Wednesday 4 October 11:20 - 11:50, Red room
Hossein Jazi (Fortinet)
Since the Russian invasion of Ukraine in 2022, the number of cyber-attacks against both countries, especially Ukraine, has increased, and several cyber threat actors have performed politically motivated operations to collect sensitive data from their victims’ machines. But these attacks are not limited to this time frame – in fact, tensions have been running high since Russia's annexation of Crimea in 2014 and the independence declarations of the Donetsk and Luhansk regions.
Several cyber threat actors took advantage of this unstable geopolitical situation to operate their cyber espionage campaigns. One of them is RedStinger, a new threat actor that we have tracked since September 2022. While some of the activities of this actor were reported by Kaspersky in March 2023 as BadMagic, we have been able to trace this group back as far as at least late 2020.
We uncovered at least five different campaigns that were operated by this threat actor in the past three years, in late 2020, April 2021, September 2021, April 2022, and September 2022. It is worth mentioning that some of these campaigns lasted for a couple of months and the actor was actively monitoring and collecting data during that time.
The primary targets of this threat actor were entities in Russia and Ukraine. We identified a number of military and transportation entities that have been targeted by this actor as well as some officers and individuals that were involved in the September East Ukraine referendums. RedStinger was able to successfully exfiltrate different data such as screenshots, USB drive data, keystrokes and microphone recordings.
RedStinger mainly used spear-phishing emails to target its victims. These phishing emails usually contain an archive file whose name is chosen to entice the recipient to open it. The archive files had embedded lures, which were official documents or letters related to the attack. For example, in one of the cases the lure was about the Luhansk region. The initial infection vector used by this actor varies, but all eventually dropped a piece of malware that we named DBoxShell.
DBoxShell utilizes cloud storage services such as Dropbox as its command-and-control (C&C) mechanism. Using this malware, the actor performed reconnaissance on victims to assess whether the targets were interesting, and decided whether to deploy additional malware and toolsets.
In this talk, we present an in-depth analysis of the operations, toolsets and TTPs used by this threat actor in the past three years. We will also discuss victimology and attribution.
Roberto Santos obtained his degree in computer engineering at the Polytechnic University of Madrid, specializing a year later in cybersecurity at Carlos III University (Madrid), where he achieved a Master's degree in that field. He has extensive experience, obtained in well-known companies such as Panda Security, Telefonica and Malwarebytes. In these organizations he held different positions, such as reverse engineer and threat intelligence researcher. Over the last year he has written about several first-class APT attacks. Most of his work is available to the public online.
Hossein Jazi serves as a senior specialist within the threat intelligence team at Fortinet. He is an active researcher whose research interests include APT tracking, malware analysis, cyber threat intelligence, and machine learning. Currently his focus is on hunting and tracking APTs and publishing blogs on their activities. He has been specializing in cybersecurity and APT analysis for over 13 years.