Using Deception to Learn About Russian Threat Actors
It has been almost a year since Russia first invaded Ukraine, and the war has resulted in a massive rise in both physical and digital attacks. Since the invasion, Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target.
As these attacks have continued to unfold, they have attracted the attention of the world’s cybersecurity research community, which has been analyzing Russian threat actors to understand more about their TTPs and how they are affiliated with the Putin government.
A recent piece of this research came from cyber deception specialists Lupovis who revealed that Russian threat actors had compromised the networks of many international businesses and are using this access to launch attacks against Ukraine.
The research attracted global attention as it highlighted just how embedded Russian threat actors are within the internet and the need for organizations to do more to defend their networks.
The Research and its Findings
The research was conducted using Lupovis Prowl after it built decoys and set them up on the internet in a bid to attract Russian adversaries. Decoys are often confused with honeypots, but they are very different. A honeypot is a system that is deliberately designed to lure in potential attackers. By contrast, decoys use false information, systems and services to mislead or trap an attacker.
In this research, Lupovis’s decoys attracted Russian adversaries by giving them enticing names related to Ukrainian government officials and Ukrainian critical national infrastructure (CNI). The main goal of the operation was to gain usable threat intelligence about adversaries targeting Ukraine.
To lure hackers, Lupovis set up decoys that compromised of the following:
- Honeyfiles decoy: This decoy is used to generate beacon documents (Word, Excel, etc.). The documents contained falsified ‘critical’ information to lure adversaries and send a beacon when opened. This information can include usernames, passwords or addresses of other critical network elements such as web servers and databases. The aim was to leak these fake documents in key forums and among key groups.
- Web portals: The next two decoys were web portals designed to mimic Ukrainian political and governmental sites. They were also configured to insecurely attempt to authenticate into an API. The way in which the authentication was purposely created could allow for credentials to the next decoy type to be found.
- SSH: The final two decoys were SSH services, these were configured to accept the faux credentials from the web portals and report a critical attack if the full chain was followed.
Within a few minutes of the decoys going live, Lupovis witnessed between 50–60 cybercriminals targeting them. These human adversaries carried out a variety of attacks on the decoys ranging from reconnaissance on the ‘lure information’ to recruiting them into bots to perform DDoS attacks. They also started to open documents, extract key information and then proceed to carry out attacks on the decoys, such as SQL injections and tests against well-known CVEs.
However, after monitoring the decoys and carrying out reconnaissance on the attackers, Lupovis also discovered that some of the threat actors had already compromised the networks of multiple global organizations, including a Fortune 500 business, over 15 health care organizations and a dam monitoring system. These organizations were based in the UK, France, the U.S., Brazil and South Africa and Russian criminals were rerouting through their networks to launch cyberattacks on Ukrainian targets.
In Conclusion
The study highlighted the inner workings of Russian cybercriminals, not only showing how quickly threat actors operate when information of value comes within their reach but also demonstrating how ingrained they are within the internet.
Security defenders, organizations and governments can use this intelligence to understand Russian threat actor techniques and then use this information to improve their network defenses against them. Key defenses include testing systems, carrying out risk assessments, applying regular patch updates and monitoring networks for threats and intruders.
Otherwise, when organizations don’t take these proactive security measures, they risk leaving their networks exposed and may soon find themselves unwittingly carrying out the dirty work of Russian threat actors.