Last-minute paper: Battlefield Ukraine: finding patterns behind summer cyber attacks

Thursday 5 October 15:00 - 15:30, Green room

Alexander Adamov (NioGuard Security Lab)
Anders Carlsson (Blekinge Institute of Technology)



Ukraine has unwillingly found itself the battlefield between hacker group(s) with supposedly Russian roots and the anti-virus industry. This is not the first time that Ukraine has attracted the attention of cybersecurity experts: recall the several waves of cyber attacks against Ukraine's critical infrastructure using the BlackEnergy [1] and Industroyer [2, 3] industrial malware, supposedly created by a Russian hacker group.

This summer, we noticed that a supply-chain attack through M.E.Doc, accounting software popular in Ukraine, ended with a splash of the NotPetya ransomware-wiper [4]. During the M.E.Doc campaign, we discovered that the attacks were run with the help of several pieces of specially crafted ransomware: XData (AES-NI clone) [5], WannaCry.NET (WannaCry clone) [6], and NotPetya (Petya & Misha & WannaCry clone). It is worth mentioning that the first notable infection through the trojanized M.E.Doc [7], with the XData ransomware, happened in the middle of May, more than a month before NotPetya was launched.

Now, we are seeing another ongoing campaign against Ukrainian organizations that follows a similar pattern. First, the attackers hacked the web server of the Ukrainian producer of another piece of accounting software [8] to upload two payloads: the Chthonic (Zeus-based) backdoor, seen in June in the nation-state attack against Ukrainian government institutions [9], and PSCrypt 2, a clone of the GlobeImposter (Globe-based) ransomware [10]. Then, they spear-phished the targets to lure them into downloading and installing one of these options. We are continuing to work with the victims to find out more information about the attack vectors.

In our talk, we'll show the timeline and highlight the patterns behind these attacks, including:

  • The attack vectors
  • The types of malware used, in the context of previous nation-state attacks
  • Ransomware design style
  • C&C domains
  • Peculiarities in the language use

Finally, we'll share our hypotheses as to who is behind the summer attacks in Ukraine.

[1] https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/

[2] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

[3] https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

[4] https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html

[5] https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html

[6] https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html

[7] https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html

[8] https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html

[9] https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html

[10] https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/

 

 


Alexander Adamov

Alexander Adamov is the founder and CEO of NioGuard Security Lab, which designs open-source sandbox-based solutions and tests security software against targeted attacks and ransomware. As a teacher, he develops and teaches the Advanced Malware Analysis course in universities in Ukraine and Sweden within the EU project called ENGENSEC. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung, Mirantis and Acronis and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT, and BSides.

 


Anders Carlsson

Anders Carlsson has 30 years of experience in computer security, network security and digital forensics.

He was educated and earned a degree as a Computer Engineer/Lieutenant-Commander specialist in the Submarines of the Royal Swedish Navy, where he worked for 25 years.

Since 1999 he has been employed by BTH, Blekinge Institute of Technology, as a senior researcher, where he is responsible for networks, network security, computer security and digital forensics at B.Sc. and M.Sc. levels. He has also been involved in the EU_ISEC project (2007-2013) to develop courses and train law enforcement officers within EUROPOL and BKA (the Federal Police in Germany) in forensics.

He was a project manager in BAITSE (Baltic Academic IT-Security Exchange) 2010-2013, a project aimed at exchanging knowledge and harmonizing IT security in academic institutions within Sweden, Latvia, Poland and Ukraine. He continued this work as General Manager for the EU-TEMPUS IV, and founded project ENGENSEC (Educating NexT Generation IT Security Experts) that will end in November 2017.


