Why New Cyberattacks Against Russia Matter to SMBs Everywhere
According to a prominent CISO, nation-state actors are now turning the same kind of cyberattack recently aimed at Russia against small and medium-sized businesses (SMBs). That’s why it is important for every organization — regardless of size — to be aware of these recent attacks and how they could hit closer to home, wherever that might be.
Russian Cyberattack Overview
Security researchers have been tracking a series of spear-phishing attacks targeting Russian government entities. They say an unknown nation-state threat actor started the attacks just days after Russia invaded Ukraine, and later replicated the attacks, with a variety of twists, following the original campaign.
However, all the campaigns have something in common. Researchers at Malwarebytes found the threat actor used timely and familiar lures to reel in victims, with the following approaches:
- “Free map of Ukraine”: Attackers sent their victims targeted emails offering a free interactive map of Ukraine, but those who downloaded the file got something malicious instead.
The file, named “interactive_map_UA.exe,” executed custom malware and implanted a Remote Access Trojan (RAT) on the target’s endpoint, so that attackers could gain access to and communicate with each infected device.
- “Free Log4j patch”: This campaign targeted the Russian state-controlled media outlet RT (formerly Russia Today), claimed to contain “urgent vulnerability fixes” for Log4j, and spoofed both a Russian ministry and Rostec, a Russian state-owned defense conglomerate.
Knowing that the targets might recognize this ploy as phishing, the threat actors included a link to a legitimate VirusTotal page that reads “No security vendors and no sandboxes flagged this file as malicious” across the top. That VirusTotal page was unrelated to the attachment.
- The threat actors also spoofed legitimate social media accounts to build trust in the fake Log4j patch request.
- The “job offer”: In another episode of this spear-phishing campaign, the advanced persistent threat (APT) group sent users an email encouraging them to apply for an oil analyst job with Saudi Aramco. The email used a technique that the MITRE ATT&CK® framework labels “template injection.”
Attackers use this approach to execute malicious code via user documents while hiding those actions. In this case, a Microsoft® Word document dropped several malicious components, including a Visual Basic (VB) script called “HelpCenterUpdater.vbs,” which was designed to help the attackers, not the user.
BlackBerry CISO on APT Attacks
While the APT group behind the attacks discussed here targeted Russian government entities, BlackBerry SVP and Chief Information Security Officer John McClurg says a growing number of organizations are at risk of attacks by nation-states and other sophisticated actors.
Why would they target a small or medium sized business (SMB)?
McClurg explained all during a recent podcast episode:
“I’ve seen firsthand in many of my past assignments where our adversaries – particularly those that have the prowess that nation-states bring to the battle space – know that in a connected world, if I want to get at [a target] directly, I may not be able to do that because he’s got his act together. But I know he’s becoming more and more connected with small-to-medium businesses who he needs to partner with, but who haven’t had the resources or the time or the focus to raise their level of security to the point that they should. They know I’m connecting to them, and they will strive and look for an opportunity to strike in the gap.”
And the number of attackers trying to “strike in the gap,” as McClurg puts it, is also steadily increasing. This was a key finding in Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar, published by the U.S. Department of Homeland Security.
“An expanding array of new entrants — both nation-states and non-state actors — with significant capabilities, is reshaping the cyber threat landscape… The increasing ability to buy cyber tools on a commercial basis allows both nation-state and non-state actors to leapfrog by crossing the line from emerging threat to an established threat quickly; thus leapfrogging is seen as a key driver in the cyber threat landscape.”
This means organizations of all sizes must also find a way to leapfrog in response, raising our collective cyber defense capabilities across industry verticals and across borders.
Cybersecurity: We Must ‘Lock Shields’
In McClurg’s view, every company’s cybersecurity is tightly linked with third-party cybersecurity. And he says threat actors will take advantage of this fact until we collectively become more proactive.
“That’s why I say we’ve got to lock shields. We’ve got to make sure that the rising tide that we're trying to affect, throughout the community, actually includes some of these partners—our small-to-medium businesses—and that we bring them along.
Because in a connected world, these third-party relationships, as we saw in the SolarWinds affair and even in the recent Okta compromise, have been identified by these very sophisticated, very capable adversaries, where they can strike and pursue their interests.”
If defending against these kinds of threats feels daunting given your current resource levels, we can help. The CylanceGUARD® managed XDR platform combines artificial intelligence (AI) with human threat experts to manage cybersecurity incident alerts, deal with and prevent attacks, and fill in the resource and skills gaps that could leave you vulnerable to highly sophisticated threats.
Another resource worth checking out is CISA’s Cyber Essentials collection.
It is time to lock shields, one organization at a time.