
David Rivas Huete

Cybersecurity - Intelligence - Privacy

Ransomware groups and Russian APTs

By admin

Feb 25, 2022

The use of these groups during the recent military action against Ukraine is more than a possibility.

With the military operations in Ukraine, cyberspace represents just another playground.

Are the Ransomware groups and APTs at war in Ukraine?

With the ongoing Russian attack on Ukrainian soil, cyberspace is gaining relevance at several levels and layers, as expected in a modern war. From an intelligence perspective, it is worth paying attention to the recent cessation of activity of a few of the most relevant ransomware groups linked to Russia, from pure cybercriminals to infamous APT names.

In military operations, especially in the old days of radio communications, a usual indicator of an imminent attack was increased chatter followed by a sudden silence in radio communications. And finally, when the attack hit the target and the noise, the explosions and the bang bam bum started, the frenetic activity on the air returned.

And here we have a few notorious cyber gangs who apparently ceased their activities in recent months.

On the morning of the 24th of February 2022, a wave of cyber-attacks impacted Ukraine, with massive DDoS attacks and other actions, keeping banks and other services inaccessible according to the Minister of Digital Transformation Mykhailo Fedorov.

A new “wiper” attack, which destroys data on infected machines, was discovered being used against several Ukrainian organisations. The cyberattack required existing access to function, meaning those computer networks were already compromised; translated into cyber security language, persistence had already been obtained.

To add some pepper to this recipe, NetBlocks reported outages following the DDoS attack mentioned above.

This group of incidents represents the third wave of attacks against Ukraine this year, and the most sophisticated and tactical to date. Attacks need time, preparation, resources, and human operators.

Incidents were announced not only in Ukraine; Estonia, Lithuania, and Latvia also reported unusual activity in their networks, with impact at different levels on both companies and governments.

The players

Now let’s pay attention to the bad actors, more specifically the Russian-speaking ransomware organisations.

During the last months, the cybersecurity community witnessed a contagious “voluntary retirement” of a few top Russian-speaking cybercriminal networks.

For those not familiar with the field, let me explain something: in some cases, those groups are directly supported and managed by states (Russia, North Korea, China, Vietnam, and recently Venezuela…); other gangs are only “promoted” by those states; finally, in the best-case scenario, the authorities look the other way as long as the gangs are not hitting targets in their own territory.

The news about Russia’s recent roundup of REvil members is missing some pieces of information: it is not well known what happened to the infrastructure used by the gang, and it remains unreported how many were really arrested and what the ultimate destination of those criminals was. Speaking about Russia, criminality and intelligence, the line is blurred.

At the same time, a new group emerged, known by the names ALPHV, ALPHV-ng, BlackCat and Noberus. This group is actively recruiting members from the former REvil, BlackMatter, and DarkSide gangs, with increased activity since November 202. However, the effects of this increase in resources and operators were minimally detected, so who is behind it, what their tactical goals are, and why their activity remains so quiet are open questions.

The habitual suspects

The list of Russian groups considered APTs (Advanced Persistent Threats) is shorter than the Chinese one, but extremely solid, with a reputation for well-designed malicious code, a good network of collaborators inside and outside Russia, and the complicity, when not the outright management, of the GRU, the Russian military intelligence service dating from Soviet times (when the KGB changed its name to FSB, the military didn’t bother), and the SVR, the Foreign Intelligence Service or Sluzhba Vneshney Razvedki in the local language.

GRU is short for Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation; unlike the other intelligence units, it reports to the Military Chief of Staff and not to President Putin. It manages 25,000 special forces soldiers, the famous Spetsnaz, and conducts as many as twice the operations of all the other Russian intelligence agencies together. The FSB, SVR, and FSO are equivalent to the FBI, CIA, and Secret Service in the USA.

APT28

The APT28 group is attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.

APT28 is also known as Tsar Team, Fancy Bear, and several other names, with experience attacking NATO, European Union security organisations including the OSCE, Eastern European countries, and defence firms. This group works on Russian “office hours” and is well established in Moscow and St. Petersburg, as can be seen whenever it is possible to trace the evidence back, including some IP addresses sitting in warehouses in those cities.

APT29

Another group is APT29, known as Cozy Bear, The Dukes, or NOBELIUM, which is attributed to Russia’s Foreign Intelligence Service (SVR). They have targeted government networks in Europe and NATO member countries, as well as many companies and private organisations.

But there are more

Without being exhaustive, other high-capability groups are:

  • Sandworm, directly attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Centre for Special Technologies (GTsST) military unit 74455.
  • Turla, with an espionage platform mainly used against Windows machines, but which has also been seen used against macOS and Linux machines.
  • Wizard Spider, apparently a purely mercenary, financially motivated group originally known for the creation and deployment of TrickBot.

Conclusion

Military operations and strategic decisions are not taken without careful analysis, consultation and testing, nor is an intelligence operation conducted without following the Intelligence Cycle (Direction, Gathering, Processing and Distribution in the simple model); both require time. Putin did not take this critical decision without meticulous analysis, as a former KGB colonel was trained to do, and he has proven diligent about it.

Surely cyberspace was considered as a tool in many ways; the question that makes one feel uncomfortable is how deeply this cyber-war will be used, for how long, and what the repercussions for business and public services will be.

Russia has been building underground capabilities because they are aware of the importance of cyberspace in modern war, working and planning for years; now we are going to witness the ultimate result of their efforts.

Was the unexpected “radio silence”, the massive retirement of cyber criminals during the last months, purely a colossal retirement of villains, or, as I presume, a top-level order following a cyber-war strategy? “Gentlemen, we need you back for the attack, the time is here”.

Very soon we will see the answer to this question and a few others; in the meantime, read the logs of your SIEM with attention, don’t trust Matryoshkas, and remember: the enemy could be everywhere already, waiting to deploy the final attack.

David Rivas