Google provides update on observed cyber activity targeting critical infrastructure entities

In its latest update, Google’s Threat Analysis Group (TAG) observed that hackers have increasingly targeted critical infrastructure entities, including oil and gas, telecommunications, and manufacturing. TAG has been closely monitoring cyber activity in Eastern Europe with regard to the war in Ukraine and has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns.

“Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” Billy Leonard, a Google researcher wrote in a company blog post. “Financially motivated and criminal actors are also using current events as a means for targeting users,” he added.

The Google TAG analysis matches a March report released by the Office of the Director of National Intelligence (ODNI) on potential cyber-attacks against the U.S. critical infrastructure sectors. The report identified that both state and non-state hackers ‘threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy.’

Leonard also took a deeper look at the cyber activity observed and the actions the team has taken to protect users over the past few weeks. The threat actors have included APT28 (also known as Fancy Bear), Turla, COLDRIVER, Ghostwriter, and Curious Gorge.

TAG identified APT28, or Fancy Bear, a threat actor attributed to Russia’s GRU, targeting users in Ukraine with a new variant of malware, Leonard said. “The malware, distributed via email attachments inside of password-protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge, and Firefox browsers. The data is then exfiltrated via email to a compromised email account,” he added.
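The delivery pattern described above, a password-protected archive carrying an executable, is one a mail gateway can flag on metadata alone, because an encrypted entry cannot be content-scanned. The following is an added, defender-side illustration written for this article, not code from Google, TAG or the researcher quoted: it reads a zip attachment's central directory, checks the encryption bit and the entry names, and returns a verdict. The inner file name `ua_report.exe`, the payload bytes and the extension list are constructed for the example; the archive name on the page (ua_report.zip) is the only detail taken from the report.

```python
import io
import zipfile

# Constructed policy list: names with these extensions are treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".msi"}

# General purpose bit 0 in a zip entry header marks the entry as encrypted (password-protected).
ENCRYPTED_FLAG = 0x1


def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect a zip attachment's metadata without extracting any entry.

    Returns the entry names, a list of reasons for concern, and a verdict of
    'quarantine' or 'allow'. Only the central directory is read, so this works
    on encrypted archives whose contents a scanner could not open.
    """
    result = {"entries": [], "reasons": [], "verdict": "allow"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            encrypted = False
            for info in zf.infolist():
                result["entries"].append(info.filename)
                if info.flag_bits & ENCRYPTED_FLAG:
                    encrypted = True
                lower = info.filename.lower()
                # endswith() also catches double extensions such as report.pdf.exe
                if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                    result["reasons"].append(f"executable entry: {info.filename}")
            if encrypted:
                result["reasons"].append("encrypted archive cannot be scanned")
    except zipfile.BadZipFile:
        result["reasons"].append("malformed archive")
    if result["reasons"]:
        result["verdict"] = "quarantine"
    return result


def build_sample_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a constructed sample attachment for testing the check.

    The standard library cannot write encrypted zips, so to simulate a
    password-protected attachment we set general purpose bit 0 in the local
    file header (flags at offset 6) and the central directory header (flags at
    offset 8) after writing. The payload is not actually encrypted; only the
    flag the gateway inspects is set, which is all the demonstration needs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        local = data.find(b"PK\x03\x04")
        data[local + 6] |= ENCRYPTED_FLAG
        central = data.find(b"PK\x01\x02")
        data[central + 8] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample: an encrypted archive holding an executable name.
    suspicious = build_sample_zip("ua_report.exe", b"constructed sample, not a real PE", True)
    print(inspect_zip_attachment(suspicious))
    # Constructed sample: a plain archive holding a text file.
    benign = build_sample_zip("notes.txt", b"meeting notes", False)
    print(inspect_zip_attachment(benign))
```

The check quarantines on either property alone: an unscannable archive is a policy problem even without an executable name, and an executable inside a plain archive is still worth holding. Whether an encrypted archive with only document names should be released or held for manual review is a local policy decision.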

Security agencies from the U.S. and the U.K. had in July last year released a cybersecurity advisory disclosing malicious cyber activities by Russian military intelligence against U.S. and global organizations, starting in mid-2019 and likely ongoing. The joint advisory claimed that the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and several other identifiers.

Trend Micro also identified Turla, a group that TAG attributes to Russia’s FSB, which continues to run cyber activity campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. “Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker-controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker-controlled domain,” it added.

Leonard also highlighted the presence of COLDRIVER, a Russia-based hacker group sometimes referred to as Callisto, which continues to use Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts. “The targets include government and defense officials, politicians, NGOs and think tanks, and journalists. The group’s tactics, techniques, and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft OneDrive. Within these files is a link to an attacker-controlled phishing domain,” he added.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm, Leonard revealed.

Trend Micro also disclosed that Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting Gmail accounts using credential phishing. 

“This campaign, targeting high-risk individuals in Ukraine, contained links leading to compromised websites where the first stage phishing page was hosted,” according to Leonard. “If the user clicked continue, they would be redirected to an attacker-controlled site that collected the user’s credentials. There were no accounts compromised from this campaign and Google will alert all targeted users of these attempts through our monthly government-backed attacker warnings,” he added.

In mid-April, TAG detected a Ghostwriter credential phishing campaign targeting Facebook users, Leonard said. The targets, primarily located in Lithuania, were sent links to attacker-controlled domains from a domain spoofing the Facebook security team, he added.

Trend Micro also pointed to Curious Gorge, a group that TAG attributes to China’s PLA SSF, which has remained active and launched cyber activity against government, military, logistics, and manufacturing organizations in Ukraine, Russia, and Central Asia. “In Russia, long-running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company,” it added.

In its March update, Google TAG said that government-backed actors from China, Iran, North Korea, and Russia, and various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. “Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense,” it added.

Last week, the U.S. cybersecurity agencies updated a previous advisory to include additional Indicators of Compromise (IOCs) for WhisperGate and provided technical details for the HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware. Since January, this malware has been deployed against organizations in Ukraine to destroy computer systems and render them inoperable, the agencies said.
