Russian threat actors have been prolific for some time now and while we cannot pinpoint significant technical changes, their operational goals and modus operandi seem to have shifted dramatically, from industrial espionage and intelligence gathering, to potentially building the infrastructure for a destructive critical infrastructure attack.
We are not the only ones to note the Russian threat actors’ change in behavior, and there have been examples of such behavior before, such as with Industroyer (Ukraine) and Nuclear 17 (USA). However, we now feel comfortable to share that the observed shift in behavior is indicative of a refocus in targeting critical infrastructure, potentially as an option for a devastating critical infrastructure attack in the future.
While it is safe to say that any matured nation state is developing such capabilities, the differentiator now is that we can observe more groups becoming comfortable using them, and that there is an increase in these types of operations, specifically from Russia right now.
While other Russian threat actors may be involved, at Cymmetria, we have observed APT28 (Fancy Bear), and APT29 (Cozy Bear) thus far, specifically in Europe.
We regularly spend time researching threat actor’s methodologies, and their evolution over time. For our previous work on the subject, please take a look at Gadi Evron and Inbar Raz’s talk APT Reports and OPSEC Evolution, or: These are not the APT reports you are looking for. Note that some of what is discussed in the talk is outdated—for example: Sofacy’s (APT28’s) goals.
More targets, diminished proficiency
The threat actors appear to be spending less effort on their attacks. Here are some of our findings and interpretations:
- We observed increased activity (launching attack operations against more targets).
- The overall proficiency of their attacks has decreased, perhaps as a result of the increased activity.
- They may be having issues with economies of scale, using different threat actors in collaboration, to meet the demands of these large operations.
The third-party approach – A response to current anti-APT solutions?
Once the threat actors gain access to a third party’s network environment, their lateral movement techniques vary. In several instances, we have seen them using the following two techniques to gain access to their target environment via a third party:
- Misusing a VPN connection
This may indicate that the threat actors are looking for new ways to initially breach an organization, now that anti-APT solutions such as EDR and sandboxing are widely used. Once they gain access to the organization’s environment, they proceed normally with lateral movement, gaining access to more systems.
Cymmetria’s MazeRunner usually catches threat actors this way at customer sites, by using cyber deception to discover them as they attempt lateral movement.
While it is possible—and likely—that these threat actors are targeting a variety of industries, at Cymmetria, we’ve observed the following industries being attacked in Europe:
- Energy (Power)
- Hospitals (Health)
In conclusion: Building a strategic option?
These threat actors are shifting their focus, and perhaps their primary aim, from espionage to building a destructive weapon. While this has not been conclusively proven, our reasoning is as follows:
- The world’s nation states use cyber for military applications, and it makes sense for Russia to position their cyber capabilities to be able to leverage them when needed for critical infrastructure attacks.
- There has been an increase in attack frequency (to the point of lower proficiency) combined with a shift in the focus of these attacks to primarily critical infrastructure targets.
- When these threat actors breach an organizational network, they often do not steal data, but rather dig in and wait for orders.
Others may reach different conclusions. So far, nothing has been proven. But, taking into consideration what we have seen over the last few of years—specifically with the energy sector attacks in the Ukraine, and the geopolitical landscape—we cannot afford to not take heed of this shift in aims and technical priorities. We should consider this a warning and a call to action for defenders.