Russian Hackers Targeted Petroleum Refinery in NATO Country
The Unsuccessful Attack Was Carried Out by the Gamaredon Group.
During the ongoing Russo-Ukrainian conflict, the Russian-linked Gamaredon group attempted to break into a large petroleum refining company within NATO member state, on August 30, 2022.
The unsuccessful attack, which was attributed to Russia’s Federal Security Service (FSB), was just one of multiple intrusions orchestrated by advanced persistent threats (APTs).
Gamaredon, also known, among other names, as Trident Ursa, Actinium, Armageddon, Iron Tilden or Primitive Bear, has a history of primarily going after Ukrainian entities and even NATO allies, with the purpose of harvesting sensitive data. As researchers pointed it out, Gamaredon remains one of the most intrusive, continuously active and focused APTs targeting Ukraine.
As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer.
Palo Alto Networks Unit 42 `s researchers continued monitoring the group’s activities throughout the past 10 months and uncovered more than 500 new domains, 200 malware samples, and multiple shifts in its tactics, suggesting a tendency of adapting its priorities in response to the ever-changing environment.
The crew’s activities were highlighted by security researchers in the days leading up to the military invasion in February 2022, which lead to them also being threatened by a purported Gamaredon associate, displaying the intimidation tactics used by the adversary.
How Does Gamaredon Operate?
A method worth mentioning would have to be the one where, in order to make IP-based denylisting and takedown efforts more difficult, the threat actors use Telegram pages to find command-and-control (C2) servers, and fast flux DNS can rotate through many IP addresses quickly.
Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their operations.
As part of the attacks, weaponized attachments are embedded within spear-phishing emails to install a VBScript backdoor that’s capable of establishing persistence and executing additional VBScript code supplied by the C2 server on the compromised host.
Furthermore, as The Hacker News reports, Gamaredon infection chains have also been observed leveraging geoblocking to limit the attacks to specific locations along with utilizing dropper executables to launch next-stage VBScript payloads, which subsequently connect to the C2 server to execute further commands.
Geoblocking creates a security blind spot since it makes the threat actor’s activities more difficult to track outside the targeted countries.
The hacking group unsuccessfully tried to break into the network of an oil refinery company based in a NATO country “that continues to import oil from Russia,” as the researchers claim. Report’s authors further explained that the petroleum refinery was targeted with malicious files named to imply they cover efforts for military and humanitarian assistance for Ukraine.
At the time this is reported, Unit 42 declined to name the NATO country or the oil company.