Security researchers see updated tactics and tools—and a tempo change—in the cyberattacks Russia’s GRU military intelligence agency is inflicting on Ukraine.

Since Russia launched its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.

At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.

That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It's allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.

"Strategically, the GRU needs to balance disruptive events and espionage," Roncone told WIRED ahead of her and Wolfram's CyberwarCon talk. "They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they've started 'living on the edge' of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying."

In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU's focus on hacking edge devices enabled its new tempo and tactics.

In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization's firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network's machines—and then maintained access through the firewall that allowed them to launch _another_ wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization's routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.

Separately, Microsoft’s Threat Intelligence Center, known as MSTIC, revealed today yet another example of the GRU launching repeated cyberattacks on the same Ukrainian targets. According to MSTIC, the hacker group it calls Iridium, more widely known as the GRU hacking unit Sandworm, was responsible for Prestige ransomware attacks that hit transportation and logistics targets in Ukraine and Poland from March to October of this year. MSTIC notes that many of the victims of that ransomware had earlier been hit with the wiper tool HermeticWiper just before Russia’s February invasion—another piece of data-destroying malware linked to the GRU.

The GRU, Roncone and Wolfram point out, have certainly targeted "edge" devices before this new phase of the agency cyberwar in Ukraine. In 2018, the agency's hackers infected more than half a million routers worldwide with malware known as VPNFilter, and they similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia's Ukraine invasion in February.

But the Mandiant analysts argue that only now are they seeing that hacking of edge devices used to accelerate the agency's pace of operations and to achieve persistence inside networks that lets the GRU pull off repeated intrusions against the same victims. That's meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they're spying on, the agency has been able to "have their cake and eat it too," as Roncone puts it.

Ukraine's own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official. He confirms that the GRU, in particular, has come to favor targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organization in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.

Instead, Zhora contends that the GRU's switch to a faster operating rhythm shows how the agency's hackers are racing—struggling, even—to keep up with the speed of physical war.

“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources," says Zhora. "They still try to carry out their expected role, to be Russia's most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they're still seeking new opportunities for intelligence and wiping options."

At times, Roncone and Wolfram say, GRU hackers do seem to be struggling to keep up with the new pace they've set. In one case, they saw the hackers backdoor an email server but set up their command-and-control server incorrectly, so that they failed to control it. In another case, they sent the wrong commands to a wiper tool, so that it failed to wipe the systems it had infected. "It's just the tempo and probably a bit of human error and burnout that leads to these sort of 'oopsies,'" says Roncone.

Another shift in the GRU's hacking to "quick and dirty" methods can be seen in the specific wiper malware that it uses, according to Roncone and Wolfram. Since May, Mandiant has observed GRU hackers deploying the relatively simple, targeted wiper malware known as CaddyWiper in nine different operations targeting Ukrainian organizations—five attacks in May and June, then another four last month.

The decision to make that small, straightforward wiper code its sabotage payload of choice represents a stark contrast with years past. In 2017 and 2018, the GRU group Sandworm unleashed complex destructive worms inside of target networks that took months to hone and deploy: automated, self-replicating, multi-featured code such as the Olympic Destroyer malware designed to cripple the Pyeongchang Winter Olympics and the NotPetya malware that hit Ukrainian networks and spread worldwide, causing an unprecedented $10 billion in damage.

In the early days of Russia's invasion, for reasons that aren't quite clear, Kremlin hackers targeting Ukraine appear to have used a grab bag of at least half a dozen wiping tools of varying quality inside of victim networks, such as HermeticWiper, WhisperGate, and AcidRain. But in more recent months, the GRU appears to have deployed mainly CaddyWiper, again and again, Mandiant found, though in modified forms, changed just enough to evade detection. (Ukraine's SSSCIP, for its part, declined to confirm whether it has seen the same nine CaddyWiper attacks Mandiant had tracked.

"It's like they've said, ‘We're not gonna build out a fancy multifaceted wiper like NotPetya that can worm on its own. What we need is just something that's really lightweight and easily modifiable and easily deployable,'" says Roncone. "So they're using this not-that-great, does-the-job wiper, which seems like part of shifting their entire tactical strategy to accommodate these fast-paced operations." And while those quick-and-dirty methods may not be as flashy or as innovative as the GRU cyberattacks of the past, they can nonetheless inflict serious digital chaos in a country that needs every resource it has to fend off Russia's invaders.

_Update 12:10 pm EST 11-10-22: Added MSTIC's attribution of the Prestige ransomware attacks on Ukraine and Poland to the GRU's Sandworm group._

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless

Technology consolidates Windows and Linux software risk together in one UI, helping teams manage vulnerabilities and comply with new regulatory standards.

**BE’ER SHEVA, Israel, (November 9, 2022) —** Rezilion, an automated software security platform, announced today the expansion of its Dynamic Software Bill of Materials (SBOM) capability to support Windows environments. Through this expansion, Rezilion will provide organizations with a first-of-its-kind toolset to efficiently manage software vulnerabilities and meet new regulatory standards, for the 56% of software today that’s built for Windows OS.

“We are seeing a widespread interest in adopting SBOMs as many organizations realize that their future security, risk, and compliance posture relies heavily on the need to see into their software supply chain,” said Liran Tancman, CEO, Rezilion. “A Dynamic SBOM that supports Windows environments widens the scope of possibility and gives the ability to a massive number of new customers to meet regulatory standards and detect and manage their software vulnerabilities strategically.”

While many tools exist for organizations to manage vulnerabilities in their software, the vast majority of these were initially built for use with Linux OS, resulting in gaps in functionality when they’re used for Windows. A dearth of “Windows-first” tooling also affects organizations’ preparedness to comply with new regulations such as the President’s Executive Order (EO) 14028, which will require teams to provide regulators with a thorough inventory of their software environments and related vulnerabilities.The market has been alarmingly slow to respond to this increasingly urgent need for better solutions. As evidence of this, Microsoft itself released its first, basic, open source “Windows-first” SBOM generation tool as recently as July of this year.

As a result of these gaps, for organizations with large, legacy Windows environments (including critical infrastructures), a new threat on the scale of the “Y2K” scare of the late 1990’s is emerging. Be it attackers or regulators, these organizations must modernize their security standards, or suffer consequences of looming risks ahead.

First released in May, Rezilion’s Dynamic SBOM can be deployed in all software environments – both Windows and Linux simultaneously – and provides a real-time versus static inventory of all software components in a single graphical UI. Rezilion’s solution also integrates dynamic runtime analysis to not only detect software vulnerabilities, but validate their actual exploitability, helping teams to clear away “false-positive” scan results and avoid wasteful patching work that shifts resources away from build activity.

Other key features and capabilities include:

*   **Dynamic Identification** – Instantly search and pinpoint vulnerable components such as Log4J across millions of files and on thousands of hosts, containers, and applications.
*   **Holistic Insight & Control** – View Windows and Linux risk side by side in one UI, to get a complete picture of your attack surface, manage risk efficiently and comply with auditors
*   **Tackle Legacy Vulnerability Backlogs Efficiently** – Aggregate detected vulnerabilities, filter out false-positives and prioritize what matters to address risks quickly and meet modern remediation SLAs as defined by CISA with a fraction of the effort

Learn more about Rezilion’s Dynamic SBOM at https://www.rezilion.com/platform/dynamic-sbom/.

Book a demo today to learn more about Rezilion’s Windows software security solutions a https://www.rezilion.com/lp/windows-security-demo/.

**About Rezilion**

Rezilion’s platform automatically secures the software you deliver to customers. Rezilion’s continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours while giving DevOps teams time to build.

Rezilion Expands Dynamic SBOM Capability to Support Windows Environments

Cyberattackers like IPFS because it is resilient to content blocking and takedown efforts.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said.

"Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them," Talos said in a report summarizing the threat.

**Growing Threat**

This marks at least the second time in recent months that researchers have sounded the alarm on IPFS becoming a hotbed of cybercrime activity.

In July, Trustwave's SpiderLabs noted how its researchers had identified more than 3,000 emails with phishing URLs hosted in the IPFS in a three-month period. Phishing pages that it observed on the IPFS included those that spoofed Microsoft Outlook login pages, Google domains and cloud storage services such as Filebase.io and nftstorage.link. "Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS," Trustwave said. The growing use of IPFS by many file storage, Web hosting, and cloud service companies means that attackers have a lot more flexibility in creating new phishing URLs that cannot be easily blocked, the security vendor said.

IPFS is a peer-to-peer file sharing system that Protocol Labs launched in 2015. The network is designed to allow decentralized storage of content. Content stored in the IPFS is mirrored across multiple nodes, or systems that participate in the network. Individuals and others can use IPFS to store different types of data including webpages, files, NFTs, and documents.

Resources stored on the IPFS are assigned unique identifiers. Users can employ the identifier to access the content via IPFS clients or gateways, which are like gateways for accessing content on the Tor network. Because content is mirrored on IPFS, it is always available even if one node goes down.

This has made the IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Because content on the IPFS does not have a static IP address, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing phishing pages and malware does little to neutralize a threat because the content is mirrored across multiple nodes. There is also no central authority on the IPFS that law enforcement or security vendors can contact to take down a phishing or malware distributing site.

In an example of how attackers are abusing IPFS, Talos pointed to a phishing campaign in which victims receive an email with an attached PDF that purports to be associated with the DocuSign document signing service. When a user clicks on the "Review Document" link, they are directed to a webpage that appears to be a legitimate Microsoft authentication page but is really a credential-harvesting page hosted on the IPFS network.

In situations where an IPFS gateway might recognize the resource being requested as malicious and block access, attacker simply change the IPFS gateway that is used to retrieve the content, Talos said.

**Phishing Not the Only Threat**

Phishing pages are not the only threat. A growing number of attackers are also leveraging the peer-to-peer network to distribute malicious payloads.

In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim's system.

Talos researchers also found a destructive, disk-wiping malware tool and a full-featured information-stealer called Hannabi Grabber hosted in IPFS nodes.

"Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users," Talos said in the report. "As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well."

The researchers expect the trend to gain momentum as more threat actors realize the IPFS is resilient to content moderation and takedown efforts.

"Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments," the vendor said.

InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

Microsoft SharePoint Server Spoofing Vulnerability

CVE-2022-41122

Microsoft SharePoint Server Spoofing Vulnerability.

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2022-41104

Microsoft Excel Security Feature Bypass Vulnerability.

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2022-41123

CVE-2022-41080

Microsoft Exchange Server Spoofing Vulnerability. This CVE ID is unique from CVE-2022-41079.

Tag

#microsoft