“Ukraine is, by and large, a Russian cyber attack testing ground,” Vitali Kremez tells me. The head of SentinelLabs has just penned a new report into the actions the Russian cyber threat group “Gamaredon” is taking against Ukraine, and the wider implications of this. “We assess with high confidence,” Kremez says, “that the Russian targeting and approach towards Ukraine is preparatory and will be replicated across other targets related to the Russian government.”
Kremez is using his report to call out an escalation in cyber espionage attacks on strategic Ukrainian targets: security, military and government related. The attacks use newly modified Windows malware, likely the “preparatory stage” for a full cyber attack: malware designed to collect and return data while seeking instructions from a remote command and control server. The new report claims this cyber campaign has now hit as many as five thousand “unique” entities in Ukraine.
Ukraine can be viewed as a microcosm of the wider cyber standoff between Russia and the west. Fighting without actually fighting, as Kremez puts it in his report. But there are many other factors in there as well, including the honing of social engineering to compromise individuals and capture better intelligence; here the phishing even plays on the conflict, appealing to the patriotism of target individuals to bait the click.
One of the inherent cyber dangers with Russia, China, Iran and North Korea, but particularly with Russia, is the potential for state actors to sharpen their tools and techniques on neighbouring countries, not just dissident groups. Russia has become the hybrid warfare master. And, as I reported back in September, the state has invested heavily in duplicating capabilities to avoid compromise and intensify the potency of any attack. And it doesn’t have just Ukraine in its sights with this costly approach; it is looking much further west.
Just as in the broader international standoff, the situation between Russia and Ukraine is seeing an intensifying cyber campaign as a proxy for anything physical, which is more difficult to contain. Kremez describes Gamaredon as an illustrative example of how cyber “enables militants to continue fighting even when all other domains are denied by the strategic or political framework. It serves as a solid substitution when kinetic strikes are too costly or dangerous.”
Kremez describes this as a “sophisticated way to opt-out of the traditional zero-sum game of any military operation,” arguing that it maintains the appearance of status quo in the peace process. As ever, attribution and even confirmation in cyber is difficult to achieve, certainly without nation-state defence and monitoring tools.
Gamaredon has been active since 2013, evolving its Tactics, Techniques, and Procedures (TTPs) from off-the-shelf exploits to customized malware, and seriously expanding the scale of its operations. The group has also jumped on the social engineering bandwagon as it looks to enhance the quality of the intelligence that its tools collect, targeting specific gatekeeper individuals.
In its report, SentinelLabs warns that Gamaredon has “introduced new components that constitute its offensive power,” which Kremez explains “will be replicated towards other military and law enforcement targets pursued by the Russian government.” The campaign itself is tried and tested: socially engineered messages laced with Excel and Word malware, some smart handling of macro protection and some spoofed Microsoft certificates to improve the success rate of the attacks.
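As an added illustration, and not code from the article or from the SentinelLabs report, the script below shows the kind of mail-gateway check a defender would apply to the Word and Excel lures described above. It opens an Office Open XML attachment as the zip container it is, looks for the embedded VBA project part, and flags macro content that sits behind an extension that does not advertise macros. The sample documents are constructed in memory and the filenames are invented.

```python
from __future__ import annotations

import io
import os
import zipfile

# Office Open XML stores VBA code as a binary part named vbaProject.bin under
# the application folder (word/, xl/ or ppt/). Its presence is the definitive
# sign that a document carries macros, whatever the file extension claims.
MACRO_PART_SUFFIX = "vbaproject.bin"
# Extensions that openly advertise macro content to Office and to the user.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm"}
# Substring of the content types Office assigns to macro-enabled main parts.
MACRO_CONTENT_MARKER = b"macroEnabled"


def inspect_ooxml(data: bytes) -> tuple[list[str], bytes]:
    """Return (VBA part names, raw [Content_Types].xml) for an OOXML blob.

    Anything that is not a valid zip container yields ([], b"").
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            parts = sorted(n for n in names if n.lower().endswith(MACRO_PART_SUFFIX))
            content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            return parts, content_types
    except zipfile.BadZipFile:
        return [], b""


def assess_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be blocked on macro grounds."""
    parts, content_types = inspect_ooxml(data)
    ext = os.path.splitext(filename)[1].lower()
    findings: list[str] = []
    if parts:
        findings.append("embedded VBA project: " + ", ".join(parts))
        if ext not in MACRO_EXTENSIONS:
            # A .docx/.xlsx name with a VBA part inside is a classic lure shape.
            findings.append(f"macro content behind non-macro extension '{ext}'")
    elif MACRO_CONTENT_MARKER in content_types:
        # Declared macro-enabled but no VBA part: malformed or tampered package.
        findings.append("content type declares macros but no VBA part present")
    verdict = "block" if parts else "allow"
    return {"filename": filename, "verdict": verdict, "findings": findings}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word package for demonstration (not a real document)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Invented filenames; the document bytes are constructed above.
    for name, blob in [
        ("invoice.docx", build_sample(with_macro=True)),
        ("invoice.docm", build_sample(with_macro=True)),
        ("memo.docx", build_sample(with_macro=False)),
        ("notes.txt", b"not a document"),
    ]:
        print(assess_attachment(name, blob))
```

The verdict key rests on the VBA part alone; the extension and content-type findings are context for the analyst, since an honest .docm still warrants review but the mismatched .docx is the stronger phishing signal.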
But this isn’t really about Ukraine; it’s about Russia and its assembling of an unrivalled set of cyber weapons that are being honed regionally to be targeted further afield. The report includes some interesting thoughts on the politics involved, but where Russian cyber is concerned, all eyes are now on the U.S. election as we watch and wait to see what, if anything, will be unleashed.
“We recommend keeping a close eye and tracking the latest technical developments within the Gamaredon group,” Kremez tells me. “It is a concerning trend indicating larger Russian involvement affecting more conflicts, as in this Ukraine example.”