Russia-backed or aligned threat actors have compromised networks at multiple organisations in the UK and other countries, including at least one Fortune 500 business and more than 15 healthcare providers, and appear to be using them to launch cyber attacks on Ukrainian targets.
This is according to new analysis by researchers at Lupovis, a cyber security intelligence and data science specialist spun out of Scotland’s University of Strathclyde, and a graduate of the NCSC for Startups programme, which has developed a deception-as-a-service platform to counter threat actors by turning the tables on them.
Lupovis’s team deployed five chained decoys on the internet to engage Russian attackers and lure them in by making them appear to be related to Ukrainian government bodies, officials and critical national infrastructure (CNI) targets.
“The most concerning finding from our study is that Russian cyber criminals have compromised the networks of multiple global organisations,” said Xavier Bellekens, co-founder and CEO of Lupovis. “Russian criminals are re-routing through their networks to launch cyber attacks on Ukrainian targets, which effectively means they are using these organisations to carry out their dirty work.”
The decoy chain itself began with a so-called honeyfiles decoy, which generated fake documents containing information such as credentials and details of other critical network assets, which were leaked strategically on key underground forums and Telegram channels.
Threat actors following the trail were led to one of two web portals mimicking potential targets, configured to insecurely attempt to authenticate into an application programming interface (API). These portals further led to high interaction and secure shell (SSH) services configured to accept the fake credentials from the web portals and report an attack if the full chain was followed.
“Through deceptive-based cyber tools and decoys, we can lure threat actors towards enticing targets and trick them into thinking they are reaching something of value,” said Bellekens. “Through this reconnaissance, we can also understand how threat actors operate and how they share information across their peers.
“Security defenders, organisations and governments can use this intelligence to understand Russian threat actors and the techniques they are deploying to target victims, and to compromise organisations to carry out their dirty work.”
Bellekens said the decoys drew in three types of adversary: opportunistic, automated ones such as bots or scanners; human adversaries who found the decoys on their own, without following the breadcrumb trail; and human adversaries who opened the fake documents, extracted the information within them, and took the bait.
Those falling into the latter two categories were tagged with indicators allowing the research team to differentiate between bots and humans and, among the humans, between those who were random hackers or script kiddies and the more interesting adversaries who were the target of the exercise.
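As an added illustration (not Lupovis's code or data), the sketch below correlates decoy events per source address into the three adversary types described above, flags sources that used a planted credential at a portal and then at SSH, and maps each address to an owning organisation by range. The event format, the `interactive` indicator, the planted username and the address ranges are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed honeytoken: a username that exists only in the leaked honeyfiles.
HONEYTOKENS = {"svc-backup"}

# Constructed allocation table (RFC 5737 documentation range, hypothetical owner).
ORG_RANGES = {"ExampleCorp": ip_network("203.0.113.0/24")}

# Constructed decoy events: (source IP, decoy stage, username, interactive).
# "interactive" is a hypothetical indicator set by the decoy for hands-on sessions.
EVENTS = [
    ("198.51.100.7", "portal", None, False),         # scanner probing the portal
    ("198.51.100.7", "ssh", "root", False),          # generic credential guess
    ("192.0.2.15", "ssh", "admin", True),            # human, never saw the documents
    ("203.0.113.40", "portal", "svc-backup", True),  # planted credential at portal
    ("203.0.113.40", "ssh", "svc-backup", True),     # same credential at SSH
    ("203.0.113.99", "ssh", "svc-backup", True),     # planted credential, SSH only
]

def owner_of(ip):
    """Return the organisation whose range contains ip, or None."""
    addr = ip_address(ip)
    return next((org for org, net in ORG_RANGES.items() if addr in net), None)

def classify(events):
    """Group events by source and assign one of three adversary categories."""
    seen = {}
    for ip, stage, user, interactive in events:
        s = seen.setdefault(ip, {"token_stages": [], "interactive": False})
        s["interactive"] |= interactive
        if user in HONEYTOKENS:
            s["token_stages"].append(stage)
    report = {}
    for ip, s in seen.items():
        stages = s["token_stages"]
        if stages:                    # only the honeyfiles contain this username
            category = "human_followed_trail"
        elif s["interactive"]:
            category = "human_untrailed"
        else:
            category = "automated"
        # Full chain: planted credential at the portal, then later at SSH.
        full = "portal" in stages and "ssh" in stages[stages.index("portal") + 1:]
        report[ip] = {"category": category, "full_chain": full, "owner": owner_of(ip)}
    return report

if __name__ == "__main__":
    for ip, result in classify(EVENTS).items():
        print(ip, result)
```

A range match only says which organisation the address is assigned to, not who was operating the host at the time.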
He said the telemetry showed between 50 and 60 human attackers on the decoys, many of whom accessed them within minutes of them going live. They performed a variety of cyber attacks against the decoys, ranging from simple reconnaissance, to recruiting them into botnets in the service of distributed denial-of-service (DDoS) attacks.
The decoys also faced a number of DDoS attacks themselves, often quite fierce ones, as well as attempts at targeted SQL injection, remote file inclusion, Docker exploitation, and use of leaked Ukrainian credentials and known common vulnerabilities and exposures (CVEs).
Full attribution to known APT groups – Cozy Bear et al – is a more complex proposition and not currently possible from Lupovis’s standpoint, but Bellekens said it had been relatively straightforward to identify the attackers as Russia-based or -backed, based on their tactics, techniques and procedures (TTPs).
The links to the various legitimate organisations were demonstrated via IP address data collected during the incoming cyber attacks.
“We gather the data and IP addresses of who is attacking the decoys,” Bellekens told Computer Weekly. “If you look at the range of IP addresses – which are usually relatively static when assigned to an organisation – what we then see is which organisation is currently attacking the decoy.”
But there are some limitations to this technique. “Can we say with certainty the organisation that has been breached? The answer is no,” said Bellekens.
“But what are the chances that somebody within a large organisation is using its technology to launch a cyber campaign for Russia? To be frank, there is a chance someone supports Russia inside the organisation, but it is highly unlikely.”
Nevertheless, for the implicated organisations, the possibility that they have been breached, and that threat actors are flying under their radar on their networks and using them for cyber attacks without their knowledge, should be exceptionally concerning.
This is because it means they are critically exposed to data exfiltration, extortion and ransomware attacks, but it also potentially exposes them to compliance and legal risks.
Bellekens said the evidence his research had turned up demonstrated the effectiveness of using deceptive tactics on cyber criminals.
“We’ve been building walls for a long time,” he said. “But at some point, we have to realise as a community that letting adversaries come to us may be part of the larger answer.
“More broadly, organisations should focus on having visibility across the infrastructure. What we have seen across these attacks is that people do not have enough visibility within their network to detect these types of attack being launched.
“This raises other questions – if you don’t have the capability to identify that an attack is being launched, what else is happening on your network?”