Campaign Targets Critical Russian Infrastructure

In a campaign that has lasted at least three years, financially motivated attackers have been targeting Rosneft, a state-owned Russian oil company, according to new threat intelligence published by Cylance.

In its Threat Intelligence Bulletin, researchers discovered that ordinary criminals – not state-sponsored actors – were behind the attacks on the predominantly Moscow-owned company. Anticipating that researchers would assume that the campaign was a nation-state attack on the critical infrastructure of a company that holds enormous political influence in Russia, these cyber-criminals were well camouflaged, making attribution all the more challenging.

Upon investigating the command-and-control (C&C) domains used by the malware authors, researchers learned that “the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges,” according to the research.

The attackers used Microsoft Office macros to deliver malicious implants to their targets throughout their extensive phishing campaign. Through analyzing several samples of the malware, researchers discovered a backdoor, programmed in Delphi, that shared IP address and hostname information in its communication over HTTP with two C&C servers.

“The backdoor had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system,” the bulletin said.

“Business email compromises like the one seen in this attack are, according to the FBI, big business – costing victims $12 bn globally in 2018 alone,” said Kevin Livelli, director of threat intelligence at Cylance.

“Organizations outside the specific target set of this attack should be alert to the fact that the techniques and targeting we normally associate with state or state-sponsored espionage efforts are also being used by ordinary criminals (even lone actors) motivated by financial gain. Targeted attacks come in all flavors – including crime – and defenders should be vigilant to this fact and resist jumping to conclusions when they see activity that might otherwise scream 'APT.'”

What’s Hot on Infosecurity Magazine?