Russian hackers and APT groups have been ramping up their cyberattacks, utilizing easily accessible malware and expanding their targets beyond just governments. Insightful findings from Flashpoint researchers shed light on these evolving tactics and offer guidance on safeguarding organizations from these malicious activities.
Recent reports have brought to light the collaboration of state-sponsored groups in Iran for large-scale attacks, mirroring similar activities in Russia. As the conflict between Ukraine and Russia persists, Russian Advanced Persistent Threat (APT) groups are adjusting their Tactics, Techniques, and Procedures (TTPs) and malware. Many of these groups are now sharing delivery techniques and opting for paid tools over custom payloads, as unveiled in the latest report by Flashpoint.
The researchers have observed a heightened sophistication in the TTPs of these groups in recent spear-phishing campaigns, with a noticeable preference for readily available malware sourced from illicit online marketplaces. This shift towards using off-the-shelf malicious tools makes it more challenging to detect and mitigate their attacks effectively.
While historically targeting governmental and political entities, these APT groups are broadening their scope to include a wider array of victims. The motivations driving these attacks range from espionage and intelligence gathering to financial incentives. Flashpoint analysts delved into the activities of various Russian APT groups in 2024, including APT28, APT29, Gamaredon, Gossamer Bear, UAC-0050, and UAC-0149, showcasing the diverse tactics employed by each group.
APT28, for instance, impersonates government organizations across different countries, leveraging free hosting providers to host backdoors targeting Windows systems. On the other hand, APT29 utilizes droppers and downloaders like BURNTBATTER, DONUT, and Wineloader. Gamaredon, heavily active in the Russia-Ukraine conflict, utilizes malicious documents and malware, while Gossamer Bear focuses on targeting Ukraine and NATO countries. UAC-0050 and UAC-0149 have their specific targets within the governmental and political landscapes of Ukraine and Poland, respectively.
The researchers also dissected the kill chain employed by Russian APT groups, highlighting their reliance on HTML-based droppers such as ROOTSAW and WINELOADER to execute malicious code. Additionally, these groups deploy infostealers, commodity malware, and compromised websites for command and control purposes. The theft of NTLM hashes is a prevalent technique utilized by these threat actors.
In their report, Flashpoint underscored the evolving TTPs of Russian APTs through accounts of notorious campaigns. For instance, APT29 utilized a striking six unique loaders in spear-phishing attempts in 2023, with malware families like Agent Tesla, Remcos, Smokeloader, Snake Keylogger, and Guloader being commonly employed in these campaigns.
To enhance organizational defenses against such threats, it is recommended to inspect abnormal child processes of HTML and .HTA files, monitor downloads at web proxies, implement DLL side-loading detections, and scrutinize network logs for mock API services.
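The first recommendation above, abnormal child processes of HTML and .HTA files, can be turned into a simple detection rule over process-creation telemetry. The script below is an added example and is not from the Flashpoint report or the article; the event format (Sysmon Event ID 1 style JSON lines with `ParentImage`, `Image`, `CommandLine` and `Computer` fields), the sample events and the process lists are all constructed for illustration. The rule flags any case where an HTA host (mshta.exe) or a browser spawns a shell or script interpreter, which is rarely legitimate and is the behaviour an HTML-based dropper produces.

```python
"""Flag abnormal child processes of HTML/HTA handlers in process-creation telemetry.

Added example with constructed data: the event layout mirrors Sysmon Event ID 1
exported as JSON lines, but the field names, hosts and paths are assumptions.
"""
import json
from typing import Dict, Iterable, List

# Processes that render HTML or HTA content. mshta.exe is the Windows HTA host;
# browsers are included because HTML-based droppers are opened there.
HTML_HANDLERS = {"mshta.exe", "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Interpreters and LOLBins that an HTML/HTA renderer has no normal reason to launch.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
}


def basename(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> str:
    """Return a reason string if the event is an abnormal child of an HTML/HTA handler, else ''."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in HTML_HANDLERS and child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}"
    return ""


def scan_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON-lines telemetry and return one alert record per matching event."""
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than stop the pipeline
        reason = classify(event)
        if reason:
            alerts.append({
                "host": event.get("Computer", "?"),
                "parent": basename(event.get("ParentImage", "")),
                "child": basename(event.get("Image", "")),
                "cmdline": event.get("CommandLine", ""),
                "reason": reason,
            })
    return alerts


# Constructed sample events (not real telemetry). Two should alert, two should not.
SAMPLE_EVENTS = [
    r'{"Computer": "ws01", "ParentImage": "C:\\Windows\\System32\\mshta.exe", '
    r'"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "powershell.exe -File C:\\Users\\Public\\update.ps1"}',
    r'{"Computer": "ws02", "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe intranet.hta"}',
    r'{"Computer": "ws03", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start invoice.hta"}',
    r'{"Computer": "ws04", "ParentImage": "C:\\Windows\\System32\\mshta.exe", '
    r'"Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe"}',
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['reason']}: {alert['cmdline']}")
```

The explorer.exe → mshta.exe event is deliberately not flagged: launching an HTA from the desktop is ordinary, and the signal is what the HTA host does next. In a real deployment the lists are tuned per environment (some organizations ship legitimate HTAs that call PowerShell), and the same parent/child logic maps directly onto a SIEM or EDR query over the equivalent fields.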
The dynamic landscape of cyber threats posed by Russian hackers and APT groups underscores the critical importance of proactive cybersecurity measures and continual vigilance. Organizations must stay abreast of the evolving tactics and tools used by these threat actors and fortify their defenses accordingly to mitigate the risks associated with cyberattacks.