173. How To Eat Fried Sandworms
Here are a few highlights from each article we discussed:
- We’re talking about a private industry notification from the FBI on the continued popularity of ransomware actors gaining access via third parties and legit system tools
- As this is a private industry notification, can we talk about this here? Is it like Fight Club?
- No, it is TLP:CLEAR, so the first two rules don’t apply here :)
- How bad does something need to be to have a release come out like this?
- Real bad!
- But seriously, these are a way to get generic-specific information out into the eyes and ears of people who can do something to prevent something from happening
- If the FBI picks up enough information or sees enough activity, they will let everyone know what they’re seeing and what we should be aware of
- What are they seeing in this instance?
- It’s very short, sweet, and specific
- The FBI continues to track third party vendors as a vector for ransomware attacks targeting casinos
- As of this past summer and beyond, they’re seeing the group known as Luna Moth using callback-phishing – kind of a wrinkle in phishing and data exploitation
- Callback-phishing has been around for a little while – came on the radar a few years ago when the Ryuk ransomware gang used it
- It is where attackers send employees an email with a receipt saying that if you want a refund, you should call customer service – so the callback goes to the group, and they’ll social engineer you to use remote access tools
- It’s not noisy – they’re using tools you might already have in the arsenal – not dropping ransomware or leaving behind traces – they’re living off the land
- What else do we know about Luna Moth?
- They’ve been around for a year or so – they’re also known as the Silent Ransomware Group or SRG
- This technique is not exclusively theirs – there are certainly others that use it
- There are a lot of mitigations they’re recommending
- When we think about the targets, they’re broad and wide
- There are nice specifics on best practices – they’re a good refresher for folks
- At the end of this notification they mention the US Joint Ransomware Task Force (JRTF)
- They were built out in the cyber incident report of 2022 – Congress set this group aside to bring different threads together on the federal side
- Who exactly is Sandworm?
- They’re a group probably made most famous by the Andy Greenberg book of the same name—they’re one of the most well-known (maybe right at the top) APT groups targeting ICS infrastructure
- They are assessed, with high confidence, to be a unit of the Russian GRU, which is their intel agency. You could say that they kind of epitomize all three letters of the APT acronym—they’re one of the most advanced threat groups we’ve seen, they have been extremely persistent over the years, and the threat posed by them is well-manifested and undeniable
- And by the way, though this story today is largely about ICS/OT, Sandworm certainly has compromised IT networks too, with significant effects
- Initial attacks done by Sandworm
- They’re the group that shut down the Ukrainian economy and multiple international corporations like Maersk shipping using the NotPetya malware. Listeners who haven’t read Andy’s book may nonetheless recall that incident, as well as earlier attacks on Ukraine’s power grid and, less well-publicized, they took down some software used by hospitals in the US
- How are the latest attacks different from the initial ones?
- Although this report just came out last week, the events Mandiant is documenting actually took place in 2022
- The intrusion began in approximately June 2022 and ultimately achieved two disruptive events on October 10 and 12, 2022
- Interestingly, Mandiant hasn’t yet been able to determine what the initial access vector was, but the result of that was that Sandworm gained access to the OT environment through a hypervisor that hosted a SCADA management instance for a Ukrainian substation environment
- Mandiant’s investigation did show evidence of lateral movement, and they assess that the attacker potentially had access to the SCADA system for up to three months. So now about the disruptive events: on October 10, they leveraged an ISO image named “a.iso” to execute a native MicroSCADA binary to execute malicious control commands to switch off substations. (MicroSCADA is a control system from Hitachi Energy and it’s used around the world.) Significantly, these power shutdowns coincided with widespread Russian missile strikes
- Was the timing of the multi-event cyber attack planned? Targeting the OT systems happening the same time as a missile strike was the intention and not a coincidence?
- Occam’s Razor would suggest that, yep—the most sensible explanation is probably the right one. Losing power right before the missiles arrived put Ukraine at a substantial disadvantage
- What does the attack Mandiant responded to represent? What’s the outlook like from this attack?
- The thing that leapt out at me right away with this story is that a big part of the narrative around the Russian invasion was the relative lack of Russian offensive cyber operations. And it’s true that we didn’t see a lot of those right at the beginning of the invasion in early ’22
- Part of the story here is that sometimes, and often for good reasons, we don’t learn about these kinds of events until quite a bit later. As far as the outlook goes—Sandworm is a major threat
- A lot of APTs seem to specialize in one area, like ransomware or wipers (which, by the way, were also a big part of this incursion that Mandiant wrote about). Sandworm is a Swiss army knife, but where that analogy breaks down is that each tool on a real SAK is a compromise; in the case of Sandworm, each major capability area that they exhibit is very well-developed. You can’t overstate the value of the research Mandiant’s done to inform the community about this group
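The callback-phishing lure discussed above (a fake receipt, a phone number to "call customer service" for a refund, and no link for URL filters to inspect) is easy to describe in words but worth seeing as a detection heuristic. The following is an added example written for this recap; it is not code from the podcast, DomainTools, or the FBI notification. The sample messages are constructed, the indicator terms and the scoring threshold are assumptions, and in practice you would feed it parsed messages from your mail gateway rather than the inline dictionaries.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real phishing emails). The first one mimics
# the callback-phishing pattern: billing language, a refund/urgency hook, and a
# phone number with no link to click. The other two are benign look-alikes.
SAMPLE_EMAILS = [
    {
        "subject": "Your receipt for order #48213",
        "body": ("Thank you for your purchase of a 12-month subscription ($389.99). "
                 "If you did not authorize this charge, call customer service at "
                 "1-800-555-0142 within 24 hours to cancel and get a refund."),
        "links": 0,
    },
    {
        "subject": "Weekly status meeting",
        "body": "Agenda attached. Dial-in: 555-0100 if you can't join video.",
        "links": 0,
    },
    {
        "subject": "Your invoice is ready",
        "body": "View your invoice online: https://billing.example.com/inv/7781",
        "links": 1,
    },
]

# Assumed indicator vocabularies; tune these to your own mail corpus.
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
BILLING_TERMS = ("receipt", "invoice", "subscription", "charge", "renewal", "purchase")
CALLBACK_TERMS = ("call", "phone", "dial")
PRESSURE_TERMS = ("refund", "cancel", "within 24 hours", "did not authorize", "unauthorized")


@dataclass
class Verdict:
    subject: str
    score: int
    indicators: list = field(default_factory=list)


def has_term(text: str, terms) -> bool:
    """Whole-word match so 'call' does not fire on 'locally' or 'recall'."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def score_callback_phishing(email: dict) -> Verdict:
    """Score one message (subject, body, link count) for callback-phishing traits."""
    text = f"{email['subject']} {email['body']}".lower()
    v = Verdict(subject=email["subject"], score=0)
    if has_term(text, BILLING_TERMS):
        v.score += 1
        v.indicators.append("billing_language")
    if PHONE_RE.search(text):
        v.score += 1
        v.indicators.append("phone_number")
    if has_term(text, CALLBACK_TERMS):
        v.score += 1
        v.indicators.append("call_us_prompt")
    if has_term(text, PRESSURE_TERMS):
        v.score += 1
        v.indicators.append("refund_or_urgency")
    # The hallmark of the lure: it pushes the victim to a phone, not a URL,
    # so link-rewriting and URL-reputation filters see nothing to act on.
    if email.get("links", 0) == 0 and "phone_number" in v.indicators:
        v.score += 1
        v.indicators.append("no_links_only_phone")
    return v


def triage(emails, threshold: int = 4):
    """Return verdicts for messages at or above the (assumed) alert threshold."""
    verdicts = (score_callback_phishing(e) for e in emails)
    return [v for v in verdicts if v.score >= threshold]


if __name__ == "__main__":
    for v in triage(SAMPLE_EMAILS):
        print(f"FLAG {v.score}/5 {v.subject!r}: {', '.join(v.indicators)}")
```

Only the receipt lure crosses the threshold; the meeting notice with a dial-in and the real invoice with a link each score a single indicator. The useful part for a defender is the last rule: a message that asks for a phone call and carries no URL is exactly the case where the rest of the mail-security stack is blind, so it deserves weight of its own.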
This Week’s Hoodie/Goodie Scale
The Breach Goes On
[Taylor]: 2.37/10 Hoodies
[Tim]: 4.5/10 Hoodies
The Early Bird Gets the Sandworm
[Taylor]: 7/10 Hoodies
[Tim]: 7/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools; all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!