Russian APT and Ransomware Groups: Vulnerabilities and Threat Actors Who Exploit Them

A history of cyberattacks

Far before Russia launched its full-scale invasion of Ukraine, cybersecurity officials from the Ukrainian government already believed their nation had experienced multiple cyberattacks led by Russian Advanced Persistent Threat (APT) groups. As Russian troops gathered on their borders, numerous Ukrainian government websites as well as several banks were DDoS’d, with the media also reporting that hundreds of machines were infected with HermeticWiper, a new form of malware. To make matters worse, Microsoft announced this Monday that they had discovered and mitigated malicious software lingering on Ukrainian machines that was designed to target their agricultural, commercial, finance, and energy sectors.

Even though Russia has not officially claimed to be responsible for these attacks, Britain’s cybersecurity agency, the NCSC has stated that they believe Russia’s GRU military intelligence was involved. Given Russia’s involvement in previous cyberattacks against Ukraine like “NotPetya” in 2017, it is difficult to think otherwise. In response, many high-profile hacking groups around the world have made public statements declaring their support for Ukraine.

Russia’s history with threat actor groups

Historically, many hacking groups have been attributed to Russia in different capacities. Names like “Fancy Bear” and “Cozy Bear” are more well-known, while some of their alternative names or designations (e.g. APT28, APT29) may be used more by intelligence analysts. What is clear is that Russia has maintained, and currently maintains, highly skilled groups that perform offensive operations. Depending on the attribution, some groups are associated with the General Staff of the Armed Forces (GRU’s 6th Directorate/Military Intelligence), the Foreign Intelligence Service (SVR), and the Federal Security Service (FSB).

Recommended: Russia Is Cracking Down on Cybercrime. Here Are the Law Enforcement Bodies Leading the Way.

Below our threat and vulnerability intelligence analysts outline five of the most prolific APT groups, along with two additional high-profile malware groups, with strong ties to Russia.

Vulnerabilities and Russian government-sponsored groups

1) APT28

• Active since: 2004
• Also called: GRU, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, Tsar Team, STRONTIUM
• At least 27 vulnerabilities associated with the group
  1. Five affected vendors including Microsoft (16), Adobe (7), and Oracle (2)
  2. Average CVSSv2 Score is 8.68
• One vulnerability does not have a CVE (a Microsoft Windows Local Privilege Escalation issue)
  

2) APT29

• Active since: 2015
• Also called: VR, Cozy Bear, CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM
• At least 14 vulnerabilities associated with the group
  • 11 affected vendors, including Microsoft (2), VMware(2), and Oracle (2)
  • Average CVSSv2 Score: 8.26
• One vulnerability does not have a CVE (affects SolarWinds)

3) Berserk

• Active since: 2015
• Also called: FSB, Crouching Yeti, Dragonfly, Dragonfly 2.0, DYMALLOY, Energetic Bear, Havex, IRON LIBERTY, Koala, TeamSpy
• At least six vulnerabilities associated with the group
  • Four affected vendors, including Microsoft (3)
  • Average CVSSv2 Score: 8.34
    

4) Venomous Bear

• Active since: 2015
• Also called: FSB, Turla, KRYPTON, Uroboros, Snake, Waterbug, IRON HUNTER
• At least two vulnerabilities associated with the group (both Microsoft)
  • Average CVSSv2 Score: 8.25

5) Sandworm Team

• Active since: Unspecified
• Also called: GRU, Unit 74455
• At least one vulnerability associated with the group (Exim RCE)
  • CVSS score of that vulnerability: 10.0

Vulnerabilities and cybercriminal groups with strong ties to Russia

1) Fin7

• First observed: 2015
• Common targets: retail, restaurant, and hospitality.
• Also called: GOLD NIAGARA, ITG14, Carbon Spider
• Four vulnerabilities associated with the group, all affecting Microsoft Office
  • Average CVSSv2 Score: 8.64

2) Conti Ransomware

• First observed: December 2019
• At least 17 vulnerabilities associated with the group
  • Nine vendors affected, including Microsoft (7) and Apache (2)
  • Average CVSSv2 Score: 8.25

Identifying patterns

Looking at both the Russian state-sponsored actors, as well as the two criminal groups operating for profit, there is a clear pattern in the vulnerabilities they target. While it may be safe to assume these groups would concentrate on remote code execution (RCE) vulnerabilities, previous attacks more commonly relied on user-assisted attacks, disguised as arbitrary code execution (ACE). These vulnerabilities can be exploited in phishing mails and watering hole attacks. Considering APT28 above, out of the 27 known vulnerabilities they have used, only one is full remote code execution (ETERNALBLUE) while 17 are CVSSv2 9.3 and require user interaction to achieve code execution. On the other hand, APT29 is not associated with any ACE vulnerabilities.

It is also important to note that some of these groups are using different local privilege escalation (LPE) vulnerabilities, most in Microsoft Windows. That is a good indication that a fair amount of concern should be reserved for attackers gaining a foothold in the network, using lateral movement, and ultimately administrative access to systems. In the browser world, both Google Chrome and Mozilla Firefox do not appear in any of the vulnerabilities used by these groups while APT28 has been observed exploiting four different Microsoft IE browser issues.

The Conti Ransomware group has also come under fire for being a Russian based group in the form of targeted leaks about the group’s tactics, techniques, and procedures (TTP), as well as more damaging information. Perhaps one of the most critical details leaked is their primary Bitcoin (BTC) wallet address showing a balance in excess of 65 thousand BTC or close to 2.7B dollars. This will undoubtedly make it more difficult for the group to launder the money and cash out. The leaks go on to include chat logs, high-profile targets, and more details on exploitation targets. The group has responded to the leaks by apparently wiping their server infrastructure as well as bickering over if members would receive their paychecks, which has prompted the LockBit ransomware gang (which has expressed neutrality in the war) to offer association to Conti operators ready to jump ship.

Enable efficient vulnerability management with better data

As Russia’s war on Ukraine continues, various world governments, including the United States Government are preparing themselves for potential cyberattacks and are advising organizations within the private sector to prepare themselves. But what are the best steps in doing so?

Enterprises should focus on securing their digital assets, especially if any of them are essential for day-to-day operations. An effective Vulnerability Management Program will be key since hacker groups will need to exploit an issue to gain a foothold into an organization’s systems. At minimum, enterprises should be using CISA’s Binding Operational Directive 22-01 as a guide since its purpose is to identify vulnerabilities that are being exploited in the wild.

But for those looking to go beyond that, Flashpoint and Risk Based Security have joined forces to enable organizations proactively identify and address risk. With Flashpoint’s comprehensive vulnerability intelligence, security teams can detect and remediate vulnerabilities faster than those relying on the public source. Sign up for a free trial today to see how Flashpoint enables efficient vulnerability management with better data.