CyberWire Daily - The breakdown of Shuckworm's continued cyber attacks against Ukraine. [Research Saturday]
Episode Date: March 26, 2022

Guest Dick O'Brien from Symantec joins Dave Bittner on this episode to discuss how "Shuckworm Continues Cyber-Espionage Attacks Against Ukraine." The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) has been active since 2013 and is known to use phishing emails to distribute either freely available remote access tools. In July 2021, Symantec observed Shuckworm activity on an organization in Ukraine and this continued until August 2021. According to a November 2021 report from the Security Service of Ukraine (SSU), since 2014 the Shuckworm group has been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems. Dick walks us through Symantec's investigation. The research can be found here: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life
Thank you.
Hello everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
The group we're discussing today, or that prompted this conversation, is one that we call Shuckworm.
Other vendors know them as Gamaredon or Armageddon. And that is what is widely believed to be a Russia-sponsored group
that has been conducting an ongoing espionage campaign
against Ukrainian organizations since at least 2013.
That's Dick O'Brien.
He's a principal editor with Symantec's threat intelligence research team.
The research we're discussing today is titled
Shuckworm Continues Cyber Espionage Attacks Against Ukraine.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire
network, continuously verifying every request based on identity and context, simplifying
security management with AI-powered automation, and detecting threats using AI to analyze
over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
It seems to be heavily focused on government or publicly owned organizations.
Its main motivation appears to be primarily intelligence gathering or information gathering.
But Ukraine has also faced a lot of other cyber threats.
There have been some quite notable examples of, I guess, cyber attacks that were designed to be very disruptive
and indeed could maybe be classed as sabotage.
So, for example, in the winter of 2015, I think it was,
there were a number of attacks that were directed against the Ukrainian power grid.
This occurred right in the middle of winter.
So you can obviously imagine what the impact of that could have been, given the climate over there,
they have very cold winters. And these attacks were believed to be carried out by another Russian-sponsored group known as Sandworm. You know, they've carried out a variety of actions worldwide,
but they seem to be kind of more of a high-level organization, more of a specialist group than Shuckworm.
There was also the Petya, also known as NotPetya, worm attack in 2017. This was a wiper worm that spread. It was initially targeted at Ukraine, but because it was a worm, it managed to escape the borders of Ukraine very quickly, and an awful lot of international organizations were disrupted by it. It was masquerading as ransomware, but it was really just a wiper. And I think the end goal of that attack appeared to be to kind of cause havoc within Ukraine.
More recently, as we all know, as anyone who's been watching the news knows, there's been, I think, unprecedented levels of tension between Ukraine and Russia, mainly caused by a Russian troop buildup on the Ukrainian border. And we've seen some incidents, I guess, that are kind of outside of the normal run of activity that we'd see against Ukraine. So there were some website defacements that occurred a couple of weeks ago, and then there was a wiper attack not too dissimilar from the NotPetya incident, in that it was disguised as ransomware at the time, but it was a much more targeted kind of wiper attack, so it kind of only affected organizations in Ukraine. And I think, you know, the goal of these more recent public attacks is, I guess, there's a propaganda value to them. You know, the websites were defaced with actually Ukrainian political messages, and also a disruptive element to them too, just to kind of add to the level of tension that we're experiencing at the moment.
Well, let's dig into some of the specific things that you all have highlighted in this research. You have some case studies of some things that you all have been tracking with Shuckworm. Can you walk us through what they're up to?
Yeah, I can. All right. I think, I mean, I guess the starting point for this investigation was a report published by the Ukrainian government, specifically the Secret Service of Ukraine, back in November. It makes for very interesting reading. If you want to kind of get a primer on Shuckworm, this is a good place to start, because it gives you the kind of background right from day zero, but also gives an update on what the group has been up to more recently. You know, this prompted our own investigation. We wanted to see if the activity described by the Ukrainian government was continuing and if we could find out anything more ourselves.
So what we have found is, I guess, a trove of indicators of compromise, signs of attack, and we published this blog, I guess, as we wanted to share this information publicly. We believe it may be of assistance to anyone who is hunting for signs of Shuckworm attacks on their network. We found a lot of things, but I guess the main thing we have uncovered is a kind of a recent attack, I guess, where we've been able to highlight how an attack has run from end to end against a particular organization. That gives the reader, you know, I guess a bit of an insight into what these attackers are after. So I guess I'll describe the attack, again an attack against one organization, as maybe a way of illustrating what we've seen happening. So this attack occurred over about two months in July and August of this year. We have seen more recent attacks, but this is the one where we have the most complete information. So I think this is why we chose to use it.
Shuckworm has historically relied on phishing or spear phishing emails to compromise its victims. And this appears to be the case in this organization, because the first evidence of malicious activity occurred shortly after a suspicious Word doc was opened on a computer in the organization. Shortly after it was opened, we saw a malicious VBS file being run to launch a backdoor. This has been used by Shuckworm recently, called, this is going to be very difficult to pronounce, Pterodo. I hope I'm pronouncing that correctly. We didn't choose this name ourselves.
They then used this backdoor to download another executable and a couple of VBS scripts. And then they created a scheduled task on the computer. And this appeared to be designed to maintain persistence, because essentially what it did was it made sure that one of those scripts was executed every 10 minutes, and the upshot of that is that the compromise remains live even if the user reboots their computer. Later on, we saw them once again installing new versions of the backdoor and the associated scripts. And this occurred over and over, over the course of the same day, and then they were testing it against their command and control server. And it's a little bit unclear as to why they were kind of repeating this process. It may be that something didn't quite go right, or it may be that they were tweaking the backdoor, because a new version was used every time, to suit the victim's environment.
They seemed to be happy eventually with their setup, and then a couple of days later, they came back and ran a couple of commands, including one called flush DNS. That suggests that they might have updated their DNS records for their command and control servers, because the flush DNS command was executed shortly before they attempted to install more backdoors that leveraged the same command and control.
So then not a lot happened.
They had their access.
They didn't do much with it until maybe two weeks later.
Yeah, two weeks later, they came back and they launched another version of this backdoor.
There's a lot of versions of the backdoor being used in the campaign.
And I think after the initial trial and error process, they may be kind of constantly rolling out new versions,
lest they get picked up by security software.
They kind of constantly want to keep refreshing it.
But anyway, they executed the backdoor.
It was used to download a new file called deerskin.exe.
And this actually was a dropper for a VNC client.
When it was executed, it tested its connectivity
and then dropped the VNC client
and established a connection to the command and control server.
And this was a legit tool,
but it was being used in a malicious fashion, obviously.
And we believe that this was the ultimate payload of the attack,
for two reasons, really.
I think, number one, nothing else of note
was kind of installed on the computer after that appeared.
And number two, there seemed to be a lot of suspicious opening of documents occurring on the computer after it was installed.
So it looks like they were using this to just snoop around the computer and see if there was anything worth stealing from it.
It sounds to me like they were fairly bold. Is it fair to say noisy in their operations? I guess I'm curious, to what degree was any of this triggering any detection, or was the system they infected particularly vulnerable to this kind of thing?
I think, you know, I mean, I think the system they infected wasn't in what you would probably expect to be a super highly secured environment. Now, this group, they have, I guess, they have a history of being quite noisy, but there is, you know, they have become much more sophisticated in recent years, and the fact that they kept on rolling out new versions of the malware means that they could be attempting to fly under the radar, lest an older version be discovered and they try and run it again. They introduce a new one and use that for the next task they want to perform.
I see. So in terms of detection, response, protection against this particular group, what are you recommending?
Okay, in terms of what we recommend, obviously, anything malicious being used, any malware being used, should be blocked by security software. But I think people need to be aware that this group is also making extensive use of legitimate tools, such as remote administration tools, and they are often kind of the payload being used in attacks. So there is, you know, you should be aware, you should monitor installations of software on your network. And if you see something that you don't expect to be there or shouldn't be there, that should raise red flags.
Yeah, I mean, it seems to me like this is one of those cases where
keeping tabs on background behavior would be in your best interest.
Yeah, absolutely. And obviously, there should be awareness too that spear phishing emails
tend to be their way into organizations. And the emails are usually pretty well crafted.
They're designed to resemble legit communications
that somebody working for one of these organizations might receive.
So they show good awareness of topical issues
and the business of that organization.
So obviously educating your end users with regard to spear phishing is key too.
I suppose it's noteworthy as well, as you all point out in the research, this group has been active since at least 2013. So not only have they been around, you know, coming up on a decade here, but they've increased the level of sophistication of their operations as well, yes?
Yeah, yeah.
I mean, I think there has been a notable step change in their capabilities over the past couple of years
based on what they used to do before.
In terms of APT groups, they were quite unsophisticated. They just kind of tended to favor quantity over quality. They seem to kind of attempt to infect as many computers as possible and see what they could get from there. But as noted by the Ukraine government, and as seen by ourselves, they're now kind of doing what you would expect a modern APT group to do, that is, moving laterally across the network, trying to steal credentials, all of that kind of thing. So, you know, whether more resources have been put into the group or, you know, whether there's been a change of management or whatever, they definitely seem to be much more capable than they were a few years ago.
And is that a trend that tracks, you know, across the organizations that you all have your eye on? I mean, are we seeing overall a general increase in sophistication of these groups?
Overall, yes. I think all of these groups tend to, you know, they tend to watch what's going on in the general threat landscape, and they're quick to copy successful trends. But by and large, yeah, there has been a marked increase in sophistication. And I would say particularly with regard to actors from regional powers, maybe, as opposed to global powers, their capabilities have come on an awful lot in the past five to seven years. And yeah, there has been a shift away from custom malware to, I guess, publicly available tools and even legitimate tools all being used in a malicious way. These have several advantages, really. Number one, it makes it harder to attribute attacks to a particular espionage actor, you know, if the tool is publicly available. And secondly, they're less likely, in the case of legitimate tools or dual-use tools, to maybe raise red flags on a network, as opposed to something that is just out-and-out malware.
Our thanks to Dick O'Brien from Symantec for joining us.
The research is titled Shuckworm Continues Cyber Espionage Attacks Against Ukraine.
We'll have a link in the show notes.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.