
Nation state actors increasingly hide behind cybercriminal tactics and malware – Source: www.csoonline.com


Source: www.csoonline.com – Author: lconstantin

News Analysis

01 Nov 2024, 8 mins

Advanced Persistent Threats, Cyberattacks, Cybercrime

Microsoft’s Digital Defense Report offers new insights into a rising trend that sees lines blurring between cyberespionage and cybercriminal activity.

State-sponsored threat actors are no strangers to false-flag operations, impersonating or relying on cybercriminal groups to hide their real objectives. But the lines between cybercrime and cyberespionage are becoming increasingly blurred, and the number of such occurrences is on the rise.

In its Digital Defense Report 2024, Microsoft recently announced it has “observed nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community.”

As such, CISOs must be aware that activity on their network and systems that at first appears typical of cybercriminal intentions might belie other motivations from malicious operators equipped with additional tools, tactics, techniques, and procedures.

Following is a look at this rising trend that blends cyberespionage with cybercriminal activities and elements.

Stealing money for sanctioned governments

One country that has a long history of engaging in financially motivated cyber operations alongside espionage and sabotage is North Korea, primarily due to long-running economic sanctions. The country’s state-run hacking teams, such as Lazarus Group, compromised central banks in the past to steal large sums of money and have since transitioned to targeting cryptocurrency organizations and users.

In 2023, a White House official said that up to half of North Korea’s missile program was funded through cryptocurrency theft and other cyberattacks. Meanwhile, the UN estimated in a report that North Korean hackers stole more than $3 billion in cryptocurrency from 2017 to 2023.

This year, a new North Korean threat actor that Microsoft tracks as Moonstone Sleet developed and deployed ransomware against organizations from the aerospace and defense sector. In this way, the hackers managed to achieve two objectives at the same time: intelligence gathering by exfiltrating sensitive information from high-value targets and monetization through ransomware.

Another country under sanctions that started engaging in financially motivated attacks this year is Iran. While this country’s state-associated hacking teams have deployed faux ransomware before, it was done as a false flag to hide a destructive objective and didn’t really offer a chance at decryption.

Earlier this year a group tracked as Cotton Sandstorm that is part of Iran’s Islamic Revolutionary Guard Corps (IRGC) military arm — and that has been noted for 2024 election influence campaigns — used two personas to market data stolen from an Israeli dating website and offered to remove profiles from the data dump for a fee.

Hiring cybercriminals for plausible deniability

Meanwhile, Russia has intensified its collaboration with cybercriminal elements following its invasion of Ukraine, outsourcing some of its cyberespionage operations targeting the country. According to Microsoft, a cybercriminal group tracked as Storm-2049 or UAC-0184 used the commodity malware Xworm and Remcos RAT to infect 50 Ukrainian military devices.

“There was no obvious cybercriminal use for this compromise, suggesting the group was operating in support of Russian government objectives,” Microsoft wrote in its report.

An even more obvious case of outsourcing cyberespionage was observed in July 2023, when a known APT group attributed to the Russian Federal Security Service (FSB) handed off access to 34 compromised Ukrainian devices to a cybercriminal group tracked as Storm-0593 or InvisiMole.

According to Microsoft, the Aqua Blizzard APT executed a PowerShell script that downloaded malware from a known command-and-control server controlled by Storm-0593 and then deployed Cobalt Strike beacons.

The beacons are backdoor implants from the commercial Cobalt Strike penetration testing framework that many cybercriminals use. In this particular case, the beacon was configured to connect to a domain that Storm-0593 registered and used in phishing campaigns against Ukrainian military organizations.

This indicates that Storm-0593 has supported state cyberespionage objectives multiple times, but it wouldn’t be the first time when Russia’s intelligence agencies have co-opted cybercriminals. In 2017, the US Department of Justice indicted two FSB officers for hiring a known criminal hacker to break into Yahoo’s network.

Last month the US indicted five officers of the Russian military intelligence service, the GRU, together with a civilian co-conspirator, for their role in launching destructive data-wiping attacks against Ukrainian government organizations ahead of Russia’s invasion of the country. These attacks, known collectively as WhisperGate, used a fake ransomware program that corrupted files and left computers unable to boot.

The FBI noted that unlike other more well-known GRU cyberespionage teams, such as Fancy Bear or Pawnstorm, the unit behind the attack favors open-source and commercial tools and collaborates with cybercriminals on dark web forums.

Using commodity malware and cybercriminal infrastructure

State actors are increasingly co-opting cybercriminal tools and techniques to gain access to their targets, Microsoft reports.

“FSB-affiliated Secret Blizzard and GRU-affiliated Seashell Blizzard gain access to as many devices as possible before pursuing devices of interest,” Microsoft wrote in its report. “Secret Blizzard has done this by commandeering third-party infections, like the multipurpose Amadey bots, to download a custom reconnaissance tool that helps operators decide whether to deploy their first-stage backdoor. Seashell Blizzard offers malicious, pirated versions of Microsoft software on torrents, often promoting them on Ukrainian file sharing websites to gain initial footholds in networks.”

Russia has a long history of false-flag operations in cyberspace with its state-run hacking teams using commodity malware to throw investigators off track. Similar to WhisperGate, another faux-ransomware attack called NotPetya was launched in 2017 by Sandworm to corrupt file systems on Ukrainian computers but ended up impacting multinational companies because it had a self-propagating component.

During the 2018 Olympic Games in South Korea, Russia launched an attack against the IT infrastructure supporting the event with data-wiping malware that has been dubbed Olympic Destroyer. The malware copied code from earlier data wipers used by North Korea to shift blame to the obvious suspect.

Chinese intelligence services also have a history of working with civilian hackers. APT41, also known as Winnti, Axiom, Barium, or Wicked Panda, is one of the oldest Chinese cyberespionage groups with its intrusion activities dating as far back as 2007. For a long time, this group operated from a front company called Chengdu 404 Network Technology Company that security experts believe acted as a contractor for China’s Ministry of State Security and the People’s Liberation Army.

While the group’s targeting often follows China’s geopolitical and intelligence collection interests, it has also been responsible for financially motivated attacks primarily against the online gaming industry. Several Chinese nationals who are suspected members of APT41 were indicted in the US in 2019 and 2020 and are on the FBI’s most-wanted list.

Impersonating hacktivists

Nation state actors are also increasingly hiding their activities, including influence campaigns, behind made-up hacktivist personas and groups. One example is a group called CyberAv3ngers that defaced a water controller in Pennsylvania because the device was made in Israel. According to Microsoft, the CyberAv3ngers persona was actually created by an IRGC unit known as the Shahid Kaveh Group. (Experts consider recent water-system attacks by Russia-linked hacktivists to be potential proving-ground efforts aimed at winning the attention and favor of nation state actors.)

Meanwhile, after the conflict between Israel and Hamas broke out, Iran’s nation state actors set up two personas called “Tears of War” and “Hamsa1948” to impersonate activists asking for the removal of the Israeli Prime Minister from office due to the handling of the hostage situation or to encourage Arab Israelis to violently oppose Israeli authorities. A third persona named “KarMa” that asked for the removal of Netanyahu was linked to a unit of the Iranian Ministry of Intelligence and Security.

In Russia, hacktivist groups with potential ties to the government, like the Cyber Army of Russia, have claimed responsibility for attacks that tried to intimidate countries supporting Ukraine, including attacks against critical infrastructure entities. In July, the US Treasury and State Departments put two members of this group on the sanctions list.

“This past year, nation-state affiliated threat actors once again demonstrated that cyber operations — whether for espionage, destruction, or influence — play a persistent supporting role in broader geopolitical conflicts,” Microsoft said in its report. “In the wars in Europe and the Middle East, Russia and Iran centered their threat activity on their main adversaries in those fights, Ukraine and Israel, respectively. Meanwhile, Beijing’s long-term focus on controlling Taiwan drove a high level of targeting of Taiwan-based enterprises from Chinese threat actors, who also penetrated the countries around the South China Sea to collect insights into military exercises and national policy.”


Original Post url: https://www.csoonline.com/article/3595792/nation-state-actors-increasingly-hide-behind-cybercriminal-tactics-and-malware.html

Category & Tags: Advanced Persistent Threats, Cyberattacks, Cybercrime, Threat and Vulnerability Management