Analysis summary of the full report: Google's Threat Analysis Group shares first quarter cyber updates on the threat landscape from the war in Ukraine.
# Threat Actor: FROZENBARENTS (aka Sandworm)
## Attribution & Identity
Attributed to Russian Armed Forces’ Main Directorate of the General Staff (GRU) Unit 74455. Considered the most versatile GRU cyber actor with extensive offensive capabilities.
## Activity Summary
FROZENBARENTS continues to heavily focus on the war in Ukraine, engaging in intelligence collection, information operations (IO), and leaking hacked data via Telegram. Campaigns observed in Q1 2023 included:
* Targeting Caspian Pipeline Consortium (CPC) employees (Moscow office) with SMS phishing links spoofing CPC.
* Conducting campaigns against **energy sector organizations in Eastern Europe** using fake Windows update packages to deploy the Rhadamanthys stealer.
* Launching waves of credential phishing targeting **Ukrainian defense industry, military, and Ukr.net webmail users** by spoofing security notifications.
* Maintaining persistent access on compromised webservers using webshells, then deploying **Adminer** to exfiltrate data, which is subsequently leaked on the `CyberArmyofRussia_Reborn` Telegram channel.
* Targeting users associated with popular Telegram channels (pro- and anti-Russia) via email and SMS phishing to steal credentials.
## Tactics, Techniques & Procedures
- Credential phishing (via SMS and email).
- Deploying Rhadamanthys stealer for credential and cookie exfiltration.
- Exploitation of external-facing services; the trend of exploiting **Exim mail servers** globally, dating back to August 2019, was observed to continue.
- Utilizing compromised hosts for operational network activities: accessing victim networks, sending malicious emails, and conducting IO.
- Information operations (IO) using online personas to disseminate narratives (pro-Russia, anti-Ukraine/NATO/West).
- Compromising webservers and deploying webshells for persistence.
- Deploying **Adminer** (PHP database management script) for data exfiltration.
- Mobile activity noted as a capability.
## Targeting
- Sectors: Government, defense, **energy sector** (including CPC-associated organizations), transportation/logistics, education, and humanitarian organizations.
- Geography: Primarily **Ukraine** (accounting for over 60% of Russian targeting observed by TAG in Q1 2023), Eastern Europe.
- Victims: CPC employees (Moscow office), Ukrainian defense industry, military, Ukr.net webmail users, and organizations associated with the Caspian Pipeline Consortium (CPC).
## Tools & Infrastructure
- Malware families used: **Rhadamanthys stealer** (variant), **Webshells**, **Adminer** (PHP script).
- Infrastructure (C2/Domains/IPs):
  - Domains: `cpcpipe[.]com`, `cpcpipe[.]org`, `telegram[.]org.security.ohsxy[.]com`, `telegram[.]org.4234e8234ad0f.24o1[.]com`, `ukroboronprom[.]com[.]ukr[.]pm`.
  - IPs: `104.156.149[.]126`, `181.119.30[.]71`, `45.76.31[.]101`, `45.56.93[.]83`, `45.124.86[.]84`.
- IO personas: `CyberArmyofRussia` or `CyberArmyofRussia_Reborn` (active on Telegram, Instagram, YouTube).
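As an added example (not part of the report or of TAG's tooling), the following Python matches proxy-style log lines against the domains and IPs listed above and additionally flags hostnames that bury a legitimate domain as a leading label run, the pattern seen in the Telegram and Ukroboronprom spoofing hostnames, so it also catches lookalikes not yet on the list. The brand list, the sample log lines and the two-label parent-domain approximation are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the report above, in their defanged form.
REPORT_DOMAINS = [
    "cpcpipe[.]com", "cpcpipe[.]org", "telegram[.]org.security.ohsxy[.]com",
    "telegram[.]org.4234e8234ad0f.24o1[.]com", "ukroboronprom[.]com[.]ukr[.]pm",
]
REPORT_IPS = ["104.156.149[.]126", "181.119.30[.]71", "45.76.31[.]101",
              "45.56.93[.]83", "45.124.86[.]84"]
# Assumed: the legitimate domains the listed phishing hosts imitate.
BRANDS = {"telegram.org", "ukroboronprom.com"}

def refang(ioc: str) -> str:
    """Turn the report's 'a[.]b' defanging back into a matchable indicator."""
    return ioc.replace("[.]", ".").lower().strip(".")

IOC_SET = {refang(i) for i in REPORT_DOMAINS + REPORT_IPS}

def brand_spoof(host: str):
    """Return the imitated brand when a brand domain appears as a run of labels
    inside `host` but is not the host's real parent domain (e.g.
    telegram.org.security.ohsxy.com). Parent domain is approximated as the
    last two labels, which is adequate for the TLDs in this report."""
    host = host.lower().strip(".")
    parent = ".".join(host.split(".")[-2:])
    for brand in sorted(BRANDS):
        if brand != parent and f".{brand}." in f".{host}.":
            return brand
    return None

def scan(log_lines):
    """Check every URL host and dotted-quad in each line; returns
    [(line_no, indicator, reason)] for report IOCs and brand spoofs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        cands = {urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", line)}
        cands |= set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line))
        for c in sorted(cands):
            if c in IOC_SET:
                hits.append((n, c, "report IOC"))
            elif (b := brand_spoof(c)):
                hits.append((n, c, f"spoofs {b}"))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines for demonstration only
    "2023-03-02T09:14:07Z 10.20.1.15 GET https://web.telegram.org/a/ 200",
    "2023-03-02T09:15:41Z 10.20.1.15 GET https://telegram.org.security.ohsxy.com/login 200",
    "2023-03-02T09:15:59Z 10.20.1.15 GET https://telegram.org.account-verify.example/ 200",
    "2023-03-02T09:16:03Z 10.20.1.22 GET http://cpcpipe.com/update.zip 200",
    "2023-03-02T09:17:55Z 10.20.1.22 CONNECT 45.76.31.101:443 -",
    "2023-03-02T09:18:20Z 10.20.1.30 GET https://mail.ukr.net/ 200",
]
```

Line 3 of the sample is not in the report's list and is flagged only by the spoof heuristic; line 1, a real Telegram subdomain, is not flagged because its parent domain is the brand itself.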
## Implications
FROZENBARENTS remains a highly capable and versatile threat actor directly supporting Russian intelligence objectives, particularly in the context of the Ukraine conflict. Its focus on critical infrastructure (energy) and defense sectors, combined with persistent data exfiltration (`Adminer`) and information warfare capabilities, presents a significant and ongoing risk to organizations in NATO and allied nations.
## Mitigations
- Implement robust email and SMS filtering against credential-harvesting attempts, especially those spoofing large organizations (such as CPC) or security alerts.
- Ensure Exim mail servers are patched and monitored for signs of exploitation or of use as command-and-control infrastructure.
- Employ MFA universally, especially for email access.
- Users should be highly suspicious of links related to software updates delivered outside of trusted channels.
- Ukr.net users should enable Google Account Level Enhanced Safe Browsing where it applies to their services.