Russian Hackers Shift Tactics, Target More Victims with Paid Malware


Russian hackers and APT groups are escalating cyberattacks, leveraging readily available malware and broadening their targets beyond governments. Flashpoint researchers reveal these evolving tactics and how to protect your organization.

Earlier this week, reports surfaced indicating that state-sponsored groups in Iran are collaborating on large-scale attacks, and similar activity is occurring in Russia. As the Russia-Ukraine war continues, Russian Advanced Persistent Threat (APT) groups are adapting their tactics, techniques, and procedures (TTPs) and malware, with many sharing delivery techniques and using paid, readily available tools instead of custom payloads, researchers at Flashpoint revealed in their latest report.

The researchers found that these groups are refining their TTPs at a dangerously fast pace in recent spear-phishing campaigns, and that they favour malware readily available on illicit online marketplaces, which makes their activity harder to detect.

Image: One of the phishing emails identified by Flashpoint

While traditionally targeting government and political entities, these groups are now setting their sights on a wider range of victims. The motivations behind these attacks can vary, from espionage and intelligence gathering to financial gain. 

Flashpoint analysts reviewed campaigns by several Russian APT groups in 2024, including APT28, APT29, Gamaredon, Gossamer Bear, UAC-0050, and UAC-0149. Here’s a brief overview of their activities.

APT28 impersonates government organizations in many countries, including Belarus, Poland, and the USA, using free hosting providers to host backdoors targeting Windows systems. APT29 uses droppers and downloaders, including BURNTBATTER, DONUT, and WINELOADER, whereas APT44-associated hackers mostly target investigative journalists.

Gamaredon, the most active group in the Russia-Ukraine war, uses malicious documents and malware. Gossamer Bear targets Ukraine and NATO countries, while UAC-0050 targets Ukrainian and Polish government organizations. UAC-0149 made headlines in February 2024 after it launched phishing attempts via Signal Messenger.

Researchers also explored the Russian APTs' kill chain, discovering that they mainly rely on HTML-based droppers, such as ROOTSAW and WINELOADER, to execute malicious code. In addition, they use infostealers and commodity malware, and they use compromised websites for command and control. NTLM hash stealing is another method frequently used by Russian APT groups.

In its report, Flashpoint pointed out many notorious campaigns by Russian APTs that highlight their evolving TTPs. For instance, in a 2023 campaign, APT29 used a staggering six unique loaders in spear-phishing attempts. Agent Tesla, Remcos, Smokeloader, Snake Keylogger, and Guloader were the most common malware families used in spear-phishing campaigns.

Organizations can protect themselves by reviewing abnormal child processes of HTML and .HTA files, detecting payload downloads at the web proxy, implementing DLL side-loading detections, and reviewing network logs for connections to mock API services.
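Two of the hunting steps above (abnormal child processes of HTML/HTA handlers, and payload downloads seen at the web proxy) can be turned into simple detection logic. The script below is an added example, not code from Flashpoint or from the article; the process-event field names (parent_image, image, command_line), the proxy log layout (timestamp, client, method, URL, status, content type) and the sample events are constructed assumptions and are not tied to any particular EDR or proxy product.

```python
"""Detection helpers for the HTML/HTA hunting recommendations.

Assumed (constructed) inputs:
  - process-creation events as dicts with parent_image, image, command_line
  - proxy log lines: "<timestamp> <client> <method> <url> <status> <content-type>"
"""
import ntpath
import posixpath
from urllib.parse import urlsplit

# Processes that normally render HTML or execute .HTA content.
HTML_HOSTS = {"mshta.exe", "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Children that are rarely legitimate under an HTML host but are common in
# HTML-smuggling / HTA dropper chains.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe",
}

# File extensions and content types a proxy should alert on when an end
# user downloads them (tune to your environment; this is a starting list).
RISKY_EXTENSIONS = {".hta", ".exe", ".dll", ".iso", ".img", ".lnk", ".js", ".vbs"}
RISKY_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/hta"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\mshta.exe' -> 'mshta.exe')."""
    return ntpath.basename(path).lower()


def suspicious_child_processes(events: list[dict]) -> list[dict]:
    """Return events where an HTML/HTA host spawned a scripting or LOLBin child."""
    hits = []
    for ev in events:
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if parent in HTML_HOSTS and child in SUSPICIOUS_CHILDREN:
            hits.append({
                "rule": "html_host_spawned_" + child.removesuffix(".exe"),
                "parent": parent,
                "child": child,
                "command_line": ev.get("command_line", ""),
            })
    return hits


def risky_downloads(proxy_lines: list[str]) -> list[dict]:
    """Return proxy entries whose URL extension or content type indicates a payload download."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip it rather than abort the whole hunt
        ts, client, _method, url, _status, ctype = parts[:6]
        ext = posixpath.splitext(urlsplit(url).path)[1].lower()
        reason = None
        if ext in RISKY_EXTENSIONS:
            reason = "extension " + ext
        elif ctype.lower() in RISKY_CONTENT_TYPES:
            reason = "content-type " + ctype
        if reason:
            hits.append({"timestamp": ts, "client": client, "url": url, "reason": reason})
    return hits


# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"parent_image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "command_line": "msedge.exe --type=renderer"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
    {"parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\loader.dll,Start"},
]

SAMPLE_PROXY = [
    "2024-05-03T10:01:12Z 10.0.0.5 GET https://files.example.test/invoice.hta 200 text/html",
    "2024-05-03T10:01:30Z 10.0.0.5 GET https://cdn.example.test/style.css 200 text/css",
    "2024-05-03T10:02:01Z 10.0.0.7 GET https://dl.example.test/update 200 application/x-msdownload",
    "2024-05-03T10:02:05Z 10.0.0.9 GET https://www.example.test/index.html 200 text/html",
]

if __name__ == "__main__":
    for hit in suspicious_child_processes(SAMPLE_EVENTS):
        print("PROCESS", hit)
    for hit in risky_downloads(SAMPLE_PROXY):
        print("PROXY  ", hit)
```

On the constructed sample, the process rule fires twice (mshta.exe launching PowerShell, and Chrome launching rundll32.exe) and the proxy rule fires twice (an .hta download, and a download served with an executable content type even though the URL has no extension). The second proxy case is the one worth keeping: checking only the URL extension misses payloads served from extensionless paths, so the content type is checked as a fallback.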
