By Gregory Hale
A cyber attack is a cyber attack, but sometimes it is different than what was originally thought, which means investigators need to keep an open mind when looking at the details.
That is exactly what happened when Cylance got involved in what it thought was an Advanced Persistent Threat (APT) attack against Russian critical infrastructure organizations like the world’s largest oil and gas company, Rosneft.
“This was an attack that at first blush looked like it was going to lead to some interesting APT research about a state or state-sponsored group that was targeting Russian state-owned critical infrastructure companies,” said Kevin Livelli, director of threat intelligence at Cylance. “But after some malware archaeology we discerned it is in fact a criminal attempt to steal money from these organizations.”
The culprit in this attack was business email compromise, and it had been around for at least three years. Globally, business email compromise attacks have cost people $12 billion, according to the FBI.
“Email compromise is a big problem. It is a problem everywhere,” Livelli said. “A threat actor was harvesting credentials from malware as well as from a redirection from a series of websites that were made to copy legitimate web sites owned by these Russian companies to take more credentials, and the attack would end up stealing money when the attacker would use the credentials to log into the email accounts they compromised and insert themselves into the business processes of the organization and redirect funds.”
HOW A COMPANY CAN PROTECT AGAINST BUSINESS EMAIL ATTACKS:
• Be aware attacks like this are out there
• Keep attuned to attachments you open, links you click on
• When you go to websites, make sure the site is owned by the company
• Be leery of emails sent to you, even from people you already know
• Pay attention to subtle differences in emails
“It was interesting to us because when we saw Rosneft involved in the targeting, and it was the subject of so much geo-political intrigue last year when a deal was announced to take a huge percentage of the company public, we thought we were looking at a state-sponsored espionage campaign. But in fact, it wasn’t. That was important to us because it tells you organizations cannot just rely on their first-blush impressions and rule out who the attacker might be.”
In terms of the attack, Cylance researchers identified several phishing documents which used Microsoft Office macros to deliver malicious implants to their targets. It’s not entirely clear whether these were specifically targeted at isolated groups or utilized the old spray-and-pray method to cast a much wider net, they said.
Livelli was not sure what types of credentials the attackers stole, but he added they were helped along by some research from the Russian edition of Forbes, published in April 2017 and entitled “Attack of the Clones: How Schemes Work with Fake Sites of Rosneft and Other Large Companies.” The author was Ilya Sachkov, the founder and chief executive of infosec company Group-IB and a member of expert committees belonging to the Russian State Duma and Ministry of Foreign Affairs.
The article described what appeared to be unpublished Group-IB research findings into an elaborate criminal scheme wherein a threat actor was creating near-clones of the websites of legitimate Russian critical infrastructure companies — Rosneft most prominent among them — in order to harvest credentials and perpetrate fraud.
In the article, Sachkov provided screenshots of many of the mimicked sites to establish just how painstakingly close to the originals these fake sites were designed to look.
The article referenced several of the companies and websites by name, which Group-IB said were part of the fraud campaign. At least one of the affected companies was described in the article as being a client of Group-IB.
Multiple Companies Involved
That company’s domain, as well as nearly all of the other domains cited by Group-IB, were also uncovered in the Cylance investigation. In addition to Rosneft, other companies included Mendeleevkazot, HCSDS, and EuroChem. Mendeleevkazot is a fertilizer manufacturer and part of a larger Russian critical infrastructure holding company. HCSDS is an acronym for Siberian Business Union, a holding company comprised of several Russian critical infrastructure companies. EuroChem is a Swiss-based fertilizer company with its primary mining activity in Russia.
In essence, the attackers would direct victims to pages where they would supposedly be tendering bids for Rosneft, Livelli said: things like the oil and gas bidding process, places where money would be changing hands anyway, and sites employees would visit if they were involved in the financial affairs of the company in some way.
“A lot of those domain names are very similar to the real domain names,” Livelli said.
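One defensive check the lookalike-domain angle invites, as an added example (not Cylance’s or Group-IB’s tooling), is to screen newly registered or newly observed domains against the domains a company actually owns, catching Cyrillic and digit homoglyphs, extra TLDs, bidding-portal filler words and one-character typos. All domains below are constructed placeholders under the reserved `.example` TLD, not the real companies’ domains or real indicators.

```python
import unicodedata

# Constructed legitimate domains for the companies named in the article (.example
# is a reserved TLD; these are not the companies' real domains).
LEGIT_DOMAINS = ("rosneft.example", "eurochem.example", "mendeleevkazot.example")
# Cyrillic letters that render identically to Latin ones, plus digit lookalikes.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "0": "o", "1": "l", "5": "s",
})
# Words a fraud site might append to a brand to pose as a bidding portal (longest first).
FILLER = ("procurement", "tender", "portal", "login", "bids", "bid")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain):
    """Second-level label, punycode-decoded, NFKC-folded, homoglyphs mapped to Latin."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    return unicodedata.normalize("NFKC", label).translate(HOMOGLYPHS)


def classify(candidate, legit_domains=LEGIT_DOMAINS):
    """Return (verdict, imitated legit domain), or None if the name looks unrelated."""
    cand_full = candidate.lower().rstrip(".")
    if any(cand_full == d or cand_full.endswith("." + d) for d in legit_domains):
        return None  # the organisation's own domain or one of its subdomains
    cand = brand_label(cand_full)
    for legit in legit_domains:
        brand = brand_label(legit)
        if cand == brand:
            return ("clone: same name under another TLD or with homoglyphs", legit)
        stripped = cand
        for word in FILLER:
            stripped = stripped.replace(word, "")
        if stripped.strip("-_") == brand:
            return ("clone: brand plus bidding-portal filler word", legit)
        if levenshtein(cand, brand) <= (1 if len(brand) < 8 else 2):
            return ("typosquat: within edit distance of the brand", legit)
    return None
```

Feeding a certificate-transparency or passive-DNS feed through `classify` gives a daily list of names worth blocking at the mail gateway and proxy before a phishing lure using them reaches staff.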
Found Malware Samples
Essentially, the Cylance threat team was looking for new malware and attack methods and stumbled upon this attack.
“We found these malware samples in a common malware repository and we noticed what kind of infrastructure they were using to deliver the malware,” Livelli said. “We saw the names of all of these fertilizer, chemical, oil and gas and agriculture companies, and when we then started to investigate those further we found they are mostly all Russian and mostly all state-owned. We thought we were on the trail of an APT actor. Critical infrastructure is often a common target, so we thought we were going down that road and we were wrong.
“When we started to investigate the malware used here, which allowed for lateral movement within the target’s environment, it was essentially a key logger. We noticed in tracing the development, it was used by the same threat actor originally to target users of the video game Steam, to steal in-game money and user accounts, and the malware had been repurposed to target critical infrastructure, which was quite a shift,” he said.
In terms of who conducted the attack, Livelli said, “I think a small group, or an individual was behind it. It was a small group based mainly in Russia or Eastern Europe.”
Blurring Attack Lines
While this attack was meant to steal money, it also proved to be a shift from the usual criminal behavior.
“There has been a blurring of lines between the criminal groups and the nation state groups,” Livelli said. “In these attacks we are often talking about the people, but here we are talking about the attack style. We are talking about the attack style criminal groups are doing, which is usually like casting a wide net just to see what you can get. Not really caring about how you get it, just that you get in. State sponsored groups, on the other hand, are much more surgical, targeted and precise. This was a criminal group taking a page from the APT playbook simply because it works. It has the knock-out effect of throwing off those that are coming out to investigate.”
While this was a criminal attack, it was “specifically targeted for critical infrastructure,” Livelli said. “The vector of attack was good old phishing. It was not anything new in that regard.”