Recorded Future releases cyber threat analysis covering cybercrime, Russian state, and Ukraine war

Recorded Future reported Tuesday that it remains highly likely that Russian intelligence, military, and law enforcement services have a longstanding, tacit understanding with cybercriminal threat actors. The intelligence company also determined that in some cases, these agencies are almost certain to maintain an established and systematic relationship with cybercriminal threat actors, either by indirect collaboration or recruitment.

“Based on our understanding of cybercriminal and hacktivist activities related to the Russian war in Ukraine, it is likely that cybercriminal threat actors are working alongside the Russian state to coordinate or amplify Russian offensive cyber and information operations,” Recorded Future wrote in its latest report, titled ‘Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine.’

Recorded Future has observed Russian and Russian-speaking threat actors targeting the U.S., U.K., the North Atlantic Treaty Organization (NATO), Japan, and others for financial gain and ego-driven publicity in support of Russia. Additionally, it said that cybercriminal organizations like Conti have overtly declared allegiance to the Russian government, and commodity malware like DarkCrystal RAT, Colibri Loader, and WarZoneRAT, which are available on top-tier Russian-language forums, are being used by advanced persistent threat (APT) groups to target entities in Ukraine.

Russian cybercriminal groups, tools, and TTPs (tactics, techniques, and procedures) likely serve to provide plausible deniability for state-sponsored threat actors involved in the Russian war in Ukraine, according to the report. “It is likely that financially motivated threat actors who are capitalizing on geopolitical instability are also aiding and abetting the interests of the Russian state, be it coincidentally or intentionally.”

Furthermore, Russian law enforcement seizures of the dark web and special-access sources preceding the war appeared to be a show of good faith by the Russian state, signaling its willingness and ability to thwart cybercrime. “However, we believe it is likely that these enforcement actions were intended to undermine allegations of cooperation between cybercriminals and the Russian state, providing further plausible deniability.”

Additionally, several cybercriminal industries have undergone transformational changes as a result of the Russian war in Ukraine. “These include changes to the malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) threat landscapes, a rise in Russian payment card fraud, shifts in cybercriminal targeting, changes in infrastructure and hosting, and more,” the report added.

In 2021, Recorded Future detailed how established, distributed networks of individuals in the Russian cybercriminal world and officials in Russian law enforcement or intelligence services — also known colloquially as siloviki — are connected. The report detailed how the relationships in this ecosystem are often premised on unspoken, yet understood, agreements that consist of malleable associations. The research was based on historical activity, public indictments, and ransomware attacks. Overall, the report broke down the associations between the Russian cybercriminal environment and the siloviki into three key categories – direct associations, indirect affiliations, and tacit agreements.

“Since our first report, the Russian government has invaded Ukraine, an event that has illuminated our understanding of Russia’s capabilities and shortcomings as they relate to military strength and cyber capacity,” Recorded Future wrote. “For example, a series of leaks about the cybercriminal groups Conti and Trickbot (Wizard Spider) provided an unprecedented look at the relationship between these groups and the state. The conflict has given rise to self-described hacktivists conducting pro-Russian attacks purportedly motivated by patriotic interest; in some cases, however, it is likely that such groups are providing the Russian government with plausible deniability.”

Recorded Future observed that the February 2022 Russian invasion of Ukraine has resulted in a broader humanitarian crisis in Europe as well as heightened international tensions. Several pro-Russian threat actor groups, as well as some previously unseen entities from within the cybercriminal ecosystem, have participated in the conflict, which Russia has conducted across the physical, information, and cyber domains. 

The war has already seen large-scale distributed denial-of-service attacks (DDoS), website defacements, phishing and spam campaigns, malware deployment, and wiper attacks against numerous Ukrainian entities in both the government and private sectors. 

Russian APT groups like UAC-0113 have been using commodity malware available on top-tier Russian-language forums as well as deploying attacks that employ overt hallmarks of ransomware to mask their use of custom, destructive tooling, Recorded Future assessed. “The use of commodity tooling appears to have increased in comparison to past years, during which custom malware was primarily used in operations. In some cases, commodity malware is likely being adopted to complicate attribution efforts or provide plausible deniability for Russian state-sponsored threats. In other cases, commodity tools are likely used for expediency and to reduce the costs of espionage campaigns,” the report added.

Addressing KillNet, which has been in the news this week, Recorded Future reported that the self-described pro-Russian hacktivist group considered to be among the most disruptive hacktivist sources of cyberattacks targeting Ukrainian and NATO entities maintains several social media accounts and websites. “The majority of these sites and accounts were created beginning in late January, dating almost one month before the beginning of the invasion in Ukraine, and continuing through June 2022,” it added.

“On July 7, 2022, we identified a post on the “@killnet_reservs” Telegram channel that claimed responsibility for a DDoS attack on congress[.]gov, leaving it inaccessible for approximately 90 minutes, returning HTTP errors 503 (Service Temporarily Unavailable), 522 (Connection Timed Out), 524 (Time Out), and 525 (SSL Handshake Failed). Maintained by the Library of Congress, congress[dot]gov is the official online repository and archive of US federal legislation information pertaining to the US Senate and House of Representatives,” Recorded Future said. “The attack marks the first time in which Killnet has claimed responsibility for a verified DDoS attack on a website related to a US federal government entity.”

Since that initial incident against the Library of Congress, Recorded Future observed at least three more, separate instances in which Killnet has claimed to have targeted entities in the United States. “While these claims consisted of purported DDoS attacks against the identified entities, there were some instances in which Killnet purports to have conducted targeted intrusions as well.” 

Recorded Future also listed the organizations that Killnet has claimed to target, together with the reports associated with those claims. These include Lockheed Martin on Aug. 3, last year; state government websites in Colorado, Kentucky, and Mississippi, and others on Oct. 5; and websites for US airports including Los Angeles International, Chicago O’Hare, and Hartsfield-Jackson International in Atlanta on Oct. 10.

The report also addressed Xaknet, a pro-Russian hacktivist group that was briefly active immediately following the Russian invasion of Ukraine. “Xaknet conducted DDoS attacks against several Ukrainian government entities — attacks which were rated as ‘credible’ by the Cybersecurity and Infrastructure Security Agency (CISA). Xaknet began its activities with an initial wave of DDoS attacks on or about March 2, 2022, that took a number of local Ukrainian government websites offline for several days,” it added.

Recorded Future assessed that Russian intelligence services have historically relied upon their relationship with the cybercriminal ecosystem to facilitate reconnaissance operations or to support efforts meant to destabilize their targets. The Russian government’s war against Ukraine has made this long-standing relationship even more vital, especially as the conflict becomes protracted and Russian military forces falter.

Furthermore, entities operating on Russian cybercriminal forums, such as hacktivists or ransomware threat actors, can provide plausible deniability, tooling, or access for state-sponsored threat actors. They also can engage in activities that could be diversionary, as many of their actions are often overt, highly publicized, and challenging to validate. The services, accesses, and tooling these entities provide very likely privilege them with a favorable relationship with the Russian security services in return, in which they are protected from prosecution unless they run afoul of the agreement or become engaged with political opinions counter to the goals of the Russian government. This apparent symbiotic relationship will almost certainly persist for the foreseeable future.

A development observed by Recorded Future has been the increase in self-described pro-Russian ‘hacktivist’ entities concerning the conflict in Ukraine, which somewhat mirrors the emergence of Russian state-sponsored APT ‘hacktivist’ proxies like Cyberberkut at the outset of their efforts against Ukraine in 2014. 

The current iterations of these false hacktivist organizations — Killnet, Xaknet, and others — are likely to continue to play a role in conducting operations against entities in NATO and the West, as this provides a veneer of plausible deniability for Russia in these operations, enabling the Russian government to subvert claims of state-sponsored attacks against Western entities.

Last week, Alejandro N. Mayorkas, U.S. secretary of homeland security, met with Thierry Breton, European Commissioner for Internal Market, and said that, in the context of the EU-US Cyber Dialogue, the U.S. Department of Homeland Security and the European Commission’s Directorate-General for Communications Networks, Content and Technology are keen on launching dedicated workstreams in the fields of information sharing, situational awareness, and cyber crisis response; cybersecurity of critical infrastructure and incident reporting requirements; and cybersecurity of hardware and software.

“The workstreams are expected to invite and involve as appropriate other relevant institutions and agencies working on cyber issues, including the European External Action Service, the Directorate-General for Defence, Industry, and Space, and the U.S. Department of State,” according to the officials. “In addition, a cyber fellowship led by DHS and DG CNCT is expected to be launched with a pilot that will involve an exchange of cyber experts in 2023.”
