Research Saturday 3.26.22
Ep 225 | 3.26.22

The breakdown of Shuckworm's continued cyber attacks against Ukraine.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dick O'Brien: The group we're discussing today that prompted this conversation that we call the Shuckworm, other vendors know them as Gamaredon or Armageddon, and that is what is widely believed to be a Russia-sponsored group that has been conducting an ongoing espionage campaign against Ukrainian organizations since at least 2013.

Dave Bittner: That's Dick O'Brien. He's a principal editor with Symantec's Threat Intelligence Research Team. The research we're discussing today is titled, "Shuckworm Continues Cyber-Espionage Attacks Against Ukraine."

Dick O'Brien: It seems to be heavily focused on government or publicly owned organizations. Its main motivation appears to be primarily intelligence gathering or information gathering. But Ukraine has also faced a lot of other cyber threats. There have been some quite notable examples of, I guess, cyberattacks that were designed to be very disruptive and indeed could maybe be classed as sabotage. So for example, in the winter of 2015, I think it was, there was a number of attacks that were directed against the Ukrainian power grid. This occurred right in the middle of winter, so you can obviously imagine what the impact of that could have been, given the climate over there. They have very cold winters. And these attacks were believed to be carried out by another Russian-sponsored group known as Sandworm. You know, they've carried out a variety of actions worldwide, but they seem to be kind of more of a high-level organization, more of a specialist group than Shuckworm.

Dick O'Brien: There was also the Petya, also known as NotPetya, worm attack in 2017. This was a wiper worm that spread – it was initially targeted at Ukraine, but because it was a worm it managed to escape the borders of Ukraine very quickly and an awful lot of international organizations were disrupted by it. It was masquerading as ransomware, but it was really just a wiper. And I think the end goal of that attack appeared to be to kind of cause havoc within Ukraine.

Dick O'Brien: More recently, as we all know, if anyone who was watching the news knows that there's been, I think, unprecedented levels of tension between Ukraine and Russia, mainly caused by a troop buildup on the – a Russian troop buildup on the Ukrainian border. And we've seen some incidents, I guess, that are kind of outside of the normal run of activity that we'd seen against Ukraine. So there were some website defacements that occurred a couple of weeks ago, and then there was a wiper attack not too dissimilar from the NotPetya incident, in that it was disguised as ransomware at the time, but it was a much more targeted kind of wiper attack, and so it kind of only affected organizations in Ukraine.

Dick O'Brien: And I think, you know, the goal of these more recent public attacks is I guess there's a propaganda value to them. You know, the websites were defaced with anti-Ukrainian political messages. And also a disruptive element to them to just to kind of add to the level of tension that we're experiencing at the moment.

Dave Bittner: Well, let's dig into some of the specific things that you all have highlighted in this research. You have some case studies of some things that you all have been tracking with Shuckworm. Can you walk us through what they're up to?

Dick O'Brien: Yeah, I can. I think, I mean, I guess the starting point for this investigation was a report published by the Ukrainian government, specifically the Secret Service of Ukraine, back in November. It makes for very interesting reading. If you want to kind of get a primer on Shuckworm, this is a good place to start, because it gives you the kind of background right from day zero, but also gives an update on what the group has been up to more recently. You know, this prompted our own investigation. We wanted to see if the activity described by the Ukrainian government was continuing, and if we could find out anything more ourselves.

Dick O'Brien: So, what we have found is, I guess, a trove of indicators of compromise, evidence, signs of attack. And we published this blog, I guess, as we wanted to share this information publicly. We believe it may be of assistance to anyone who is hunting for signs of Shuckworm attacks on their network. We found a lot of things, but I guess the main thing we have uncovered is kind of recent attack chains where we've been able to highlight how an attack has run from end-to-end against a particular organization. Gives the reader, I guess, a bit of an insight into what these attackers are after.

Dick O'Brien: So I guess I'll describe an attack against one organization as maybe a way of illustrating what we've seen happening. So, this attack occurred over about two months, in July and August of this year. We have seen more recent attacks, but this is the one where we have the most complete information, so I think this is why we chose to use it.

Dick O'Brien: Shuckworm has historically relied on phishing or spearphishing emails to compromise its victims, and this appears to be the case in this organization, because the first evidence of malicious activity occurred shortly after a suspicious Word doc was opened on a computer in the organization. Because shortly after it was opened, we saw a malicious VBS file being run to launch a backdoor. This has been used by Shuckworm, recently called – this is going to be very difficult to pronounce – "Pterodo." I hope I'm pronouncing that correctly. We didn't choose this name ourselves.

Dick O'Brien: They then used this backdoor to download another executable and a couple of VBS scripts, and then they created a scheduled task on the computer. And this appeared to be designed to maintain persistence, because essentially what it did was it made sure that one of those scripts was executed every ten minutes. And the upshot of that is that the compromise remains live even if the user reboots their computer.

Dick O'Brien: Later on, we saw them once again installing new versions of the backdoor and the associated scripts. And this occurs over and over, over the course of the same day. And then they were testing it against their command-and-control server. And it's a little bit unclear as to why they were kind of repeating this process. It may be that something didn't quite go right. Or it may be that they were tweaking the backdoor, because a new version was used every time to suit the victim's environment.

Dick O'Brien: Then a couple of days later, they came back. They seemed to be happy eventually with their setup, and a couple of days later, they came back, they ran a couple of commands, including one called "flushdns." That suggests that they might have updated their DNS records for their command-and-control servers because the flushdns command was executed shortly before they attempted to install more backdoors that leveraged the same command-and-control server.

Dick O'Brien: So then, not a lot happened. You know, they had their access. They didn't do much with it until maybe two weeks later. Yeah, two weeks later they came back and they launched another version of this backdoor. There's a lot of versions of the backdoor being used in the campaign, and I think after the initial trial-and-error process, they may be kind of constantly rolling out new versions, less to get picked up by security software, they kind of constantly want to keep refreshing it.

Dick O'Brien: But anyway, they executed the backdoor. It was used to download a new file called "deerskin.exe," and this actually was a dropper for a VNC client. When it was executed, it tested its connectivity and then dropped the VNC client and established a connection to the command-and-control server. And this was a legit tool, but it was being used in a malicious fashion, obviously. And we believe that this was the ultimate payload of the attack, because – for two reasons, really. I think, number one, nothing else of note was kind of installed on the computer after that appeared. And number two, there seemed to be a lot of suspicious opening of documents occurring on the computer after it was installed. So it looks like they were using this to snoop around the computer and see if there was anything worth stealing from it.

Dave Bittner: It sounds to me like they were fairly bold, is it fair to say, noisy in their operations? I guess I'm curious, to what degree was any of this triggering any detection, or was the system they infected particularly vulnerable to this kind of thing?

Dick O'Brien: I think, you know, I mean, I think the system they infected wasn't in what you would probably expect to be a super highly secured environment. Now, this group, I guess they have a history of being quite noisy. But there is, you know, they have become much more sophisticated in recent years. And the fact that they kept on rolling out new versions of the malware means that they could be attempting to fly under the radar, lest an older version be discovered, and they try and run it again, they introduce a new one and use that for the next task they want to perform.

Dave Bittner: I see. So in terms of detection, response, protection against this particular group, what are you recommending?

Dick O'Brien: Okay, in terms of what we recommend, obviously, anything malicious being used, any malware being used should be blocked by security software. But I think people need to be aware that this group is also making extensive use of legitimate tools such as remote administration tools. They are often kind of the payload being used in attacks. So there is, you know, you should be aware, you should monitor installations of software on your network. And if you see something that you don't expect to be there or shouldn't be there, that should raise red flags.

Dave Bittner: Yeah. I mean, it seems to me like this is one of those cases where keeping tabs on background behavior would be in your best interest.

Dick O'Brien: Yeah, absolutely. You know, and obviously there should be awareness to that. Spearphishing emails tend to be their way into organizations. The emails are usually pretty well crafted. They're designed to resemble legit communications that somebody working for one of these organizations might receive. So they show a good awareness of topical issues and the business of that organization. So, obviously educating your end users with regard to spearphishing is key, too.

Dave Bittner: I suppose it's noteworthy as well, as you all point out in the research, this group has been active since at least 2013. So, not only have they been around coming up on a decade here, but they've increased the level of sophistication of their operations as well, yes?

Dick O'Brien: Yeah, yeah. I mean, I think there has been a notable step change in their capabilities over the past couple of years based on what they used to do before. In terms of APT groups, they were quite unsophisticated. They just kind of – they tended to favor quantity over quality. They seemed to kind of attempt to infect as many computers as possible and see what they could get from there. But as noted by the Ukraine government and as seen by ourselves, they're now kind of doing what you would expect a modern APT group to do, that is, moving laterally across the network, trying to steal credentials, all of that kind of thing. So, whether more resources have been put into the group or whether there's been a change of management or whatever, but they definitely seem to be much more capable than they were a few years ago.

Dave Bittner: And is that a trend that tracks, you know, across the organizations that you all have your eye on? I mean, are we seeing overall a general increase in sophistication of these groups?

Dick O'Brien: Overall, yes. I think all of these groups tend to, you know, they tend to watch what's going on in the general threat landscape and they're quick to copy successful trends. But by and large, yeah, there has been a marked increase in sophistication, and I would say particularly with regard to actors from regional powers, maybe, as opposed to global powers, that their capabilities have come on an awful lot in the past five to seven years. And yeah, there has been a shift away from custom malware to, I guess, publicly available tools and even legitimate tools, albeit used in a malicious way.

Dick O'Brien: These have several advantages, really. Number one, it makes it harder to attribute attacks to a particular espionage actor, you know, if the tool is publicly available. And secondly, they're less likely, in the case of legitimate tools or dual-use tools, to maybe raise red flags on a network as opposed to something that is just openly malware.

Dave Bittner: Our thanks to Dick O'Brien from Symantec for joining us. The research is titled, "Shuckworm Continues Cyber-Espionage Attacks against Ukraine." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brendan Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.