Russia-backed Trident Ursa group widens net to target ‘large petroleum refining company’ within NATO nation


New research from Palo Alto Networks’ Unit 42 team revealed that Russia’s Trident Ursa (aka Gamaredon) advanced persistent threat (APT) group has been ‘unwavering’ in its continued cyber conflict operations since the invasion of Ukraine in February 2022. While Trident Ursa has primarily targeted Ukrainian entities with Ukrainian-language lures, the researchers saw a few instances of the group using English-language lures.

“We assess that these samples indicate that Trident Ursa is attempting to boost their intelligence collection and network access against Ukrainian and NATO allies,” the researchers wrote in a blog post on Tuesday. “In line with these efforts to target allied governments, during a review of their IoCs we identified an unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation on Aug. 30.”

Unit 42 researchers listed several filenames used in the unsuccessful attack. These include MilitaryassistanceofUkraine[dot]htm, Necessary_military_assistance[dot]rar, and List of necessary things for the provision of military humanitarian assistance to Ukraine[dot]lnk.

Apart from the unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation on Aug. 30, the Unit 42 researchers also observed that an individual who appears to be involved with Trident Ursa threatened to harm a Ukraine-based cybersecurity researcher immediately following the initial invasion, and they noted multiple shifts in the group’s tactics, techniques and procedures (TTPs).

The post added that as the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. “Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.”

Given the ongoing geopolitical situation and the specific target focus of this APT group, Unit 42 researchers continue to actively monitor for indicators of their operations, the researchers revealed. “In doing so, we have mapped out over 500 new domains, 200 samples and other Indicators of Compromise (IoCs) used within the past 10 months that support Trident Ursa’s different phishing and malware purposes.”

Unit 42 researchers are providing this update along with known IoCs to highlight and share current overall understanding of Trident Ursa’s operations. 

“One of our most surprising observations was when an individual named Anton (in Cyrillic, Антон) who appeared to be tied to Trident Ursa threatened a small group of cybersecurity researchers on Twitter, on the same day Russia invaded Ukraine (Feb. 24, 2022),” the researchers wrote. “It appears that Anton chose these researchers based on their tweets highlighting Trident Ursa’s IoCs in the days prior to the invasion.”

The researchers identified that the first tweets came from Anton (@Anton15001398), as the invasion was underway, and were directed at Ukraine-based threat researcher Mikhail Kasimov (@500mk500); they pointed to several tweets in which he said, ‘run, i’m coming for you.’ Likely figuring his first tweets to Kasimov were too unnoticeable, he included the #Gamaredon hashtag in his last tweet so it would be more publicly discoverable by other researchers, the post added.

On the same day, Anton used a different account (@YumHSh2UdIkz64w) to send Shadow Chaser Group (@ShadowChasing1) and TI Research (@tiresearch1) the ominous message ‘let’s be friends. We do not want to fight, but we do it well!’, the Unit 42 post added. “Two days later, on Feb. 26, Anton sent his last and most threatening tweet yet. In it, he provides Mikhail Kasimov’s full name, date of birth and address along with the message, ‘We are already in the city, there is nowhere to run. You had a chance,’” it added.

Unit 42 researchers said they imagined “these direct, threatening communications from this purported Trident Ursa associate were unsettling to the recipients (especially Mikhail Kasimov, a researcher operating from within the war zone). To their credit, the targeted researchers were undaunted, and tweeted additional Trident Ursa IoCs over the weeks following these threats. Kasimov, along with a large number of other researchers from around the world, continues to routinely publish new IoCs for this APT.”

Trident Ursa has used fast flux DNS as a way to increase the resilience of their operations, and to make analysis of their infrastructure more difficult for cybersecurity analysts, the researchers revealed. “Infrastructure using fast flux DNS rotates through many IPs daily, using each one for a short time to make IP-based block listing, takedown efforts and forensic analysis difficult.” 

“The use of this technique is the primary reason Unit 42 researchers focus on Trident Ursa’s domains instead of their IPs,” the post said. “Since June 2022, we’ve seen Trident Ursa use several other techniques in addition to fast flux to enhance their operational efficacy. A number of legitimate tools and services have been used by this threat actor in their operations. Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not necessarily imply a flaw or malicious quality to the legitimate product being abused,” it added.

Unit 42 said the first of these additional techniques “uses legitimate services to query IP assignments for malicious domains. By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains. The malware uses the IP returned through this communication for follow-on communications with the malicious domain,” it added.

In the second example, Trident Ursa uses Telegram Messenger content to look up the latest IP used for command and control (C2). In this way, the actor is attempting to supplement DNS for when targets successfully block malicious domains.
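The two techniques above share a detectable footprint: the victim host first contacts a legitimate third-party service (an IP-lookup site or Telegram) and shortly afterwards opens a connection to a bare IP address that the organisation’s own resolver never handed out. The following script is an added example written for this article, not code from Unit 42 or from the malware; it runs that correlation over a few constructed resolver and proxy log lines (the hostname example-lookup.invalid stands in for an unnamed IP-lookup service and is hypothetical, as is the one-hour window).

```python
import ipaddress
from collections import defaultdict

# Constructed sample logs (not taken from the Unit 42 report). Two record types,
# one per line, both "<epoch> <client> <kind> <target> <ip>":
#   dns  : the resolver answered <target> with A record <ip> for <client>
#   conn : <client> opened a connection to <target> (hostname or IP literal) at <ip>
SAMPLE_LOG = """\
1700000000 10.0.0.5 dns example-lookup.invalid 203.0.113.9
1700000001 10.0.0.5 conn example-lookup.invalid 203.0.113.9
1700000005 10.0.0.5 conn 198.51.100.20 198.51.100.20
1700000010 10.0.0.7 dns api.telegram.org 192.0.2.30
1700000011 10.0.0.7 conn api.telegram.org 192.0.2.30
1700000015 10.0.0.7 conn 198.51.100.44 198.51.100.44
1700000020 10.0.0.9 dns www.example.com 192.0.2.80
1700000021 10.0.0.9 conn www.example.com 192.0.2.80
1700000030 10.0.0.9 conn 192.0.2.80 192.0.2.80
"""

# Hypothetical set of services that can hand malware a C2 address without a DNS
# query for the malicious domain. example-lookup.invalid is a placeholder for an
# IP-lookup service; a real deployment would maintain this list itself.
SIDE_CHANNEL_HOSTS = {"example-lookup.invalid", "api.telegram.org", "t.me"}

# Assumed window (seconds) during which a client that used a side-channel service
# is treated as "primed" for a follow-on direct-to-IP connection.
WINDOW = 3600


def is_ip_literal(target):
    """True if the connection target was an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def find_dns_bypass(log_text, window=WINDOW):
    """Return (client, destination_ip, side_channel_host) for every direct-to-IP
    connection that (a) was never resolved for that client by our DNS and
    (b) followed a side-channel lookup by the same client within `window` seconds."""
    resolved = defaultdict(set)   # client -> IPs our resolver returned to it
    primed = {}                   # client -> (epoch, side-channel host) of last use
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                        # skip malformed records
        ts, client, kind, target, ip = parts
        ts = int(ts)
        if kind == "dns":
            resolved[client].add(ip)
        elif kind == "conn":
            if target in SIDE_CHANNEL_HOSTS:
                primed[client] = (ts, target)
            elif is_ip_literal(target) and ip not in resolved[client]:
                # Direct-to-IP traffic that DNS logging would never show.
                last = primed.get(client)
                if last is not None and ts - last[0] <= window:
                    hits.append((client, ip, last[1]))
    return hits


if __name__ == "__main__":
    for client, ip, via in find_dns_bypass(SAMPLE_LOG):
        print(f"{client} -> {ip} with no DNS answer, shortly after contacting {via}")
```

Host 10.0.0.9 also connects to a bare IP, but that address came from the resolver moments earlier, so it is not flagged; the point of the check is the combination of a side-channel lookup and an address the resolver never returned, which is exactly what DNS-only monitoring misses.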

“On Nov. 15, we noticed that the Trident Ursa domain niobiumo[dot]ru was assigned to the U.S. Department of Defense Network Information Center IP 147.159.180[dot]73,” Unit 42 researchers wrote in the post. “We quickly identified that Trident Ursa had no operational control over, or use of, that IP. Trident Ursa had seeded the fast flux DNS tables for its root domains with ‘junk’ IPs in an attempt to confuse researchers and protect its true operational infrastructure. Instead of using root domains, they were instead using subdomains for their operations. The true operational IP could only be found by querying DNS upon a subdomain,” it added.

Unit 42 highlights two observations stemming from its analysis of Trident Ursa’s DNS activity. Firstly, for its operational infrastructure outside of Russia, Trident Ursa has relied primarily on VPS providers located within one of two autonomous systems (AS), AS14061 (DigitalOcean, LLC) and AS20473 (The Constant Company, LLC). Over the past six weeks, of the 122 IP addresses identified outside of Russia, 63 percent of them were within AS14061 and 29 percent were within AS20473. The remainder were located across several AS owned by UAB Cherry Servers.

Secondly, over 96 percent of Trident Ursa’s domains continue to be registered and under the DNS of the Russian company reg[dot]ru, a company that – to date – has taken no action to block or deny this malicious infrastructure.

Unit 42 also identified that over the past few months, Trident Ursa has relied upon a couple of different tactics to initially compromise victim devices using VBScripts with randomly generated variable names and concatenation of strings for obfuscation. “Each of these tactics ultimately rely on the delivery of malicious content through spear phishing.”

“Over the past three months, we’ve seen Trident Ursa use two different, yet very similar, droppers. The first dropper, usually named 7ZSfxMod_x86.exe, is the traditional 7-Zip self-extracting (SFX) archive technique the actor has used for years,” the researchers wrote. “In these SFX files, the installation configuration script runs an embedded VBScript using Windows Script Host (wscript.exe). The second dropper, usually named myfile.exe according to the executable’s RT_VERSION resource, is effectively a loader that drops two files and eventually runs them as VBScript using wscript,” they added.
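The string-concatenation obfuscation described above (random variable names plus `"WScr" & "ipt.Sh" & "ell"` style splitting) is cheap to produce and cheap to undo. The script below is an added example for this article, not Unit 42’s tooling or a Trident Ursa sample: it folds runs of VBScript string literals and `Chr(n)` calls joined with `&` back into single literals, then lists the recovered strings. The VBScript input is constructed for illustration.

```python
import re

# Constructed VBScript fragment in the style the article describes; the
# variable names and URL are invented, not taken from any real sample.
SAMPLE_VBS = '''Set aZxQ = CreateObject("WScr" & "ipt.Sh" & "ell")
bKpL = "http://" & "example" & Chr(46) & "invalid/" & "x"
aZxQ.Run bKpL, 0
'''

# One "atom" is either a VBScript string literal (a doubled quote "" is an
# escaped quote inside the literal) or a Chr(<decimal>) call.
_ATOM = r'(?:"(?:[^"]|"")*"|Chr\(\s*\d+\s*\))'
# A run of two or more atoms joined by the & operator.
_CONCAT = re.compile(_ATOM + r'(?:\s*&\s*' + _ATOM + r')+', re.IGNORECASE)
_PIECE = re.compile(_ATOM, re.IGNORECASE)


def _eval_atom(atom):
    """Evaluate a single literal or Chr() call to its runtime string value."""
    if atom.startswith('"'):
        return atom[1:-1].replace('""', '"')
    return chr(int(re.search(r'\d+', atom).group()))


def _fold_match(m):
    value = "".join(_eval_atom(p) for p in _PIECE.findall(m.group(0)))
    return '"' + value.replace('"', '""') + '"'      # re-escape embedded quotes


def fold_vbs_strings(src):
    """Rewrite every concatenated run of literals/Chr() calls as one literal."""
    return _CONCAT.sub(_fold_match, src)


def extract_strings(src):
    """Fold the script, then return the plain values of all string literals."""
    folded = fold_vbs_strings(src)
    return [s.replace('""', '"') for s in re.findall(r'"((?:[^"]|"")*)"', folded)]


if __name__ == "__main__":
    print(fold_vbs_strings(SAMPLE_VBS))
    for s in extract_strings(SAMPLE_VBS):
        print("string:", s)
```

Folding only touches constant expressions, so it is safe to run before any further triage; the recovered ProgID and URL are the pieces worth matching against the published IoCs, since the random identifiers change between samples and the strings they hide tend not to.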

Evidently, Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their operations.

“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains and new techniques and try again – often even reusing previous samples,” the Unit 42 researchers wrote. “Continuously operating in this way since at least 2014 with no sign of slowing down throughout this period of conflict, Trident Ursa continues to be successful. For all of these reasons, they remain a significant threat to Ukraine, one which Ukraine and its allies need to actively defend against,” they added.

Palo Alto said that the best defense against Trident Ursa is a security posture that favors prevention. It recommends that organizations search network and endpoint logs for any evidence of the indicators of compromise associated with this threat group, and ensure cybersecurity solutions are effectively blocking the active infrastructure IoCs.

The research also suggests implementing a DNS security solution to detect and mitigate DNS requests for known C2 infrastructure. In addition, if an organization does not have a specific use case for services such as Telegram Messenger and domain lookup tools within its business environment, it should add these domains to its block list, or, in a Zero Trust network, simply not add them to the allow list. It also suggests applying additional scrutiny to all network traffic communicating with AS197695 (Reg[dot]ru).
