Microsoft connects Russian Iridium hackers to Prestige ransomware attacks targeting Ukraine, Poland organizations

The Microsoft Threat Intelligence Center (MSTIC) has updated an earlier advisory to assess that the Russia-based threat group Iridium ‘very likely’ executed the Prestige ransomware-style attack targeting organizations in Ukraine and Poland. Iridium, a Microsoft-tracked group that publicly overlaps with Sandworm, has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war.

MSTIC disclosed last month evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland, using a previously unidentified ransomware payload. MSTIC observed the new ransomware, which labels itself in its ransom note as “Prestige ranusomeware” (sic), being deployed on October 11 in attacks that occurred within an hour of each other across all victims. The payload was deployed after an initial compromise in which the attacker gained access to highly privileged credentials.

The attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity. Additionally, review of technical artifacts available to Microsoft links Iridium to interactive compromise activity at multiple Prestige victims as far back as March 2022 and continuing within the week leading up to the October attack.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” MSTIC wrote in the updated blog post. “More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”

Microsoft also acknowledged CERT UA for its cooperation and information sharing in support of the investigation, adding that CERT UA “continues to demonstrate incredible resolve and commitment to security despite physical danger.”

MITRE identifies Sandworm as a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455, which has been active since at least 2009. In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations. 

The group was also behind the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.

Microsoft said that in the observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. “Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload,” the post added.

“Most ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and this tradecraft tends to be consistent across victims, unless a security configuration prevents their preferred method,” MSTIC said. “For this IRIDIUM activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour.” 

The Prestige ransomware campaign had several notable features that differentiate it from other Microsoft-tracked ransomware campaigns. Enterprise-wide deployment of ransomware is not common in Ukraine, and the activity was not connected to any of the 94 ransomware activity groups that Microsoft currently tracks.

Additionally, the Prestige ransomware had not been observed by Microsoft prior to this deployment, and the activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware, also known as HermeticWiper.

MSTIC said that despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or FoxBlade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks.

The post aims to provide awareness and indicators of compromise (IOCs) to Microsoft customers and the larger security community. Microsoft continues to monitor this activity and is in the process of early notification to customers compromised by IRIDIUM but not yet ransomed. MSTIC is also actively working with the broader security community and other strategic partners to share information that can help address this evolving threat through multiple channels.

Microsoft will continue to monitor Iridium activity and implement protections for customers. Looking forward, the threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. 

MSTIC provides organizations with a set of mitigation actions: block process creations originating from PSExec and WMI commands (a Microsoft Defender attack surface reduction rule) to stop lateral movement that uses the WMIexec component of Impacket; enable tamper protection so the attacker cannot stop or interfere with Microsoft Defender; and turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent in another antivirus product, to keep pace with rapidly evolving attacker tools and techniques.
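As an added example, not taken from Microsoft's post, the following PowerShell script applies and verifies the three Defender-side mitigations above on a single Windows host. It assumes Microsoft Defender Antivirus is the active AV and that the script runs from an elevated prompt; the rule GUID, event IDs and action codes are the documented Defender values, and everything else (the parameter name, the output object) is this example's own choice. The script defaults to audit mode so the PSExec/WMI rule can be observed before it is allowed to block anything.

```powershell
<#
  Added example (not from Microsoft's advisory): enforce and verify the MSTIC
  mitigations on one Defender-managed host. Run elevated. Start with
  -Mode AuditMode, review the 1122 events it produces, then rerun with
  -Mode Enabled.
#>
[CmdletBinding()]
param(
    # AuditMode logs what the rule would block without blocking; Enabled blocks.
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Mode = 'AuditMode'
)

# Documented GUID of the ASR rule "Block process creations originating from
# PSExec and WMI commands". Caveat from Microsoft's ASR documentation: the rule
# is incompatible with hosts managed by Configuration Manager, whose client
# depends on WMI-launched processes, so scope the rollout accordingly.
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# 1. Attack surface reduction rule covering PsExec- and WMI-spawned processes
#    (the Impacket wmiexec lateral-movement technique cited in the advisory).
Add-MpPreference -AttackSurfaceReductionRules_Ids $PsExecWmiRule `
                 -AttackSurfaceReductionRules_Actions $Mode

# 2. Cloud-delivered protection: MAPS reporting plus automatic submission of
#    safe samples so a previously unseen payload can be classified quickly.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 3. Tamper protection cannot be switched on from PowerShell; it is managed
#    through Intune, the Microsoft Defender portal or the Windows Security app.
#    The script can only report its state.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Look up the action configured for our rule. Get-MpPreference returns parallel
# arrays of rule IDs and action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$asrAction = 'not set'
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $PsExecWmiRule) {
        $asrAction = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}

[pscustomobject]@{
    PsExecWmiRuleAction  = $asrAction
    MAPSReporting        = $prefs.MAPSReporting
    SubmitSamplesConsent = $prefs.SubmitSamplesConsent
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    TamperProtected      = $status.IsTamperProtected
} | Format-List

if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is OFF; enable it via Intune or the Defender portal before relying on the settings above.'
}

# Review recent ASR hits. Event 1121 = blocked; 1122 = audited (would have been
# blocked). In audit mode a burst of 1122 events for PsExec/WMI-spawned shells on
# hosts where no admin tooling should use them is exactly the lateral movement
# pattern described in the advisory.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Run it once per host (or push the same cmdlets through your configuration management tooling), leave the rule in audit mode long enough to catch legitimate PsExec or WMI usage by backup, monitoring or deployment agents, then switch to `-Mode Enabled`. Tamper protection remains a portal or Intune setting; treat a `TamperProtected = False` result as a finding, since an attacker holding Domain Admin credentials can otherwise simply disable Defender before staging the payload.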

Additionally, while this attack differs from traditional ransomware, Microsoft called upon organizations to follow its defense against ransomware guidance, which helps protect against the credential theft, lateral movement, and ransomware deployment used by Iridium. The post also recommended enabling multi-factor authentication (MFA) to mitigate potentially compromised credentials and ensuring that MFA is enforced for all remote connectivity, including VPNs. Microsoft suggests that organizations adopt passwordless authentication to secure accounts.
