State-sponsored Threat Groups Ramp Up Ransomware-Like Attacks
Sandworm Targets Ukraine and its Supporters
In the last months of 2022, Russian Advanced Persistent Threat (APT) group Sandworm continued its data wiping attacks against Ukrainian organizations, but expanded its efforts to organizations from countries that are strong supporters of Ukraine, such as Poland, according to a new report by cybersecurity firm ESET. Sandworm is believed to operate as a unit inside Russia’s military intelligence agency, the GRU.
Sandworm has launched destructive attacks against Ukrainian organizations for years. It is credited with the attacks against the Ukrainian energy infrastructure that caused blackouts in the country in 2015 as well as the destructive ransomware-like attack NotPetya in 2017 that started as a software supply chain attack against a Ukrainian software company but ended up impacting international organizations as well.
In October, ESET saw new variants of both CaddyWiper and HermeticWiper, as well as a new data wiper attributed to Sandworm called NikoWiper. This last wiper is based on SDelete, a Microsoft utility for securely deleting files, and was used against a Ukrainian company from the energy sector.
“This attack happened around the same period that the Russian armed forces targeted Ukrainian energy infrastructure with missile strikes,” the ESET researchers said. “Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives.”
Aside from data wiping malware, Sandworm seems to be continuing its tactic of repurposing ransomware. The difference between data wipers and ransomware programs is that the latter encrypts files instead of deleting them, but when no decryption is ever offered both have the same effect: the data becomes inaccessible.
APT Groups Use Ransomware in False Flag Operations
State-sponsored threat groups are increasingly using ransomware-like attacks as cover to hide more insidious activities. Russian APT group Sandworm used ransomware programs to destroy data multiple times over the past six months while North Korea’s Lazarus group used infrastructure previously associated with a ransomware group for intelligence gathering campaigns.
At the same time, some Chinese APTs that were traditionally targeting entities in Asia shifted their focus to European companies, while Iran-based groups that traditionally targeted Israeli companies started going after their foreign subsidiaries. At least one North Korean group that was focused on South Korea and Russia has started using English in its operations. All these operational changes suggest organizations and companies from Western countries are at increased risk from APT activity.
Other APT groups might not use ransomware programs directly, but could use tactics, techniques, and procedures (TTPs) associated with known ransomware groups to hide their activities. These are known in the security industry as false flag operations. Most ransomware groups now exfiltrate data to ransom it before encrypting it locally. This data theft can be a good cover for cyber espionage.
Security firm WithSecure recently investigated an attack campaign that was initially suspected to be the work of the BianLian ransomware group. Closer investigation revealed that it was actually an intelligence gathering operation by the North Korean state-sponsored Lazarus group that targeted public and private research organizations from the medical research and energy sectors, as well as their supply chain.
North Korea has multiple APT groups that sometimes share tooling, but which are believed to be controlled by different government agencies or departments. Lazarus, APT38, and Andariel (also known as Silent Chollima) are attributed to the 3rd Bureau (Foreign Intelligence) of the Reconnaissance General Bureau, North Korea’s foreign intelligence agency. Another group, Kimsuky, is attributed to the 5th Bureau (Inter-Korean Affairs) and handles operations targeting mainly South Korea. A further group, tracked as APT37, which also targets mainly South Korea, is attributed to the North Korean Ministry of State Security.
The researchers found malware similar to a tool called GREASE that was previously attributed to Kimsuky, as well as a custom version of Dtrack, a remote access Trojan (RAT), with a configuration very similar to one used by Lazarus in an attack against the Indian Kudankulam Nuclear Power Plant in 2019. The researchers also found usage of PuTTY Plink and 3Proxy, two tools previously observed in other Lazarus campaigns.
The overlap with BianLian ransomware was the use of a command-and-control server hosted at an IP address previously used by BianLian attackers. Lazarus and other North Korean APTs have a history of using ransomware in their attacks, both as cover and for profit. This includes the major WannaCry ransomware worm of 2017 that impacted organizations around the world. In July, CISA issued an alert that North Korean state-sponsored actors were using the Maui ransomware to target the healthcare and public health sectors. Because of the strict economic sanctions the North Korean government faces, its hacking arms frequently engage in activity that is more akin to cybercrime than cyberespionage.
“In various parts of the world, North Korea-aligned groups used old exploits to compromise cryptocurrency firms and exchanges. Interestingly, Konni has expanded the repertoire of languages it uses in its decoy documents to include English, which means it might not be aiming at its usual Russian and Korean targets,” the ESET researchers said in their new report on APT activity.