Full Report
For the latest discoveries in cyber research for the week of 9th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Romania’s Constitutional Court annulled the first round of its presidential election after declassified intelligence revealed Russian interference favoring right wing candidate Călin Georgescu. The interference involved a sophisticated social media campaign on […] The post 9th December – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Week of December 9th Cyber Attacks & Vulnerabilities Summary
## Executive Summary
This summary covers the significant security incidents reported during the week of December 9th, dominated by ransomware activity against organizations including RECOPE and ENGlobal, and by Russian interference in Romania's presidential election. Concurrently, a Windows zero-day and critical vulnerabilities in Progress WhatsUp Gold and Veeam products were disclosed, demanding immediate patching by system administrators.
## Incident Details
- Discovery Date: November (RECOPE, ENGlobal); Ongoing (Various Espionage/Interference campaigns)
- Incident Date: Various (August, November, ongoing election interference)
- Affected Organization: Constitutional Court of Romania, Deloitte UK (disputed), RECOPE, ENGlobal Corporation, BT Group Conferencing, Gazprombank, Stoli Group USA
- Sector: Government/Electoral, Professional Services, Energy/Fuel Supply, Telecommunications, Finance, Spirits/Beverages
- Geography: Romania, UK, Costa Rica, USA, Russia, Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing (Romanian election interference); August (Stoli Group USA); November (RECOPE, ENGlobal)
- **Vector:** Social media manipulation (Romania); ransomware (RECOPE, ENGlobal, BT Group, Stoli Group USA); DDoS (Gazprombank, attributed to Ukraine's HUR).
- **Details:** Russian interference used TikTok campaigns to favor a political candidate in Romania. RECOPE and ENGlobal were hit by ransomware attacks by as-yet unidentified actors. Stoli Group USA suffered a ransomware attack that has disrupted its IT systems since August.
### Lateral Movement
- Not disclosed for most reported incidents; the initial reports focus on impact rather than intrusion details.
### Data Exfiltration/Impact
- **Date/Time:** Not separately reported; concurrent with the intrusions above.
- **Details:** Brain Cipher claimed theft of 1TB of compressed data from Deloitte (denied by Deloitte); Black Basta claimed theft of 500GB from BT Group (financials, NDAs); Salt Typhoon (a China-affiliated threat group) exfiltrated metadata and intercepted call audio and text messages from targeted US systems.
### Detection & Response
- **Date/Time:** November (RECOPE, ENGlobal); August (Stoli Group USA).
- **Response actions taken:** Romania's Constitutional Court annulled the first round of the election. RECOPE switched to manual operations. Stoli Group USA filed for Chapter 11 bankruptcy, citing the severity of the attack. Ukraine's HUR conducted a DDoS attack against Gazprombank (an offensive operation, not a response to an intrusion). Affected systems at ENGlobal and RECOPE required manual workarounds.
## Attack Methodology
- **Initial Access:** Not disclosed for the ransomware incidents (RECOPE, ENGlobal, BT Group, Stoli Group); ransomware deployment is the impact stage, not the entry vector. The Romanian social media manipulation is an influence operation rather than a network intrusion, and HUR's DDoS against Gazprombank is a disruption attack with no intrusion component.
- **Persistence:** Implied by ongoing espionage campaigns (Salt Typhoon, Secret Blizzard/Turla).
- **Privilege Escalation:** Not specified in the initial reports; domain-wide ransomware deployment normally requires it.
- **Defense Evasion:** Akira's Rust-compiled variant hampers analysis; Turla (Secret Blizzard) operates through infrastructure compromised from other threat actors, blending its traffic with theirs.
- **Credential Access:** A Windows zero-day leaks the user's NTLM hash when a malicious file is merely viewed: Windows silently authenticates to an attacker-controlled SMB server, which captures the NTLM challenge-response for offline cracking or relay. A Veeam VSPC vulnerability likewise allows NTLM hash theft.
- **Discovery:** Not detailed; the espionage groups presumably perform internal network reconnaissance before collection (Salt Typhoon's metadata harvesting belongs under Collection).
- **Lateral Movement:** Implicated in the comprehensive compromises reported by the espionage groups.
- **Collection:** Exfiltration of data (1TB/500GB), metadata harvesting, call audio interception (Salt Typhoon).
- **Exfiltration:** Transfer methods were not disclosed for the groups targeting US systems; Brain Cipher and Black Basta allege data theft from Deloitte and BT Group respectively.
- **Impact:** Data encryption (RECOPE, ENGlobal), service disruption (Gazprombank, RECOPE digital payments), financial/operational collapse (Stoli Group USA).
## Impact Assessment
- **Financial:** Stoli Group USA faces ~$84 million in debt post-attack; $381,000 spent on undeclared political advertising (Romania).
- **Data Breach:** Claims of 1TB data theft (Deloitte disputed), 500GB financial/NDA data theft (BT Group). Extensive metadata and communication interception (Salt Typhoon).
- **Operational:** RECOPE forced manual operations, disrupting fuel payments/distribution. Stoli Group IT infrastructure severely disrupted. Gazprombank access difficulties.
- **Reputational:** Annulment of a presidential election round (Romania). Public confirmation of serious breaches at major entities.
## Indicators of Compromise
*(Note: Indicators are defanged/generalized based on threat intelligence, not specific victim data)*
- **Network indicators:** Communication channels utilized by threat groups like Salt Typhoon or Secret Blizzard (refer to external CISA/FBI guidance).
- **File indicators:** Payloads related to LockBit 3.0, Black Basta, Akira (Rust variant).
- **Behavioral indicators:** Rapid data encryption; Use of legitimate tools like Impacket and PowerShell for data staging/exfiltration.
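The NTLM leak described under Credential Access and the behavioral indicators above share one observable: an internal workstation opening an SMB session to an address outside the organization, which legitimate clients almost never do. The following hunt, an added example for this summary and not code from Check Point Research or any vendor, scans constructed firewall log lines (a simplified `key=value` format; the field names are an assumption) for TCP/445 or TCP/139 connections from internal hosts to non-internal destinations. Internal ranges are listed explicitly rather than via `ipaddress.is_private`, because that property also classifies the RFC 5737 documentation ranges used here as stand-ins for public addresses (and other non-routable blocks) as private, which would hide exactly the traffic being hunted.

```python
"""Hunt for NTLM credential leakage: internal hosts opening SMB (TCP/445 or
TCP/139) sessions to addresses outside the organization.

Added example for this summary; not code from the original page or from
Check Point Research. Log lines are constructed for illustration and use a
simplified key=value format whose field names are an assumption."""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}

# Define the organization's internal ranges explicitly. ipaddress.is_private
# would also mark 192.0.2.0/24 and 203.0.113.0/24 (RFC 5737 documentation
# ranges, used below as stand-ins for public attacker servers) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed sample: one benign internal SMB session, two sessions to an
# external SMB server (the NTLM-leak pattern), one blocked attempt, one HTTPS
# connection, one link-local IPv6 destination, and one port-139 egress.
SAMPLE_LOGS = """\
ts=2024-12-09T10:01:02Z src=10.20.5.17 dst=10.20.5.2 dport=445 proto=tcp action=allow
ts=2024-12-09T10:01:09Z src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp action=allow
ts=2024-12-09T10:01:09Z src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp action=allow
ts=2024-12-09T10:02:30Z src=10.20.7.3 dst=192.0.2.10 dport=445 proto=tcp action=deny
ts=2024-12-09T10:03:11Z src=10.20.5.17 dst=198.51.100.7 dport=443 proto=tcp action=allow
ts=2024-12-09T10:04:00Z src=10.20.9.8 dst=fe80::1 dport=445 proto=tcp action=allow
ts=2024-12-09T10:05:00Z src=10.20.9.8 dst=192.0.2.10 dport=139 proto=tcp action=allow
"""


def is_internal(ip_text):
    """True if the address falls inside one of INTERNAL_NETS; unparseable
    addresses are treated as not internal so they are not silently dropped."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Membership across IP versions is False, so mixed lists are safe.
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    if not {"src", "dst", "dport", "proto", "action"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def find_smb_egress(log_text, include_denied=False):
    """Return records where an internal host reaches an SMB port on a
    non-internal address. A denied attempt still means the client tried to
    authenticate outbound (the lure worked), so it is reported on request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if rec["action"] != "allow" and not include_denied:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source host: distinct external SMB targets and count."""
    by_src = defaultdict(lambda: {"targets": set(), "connections": 0})
    for rec in hits:
        entry = by_src[rec["src"]]
        entry["targets"].add(rec["dst"])
        entry["connections"] += 1
    return dict(by_src)


if __name__ == "__main__":
    for src, info in summarize(find_smb_egress(SAMPLE_LOGS)).items():
        print(f"{src}: {info['connections']} SMB connection(s) to "
              f"{sorted(info['targets'])}")
```

Every source host in the output is a candidate for an NTLM hash having left the network; the next step is to pull that host's file-open and authentication events around the connection time and to reset the affected credentials. A `deny` hit (use `include_denied=True`) is still worth a look, since it shows the lure was opened even though egress filtering held.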
## Response Actions
- **Containment:** Unknown specific actions, but system shutdowns/manual workarounds initiated (RECOPE, Stoli Group).
- **Eradication:** Not specified, but usually involves re-imaging and patching post-ransomware.
- **Recovery:** Stoli Group expects recovery no earlier than Q1 2025. RECOPE relied on existing fuel reserves.
## Lessons Learned
- Political interference remains a significant vector, leveraging social media and cyber operations concurrently.
- Supply chain risk remains high, evidenced by a (disputed) claim of compromise against a major professional services provider (Deloitte).
- Current CISA/FBI guidance is essential for defending against sophisticated state-sponsored actors such as Salt Typhoon and Turla, both of which reach their targets through compromised third-party infrastructure.
## Recommendations
- **Prompt Patching:** Apply the unofficial micropatch for the Windows NTLM disclosure zero-day where it is acceptable, and until an official Microsoft fix ships, block outbound SMB (TCP/445 and TCP/139) to the internet at the perimeter and restrict outgoing NTLM authentication to remote servers so that a leaked lure cannot complete the authentication. Apply the official patches for Progress WhatsUp Gold (v24.0.1) and Veeam VSPC against the RCE and credential theft flaws.
- **System Hardening:** Review and enhance endpoint detection coverage for the ransomware families active this week (LockBit 3.0, Black Basta, Akira, including its Rust variant), and alert on the tooling commonly used for staging and exfiltration (Impacket, PowerShell).
- **Espionage Defense:** Implement enhanced monitoring for abnormal metadata collection and interception activities targeting sensitive personnel or communication channels, particularly against actors leveraging compromised infrastructure.