Full Report
The Belarusian Cyber Partisans have shared documents related to another hack, and explained that Curated Intel member, SttyK, would “understand some of the methods used.”

Written by @BushidoToken and edited by @SteveD3

On Monday 24 January 2022, a Belarusian hacktivist group going by the name Belarusian Cyber-Partisans claimed responsibility for a limited attack against the national railway company. A primary objective of the attack, they claimed, was to hinder Russian troop movements inside Belarus.

In public media reports, it has been stated that the rail service’s website issued a warning to passengers that some e-ticket systems were unavailable (source: rw[.]by), seemingly confirming the Cyber-Partisans’ claims that they targeted network assets in order to disrupt operations. The Belarusian government has not commented on the incident.

On Tuesday 24 January, Curated Intelligence member @SttyK obtained documents from Cyber-Partisans, which the group claimed would help SttyK “understand some of the methods used” during the attack. Initially SttyK reached out to the group seeking access to the malware used in the attack, which would then have been studied. However, the group declined to share the code, but noted they would “gladly do that once the authoritarian regime in Belarus is gone.”

Known Information:

Based on public reporting and previous interviews, the Belarusian Cyber-Partisans are "a group of 15 self taught hacktivists who claim to have assistance and support from disaffected Belarusian security forces" (source: CyberScoop). The group has been closely associated with a series of government website defacement operations. Last August, the group spoke to Patrick Howell O’Neill at Technology Review in a rather informative interview, should anyone want some additional background.

New Information:

As mentioned, SttyK reached out to the group in order to obtain malware samples for study. Instead, what the group responded with were a series of documents. These documents represent a report based on an investigation into an attack on 14 March 2021, which concluded on 8 April of the same year.

Editor Note: One of the first questions asked internally by Curated Intelligence members was “why?”. Why are they sharing such details, and what do they have to gain by exposing a previously released incident report? There are a number of answers to that question, but the key answer is exposure. As is the case with articles in major publications, blogs such as this one give hacktivists attention to their cause. So then the question becomes, is the information they shared with us of importance to the public (yes, it is). Thus giving them attention is worth the trade-off in our opinion, and serves our goal of informing the public.

The Stolen Incident Response Report:
- The report was first mentioned in a YouTube video on the Cyber-Partisans’ own YouTube Channel in November 2021 (see here)
- The investigation and report began on 25 March 2021 and was done by VirusBlokAda (the antivirus firm that also first discovered Stuxnet)
- The incident report cost 2530.00 BYN (worth an estimated $1,000 USD)
- In the report, the initial date of compromise was discovered to be 14 March 2021
- According to the report, the victim was the Academy of Public Administration under the President of the Republic of Belarus

Fig. 1 - Confirmation of who the victim was in the report
Fig. 2 - The incident report cost 2530.00 BYN (worth $1,000)
Fig. 3 - Initial date of compromise was 14 March 2021
Fig. 4 - Screenshot of files containing employee data being deleted
Fig. 5 - Screenshot of files in the backup server being deleted
Fig. 6 - Screenshot of the report mentioning the use of Impacket
Impacket - https://github.com/SecureAuthCorp/impacket
Fig. 7 - Screenshot of the report mentioning the use of Chisel
Chisel - https://github.com/jpillora/chisel
Fig. 8 - Screenshot of the report mentioning the use of 3proxy[.]ru
3proxy - https://3proxy.org/
Fig. 9 - Screenshot of the report mentioning 3389 (RDP) port forwarding over TCP
Fig. 10 - Screenshot of the report mentioning the use of Nmap, Mimikatz, CVE-2019-0708

Considering this was a full incident response investigation that cost less than $1,000, it is unsurprising that the findings are unclear. The attack chain was not fully explained, but we have tried to piece it together as best we can with the help of a Curated Intelligence member, @0xDISREL, who can read and write Russian. We are still not confident this is a fully accurate representation of the group's TTPs, but it should help nonetheless.

Summary of Attack:
- Initial access via BlueKeep RCE (CVE-2019-0708) in RDP on a Windows Server 2008 R2 system
- Used the 3proxy[.]ru service to launch attacks from a VPS
- Use of Mimikatz to dump LSASS (SYSTEM-level privileges are required; however, how they obtained these is currently unclear)
- Nmap to identify systems (used Nmap to identify systems with Port 3389 open)
- Used RDP to move laterally
- Eventually landed on the victim's Domain Controller
- Configured TCP port forwarding to open Port 3389 to the internet for persistent access
- Deleted data (such as employee records) from live and backup systems

Indicators of Compromise (IOCs):

| Type | Indicator | Context |
| --- | --- | --- |
| SHA256 | 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 | RemoteAdmin.exe |
| SHA256 | bae88a899f41ddce157ed42a2a5f800cd00fcbc400a98a11a9563976ef4c9655 | psexec.py |
| Domain | 3proxy[.]ru | VPS Proxy |

Threat Hunting Tips:

Executed commands:

```
mstcpsvc32 %COMSPEC% /Q /c echo net user aaiadmin /domain ^> \\127.0.0.1\ADMIN$\hibfile.sys 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
```

Forwarded Ports:
- 3389 (RDP) -> Port 9000
- 3389 (RDP) -> Port 9001
- 4899 (RAdmin) -> Port 9002
- 3389 (RDP) -> Port 9003

User Accounts:
- They used the default user aaiadmin

Cyber Kill Chain:

Curated Intelligence member, @TrevorGiffen, roughly mapped the intrusion analysis to Cyber Kill Chain, Diamond Model, and MITRE ATT&CK.

Diamond Model with MITRE ATT&CK:
Analysis Summary
This summary is based on the *stolen incident response report* shared by the Belarusian Cyber-Partisans, concerning a past attack on the Academy of Public Administration.
# Incident Report: Academy of Public Administration Compromise (Mar-Apr 2021)
## Executive Summary
In March 2021, the Academy of Public Administration under the President of the Republic of Belarus suffered a compromise initiated via a known Remote Code Execution (RCE) vulnerability (BlueKeep). Attackers utilized tools like Impacket and Mimikatz to escalate privileges, move laterally, and ultimately exfiltrate or delete sensitive employee data from both live and backup systems. The incident was discovered and investigated by VirusBlokAda, whose internal incident report was subsequently stolen and publicized by hacktivists in 2022.
## Incident Details
- **Discovery Date:** March 25, 2021 (Start of investigation by VirusBlokAda)
- **Incident Date:** Initial compromise occurred on March 14, 2021.
- **Affected Organization:** Academy of Public Administration under the President of the Republic of Belarus
- **Sector:** Government / Public Administration / Education
- **Geography:** Belarus
## Timeline of Events
### Initial Access
- **Date/Time:** March 14, 2021
- **Vector:** Remote Code Execution (RCE) via CVE-2019-0708 (BlueKeep) on a Windows Server 2008 R2 system.
- **Details:** Attackers leveraged the BlueKeep vulnerability in RDP. They used the `3proxy[.]ru` service, likely hosted on a VPS, to mask the origin of the attack.
### Lateral Movement
- **Details:** Attackers performed reconnaissance using **Nmap** targeting systems with open **Port 3389 (RDP)**. They used RDP to move internally, eventually landing on the organization's **Domain Controller (DC)**. They used **Impacket** tools (specifically referenced is `psexec.py`).
### Data Exfiltration/Impact
- **Details:** The actors gained SYSTEM-level privileges. They used **Mimikatz** to dump LSASS credentials. The primary impact involved the **deletion of data**, specifically employee records, from both live production systems and associated backup servers.
### Detection & Response
- **How it was discovered:** The incident was discovered by the antivirus firm **VirusBlokAda**, which subsequently conducted a formal investigation starting March 25, 2021.
- **Response actions taken:** A formal incident response investigation was conducted by VirusBlokAda, concluding on April 8, 2021. (Specific containment/eradication actions taken by the victim organization are not detailed in the shared report summary).
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2019-0708 (BlueKeep RCE)** on RDP.
- **Persistence:** Configuration of **TCP port forwarding over Port 3389** to maintain external access ("open Port 3389 to the internet").
- **Privilege Escalation:** Used **Mimikatz** to dump LSASS; this requires SYSTEM-level privileges, though how those were obtained before Mimikatz was run is "unclear."
- **Defense Evasion:** Use of proxy services (`3proxy[.]ru`) to mask source IPs.
- **Credential Access:** **Mimikatz** utilized to dump credentials from LSASS.
- **Discovery:** **Nmap** used to identify active hosts with RDP (Port 3389) open.
- **Lateral Movement:** **RDP** connections utilized after internal discovery.
- **Collection:** Location of target data (employee files) identified.
- **Exfiltration:** The report summary focuses on **data deletion** rather than explicit exfiltration methods beyond initial access/collection tools.
- **Impact:** **Data Destruction** (deletion of employee data from live and backup systems).
## Impact Assessment
- **Financial:** The direct cost of the external IR investigation was documented as 2530.00 BYN (approx. $1,000 USD).
- **Data Breach:** Deletion of sensitive operational data, specifically **employee records**.
- **Operational:** Disruption caused by the destruction of data.
- **Reputational:** The nature of the compromise (attacking a state-affiliated academy) likely caused reputational damage, although not detailed.
## Indicators of Compromise
- **Network indicators:**
  - Domain: `3proxy[.]ru` (Used as a proxy/exit node)
- **File indicators:**
  - SHA256: `3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71` (Associated with `RemoteAdmin.exe`)
  - SHA256: `bae88a899f41ddce157ed42a2a5f800cd00fcbc400a98a11a9563976ef4c9655` (Associated with `psexec.py`)
- **Behavioral indicators:**
  - Use of **Impacket** suite (e.g., `psexec.py`).
  - Use of **Mimikatz** for credential dumping.
  - **Port forwarding** configuration for RDP access (Port 3389).
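As an added example (not from the original post, the Cyber-Partisans, or the VirusBlokAda report), a small Python hunt over constructed process-creation records that matches the behaviours listed above: the echo-and-redirect-to-`ADMIN$` command quoted in the Threat Hunting Tips, forwarding of 3389/4899 to another port, an Nmap sweep for RDP, and use of the `aaiadmin` account. The `netsh portproxy` form of the forwarding, the sample hostnames and the ATT&CK technique mapping are assumptions; the report does not name the tool that configured the forwarding.

```python
import re

# Constructed process-creation records (Sysmon EID 1 / Security 4688 style),
# modelled on the command and ports quoted in the report; not real log data.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "aaiadmin", "image": "cmd.exe",
     "cmd": r"mstcpsvc32 %COMSPEC% /Q /c echo net user aaiadmin /domain ^> "
            r"\\127.0.0.1\ADMIN$\hibfile.sys 2^>^&1 > %TEMP%\execute.bat & "
            r"%COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # Assumption: netsh portproxy is one way the 3389 -> 9000 forwarding could
    # appear in logs; the report does not say which tool configured it.
    {"host": "srv2008", "user": "SYSTEM", "image": "netsh.exe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9000 "
            "connectport=3389 connectaddress=10.0.0.5"},
    {"host": "ws17", "user": "ivanov", "image": "nmap.exe",
     "cmd": "nmap -p 3389 --open 10.0.0.0/24"},
    {"host": "ws17", "user": "ivanov", "image": "EXCEL.EXE",
     "cmd": '"C:\\Program Files\\Microsoft Office\\EXCEL.EXE" budget.xlsx'},
]

# Each rule: (name, ATT&CK technique ID, predicate over one event).
# The technique mapping is ours, not the report's.
RULES = [
    # echo ... ^> \\127.0.0.1\ADMIN$\<file> ... execute.bat is the Impacket-style
    # pattern seen in the executed command from the Threat Hunting Tips.
    ("impacket-style admin$ exec", "T1569.002",
     lambda e: bool(re.search(r"\\\\127\.0\.0\.1\\ADMIN\$\\", e["cmd"]))
               and "execute.bat" in e["cmd"]),
    # Forwarding of RDP (3389) or RAdmin (4899) to another listener.
    ("rdp/radmin port forwarding", "T1090",
     lambda e: "portproxy" in e["cmd"].lower()
               and bool(re.search(r"connectport=(3389|4899)\b", e["cmd"]))),
    # Nmap sweep for hosts with RDP open.
    ("rdp sweep with nmap", "T1046",
     lambda e: e["image"].lower() == "nmap.exe" and "3389" in e["cmd"]),
    # The account named in the report, either as the actor or inside a command.
    ("known compromised account", "T1078",
     lambda e: e["user"].lower() == "aaiadmin" or "aaiadmin" in e["cmd"].lower()),
]

def hunt(events):
    """Return [(host, rule_name, technique)] for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append((ev["host"], name, technique))
    return hits
```

Calling `hunt(SAMPLE_EVENTS)` flags the first three constructed events (the Office process is left alone); the same predicates can be pointed at real exported process-creation events with the same `host`/`user`/`image`/`cmd` fields.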
## Response Actions
- **Containment measures:** Not explicitly detailed regarding internal steps taken by the victim organization immediately after detection.
- **Eradication steps:** Not explicitly detailed.
- **Recovery actions:** The IR report confirmed the deletion of files from both **live systems and backup servers**, suggesting recovery efforts would have been significant.
## Lessons Learned
- **Key takeaways:** Use of known, severe vulnerabilities (BlueKeep) remains a viable initial access vector, even against public administration systems. The use of tunneling tools like Chisel and proxy services indicates effort in maintaining covert access.
- **What could have been done better:** Patching of legacy operating systems (Windows Server 2008 R2) against known critical vulnerabilities like CVE-2019-0708 was clearly insufficient. Backup integrity checks or segmentation were perhaps lacking, as data was deleted from both live and backup environments.
## Recommendations
- **Prevention measures for similar incidents:** Immediately patch all systems against RDP exploits like CVE-2019-0708. Restrict RDP access to internal networks only, preferably through secured, segmented jump boxes, and strictly forbid exposing RDP ports (3389) directly to the internet. Implement robust M/A/D (Monitoring, Auditing, Defense) against credential theft techniques like credential dumping from LSASS.