It’s Time for CISOs to Decipher the Threat Actor Strategy
This blog post is for CISOs, CSOs, CIOs, and all their stakeholders.
I’d like to start off with a personal story. In addition to my work in cybersecurity at VMware, I also have been busy in every spare moment with our non-profit that delivers humanitarian aid to Ukraine and eastern Europe. Over the weekend, I received a very credible email. It was a phishing attempt but it took me a minute to recognize that. It appeared to be from my Bank (one of the big ones) to notify me that there had been a double payment on my mortgage.
Here’s what was troubling about this email: It showed a level of intelligence about my personal banking habits and used those to create a veil of credibility in addition to urgency:
- Double mortgage payments have happened in the past, so the notice could not be discarded out of hand. A double mortgage payment has the potential of being an urgent problem (a hallmark of phishing emails).
- The formatting looked very much like emails I get from my bank. With all the logos, disclaimers, and formatting - the one difference was the link they asked me to click.
- The timing of the email was closely correlated to my mortgage payment. Had this come at a different time it would not be credible.
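The one visible difference in that message was the link. As an added illustration (not code from the original post), the script below pulls every link out of an HTML email and flags the two signs described above: the visible text is a URL on one domain while the href points at another, and the trusted bank name appears inside a hostname whose actual registrable domain belongs to someone else. The sample message, `example-bank.com` and the lookalike host are constructed placeholders, not real indicators.

```python
"""Flag email links whose visible text and href disagree, or whose host only
looks like the trusted domain. Added example with constructed sample data."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: legitimate-looking copy, one swapped link.
SAMPLE_EMAIL = """
<html><body>
<p>We detected a duplicate payment on your mortgage account.</p>
<p>Review it here: <a href="https://secure-login.example-bank.com.account-verify.example/r?id=1">
https://www.example-bank.com/payments</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup; enough to show the mismatch, not meant for production use."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_links(html, trusted_domain):
    """Return one finding per link, listing the reasons it looks suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host)
        reasons = []
        # Clue 1: the visible text is itself a URL on a different domain.
        if text.lower().startswith(("http://", "https://")):
            text_domain = registrable_domain(urlparse(text).hostname or "")
            if text_domain != href_domain:
                reasons.append("visible URL does not match href")
        # Clue 2: the trusted name is embedded in the host, but the part that
        # actually resolves belongs to an unrelated domain.
        if trusted_domain in href_host and href_domain != trusted_domain:
            reasons.append("trusted name embedded in unrelated host")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL, "example-bank.com"):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['href']}  {'; '.join(f['reasons'])}")
```

Run against the constructed message, the first link is flagged for both reasons and the help-center link passes. The registrable-domain helper is deliberately naive; a real mail filter would use a public-suffix list and a reputation feed rather than the last two labels.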
Fortunately, as professional paranoids, we took these clues as a signal to be very careful. As we investigated just a little further, this email proved to be a well-constructed phishing attempt. But this blog post is not about me being a target of malware. It is about the changing dynamic with respect to known threat actors out of Russia.
It is about you, as an executive stakeholder for your corporation, and what you should take into consideration as a standard of care when it comes to protecting your enterprise against well-known and publicized threat actors during this period of escalating cyber-attacks worldwide.
Specifically, we’ll examine two essential things that you should include in your security strategy:
First: Utilize best-of-breed solutions (people, process, technology) for your enterprise to defend against threat actors today and in the future
Second: Expand your awareness of relevant threat actors and an understanding of their MO.
What is the consequence of not paying attention to these two critical aspects of security strategy? It is expensive on multiple levels.
In November 2021, according to Bloomberg Law, a lawsuit was filed against the SolarWinds Corporation board in Delaware by two pension funds citing “oversight failures that ‘defied elementary cybersecurity standards’ for a massive cyberattack by Russian hackers” [1]. The suit notes that SolarWinds outsourced software development to contractors in eastern European countries, including Belarus, which made infiltration of the SolarWinds Orion system by Russian nation-state actors a “heightened risk,” presumably one that should have been anticipated. The threat-actor group to whom the SolarWinds breach is attributed is known as Nobelium by Microsoft.
A recent motion to have the class action lawsuit dismissed against SolarWinds, its CEO, CFO, VP of Security Architecture, and private equity investors was denied in US District Court. Court documents allege that SolarWinds' “purported security measures were ‘woefully deficient and not as represented.’” As this case winds its way through the legal system it will serve as a vivid illustration of how important it is for a vendor to take cyber hygiene and cyber vigilance seriously for itself and especially for customers who rely upon its service [2].
In August of 2021, T-Mobile suffered a massive breach that impacted an estimated 50 million customers and subjected many to the risk of SIM swap attacks. News reports suggest that more than 30 class-action lawsuits have been filed against T-Mobile to date as a direct result of the breach. T-Mobile’s stock price is trading at about 83% of pre-breach levels. According to reports, the threat actor, a 21-year-old Virginia native living in Turkey, publicly claimed that T-Mobile’s security was “terrible” and gave evidence for that assessment in public fora.
Along with these high-profile, high-stakes breaches are many others from 2021, including ransomware attacks on the energy sector, law enforcement, financial services (insurance), automotive, and food and agriculture. One thing we all share across sectors and industry verticals: cybercrime must be expected. This assumption-of-breach mentality can be interpreted as assuming that a breach will happen, or that a breach has already happened but may not yet be detected. We also can assume, according to research from Ponemon Institute, that these breaches will be costly to reputation, company valuation, and out-of-pocket remediation, with the average total cost for breaches of 50 million to 65 million records exceeding $400M [3].
What does a best-of-breed solution look like?
We are at the point in this Zero Day world that we must detect security breaches in real-time, not after the fact. Real-time detection goals should be aimed at detection and prevention/remediation within hours instead of days.
VMware’s telemetry indicates that persistence by a nation-state intruder is established within the first 72 hours of an attack. Industry reports are that the average time to detect a breach is 212 days with an average time to contain being 75 days. Collecting event logs and doing post-processing to identify anomalies is no longer a viable strategy because persistence is already established, backup C2 on a sleep cycle is in place, and lateral movement has begun.
Allowing a time between commencement of an attack and its detection on the order of 212X the time it takes for persistence to be established is a non-starter of a security strategy. Event detection and response now must be enabled to be cross-enterprise and full-stack as well as real-time.
In addition, the assumption that attacks are at the edge of the network is also invalidated by the facts on the ground: attacks come through trusted channels of east-west traffic, not just north-south. Insider threats are a significant risk. Anomaly detection requires full coverage for both outsider threats as well as supply-chain and insider threats.
As a way to demonstrate the effectiveness of your security strategy, here are three necessary metrics to use:
- Elapsed time for detection of incidents from the time of the first intrusion in actual practice.
- % detection of TTPs in industry benchmark tests
- Frequency of updates to detect emerging TTPs.
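To make the three metrics concrete, here is an added example (not tooling from the original post) that computes them from constructed data: a small incident timeline, a constructed benchmark table of ATT&CK technique ids, and a list of detection-content update dates. The 72-hour window is the post's own figure for how quickly a nation-state intruder establishes persistence; every incident, result and date below is made up to illustrate the calculation.

```python
"""Compute time-to-detect, TTP coverage and update cadence from constructed
records. Added example; none of the incidents or results are real."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean

# The post's figure: nation-state persistence is in place within 72 hours.
PERSISTENCE_WINDOW = timedelta(hours=72)


@dataclass
class Incident:
    name: str
    first_intrusion: datetime
    detected: datetime
    contained: datetime

    @property
    def time_to_detect(self) -> timedelta:
        return self.detected - self.first_intrusion

    @property
    def time_to_contain(self) -> timedelta:
        return self.contained - self.detected


# Constructed incident timeline (not real cases).
INCIDENTS = [
    Incident("inc-001", datetime(2022, 1, 3, 9), datetime(2022, 1, 4, 14), datetime(2022, 1, 5, 10)),
    Incident("inc-002", datetime(2021, 6, 1), datetime(2022, 1, 10), datetime(2022, 3, 1)),
    Incident("inc-003", datetime(2022, 2, 10, 8), datetime(2022, 2, 12, 20), datetime(2022, 2, 14, 8)),
]

# Constructed benchmark results: ATT&CK technique id -> detected in the test?
BENCHMARK = {"T1566": True, "T1059": True, "T1003": False,
             "T1021": True, "T1486": True, "T1071": False}

# Constructed dates on which detection content was refreshed.
CONTENT_UPDATES = [date(2022, 1, 3), date(2022, 1, 17), date(2022, 2, 7), date(2022, 2, 14)]


def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400


def detection_metrics(incidents, window=PERSISTENCE_WINDOW):
    """Metric 1: elapsed time from first intrusion to detection, in practice,
    measured against the persistence window rather than in isolation."""
    ttd = [i.time_to_detect for i in incidents]
    ttc = [i.time_to_contain for i in incidents]
    within = sum(1 for d in ttd if d <= window)
    return {
        "mean_days_to_detect": round(mean(_days(d) for d in ttd), 1),
        "mean_days_to_contain": round(mean(_days(c) for c in ttc), 1),
        "pct_detected_within_window": round(100 * within / len(incidents), 1),
        "worst_case_multiple_of_window": round(max(ttd) / window, 1),
    }


def ttp_coverage(results):
    """Metric 2: share of benchmarked TTPs detected, plus the list of misses."""
    detected = sum(1 for ok in results.values() if ok)
    return {
        "pct_detected": round(100 * detected / len(results), 1),
        "missed": sorted(t for t, ok in results.items() if not ok),
    }


def update_cadence(update_dates):
    """Metric 3: mean days between detection-content updates."""
    dates = sorted(update_dates)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return round(mean(gaps), 1) if gaps else None


if __name__ == "__main__":
    print(detection_metrics(INCIDENTS))
    print(ttp_coverage(BENCHMARK))
    print("mean days between content updates:", update_cadence(CONTENT_UPDATES))
```

The point of reporting the worst case as a multiple of the persistence window, rather than only the mean, is that a single long-dwell incident (inc-002 here, detected after 223 days) is what the 212x figure above describes; a mean can hide it behind a couple of fast catches.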
Why should you understand the profiles of threat actors?
As a CISO I had the resources and teams who specialized in managing vulnerabilities, examining threat actors to understand the implications of their operations, and hunting for IOCs and threat signatures within our environment. Many of the details are handled by these specialized and talented team members. Fifteen years ago, this was handled by the largest Tech companies and financial services.
Today, a critical element of enterprise security strategy is meaningful threat intelligence, regardless of sector or vertical. Either outsource it or create the capability in-house, and ensure the team has the resources necessary to provide you with timely and relevant updates to keep your DFIR capabilities current. This is the time for you to develop “over the horizon” vision to anticipate threats and potential action or collateral damage from nation-states and cybercrime organizations. For example, when the Conti Trickbot Forum leak occurred earlier this year, it provided a golden opportunity for threat researchers and threat hunters to level up their understanding of the Trickbot and Conti TTPs.
Three particular threat actors are of interest here: Wizard Spider, Sandworm, and Gamaredon. The first two were covered recently in the MITRE Evaluation where Carbon Black received a 100% rating.
Wizard Spider, TEMP.MixMaster, Gold Blackburn, FIN12
According to Malpedia, the “Wizard Spider group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which Grim Spider appears to be a subset. The Lunar Spider threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides Lunar Spider affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of web injects and a malware distribution function. Grim Spider is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for Wizard Spider, a criminal enterprise of which Grim Spider appears to be a cell. The Wizard Spider threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.”
Sandworm aka: Sandworm Team, Black Energy, BlackEnergy, Quedagh, Voodoo Bear, TEMP.Noble, Iron Viking
A US Department of Justice indictment in October 2020 identified six cybercriminals that make up Sandworm (aka Telebots, Voodoo Bear, and Hades) as agents in Unit 74455 of Russia’s GRU military intelligence agency. They are responsible for the most wantonly destructive cyberattacks over a stretch of five years, including the electrical grid in Ukraine, the release of NotPetya against Ukrainian accounting software in 2017, and a cyberattack that hit the IT infrastructure of the 2018 Winter Olympics. NotPetya, the most devastating and expensive cyberattack to date, went on to affect organizations around the world including Merck, FedEx, Maersk, Saint-Gobain, Mondelez, and medical records in healthcare organizations around the world.
The implications of Sandworm’s TTPs: this is an incredibly destructive Russian cyber offensive unit whose history of targeted attacks, including critical infrastructure, widespread collateral damage, destructive wipers and OT manipulation, highlights the need for cyber vigilance by all organizations. Indicators of initial compromise exist in critical infrastructure today, and according to threat research published by Mandiant, it is reasonable to assume that intrusions such as this are part of a larger contingency operation by the GRU.
The criminal underground and the development of disruptive/destructive elements is also linked to the GRU. Sandworm’s major tools are wiping and data destruction as seen in the 2015 elections in Ukraine that resulted in widespread
The game that is being played with these cyberattacks is scale. This was the case with NotPetya. The ideal channel for achieving scale is via supply chain attacks, and this is of great concern in critical infrastructure and the OT environment. In the event of wide-scale destructive attacks, this would be done by executing on many compromised targets simultaneously.
Gamaredon/Armageddon Group aka: Primitive Bear, Shuckworm, ACTINIUM
Gamaredon has been around since at least 2013 and appears to be emerging with newly developed technical skills around custom malware.
According to Malpedia: “In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware.”
MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian Security Service has attributed activities of this group to the Russian Federal Security Service. In the months leading up to the Russian invasion of Ukraine (Feb 2022), this group has targeted organizations critical to emergency response as well as organizations involved in the distribution of humanitarian aid. MSTIC notes that the scale of operations of ACTINIUM has escalated.
It wasn’t until I was writing this report that I realized that Russian state threat actors are specifically targeting organizations like our non-profit. We’re taking steps to educate our team members and board on what to look for in terms of attack vectors and ensuring we strengthen the controls around our attack surface.
As a security strategist, executive, investor, or board member, we can no longer assume that threat actors will not be an issue. No one is too small, and no digital attack surface is immune. VMware prevented 100% of attacks tested during the MITRE Engenuity ATT&CK® evaluation using TTPs from both Sandworm and Wizard Spider.
This is the essential minimum performance for your standard of care. Learn more here!