeting Ukrainian government agencies, according to new research.
Russian-linked threat actors harnessed a commercial security tool to launch cyberattacks on Ukrainian government organizations and a series of phishing attacks designed to infiltrate key systems amid Russia’s invasion of Ukraine, according to new research published today by Trustwave.
The research reveals how cybercriminals, ransomware operators and other threat actors can manipulate legitimate penetration tools to conduct espionage and other destructive attacks on connected systems.
Cybercriminal groups reportedly associated with Russia's Foreign Intelligence Service and Federal Security Service used a commercial penetration tool called Cobalt Strike in at least six cyber and phishing attacks against the Ukrainian government between March and July.
Some of the attacks were designed to make systems inoperable while others were designed “to establish a foothold and exfiltrate data from targeted systems." Researchers noted that Sandworm – a Russian-linked cybercriminal group – targeted a Ukrainian energy company shortly after the invasion was launched.
The groups behind several of the attacks in Ukraine include prominent cybercriminal organizations like Cozy Bear, otherwise known as APT28, and Fancy Bear, or APT29. Both have links to the Russian Foreign Intelligence Service and the main directorate of the general staff for the armed forces of the Russian Federation, respectively. A majority of the attacks featured in the report which used Cobalt Strike were phishing attacks, including one as recently as last month.
“Spear-phishing with malicious attachments or links used to deliver CobaltStrike and GraphSteel backdoors or exploitation of public-facing applications, such as the VPN appliance compromised in the Viasat cyberattack, are some of the most common intrusion methods used," Ziv Mador, vice president of Trustwave SpiderLabs research, said in a statement. "That is unlikely to change in the future.”
The penetration tool used in attacks against Ukrainian government agencies is just one of many legitimate security products designed for cybersecurity researchers and professionals to assess and improve security controls. Once inside, attackers can use the tool to insert a backdoor feature which gives them access to any other connected systems.
The report found that critical infrastructure and private sector organizations remained "highly lucrative targets" for cybercriminals, and recommended a proactive approach to address the challenge of vulnerabilities in penetration tools and beyond.