Russian hacker groups are changing tactics: here’s what to watch out for


Spear phishing appears to be the new weapon of choice for state-backed Russian threat groups, along with a proliferation of malware tools.

Security researchers have noted a number of Russian hacking groups changing their tactics, techniques and procedures over the past year as they expanded their infrastructure and widened their search for targets.

Threat intelligence platform Flashpoint has observed that Russian groups are moving away from deploying wiper malware, which is designed to corrupt or completely delete data on a target system. Wipers were popular among Russian hacking groups at the start of the war in Ukraine in 2022, but the Ukrainian Computer Emergency Response Team (CERT) saw things starting to change in late 2023.

Since then, Ukraine’s CERT has responded to more than 1,700 phishing attacks, mostly designed to spread malware and steal credentials to cause further damage.

Even extortion is now in play for Russian cyber warriors.

However, despite using different types of malware in their attacks, the Russian threat actors’ attack chains were similar across many of the groups tracked.

“The most common method of infecting victims is to deliver HTML-based droppers that are often packaged in compressed archives or disk image files,” Flashpoint said in a blog post.

“State-sponsored groups, like APT29, persistently leverage HTML attachments in phishing emails that run the ROOTSAW JavaScript-based dropper. When the HTML file is executed, the victim is presented with a honeypot while the malicious code is executed. The purpose of this is to recover and execute a second stage payload.”

Other actors also use HTML attachments; APT29, aka Cozy Bear, delivers the WINELOADER backdoor via an .HTA file, and several other Russian threat actors appear to be doing the same.
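The delivery chain described above (an HTML or HTA dropper, often wrapped in a compressed archive or disk image, that decodes and drops a second stage in the browser) is something a mail gateway or SOC can screen for. The following triage script is an added example and is not code from Flashpoint or from this article; it parses an .eml file, walks its attachments, looks one level into ZIP archives, and scores any HTML/HTA content with simple heuristics (a large base64 blob inside a script tag, `atob()` decoding, Blob/download APIs). The extension lists, the heuristics and the sample message are assumptions constructed for the example; disk images (.iso, .img, .vhd) are only flagged as containers because they need a proper image parser.

```python
import base64
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions associated with HTML-based droppers and HTA delivery (assumed list).
DROPPER_EXTS = {".html", ".htm", ".hta"}
# Container formats to treat as suspicious carriers (assumed list).
CONTAINER_EXTS = {".zip", ".iso", ".img", ".vhd", ".vhdx", ".7z", ".rar"}
# A long run of base64 characters inside <script> is a common hallmark of an
# HTML dropper that decodes its second stage in the browser (heuristic).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
SCRIPT_TAG = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def ext_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def score_html(data: bytes) -> list:
    """Return the reasons an HTML/HTA body looks like a dropper (empty if none)."""
    text = data.decode("utf-8", errors="ignore")
    scripts = SCRIPT_TAG.findall(text)
    if not scripts:
        return []
    joined = " ".join(scripts)
    reasons = []
    if B64_BLOB.search(joined):
        reasons.append("large base64 blob inside <script>")
    if re.search(r"\batob\s*\(", joined):
        reasons.append("atob() decoding in script")
    if re.search(r"new\s+Blob\s*\(|createObjectURL|\.download\s*=", joined):
        reasons.append("Blob/download API used to drop a file")
    return reasons


def inspect_attachment(name: str, data: bytes) -> list:
    """Findings for one attachment as (name, category, reasons) tuples."""
    findings = []
    ext = ext_of(name)
    if ext in DROPPER_EXTS:
        findings.append((name, "html/hta attachment", score_html(data)))
    elif ext in CONTAINER_EXTS:
        findings.append((name, "container attachment", []))
        if ext == ".zip":  # only ZIP is opened; other containers are flagged as-is
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if ext_of(info.filename) in DROPPER_EXTS:
                            inner = f"{name}:{info.filename}"
                            findings.append((inner, "html/hta inside archive",
                                             score_html(zf.read(info))))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip", []))
    return findings


def inspect_eml(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and inspect every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(inspect_attachment(part.get_filename(),
                                           part.get_payload(decode=True)))
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample message: a ZIP carrying a dropper-style HTML file."""
    fake_stage = base64.b64encode(b"A" * 600).decode()  # placeholder, not a payload
    dropper_html = ("<html><body>Loading document...<script>"
                    "var b = atob('" + fake_stage + "');"
                    "var blob = new Blob([b]); var a = document.createElement('a');"
                    "a.download = 'document.iso';</script></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", dropper_html)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("plain text report", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_eml(build_sample_eml()):
        print(finding)
```

Run against the constructed message, the script reports the ZIP as a container and the `invoice.html` inside it with all three dropper heuristics, while the plain-text attachment produces no finding. The heuristics are deliberately coarse; in practice they would feed a scoring or sandboxing step rather than block mail on their own.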

However, while APT29 continues to prefer a range of custom payloads, others are turning to off-the-shelf solutions purchased from “illicit markets.”

“These tools are used by other cybercrime actors. Throughout 2023, the most popular malware exploited by Russian threat actors became freely available for purchase,” Flashpoint said.

“Even advanced espionage actors like APT44 have run campaigns leveraging Sandworm malware since early 2023.”

Beyond custom or turnkey malware solutions, Russian hackers have also been using compromised websites to hide their attack infrastructure, particularly WordPress sites. Earlier this year, the US Department of Justice took down an entire botnet of machines used by APT28, also known as Fancy Bear.

APT28 has also been seen using NTLMv2 hash relay attacks to deliver a PowerShell or VBS script to its targets.

At the same time, Russian threat actors have expanded their horizons in terms of targeting. Attacks now target victims far from Ukraine’s borders, and even outside the European Union: North American entities are targets and are now a particular specialty of Storm-097. Poland and other NATO countries are also popular.

“As the war between Ukraine and Russia continues, Russian APT groups are continually adapting their TTPs and malware,” Flashpoint said.

“Many groups share delivery techniques, indicating possible collaboration between members. Furthermore, the use of paid tools instead of custom payloads suggests that many of these illegal campaigns have proven to be successful.”
