5 December 2022 | by Xavier Bellekens
Before the war in Ukraine broke out many security experts across the world predicted it would be the first conflict where cyberattacks would play an equal role to physical assaults.
Ten months on, and it looks like these predictions were correct.
Since the invasion, Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target.
From Medibank to the Los Angeles Unified School District, to GSE Energy, over the last year adversaries from Russia have upped the cyber-ante launching a tsunami of devastating attacks across the world.
Our colleagues within the cybersecurity community have been actively analysing Russian threat actors. These investigations have been aimed at learning more about how Russian gangs are affiliated with the Putin government, and also at understanding how threat operators are linked and their modus operandi.
So, we at Lupovis, wanted to get in on the action and showcase how our cyber deception platform can help governments and cybersecurity defenders learn more about Russian adversaries.
Our intelligence focused on deploying decoys on the internet, which were used to lure Russian threat actors so we could analyse their tactics, techniques and procedures (TTPs).
The findings from our study were shocking. The most concerning revealed that Russian criminals have hijacked the networks UK, US, French, Brazilian and South African businesses, including a Fortune 500 outfit, and over 15 healthcare organisations to launch attacks on Ukraine.
So, here is our tell all… and don’t miss the ending, as that’s where we reveal our findings…
Decoys are cybersecurity solutions that engage attackers through a sequence of collaborative lures.
The information generated by the decoys is then used in two ways, the first being to lure adversaries on the deceptive assets, rather than real, critical infrastructure, and in turn protecting crown jewels and ensuring business continuity.
The second one, is to collect threat intelligence on the adversaries, including TTPs, the CVEs attempted, to help generate context.
Hooking in the hackers
In order to obtain data on Russian threat actors, we built five decoys and made them look attractive to Russian adversaries by giving them enticing names related to Ukrainian government officials and Ukrainian Critical National Infrastructure (CNI). The main goal of the operation was to gain usable threat intelligence on adversaries targeting Ukraine.
The decoys included:
Leaking the bait:
Initially, our honey files service was used to create documents containing key pieces of information that could be used by adversaries to progress onto the decoys. This information allowed for correlation between opening a document and adversaries interacting with a decoy. Our team then leaked information and documents on telegram channels, hacking forums and then on ‘pastebin’. Using similar but different information, allowed us to determine where the attackers gained their information and how effective each of these locations were for luring Russian adversaries.
The decoys attracted three different types of adversaries, each who were motivated differently:
Of these three different adversaries, we instantly dismissed the opportunistic adversaries as they are mainly composed of bots and scanners and present little to no value for threat intelligence.
However, third-party and bait adversaries were mainly composed of human attackers. When an adversary was identified as using one of the breadcrumbs leaked, we automatically tagged them with an ‘Indicator of Intelligence’.
Our Indicator of Intelligence allows us to differentiate between bots (noise) and humans. This also allows us to differentiate ‘script kiddies’ and the more interesting, motivated adversaries.
So, what did we discover?
Our study highlights the inner workings on Russian cybercriminals and just how embedded they are within organisations’ networks across the world.
Security defenders, organisations and governments can use this intelligence to understand Russian threat actors and the techniques they are deploying to target victims, and to compromise organisations to carry out their dirty work.
Decoys are an effective way to detect and protect against cyber adversaries.
Through deceptive-based cyber tools and decoys, we can lure threat actors towards enticing targets and trick them into thinking they are reaching something of value. Through this reconnaissance, we can also understand how threat actors operate and how they share information across their peers.
All, while ultimately turning the hunters into the hunted.