Russian Threat Actors Targeting Infrastructure

In January 2022, BlackBerry’s researchers published findings about efforts by operators of the Prometheus traffic direction system (TDS) to target U.S. infrastructure through their crimeware-as-a-service (CaaS) offering. The Prometheus effort was originally identified by the Russian entity Group-IB in August 2021.

The BlackBerry report goes on to note that “Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease. Think of Prometheus like a freight transport infrastructure; except instead of carrying food or petrochemicals, it carries a range of cyber offensive capabilities and malware to its targets. The irony of this analogy is that services like Prometheus enable bad actors to target companies that provide actual infrastructure—such as freight transport and other critical services—in the physical world.”

The service/platform “sells access to the TDS via underground forums on a subscription basis, with its prices ranging from $30 for two days to $250 for a month.”

As BlackBerry’s report was released, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to the infrastructure and utility industry, “Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats.” In their guidance, CISA highlighted the cyberattacks against Ukrainian public and private entities. The guidance highlighted the need for organizations that could be targeted to:

  1. Reduce the likelihood of a damaging cybersecurity intrusion
  2. Take steps to quickly detect a potential intrusion
  3. Ensure that the organization is prepared to respond if an intrusion occurs
  4. Maximize the organization’s resilience to a destructive cybersecurity incident

The guidance then urged all organizations to review Alert AA22-011A – “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure,” which contains a joint CISA/FBI/NSA warning about potential cybersecurity threats, most especially those directed at critical infrastructure entities.

One does not have to find a smoking gun if one smells cordite. Serhiy Demedyuk, deputy secretary of Ukraine’s Defence Council, attributed the attacks on Ukrainian entities to “a cyberespionage group affiliated with the special services of the Republic of Belarus.” On the surface, the cyberattacks were inconsequential website defacements; yet, when the Ukrainians dug deeper, they discovered malware designed to encrypt files. Unlike ransomware, however, there was no request for payment—the intent was solely destruction.

Like cyberspace itself, the cybercrime landscape is dynamic. It is when the virtual collides with the physical that consequences are seen. Therefore, no one should be surprised that the Russian criminal machine did not appreciate being identified by Group-IB. This places the Sept. 28 arrest of Ilya Sachkov, the CEO of Group-IB, by the Russian internal security service (FSB) in a different light.

Is Sachkov’s arrest a coincidence? A form of payback? Or some as-yet-unidentified rationale, such as to prevent the revelation of a capability which was/is being used vis-à-vis Ukraine? Sachkov has been charged with treason; more specifically, transferring information to foreign intelligence entities. Sachkov currently sits in Moscow’s Lefortovo prison, his pre-trial detention extended in mid-December 2021 to Feb. 28, 2022.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
