31 January 2022

The story of the four bears: Brief analysis of APT groups linked to the Russian government (Part 3)

Introduction: Analysts at Cybersecurity Help have decided to publish a series of articles dedicated to the known APT groups (supposedly) linked to the Russian government. In “The Four Bears” series we will tell you about the APT groups known as Fancy Bear (APT 28), Cozy Bear (APT 29), Voodoo Bear (Sandworm), and Berserk Bear (Energetic Bear).

Here is the third article in the series, dedicated to Voodoo Bear. You can read the first article here and the second one here. This post does not cover all of Voodoo Bear’s cyberattacks, but briefs the reader on the most prominent incidents and their nature. As in the European folk fairy tale “The Story of the Three Bears”, each “Bear” in this series has its own character and distinctive features.

Voodoo Bear

Voodoo Bear (aka Sandworm, Telebots, Iron Viking, BlackEnergy, Olympic Destroyer) is probably the most ferocious member of the “Bear” family. While Fancy Bear and Cozy Bear focus on stealing data, and in Fancy Bear’s case leaking it, the third “brother” specializes in subversive operations that can be devastating. It is this group that is responsible for the first blackout in history caused by hackers. The threat actor has proven that a disaster movie scenario can play out in real life. Power grid cyberattacks leading to blackouts, computer systems frozen all over the world by the NotPetya attack, and the almost ruined opening ceremony of the Winter Olympics in Pyeongchang: it is all the work of Voodoo Bear.

In October 2020, US authorities charged six Russian military officers, accusing them of hacking Ukrainian critical infrastructure, the NotPetya attacks, destabilizing the political situation in Georgia, hacking the French election, and more. According to the indictment, all six officers are connected with Unit 74455 of the Russian Main Intelligence Directorate (GRU), the military intelligence agency of the General Staff of the Armed Forces. The same agency is apparently connected with another member of the “Bears” family, Fancy Bear. But while Voodoo Bear is Unit 74455, Fancy Bear is Unit 26165, and different units mean different goals.

The threat actor has a large arsenal of malware, some of it consisting of advanced, modified versions of once-primitive tools. This is the case with BlackEnergy and NotPetya, two prominent malicious tools originally developed by lone cybercriminals and then vastly improved by Voodoo Bear.

BlackEnergy

The BlackEnergy malware was used in the cyberattack on the Ukrainian power grid on December 23, 2015. The attack led to the first blackout in history caused by a cyberattack. Hackers attacked the Ukrainian energy company Prykarpattyaoblenergo, and approximately 23,000 people in the western part of the country were left without power for 1-6 hours. You can find more information about this attack in a SANS Institute report.

BlackEnergy was created by researcher Dmytro Oleksiuk (aka Cr4sh), apparently in 2007. At that time it was a DDoS trojan. By the end of 2007 the cybersecurity firm Arbor Networks had identified about 30 botnets built using BlackEnergy. The 2010 version of the malware had capabilities beyond DDoS, and in 2014 the third version of BlackEnergy was equipped with a variety of plug-ins. In 2009, Oleksiuk tried to distance himself from his creation and wrote in his blog that the source code of his tool was publicly accessible and anyone could use it.

Industroyer

On December 17, 2016 – almost a year after the first Ukrainian blackout – Voodoo Bear attacked another energy company, Ukrenergo. About 20% of Kyiv’s population was left without power for one hour. This time the threat actor used another malware family called Industroyer (aka Crash Override). According to the cybersecurity firm ESET, this malicious tool is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure. Industroyer can control electricity substation switches and circuit breakers directly. The malware makes use of industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, etc.

NotPetya

Just like BlackEnergy, NotPetya is another incarnation of a less sophisticated tool created by an independent developer. The original ransomware strain, Petya, was discovered in March 2016. It was supposedly created by someone who called himself JanusSecretary. But the NotPetya version used in June 2017, which caused chaos all over the world, was very different. Someone – allegedly Voodoo Bear – took JanusSecretary’s original version and turned it into a powerful cyberweapon lacking key ransomware capabilities. According to Kaspersky Lab, NotPetya is actually a wiper masquerading as ransomware, and the hackers cannot decrypt victims’ disks even if a payment is made. And again, Voodoo Bear did not only steal someone else’s code and brand; it also borrowed a distribution method from North Korean hackers.

The month before the NotPetya attack, the world was hit by another ransomware called WannaCry, which propagated through the infamous EternalBlue exploit. This exploit was created by the US National Security Agency and stolen from it by The Shadow Brokers hacker group. Later it turned out that the NotPetya wiper used the same propagation mechanism.

The destructive NotPetya attack hit Ukraine on June 27, 2017 and spread around the world. Hackers compromised the software update mechanism of M.E.Doc, a Ukrainian tax preparation program, to spread the wiper. The attack quickly spread beyond Ukraine and hit France, Germany, Italy, Poland, Russia, the United Kingdom, and the United States.

Olympic Destroyer

On February 9, 2018 hackers attacked the opening ceremony of the Winter Olympics in Pyeongchang, South Korea. At the very beginning of the event, something began switching off every domain controller in the Olympics data centers in Seoul. Nobody could connect to the Wi-Fi, thousands of TVs in the stadium switched off, RFID gates stopped working, and visitors could not print their tickets. As a result, the Games’ IT team was forced to shut down all the servers for the whole night.

Professionals from Cisco Talos analyzed the samples used in this attack. The malware, called Olympic Destroyer, did not come from a threat actor looking for data from the Olympics; it had one goal: to disrupt the event. Olympic Destroyer had no data exfiltration functionality and appeared to perform only destructive actions. It aimed to render the machine unusable by deleting shadow copies and event logs, and tried to make use of PsExec and WMI to move further through the environment. The same was the case with NotPetya.
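The behaviours Talos describes (shadow-copy deletion, event-log clearing, PsExec and WMI for moving through the environment) are exactly what a defender would hunt for in process-creation telemetry. The following Python is an added example, not code from the article, from Talos or from the malware; it runs simple detection rules over constructed Sysmon-style sample events and assumes the standard Windows utilities (vssadmin, wevtutil, PsExec, WMIC) and the pipe-delimited event format shown in the block.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry): host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
ws01|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
ws01|cmd.exe|wevtutil.exe|wevtutil.exe cl System
ws01|cmd.exe|wevtutil.exe|wevtutil.exe cl Security
ws02|explorer.exe|notepad.exe|notepad.exe C:\Users\alice\notes.txt
ws02|cmd.exe|PsExec64.exe|PsExec64.exe \\ws03 -s cmd.exe /c C:\Windows\Temp\x.exe
ws02|cmd.exe|WMIC.exe|WMIC.exe /node:ws04 process call create "cmd.exe /c C:\Windows\Temp\x.exe"
ws05|services.exe|svchost.exe|svchost.exe -k netsvcs
""".strip().splitlines()

# One rule per behaviour the article attributes to Olympic Destroyer and NotPetya.
# The command-line shapes are assumptions about how these built-in tools are invoked.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    "psexec_remote_exec": re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\\S+", re.I),
    "wmi_remote_process": re.compile(r"\bwmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create\b", re.I),
}

def detect(lines):
    """One finding per (event, rule) pair whose command line matches the rule."""
    findings = []
    for line in lines:
        host, _parent, _image, cmd = line.split("|", 3)  # command line keeps any later '|'
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append({"host": host, "rule": name, "command_line": cmd})
    return findings

def rules_by_host(findings):
    """Map each host to the set of rule names it triggered."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return dict(by_host)

def destructive_hosts(findings):
    """Hosts showing both shadow-copy deletion and log clearing: the pairing the article
    describes, and far rarer in legitimate administration than either action alone."""
    return sorted(h for h, r in rules_by_host(findings).items()
                  if {"shadow_copy_deletion", "event_log_clearing"} <= r)

def lateral_movement_hosts(findings):
    """Hosts that launched PsExec or WMI remote process creation toward another host."""
    return sorted(h for h, r in rules_by_host(findings).items()
                  if r & {"psexec_remote_exec", "wmi_remote_process"})
```

In a real deployment the correlation in destructive_hosts would run per host over a short time window, since a lone shadow-copy deletion by backup software is a common benign event.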

Summary: Voodoo Bear is the most ferocious member of the “Bear” family. It does not focus on cyber espionage or on stealing and leaking data, but aims to cause physical damage to critical equipment. This is the group behind the first ever blackout caused by a cyberattack.
