Full Report
This is the final installment of Trustwave SpiderLabs' Russia-Ukraine digital battlefield series, which has covered the differences between Russian and Ukrainian cyber actors, how government entities, defense organizations, and individual human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical infrastructure, and technology sectors. If you need to catch up, please read Part 1, Part 2, and Part 3. In this final installment, we shine a spotlight on Russian state-backed actors and their operations. In September 2024, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) assessed that the UNC2589 group (also known as Cadet Blizzard, Ember Bear, and UAC-0056) is affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
Analysis Summary
# Threat Actor: UNC2589 (Cadet Blizzard) and the Sandworm / APT44 Family
## Attribution & Identity
- **Primary Attribution:** UNC2589 is attributed by the FBI, NSA, and CISA (September 2024) to the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
- **Known Aliases:** UNC2589 is also tracked as Cadet Blizzard (Microsoft), Ember Bear (CrowdStrike), and UAC-0056 (CERT-UA). Sandworm, tracked by Mandiant as APT44 and by Microsoft as Seashell Blizzard, is a distinct GRU unit (Unit 74455). The two are often discussed together because both run destructive and espionage operations against Ukraine, but they are separate groups and should not be merged in attribution.
- **Associated Groups:** Both belong to a network of interconnected GRU cyber units operating under Russian state sponsorship (referred to here as the Sandworm family). Sandworm publicly takes credit for actions through hacktivist-branded Telegram personas: XakNet, CyberArmyofRussia\_Reborn, and Solntsepek.
## Activity Summary
- Unit 29155 cyber actors have conducted computer network operations against global targets for espionage, sabotage, and reputational harm since at least 2020.
- UNC2589 gained notoriety for the destructive WhisperGate wiper attacks against several Ukrainian organizations starting in January 2022.
- In April 2024, Mandiant graduated Sandworm to APT status as APT44, noting a growing emphasis on espionage intended to give Russia's conventional forces a battlefield advantage during the war.
- The family publicly claims responsibility for data leaks and disruptive actions to create second-order psychological effects, coordinating through hacktivist personas such as XakNet and CyberArmyofRussia\_Reborn.
## Tactics, Techniques & Procedures
- Exploits vulnerabilities in internet-facing applications, including **zero-day vulnerabilities**, for initial access.
- Employs **social engineering** and **spear-phishing** campaigns.
- Utilizes **Living Off the Land (LotL)** techniques, relying on built-in administrative tooling so that few malware artifacts are left behind.
- Uses common offensive frameworks such as **Metasploit** and **Cobalt Strike**.
- Leverages open-source reconnaissance tools such as **Masscan** (high-rate port scanning) and **PingCastle** (Active Directory weakness enumeration).
- Conducts **data destruction and wiping** (for example, the WhisperGate activity), often presented as ransomware or hacktivism to obscure the military objective.
## Targeting
- **Sectors:** Government entities, defense organizations, telecommunications, critical infrastructure, and technology sectors, particularly in the context of the Russia-Ukraine conflict.
- **Geography:** Global targets, with specific mention of operations against Ukrainian organizations and allied countries.
- **Victims:** Several Ukrainian organizations (WhisperGate attacks).
## Tools & Infrastructure
- **Malware families used:** WhisperGate (a wiper disguised as ransomware).
- **Public-facing personas:** Responsibility is claimed through the Telegram channels XakNet, CyberArmyofRussia\_Reborn, and Solntsepek; the article does not detail command-and-control infrastructure.
- **Tools Mentioned:** Metasploit, Cobalt Strike, Masscan, PingCastle.
## Implications
UNC2589 and APT44 (Sandworm) are assessed as high-severity threats: APT44 is primarily focused on providing strategic support to Russian military operations through espionage, while both units conduct destructive and disruptive actions against Ukraine and allied nations. Their use of publicly claimed hacks alongside capable intrusion tradecraft indicates a hybrid approach that combines military objectives with psychological operations.
## Mitigations
- Build detections that identify sequences of behavior (reconnaissance, credential use, lateral movement, destructive commands) rather than relying solely on known signatures, since LotL tradecraft leaves few malware artifacts to match on.
- Harden and promptly patch internet-facing services, given the threat actor's history of exploiting vulnerabilities for initial access.
- Expect LotL techniques, social engineering, and the use of common penetration-testing frameworks such as Metasploit and Cobalt Strike, and tune detections for their default behaviors.
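The reconnaissance tooling listed above (Masscan) and the first mitigation, which asks for detections that recognize a chain of activity rather than a single signature, can be illustrated with a small detector. What follows is an added example, not code from Trustwave SpiderLabs or from any government advisory. The flow records, authentication events and their field layout are constructed for illustration and do not reflect any real sensor schema; a high-rate asynchronous scanner such as Masscan shows up as one source emitting SYN-only probes to many distinct host/port pairs in a few seconds, and a later successful logon from that same source is the chain worth alerting on.

```python
"""Flag Masscan-style horizontal scanning in flow records and chain it to later logons.

Added example; the FLOWS and AUTH_EVENTS below are constructed, and the tuple
layout is an assumed generic schema rather than a specific sensor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed flow records: (time, src_ip, dst_ip, dst_port, tcp_flags).
# 203.0.113.7 sends SYN-only probes to 120 distinct host/port pairs in about
# six seconds, which is what a high-rate asynchronous scanner looks like.
SCAN_SRC = "203.0.113.7"
FLOWS = [
    (_ts("2024-09-01T10:00:00") + timedelta(milliseconds=50 * i),
     SCAN_SRC, f"10.0.0.{1 + i % 40}", (22, 443, 3389)[i % 3], "S")
    for i in range(120)
]
# Benign traffic: a workstation completing normal handshakes (SYN-ACK seen).
FLOWS += [
    (_ts("2024-09-01T10:00:01"), "10.0.0.50", "10.0.0.10", 443, "SA"),
    (_ts("2024-09-01T10:00:02"), "10.0.0.50", "10.0.0.11", 445, "SA"),
    (_ts("2024-09-01T10:00:03"), "10.0.0.50", "10.0.0.12", 22, "SA"),
]

# Constructed authentication events: (time, src_ip, dst_host, result).
AUTH_EVENTS = [
    (_ts("2024-09-01T10:07:30"), SCAN_SRC, "10.0.0.25", "success"),
    (_ts("2024-09-01T10:08:00"), "10.0.0.50", "10.0.0.10", "success"),
]


def find_scanners(flows, window=timedelta(seconds=10), min_targets=50):
    """Return {src_ip: {"targets": n, "last_probe": time}} for sources whose
    SYN-only probes reach at least `min_targets` distinct (dst, port) pairs
    inside any sliding interval of length `window`."""
    by_src = defaultdict(list)
    for t, src, dst, dport, flags in flows:
        if flags == "S":  # half-open probes only; completed handshakes are ignored
            by_src[src].append((t, (dst, dport)))
    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        start, best = 0, 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = len({target for _, target in probes[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            scanners[src] = {"targets": best, "last_probe": probes[-1][0]}
    return scanners


def chain_scan_to_logon(scanners, auth_events, horizon=timedelta(hours=1)):
    """Chain check: a scanning source that then authenticates successfully into
    the scanned network within `horizon` is far more alarming than either
    event on its own."""
    hits = []
    for t, src, host, result in auth_events:
        info = scanners.get(src)
        if info and result == "success" and timedelta(0) <= t - info["last_probe"] <= horizon:
            hits.append({"src": src, "host": host, "logon_time": t.isoformat(),
                         "targets_probed": info["targets"]})
    return hits


if __name__ == "__main__":
    found = find_scanners(FLOWS)
    for src, info in found.items():
        print(f"scanner {src}: {info['targets']} distinct targets, last probe {info['last_probe']}")
    for hit in chain_scan_to_logon(found, AUTH_EVENTS):
        print(f"ALERT scan-then-logon: {hit}")
```

The thresholds are deliberately loose (50 targets in 10 seconds) so that a patch-management scanner is unlikely to trip them; tune `min_targets` and `window` against your own baseline, and treat the scan-then-logon chain as the high-fidelity alert rather than the scan alone.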
***
# Threat Actor: UNC4057 (Star Blizzard / Callisto Group)
## Attribution & Identity
- **Primary Attribution:** Likely subordinate to the Russian Federal Security Service (FSB) Centre 18.
- **Known Aliases:** Star Blizzard, COLDRIVER, Callisto Group.
- **Associated Groups:** In December 2023 the US Department of Justice indicted two FSB-linked individuals associated with the group, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their role in its espionage operations.
## Activity Summary
- Activity observed since at least 2019.
- Conducted espionage campaigns targeting government and military organizations.
- Operations reportedly included attempts to influence the UK’s 2019 elections.
- The indictments reflect the attribution confidence Western governments have in the group's FSB links and underline its role in nation-state espionage.
## Tactics, Techniques & Procedures
- Espionage campaigns designed for intelligence gathering and political interference, including hack-and-leak operations against political targets.
- The article does not detail this actor's tooling or intrusion techniques beyond the espionage objective. Public advisories (the joint NCSC/CISA advisory of December 2023) describe its standard approach as targeted spear-phishing: building rapport with the target by email before delivering a link to a credential-harvesting page.
## Targeting
- **Sectors:** Government, defense, academic sectors, NGOs, and think tanks.
- **Geography:** Primarily the UK and the US, with activity observed against other NATO countries.
- **Victims:** Government and military organizations; individual politicians.
## Tools & Infrastructure
- The article does not detail specific tools or infrastructure (C2 servers, IP addresses) for UNC4057.
## Implications
UNC4057 represents an FSB-aligned entity specializing in long-term, high-value espionage operations targeting Western political, academic, and governmental institutions, including attempts at foreign election interference.
## Mitigations
- Prioritize protection of governmental, defense, academic, NGO, and think-tank environments against persistent, low-volume espionage rather than only against mass attacks.
- Apply phishing-resistant MFA and heightened monitoring to the accounts of politically exposed users (politicians, staffers, researchers), who are this group's preferred targets, and train them to recognize rapport-building approaches by email.
***
# Threat Actor: APT29 (Midnight Blizzard / Cozy Bear / The Dukes)
## Attribution & Identity
- **Primary Attribution:** Believed to be part of the Russian Foreign Intelligence Service (SVR).
- **Known Aliases:** Midnight Blizzard, Cozy Bear, The Dukes.
## Activity Summary
- Operations intensified against Ukraine in the first half of 2023, aligning with Ukraine's counteroffensive, suggesting a focus on intelligence gathering during critical phases of the war.
- Continues routine global espionage operations while ramping up phishing activities.
- Operations primarily target European ministries of foreign affairs and embassies, maintaining global operational scope.
## Tactics, Techniques & Procedures
- **Initial Access (Cloud Adaptation):**
- Authenticating with stolen or forged access and refresh **tokens**, which bypasses the password step entirely and, if the token was issued after an MFA challenge, the MFA step as well.
- **Password spraying**: trying a small set of common passwords across many accounts, with a focus on dormant and service accounts that often lack MFA and lockout protection.
- **MFA bombing / MFA fatigue**: repeatedly triggering push notifications to a user whose password is already known until the user approves one.
- Registering actor-controlled devices in the victim's cloud tenant when device validation or registration rules are absent, which gives the actor a persistent, trusted foothold.
## Targeting
- **Sectors:** Global diplomatic entities, European ministries of foreign affairs, and embassies.
- **Geography:** Global, with an intensified focus on Ukraine and Europe.
- **Victims:** Diplomatic organizations.
## Tools & Infrastructure
- Information on specific malware or infrastructure was not detailed, though the actor is known for sophisticated phishing/malware delivery operations.
## Implications
APT29 remains focused on geopolitical intelligence collection for the SVR. Their successful adaptation to modern cloud security controls (token usage, MFA fatigue) makes them a difficult adversary for organizations that have recently migrated infrastructure to the cloud.
## Mitigations
- Enforce strict device registration and validation rules within cloud tenants (only compliant or managed devices may enroll), and review existing registrations for devices that appeared shortly after suspicious sign-ins.
- Detect and alert on bursts of MFA push prompts to one user (MFA bombing/fatigue), and move to number matching or phishing-resistant MFA so that a single accidental approval is not enough.
- Harden credential access against password spraying: enforce MFA on service and dormant accounts, disable accounts that are no longer needed, and alert on one source failing against many distinct accounts.
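The three cloud initial-access patterns described in the TTP list above, and the detection-oriented mitigations just given, translate into straightforward sign-in log analytics. The following is an added example, not code from Trustwave SpiderLabs, the NCSC, or any identity vendor. The log records are constructed, and the field names (`user`, `ip`, `result`, `mfa`, `event`, `compliant`) are an assumed generic schema, not a real identity provider's log format; the logic is what matters: one source failing against many accounts, one user receiving a burst of push prompts that ends in an approval, and a device enrolling without a compliance check from an IP already tied to either pattern.

```python
"""Detect password spraying, MFA fatigue, and unvalidated device registration
in sign-in logs.

Added example; EVENTS is constructed and the record fields are an assumed
generic schema rather than any specific identity provider's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, event="signin", **fields):
    when = datetime.fromisoformat(ts) if isinstance(ts, str) else ts
    return {"time": when, "event": event, **fields}


EVENTS = []
# 1. Password spray: one IP tries a single password against 25 service accounts
#    in two minutes. Each account fails once, so no lockout fires.
for i in range(25):
    EVENTS.append(_ev(f"2024-03-05T02:{i // 12:02d}:{(i * 5) % 60:02d}",
                      user=f"svc-{i:02d}@corp.example", ip="198.51.100.23",
                      result="failure", mfa=None))
# 2. MFA fatigue: the actor knows one user's password and triggers a push prompt
#    every 30 seconds; the user denies seven, then approves the eighth.
base = datetime.fromisoformat("2024-03-05T03:10:00")
for i in range(8):
    last = i == 7
    EVENTS.append(_ev(base + timedelta(seconds=30 * i), user="cfo@corp.example",
                      ip="198.51.100.23", result="success" if last else "failure",
                      mfa="push_approved" if last else "push_denied"))
# 3. Device registration from that session with no compliance check.
EVENTS.append(_ev("2024-03-05T03:15:00", event="device_registered", user="cfo@corp.example",
                  ip="198.51.100.23", device="DESKTOP-A1B2C3", compliant=False))
# Benign: a user mistypes twice, approves one push, and enrolls a compliant laptop.
EVENTS += [
    _ev("2024-03-05T08:00:00", user="alice@corp.example", ip="203.0.113.9", result="failure", mfa=None),
    _ev("2024-03-05T08:00:20", user="alice@corp.example", ip="203.0.113.9", result="failure", mfa=None),
    _ev("2024-03-05T08:00:40", user="alice@corp.example", ip="203.0.113.9", result="success", mfa="push_approved"),
    _ev("2024-03-05T08:05:00", event="device_registered", user="alice@corp.example",
        ip="203.0.113.9", device="LAPTOP-ALICE", compliant=True),
]


def _windows(items, window):
    """Yield each sliding window (sorted by time) whose span is at most `window`."""
    items = sorted(items)
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield items[start:end + 1]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=10):
    """{ip: max distinct accounts failed against within `window`} for spraying sources.
    Spraying is wide and shallow, so the signal is distinct users per IP, not
    failures per user (which is what lockout policies watch)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "signin" and e["result"] == "failure":
            by_ip[e["ip"]].append((e["time"], e["user"]))
    alerts = {}
    for ip, fails in by_ip.items():
        for run in _windows(fails, window):
            users = {u for _, u in run}
            if len(users) >= min_users:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """{user: {"prompts": n, "approved": bool}} for users who received a burst of
    push prompts; an approval at the end of the burst is the likely compromise."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "signin" and (e.get("mfa") or "").startswith("push"):
            by_user[e["user"]].append((e["time"], e["mfa"]))
    alerts = {}
    for user, prompts in by_user.items():
        for run in _windows(prompts, window):
            if len(run) >= min_prompts:
                alerts[user] = {"prompts": len(run), "approved": run[-1][1] == "push_approved"}
    return alerts


def detect_unvalidated_devices(events):
    """Device registrations that passed no compliance check, marked as linked to
    an attack when the IP was seen spraying or the user was seen being bombed."""
    sprayers, bombed = detect_password_spray(events), detect_mfa_fatigue(events)
    return [{"user": e["user"], "device": e["device"], "ip": e["ip"],
             "linked_to_attack": e["ip"] in sprayers or e["user"] in bombed}
            for e in events if e["event"] == "device_registered" and not e.get("compliant")]


if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(EVENTS))
    print("unvalidated devices:", detect_unvalidated_devices(EVENTS))
```

Note that the spray detector keys on distinct accounts per source address while the fatigue detector keys on prompts per user; the two are complementary, and the device check only becomes high-confidence when it can be tied back to one of them, which is why it reuses both.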