On 15 March at 18:00 we invite you to the next Cyber Fortress League games, during which there will be no shortage of excitement.
Recently, we have been observing an increase in the activity of APT groups that are associated with Russia and Belarus. Their activity focuses primarily on the fuel and energy sector and other elements of our country’s critical infrastructure. Refineries, pipelines, power plants and distribution networks may be at risk.
The activity of APT Groups is directed against countries that actively support Ukraine in its conflict with Russia. One of the attackers’ main goals is to cause social and political unrest. In addition, possible campaigns may be a prelude to a military incident by weakening the defense potential resulting from the disruption of the supply chain.
Experts from the CyberGrzmot company have detected a giant botnet based on devices from European countries. It consists of approximately 25.7 million devices, including computers, IP cameras, TVs, Android devices and IoT devices.
CyberGrzmot warns that this botnet can be used as a platform to launch many campaigns against large organizations from the critical infrastructure, fuel and energy, banking and financial sectors, as indicated by information found on Darknet cybercrime forums.
These campaigns can be of a different nature. In the past, various botnets were used in phishing campaigns, DDoS attacks, brute-force password attacks and malware distribution. They were also often used to distract attention from the actual targeted attack.
Typically, attacks in this campaign were preceded by scanning systems accessible from the Internet and other activities carried out from botnets controlled by the attackers.
The identified attacks that are part of the described campaign usually started with the compromise of news portals or other websites related to the publication of news, which have a high rate of daily page views.
The attacker accessed them through unknown methods as part of the preparation phase for the intended attack. He would then post articles related to the latest events, supported by videos or animations that allegedly required a codec update on the viewer's computer. A script contained in the page identified the country of origin and the operating system of the potential victim's computer. So far, Windows-based devices used in Poland and other countries involved in helping Ukraine have been attacked. When the script identified the computer as a potential victim, the user was prompted to download codecs that actually contained malware.
Typically, after initial access, the malware used the command line to decode the cryptographic keys necessary to set up the encrypted C2 channel with the attacker’s servers. Then the attacker downloaded another payload, which, when launched with the use of trusted system binaries, allowed him to modify file and directory permissions.
The next step of the attacker was to perform a reconnaissance among the files, in which he searched for saved access passwords or cookies containing confirmation of the web session setup. In the observed attacks, the attacker paid particular attention to the authentication data for OT devices or systems managing OT devices.
Reconnaissance in the observed attacks did not end with files – the attacker also carried out network reconnaissance to identify OT devices.
After identifying the critical OT elements, the attacker most often covered his tracks by interfering with security and other logs, and then interfered with the settings related to reporting irregularities in the functioning of OT elements. These interventions included changing the levels beyond which the monitoring signaled an alarm condition and disrupting the operation of signaling systems, monitoring and individual sensors.
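The two tampering steps described above, clearing logs and moving alarm limits, are both observable in audit data if someone is looking. The following detector is an added example written for this announcement; it is not code from Cyber Fortress League, CyberGrzmot or any vendor. It assumes two constructed JSON-lines feeds: Windows event records (the real event IDs 1102 "audit log cleared" and 104 "system log cleared") and a hypothetical OT historian audit feed whose field names (`tag`, `old_limit`, `new_limit`, `alarm_enabled`) are invented for the example, as is the 25% change threshold.

```python
import json

# Constructed sample events (not from the page): Windows-style security events
# and a hypothetical OT alarm-limit audit feed, one JSON object per line.
SAMPLE_EVENTS = """
{"source":"windows","host":"hmi-01","event_id":4624,"user":"operator","msg":"logon"}
{"source":"windows","host":"hmi-01","event_id":1102,"user":"operator","msg":"The audit log was cleared"}
{"source":"windows","host":"eng-ws-02","event_id":104,"user":"svc_backup","msg":"The System log file was cleared"}
{"source":"ot_audit","host":"scada-srv","tag":"PUMP3_PRESSURE_HI","old_limit":12.0,"new_limit":25.0,"user":"operator"}
{"source":"ot_audit","host":"scada-srv","tag":"TANK1_LEVEL_HI","old_limit":90.0,"new_limit":91.0,"user":"operator"}
{"source":"ot_audit","host":"scada-srv","tag":"COMPRESSOR_TEMP_HI","old_limit":80.0,"new_limit":80.0,"user":"engineer","alarm_enabled":false}
"""

# Real Windows event IDs that record log clearing.
LOG_CLEAR_EVENT_IDS = {1102: "Security audit log cleared", 104: "System log cleared"}

# Constructed policy: a single change that moves an alarm limit by more than
# 25% of its previous value is treated as suspicious and raised for review.
MAX_LIMIT_CHANGE_RATIO = 0.25


def analyze(lines):
    """Return a list of alerts for log-clearing and alarm-tampering events."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        src = ev.get("source")

        if src == "windows" and ev.get("event_id") in LOG_CLEAR_EVENT_IDS:
            alerts.append({
                "rule": "log_cleared",
                "host": ev["host"],
                "user": ev.get("user"),
                "detail": LOG_CLEAR_EVENT_IDS[ev["event_id"]],
            })

        elif src == "ot_audit":
            old, new = ev["old_limit"], ev["new_limit"]
            # Disabling an alarm outright is flagged regardless of the limit value.
            if ev.get("alarm_enabled") is False:
                alerts.append({
                    "rule": "alarm_disabled",
                    "host": ev["host"],
                    "user": ev.get("user"),
                    "detail": f"{ev['tag']} alarm disabled",
                })
            # Guard against division by zero for limits that were previously 0.
            elif old != 0 and abs(new - old) / abs(old) > MAX_LIMIT_CHANGE_RATIO:
                alerts.append({
                    "rule": "alarm_limit_jump",
                    "host": ev["host"],
                    "user": ev.get("user"),
                    "detail": f"{ev['tag']} limit moved {old} -> {new}",
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample the detector raises four alerts: the two log clears, the pump pressure limit that more than doubled, and the disabled compressor temperature alarm. The 1% tank level adjustment is left alone, since routine tuning by operators is exactly the noise such a rule must tolerate; in practice the ratio and the list of tags that may never be disabled belong in a reviewed configuration rather than in code.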
At the last stage of the attack, the APT group interfered with the settings of OT devices (e.g. SCADA controllers), causing failures that could lead to kinetic consequences – stopping production processes, destroying devices, or endangering the life and health of employees or even civilians through chemical release, fire or explosion.
According to the information obtained from the Darkweb, cyberattacks may take on a kinetic nature aimed at causing permanent damage to the OT infrastructure involved in producing and transporting fuels and energy. The APT group responsible for creating the botnet has not yet been identified, although CERT UA attributes it to groups associated with or sympathizing with Russia and Belarus.
The entire schedule of games and the current table can be found in the Cyber Fortress League tab.