Security researchers have uncovered a three-year cyber attack on a Russian oil company that appeared at first glance to be state-sponsored but was later found to be the work of cyber criminals seeking financial gain. The discovery is a cautionary tale for security experts not to be too rash when drawing conclusions about high-profile cyber attacks.
Researchers at artificial intelligence-based threat-intelligence firm Cylance uncovered a three-year campaign against the world’s largest publicly traded oil company, Rosneft, that began around the same time as a $10 billion deal to take nearly 20 percent of Rosneft private was announced.
Such events often reek of state-sponsored espionage; indeed, the deal itself, involving a company described as a “foreign policy tool” of the Russian government, drew global attention and scrutiny, with some questioning its motives, researchers said.
“More than half of the company is owned by Moscow and serves as a major pillar of critical infrastructure for Russia as well as other neighboring nation states,” researchers wrote in a report published Tuesday about the campaign.
However, on closer examination, the attack uncovered by Cylance turned out to be the work of cyber criminals setting their sights on a rather ambitious target.
“The techniques and targeting we normally associate with state or state-sponsored espionage efforts are also being used by ordinary criminals motivated by financial gain,” Kevin Levilli, director of threat intelligence at Cylance, told Security Ledger. “Targeted attacks come in all flavors–including crime–and defenders should be vigilant to this fact and resist jumping to conclusions when they see activity that might otherwise scream ‘APT (advanced persistent threat).’”
Hiding in plain sight
Indeed, when Cylance researchers found that the threat actor had painstakingly registered command and control (C2) domains mimicking more than two dozen other organizations, including state-owned oil, gas, chemical and agricultural companies and major Russian financial exchanges, they assumed at first that the attack must be state-sponsored.
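Look-alike C2 domains of the kind described above are something a defender can hunt for. The following is an added example, not Cylance’s tooling: it scores candidate domains (from passive DNS, new-registration feeds or proxy logs) against a list of legitimate organization domains, catching homoglyph and punycode spellings, a brand name embedded in a different registrable domain, a swapped TLD, and one- or two-character typos. The domains in LEGIT_DOMAINS and the candidates are constructed, hypothetical names, and the second-level-label helper assumes a plain two-label suffix rather than a public-suffix list.

```python
"""Flag look-alike domains against a list of legitimate organization domains.

Added example (not Cylance's tooling). LEGIT_DOMAINS and all candidates are
constructed, hypothetical names.
"""

# Hypothetical legitimate domains of the organizations being impersonated.
LEGIT_DOMAINS = ["northoil.ru", "volgagas.ru", "steppeagro.ru", "uralexchange.ru"]

# Characters an attacker substitutes for Latin letters: Cyrillic look-alikes,
# digits that resemble letters and a dotless i. Extend as needed.
HOMOGLYPHS = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "ı": "i",
}


def normalize(domain: str) -> str:
    """Lowercase, decode punycode labels, then fold confusable characters."""
    d = domain.strip().lower().rstrip(".")
    if d.isascii() and "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw string for the edit-distance check
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in d)


def sld(domain: str) -> str:
    """Second-level label. Assumes a two-label suffix (no public-suffix list)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used for the typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str):
    """Return (legit_domain, reason) if candidate mimics a legit domain, else None."""
    norm = normalize(candidate)
    cand_label = sld(norm)
    for legit in LEGIT_DOMAINS:
        norm_legit = normalize(legit)
        legit_label = sld(norm_legit)
        if norm == norm_legit:
            # Identical after folding: either the genuine domain or a homoglyph copy.
            if candidate.strip().lower().rstrip(".") == legit:
                return None
            return legit, "homoglyph"
        if cand_label == legit_label:
            return legit, "different_tld"      # e.g. northoil.com for northoil.ru
        if legit_label in cand_label.replace("-", ""):
            return legit, "brand_embedded"     # e.g. northoil-mail.ru, mail-northoil.ru
        if len(legit_label) >= 6 and levenshtein(cand_label, legit_label) <= 2:
            return legit, "typosquat"          # e.g. nortoil.ru
    return None


def find_lookalikes(candidates):
    """Batch helper: (candidate, legit, reason) for every flagged domain."""
    hits = []
    for c in candidates:
        verdict = assess(c)
        if verdict:
            hits.append((c, *verdict))
    return hits


if __name__ == "__main__":
    # Constructed candidates, such as might come from passive DNS or registration feeds.
    sample = ["northoil.ru", "n0rthoil.ru", "northoil-mail.ru", "nortoil.ru",
              "volgogas.ru", "uralexchange.com", "weather.ru"]
    for hit in find_lookalikes(sample):
        print("%-22s mimics %-16s (%s)" % hit)
```

The brand-embedded rule is deliberately loose (any label containing a brand of six or more characters), which is the right bias for a hunt feed but will flag legitimate third-party domains such as partner portals; review hits rather than blocking on them automatically.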
“In July 2017, Cylance stumbled upon some interesting macros embedded in Word documents we uncovered in a common malware repository that seemed to be aimed at Russian-speaking users,” researchers wrote. “We observed the same type of document resurface in the beginning of 2018 and decided to take a closer look.”
Several clues initially pointed toward a state or state-sponsored group using the malware for espionage, Levilli told us.
“The attackers chose their targets carefully and with purpose, and used malware that might be of use in a reconnaissance effort mounted by an APT group as part of a multi-stage attack,” he explained. The choice of target was itself a red flag suggesting the campaign was very likely the work of a state-sponsored actor, Levilli said.
A closer look revealed that the researchers’ first impression was wrong, however. They now believe the campaign was a financially motivated criminal operation built on what is known as “business e-mail compromise,” or BEC, he said.
“The threat actor first harvests victim credentials through straight-shot collection via keylogging malware, then it conducts reconnaissance of the people inside the target organization with whom the initial victim has contact,” Levilli said. “And then, in some cases, additional victims are directed to fake websites that resemble actual target organization pages where even more credentials are taken.”
In this way, once a threat actor succeeds in the compromise of dozens of target e-mail accounts, he or she can log into those email accounts, and–posing as the true owner of the account–change bank routing numbers and otherwise misdirect company funds to accounts under their control, he said.
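The takeover phase described above leaves a recognizable trace in mailbox audit logs: a successful login from an address the account has never used, followed within hours by an inbox rule that hides or diverts finance-related replies and by outbound mail announcing new payment details. The following is an added example, not Cylance’s or Group-IB’s detection logic, that runs that correlation over a constructed audit log. The users, addresses, IPs and subjects are all made up, and the event schema (type, ip, geo, rule, subject) is assumed rather than taken from any particular mail platform.

```python
"""Detect the BEC takeover pattern over constructed mailbox audit events.

Added example (not Cylance's or Group-IB's logic). Every event below is made up;
the event schema is an assumption, not any vendor's audit format.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)          # how long after a novel login actions are tied to it
PAYMENT_TERMS = ("bank details", "new account", "routing", "beneficiary", "iban")
FINANCE_SENDERS = ("treasury", "finance", "accounts", "bank")

# Constructed audit log: logins, inbox-rule creations and outbound mail, UTC timestamps.
EVENTS = [
    {"ts": "2018-03-01T08:02:00", "user": "ivanova@northoil.example", "type": "login", "ip": "10.20.0.5", "geo": "RU"},
    {"ts": "2018-03-01T08:40:00", "user": "ivanova@northoil.example", "type": "login", "ip": "10.20.0.5", "geo": "RU"},
    {"ts": "2018-03-02T08:05:00", "user": "ivanova@northoil.example", "type": "login", "ip": "10.20.0.5", "geo": "RU"},
    # Benign: payment wording from a known IP, with no novel login in the window.
    {"ts": "2018-03-02T10:00:00", "user": "ivanova@northoil.example", "type": "mail_sent",
     "to": "ap@volgagas.example", "subject": "Invoice 4471 bank details confirmed"},
    # Intruder logs in with harvested credentials, hides treasury replies, re-routes a payment.
    {"ts": "2018-03-03T22:13:00", "user": "ivanova@northoil.example", "type": "login", "ip": "203.0.113.77", "geo": "NG"},
    {"ts": "2018-03-03T22:20:00", "user": "ivanova@northoil.example", "type": "mailbox_rule",
     "rule": {"action": "move_to", "from_contains": "treasury", "folder": "RSS Feeds"}},
    {"ts": "2018-03-03T22:35:00", "user": "ivanova@northoil.example", "type": "mail_sent",
     "to": "ap@volgagas.example", "subject": "Updated bank details for invoice 4471"},
    # Second user: first login ever, then payment wording. No baseline yet, so no alert.
    {"ts": "2018-03-04T09:00:00", "user": "petrov@northoil.example", "type": "login", "ip": "10.20.0.9", "geo": "RU"},
    {"ts": "2018-03-04T09:30:00", "user": "petrov@northoil.example", "type": "mail_sent",
     "to": "cfo@northoil.example", "subject": "Q1 bank details review"},
]


def risky_rule(rule: dict):
    """Inbox rules an intruder uses to keep the real owner from seeing replies."""
    if rule["action"] in ("forward", "redirect", "delete"):
        return f"inbox rule created with action '{rule['action']}'"
    sender = rule.get("from_contains", "").lower()
    if rule["action"] == "move_to" and any(t in sender for t in FINANCE_SENDERS):
        return f"inbox rule hides mail from '{rule['from_contains']}' in folder '{rule['folder']}'"
    return None


def risky_mail(event: dict):
    """Outbound mail that changes where a counterparty sends money."""
    subject = event["subject"].lower()
    if any(t in subject for t in PAYMENT_TERMS):
        return f"outbound mail about payment details: '{event['subject']}'"
    return None


def detect_bec(events):
    """Return one alert per novel login that is followed by at least one risky action."""
    seen_ips = {}      # user -> IPs already used; the first login seeds the baseline
    open_alerts = {}   # user -> alert under construction since the last novel login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            known = seen_ips.setdefault(user, set())
            if known and ev["ip"] not in known:
                open_alerts[user] = {"user": user, "login_ip": ev["ip"], "geo": ev["geo"],
                                     "login_at": ev["ts"], "indicators": []}
            known.add(ev["ip"])  # caveat: the intruder's IP is now "known" for this user
            continue
        alert = open_alerts.get(user)
        if alert is None or ts - datetime.fromisoformat(alert["login_at"]) > WINDOW:
            continue
        if ev["type"] == "mailbox_rule":
            reason = risky_rule(ev["rule"])
        elif ev["type"] == "mail_sent":
            reason = risky_mail(ev)
        else:
            reason = None
        if reason:
            alert["indicators"].append(reason)
            if len(alert["indicators"]) == 1:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_bec(EVENTS):
        print(f"{a['user']}: login from {a['login_ip']} ({a['geo']}) at {a['login_at']}")
        for ind in a["indicators"]:
            print("  -", ind)
```

Two blind spots are worth naming. An account with no login history gets no baseline, so the first login from anywhere is silently trusted; and once the intruder has logged in, that address joins the baseline, so the alert must be raised on the first novel login rather than waiting for a repeat. A production rule would also key on ASN or geography, not bare IP, since a keylogged victim’s own home connection will look new to a purely office-based baseline.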
Cloak and dagger?
To get to the bottom of the attack, researchers used some “malware archaeology,” discovering that the toolset in the Rosneft campaign had been used before to rip off users of the Steam video-game platform, Levilli told us. In fact, the threat actors had modified the tools only slightly to go after “this different and decidedly bolder set of targets,” he said.
“Eventually, we were able to tie our analysis of the malware and infrastructure used here with research that had been published by Group-IB,” a company that claimed to have helped some of the victim organizations, Levilli said. This “helped provide the context of the BEC attack, and shed some light on the copy-cat websites,” he said.
“In this new context, it became clear that this was likely just a criminal enterprise and not an effort whose principal aim was state-sponsored espionage,” Levilli explained. “We now suspect that a criminal threat actor, likely based in Russia or Eastern Europe, is responsible for the attacks.”
If this is indeed the case, why adopt the style of a state-sponsored or APT attack in the first place? Levilli said there are a couple of reasons. First, targeted APT-style attacks are highly effective, so criminals who copy them improve their own odds of success.
Second, hiding behind what looks like a state-sponsored attack can buy those actually responsible time, or hide them in plain sight, since defenders who discover the activity will initially go looking for a different kind of adversary, he said.
“Their use challenges attempts at attribution by playing into the confirmation bias that network defenders and researchers may have when encountering the initial signs of attack,” Levilli said. The research into the Rosneft attacks is leading Cylance researchers to caution other security experts to be careful when jumping to conclusions about who’s responsible for similar types of attacks.