Mandiant Unveils Russian GRU’s Cyber Playbook Against Ukraine

Mandiant has tracked a trail of destructive Russian-backed operations against Ukraine since February 2022, when Russia invaded its neighbor, carried out by multiple distinct Russian threat clusters pursuing Russia's intelligence and conflict objectives. It has observed the persistent use of the same repeatable playbook throughout the war.

The cybersecurity company, now part of Google Cloud, announced its findings in a blog post published on July 12, 2023.

Developed by Russia's Military Intelligence Service (GRU), the playbook comprises five operational phases:

  1. Living on the edge: Leverage compromised edge infrastructure that is hard to monitor, such as routers, VPNs, firewalls and email servers, to gain and regain initial access to targets.
  2. Living off the land: Use built-in tools such as operating system components and pre-installed software to conduct reconnaissance, lateral movement and information theft on target networks, likely aiming to limit the malware footprint and evade detection.
  3. Going for the GPO: Use a tried-and-tested PowerShell script to create persistent, privileged access from which wipers can be deployed via a Group Policy Object (GPO).
  4. Disrupt and deny: Deploy "pure" wipers and other low-equity destructive tools, such as ransomware, to fit a variety of contexts and scenarios.
  5. Telegraphing "success": Amplify the narrative of successful disruption via a series of hacktivist personas on Telegram, regardless of the actual impact of the operation.

Russian cyber operations since the start of the Ukraine war typically begin by compromising systems in the "living on the edge" phase, after initial reconnaissance. The adversary then establishes a foothold, maintains persistence and escalates privileges while "living off the land." These methods are then combined with Group Policy Objects to move laterally and conduct further reconnaissance within internal systems. Finally, the operators deploy malware (wipers, ransomware, etc.) and, at the same time, launch Telegram campaigns to amplify the operation's success.

The GRU's deliberate commitment to quick and dirty operations

Mandiant observed this same playbook being used by a variety of threat actors throughout the six phases of the war identified by its researchers, five of which were outlined in a February analysis from Google's Threat Analysis Group (TAG), as previously reported by Infosecurity.

Mandiant therefore identified the GRU as playing a "central role in standardizing operations across multiple subteams for more reproducible and consistent effectiveness," the report said.

Since most phases aim at quickly deploying and executing destructive malware while evading detection, Mandiant said the playbook is "especially suited for fast-paced and competitive operational environments," adding that "it is clear that Russia's wartime objectives likely guided the GRU's chosen tactical course of action."

The company also assessed, with a stated degree of confidence, that "this standard operating concept represents a deliberate effort to increase the speed, scale and intensity with which the GRU can conduct offensive cyber operations while minimizing the likelihood of detection."

A shift from previous GRU methods

The report's authors, Dan Black and Gabby Roncone, also said the GRU's general intent to "irreversibly destroy data and interfere with the ability of targeted systems to function as intended" is consistent with previous Russian-coordinated cyber-attacks. They noted, however, that the design of the destructive malware the GRU has chosen to use during the war differs substantially from what has been observed before.


First, since the beginning of the Ukraine war, Russian threat actors have moved from the introduction of pure, possibly packaged moved to a tool with a higher

Second, the GRU has expanded its use of "notable political actors and hacktivist identities" in its disruptive strategy. Between 2014 and 2018, Mandiant witnessed the emergence of several "personas" (CyberBerkut, CyberCaliphate, Guccifer 2.0, etc.), which the GRU used to "misattribute" its cyber operations and to stage secondary operations with a strong psychological effect.

Since the start of the Ukraine war, several new self-proclaimed hacktivist groups have emerged (CyberArmyofRussia_Reborn, the XakNet team, Infoccentr, etc.). These have played a more active role than the previous categories of personas. In addition to aiding the Russian regime, they have been observed actively amplifying and exaggerating the impact of cyber-attacks by Russian hackers, with some of them leaking data exfiltrated from victims that were also hit by a wiper attack. All of this happened largely on Telegram, which "has emerged as an important source of war-related intelligence work, sense-making, and an important recruiting platform for cyber 'armies' of volunteers in conflict situations," the Mandiant researchers wrote.

Links between the GRU, UNC3810 and CyberArmyofRussia_Reborn

One notable example covered by Mandiant is the October 2022 deployment of CaddyWiper by the threat group the cybersecurity firm tracks as UNC3810.

The researchers write: "During the final stages of the scenario, data from the victims of the UNC3810 wiper attack was staged by 'CyberArmyofRussia_Reborn' and advertised on Telegram. [...] The persona claimed responsibility for the wiper attack. However, technical artifacts from the UNC3810 intrusion show that the 'CyberArmyofRussia_Reborn' persona greatly exaggerated the success of the wiper attack. A series of operator mistakes prevented UNC3810 from completing its wiper attack before the Telegram post boasted of network disruptions. Rather, the Telegram post came a full 35 minutes before CaddyWiper's execution, undermining CyberArmyofRussia_Reborn's repeated claims of independence from the GRU."

According to Dan Black on Twitter, the failure of this operation demonstrates the two groups' "integrated forward planning" and the "highly credible link" between the Telegram channel and the GRU.

In its conclusion, Mandiant said it anticipates that "future crisis and conflict scenarios where there are requirements to support massively disruptive cyber operations may reflect similar operational approaches, or 'playbooks.'"
