Arraya Insights | July 5, 2017
Names like “Sandworm” and “Hidden Cobra” may sound as though they were pulled from the pages of an epic sci-fi novel; however, the threats they pose are very real. These fantastical monikers actually refer to a pair of shadowy – and allegedly state-sponsored – global cybercrime initiatives. Upon closer inspection, the tactics and endgames employed by each can serve as a reminder of some important, but often overlooked, cyber security truths.
Getting to know ‘Sandworm’
Sandworm is the Dune-inspired name given to a group of hackers believed to be supported by Russia. In recent years, the group has been busying itself by (allegedly) turning Ukraine into its own “test lab for cyber war,” as documented in a write-up by Wired. So far, the group’s accomplishments have been as extensive as they have been painful. Sandworm is thought to have been behind attacks on Ukrainian media, financial institutions, transportation, and more. To date, the group has twice managed to successfully attack Ukraine’s power grid, resulting in widespread outages.
However, as US Secretary of State Rex Tillerson once pondered, “Why should US taxpayers be interested in Ukraine?” The answer, in the case of Sandworm, is that the group’s attention hasn’t always been focused on Ukraine. Back in 2014, it’s believed that Sandworm attempted to execute a similar assault on American power and water utilities. Should they seek to apply the lessons they learned in Ukraine during a future attack on American soil, the implications could be severe.
What about individual businesses outside of the energy sector? While companies without ties to critical infrastructure or a global footprint may seem safely below Sandworm’s radar, the group’s tactics are worth analyzing. As complex as the group’s weapons are, the origins are something that should sound familiar to all businesses.
For example, the assault on Ukraine’s power grid began with a phishing email containing a malicious attachment. Once opened, this attachment gave attackers a backdoor from which they could strike a damaging blow. Also, in an earlier attack on Ukraine’s StarLightMedia, Sandworm leveraged compromised admin credentials and lax access restrictions to break into the company’s network, where it operated unnoticed for six months. Eventually, the group managed to take over two domain controllers and use them to remotely destroy more than a dozen employee devices. That was well short of its goal of 200 devices or more, but that’s small consolation.
Coincidentally or not, Ukraine also recently found itself as the launching point for the massive Petya/ExPetr/NotPetya ransomware epidemic. While thousands of machines in businesses across the globe were affected, including American companies such as Merck, Ukraine was among the hardest hit, with Petya (etc.) infecting banks, telecom, and, of course, its energy sector.
This latest ransomware onslaught took advantage of the same Windows exploit WannaCry used last month, reaffirming the importance of dedicated patching. Unlike traditional ransomware attacks, which are financially motivated, the objectives of those behind Petya (etc.) remain unclear. (As of press time, there’s no official connection between this campaign and Sandworm’s activities.) The email address used to collect payments is offline, and some have theorized the objective of the attack was to destroy data, not to encrypt it and hold it hostage.
One-on-one with ‘Hidden Cobra’
Hidden Cobra is the US government’s designation for the cyber maneuvers of another notorious state – North Korea. Hidden Cobra, or, as it has been referred to in the media, Lazarus Group or Guardians of Peace, was the subject of a recent Technical Alert (TA) released by the US Computer Emergency Readiness Team (US-CERT). This release details what North Korea has been up to, what to watch for, the repercussions of falling victim to Hidden Cobra, and more.
Hidden Cobra’s arsenal includes DDoS botnets, keyloggers, various types of malware, and others. Threat actors have utilized these tools against a range of targets, either to steal data or disrupt the target’s operations. As with any criminal organization, Hidden Cobra actors aren’t looking to work any harder than they have to for a win. Among their favorite targets to exploit are unsupported versions of Microsoft operating systems and unpatched Adobe Flash player vulnerabilities – attack vectors common among cyber crooks, state-sponsored or not.
Hidden Cobra manages its DDoS botnet using a malware variant called DeltaCharlie. This malware agent is capable of downloading executable files and altering its configuration, as well as launching and concluding denial-of-service attacks. In order to help organizations avoid becoming ensnared in North Korea’s botnet, the TA includes IP addresses associated with DeltaCharlie. While some of the traffic involving these IPs may prove to be legitimate, organizations should take immediate action to verify its authenticity. After further review, if the traffic is still suspected of malicious intent, it should be flagged, addressed, and reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or to the FBI’s Cyber Watch (CyWatch) group using the guidelines included in the TA.
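The first step the TA asks for, checking your own traffic against the published indicator addresses, is simple to automate. The script below is an added example written for this post; it is not Arraya’s or US-CERT’s code. The indicator addresses in it are constructed placeholders from the RFC 5737 documentation ranges (the real DeltaCharlie addresses are only in the TA itself), and the firewall log lines are constructed as well. It matches both the source and destination of each log line against single hosts and CIDR blocks, keeps denied connections too (a blocked attempt still tells you which internal host tried to reach out), and tallies hits per internal host so the review can start where it matters.

```python
"""Match firewall log traffic against an indicator list (added example).

The indicator addresses below are constructed placeholders drawn from the
RFC 5737 documentation ranges, not the addresses published in the TA.
The log lines are constructed too.
"""
import ipaddress
import re
from collections import Counter

# Placeholder indicators: replace with the addresses published in the TA.
INDICATORS = [
    "192.0.2.45",        # a single host (becomes a /32)
    "198.51.100.0/28",   # a small block, to show CIDR handling
]

# Constructed firewall-style log lines: timestamp action src dst dport
SAMPLE_LOG = """\
2017-07-05T10:01:12Z ALLOW 10.0.0.15 203.0.113.8 443
2017-07-05T10:01:13Z ALLOW 10.0.0.22 192.0.2.45 8080
2017-07-05T10:01:14Z ALLOW 198.51.100.9 10.0.0.5 22
2017-07-05T10:01:15Z DENY 10.0.0.22 192.0.2.45 8080
2017-07-05T10:01:16Z ALLOW 10.0.0.31 198.51.100.200 80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def compile_indicators(entries):
    """Turn indicator strings into ip_network objects; a bare host is a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_network(addr, networks):
    """Return the first indicator network that contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip in net:
            return net
    return None


def scan_log(text, indicators=INDICATORS):
    """Return one finding dict per log line that touches an indicator.

    Each finding records which side (src or dst) matched, so an analyst can
    tell an inbound hit from an internal host reaching out to the indicator.
    """
    networks = compile_indicators(indicators)
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        rec = m.groupdict()
        for side in ("src", "dst"):
            net = matching_network(rec[side], networks)
            if net is not None:
                findings.append({
                    "ts": rec["ts"],
                    "action": rec["action"],
                    "side": side,
                    "internal_host": rec["dst" if side == "src" else "src"],
                    "indicator": str(net),
                    "dport": int(rec["dport"]),
                })
    return findings


def summarize(findings):
    """Count hits per internal host; these are the machines to examine first."""
    return Counter(f["internal_host"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize(hits))
```

On the constructed sample this flags three lines: two from 10.0.0.22 to the placeholder host (one allowed, one denied) and one inbound from the placeholder block to 10.0.0.5; the address 198.51.100.200 sits outside the /28 and is correctly ignored. Hosts the summary ranks highest are the ones to verify, and if the traffic still looks malicious after review, to report as the TA describes.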
Defending against threats (great and small)
All businesses, regardless of size or industry, need to devote themselves to routine patching, access controls, end user threat recognition training, and other forms of basic security hygiene. Unfortunately, these activities are the ones that often slip through the cracks or are purposefully pushed to the side in favor of fighting the daily fires that pop up. Shortcomings in these areas can attract cyber criminals who – regardless of support structure or country of origin – can inflict extensive damage.
Arraya Solutions’ Cyber Security Practice helps keep threats at bay by connecting organizations with the people, processes, and tools they need to forge an intelligent, reliable IT environment. Our team can provide bandwidth-strapped tech teams with the additional hands they need to address frequently overlooked routine tasks, such as patching or sunsetting aging, no-longer-used applications. In addition, they can analyze an organization’s existing environment, spot gaps, and provide valuable, actionable advice on how to remediate issues.
Start a conversation with Arraya’s Cyber Security team today by visiting: www.arrayasolutions.com/contact-us/. You can leave us a comment on this or any of our posts by visiting us on social media: LinkedIn, Twitter, and Facebook. Be sure to follow us to stay up-to-date on our industry insights, exclusive learning opportunities, and company news.