Microsoft on Thursday fingered Russian military intelligence as the likely culprit behind ransomware attacks targeting Polish and Ukrainian transport and logistics companies over the past month.
If the assessment by members of the Microsoft Security Threat Intelligence Center (MSTIC) is correct, it could cause concern for the US government and its European counterparts. Poland is a member of NATO and a staunch supporter of Ukraine’s attempt to repel an unprovoked Russian invasion. The hacking group that the software company has linked to the cyberattacks, known more widely as Sandworm and in Redmond, Washington, as Iridium, is one of the most talented and destructive in the world and is widely believed to be backed by the GRU, Russia’s military intelligence agency.
Sandworm was definitively linked to the NotPetya wiper attacks of 2017, a global outbreak that a White House assessment said caused $10 billion in damages, making it the most expensive hack in history. Sandworm was also definitively linked to hacks of Ukraine’s power grid that led to widespread outages during the coldest months of 2016 and again in 2017.
Last month, Microsoft said that Polish and Ukrainian transport and logistics companies had been the target of cyberattacks using never-before-seen ransomware known as Prestige. The threat actors, according to Microsoft, had already gained control over the victim networks. Then, in a single hour on October 11, the hackers deployed Prestige on all of their victims.
Once in place, the ransomware scans all files on the infected computer and encrypts the contents of files ending in .txt, .png, .gpg and more than 200 other extensions. Prestige then appends the .enc extension to the file’s existing extension. Microsoft initially attributed the attack to an unknown threat group it dubbed DEV-0960.
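A defender-side triage check for the naming pattern just described, added here as an example rather than code from the article or from Microsoft: Prestige appends .enc to the original extension instead of replacing it, so a hit is a file whose last suffix is .enc and whose previous suffix is a known target extension. The extension set and the file listing are constructed for illustration (the article names only .txt, .png and .gpg out of the 200-plus extensions).

```python
from collections import Counter
from pathlib import PurePosixPath

# Assumed subset of the 200+ extensions the report says Prestige targets.
# Only .txt, .png and .gpg are named in the article; the rest are illustrative.
WATCHED_EXTENSIONS = {".txt", ".png", ".gpg", ".docx", ".xlsx", ".pdf"}


def is_prestige_style(path: str) -> bool:
    """True if the name looks like <name>.<orig_ext>.enc: a watched
    extension with .enc appended rather than substituted."""
    suffixes = PurePosixPath(path).suffixes
    if len(suffixes) < 2 or suffixes[-1].lower() != ".enc":
        return False
    return suffixes[-2].lower() in WATCHED_EXTENSIONS


def triage(paths):
    """Group hits by directory so an analyst can tell a mass-encryption
    event (many files per directory) from a stray .enc artifact."""
    hits = [p for p in paths if is_prestige_style(p)]
    per_dir = Counter(str(PurePosixPath(h).parent) for h in hits)
    return {"hits": hits, "per_dir": dict(per_dir)}


# Constructed sample listing, not taken from any real incident.
SAMPLE_LISTING = [
    "/srv/share/reports/q3.docx.enc",
    "/srv/share/reports/notes.txt.enc",
    "/srv/share/reports/logo.png.enc",
    "/srv/share/keys/backup.gpg.enc",
    "/srv/share/ok/readme.txt",      # untouched file
    "/srv/share/ok/archive.enc",     # no prior extension: not the pattern
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for directory, count in sorted(result["per_dir"].items()):
        print(f"{directory}: {count} file(s) with Prestige-style .enc suffix")
```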
On Thursday, Microsoft updated the report to say that, based on forensic artifacts and overlaps in victimology, tradecraft, capabilities and infrastructure, the researchers have determined that DEV-0960 is highly likely to be Iridium.
“The Prestige campaign could highlight a measured shift in Iridium’s calculus for destructive attacks and signal an increased risk for organizations that directly deliver or transport humanitarian or military assistance to Ukraine,” MSTIC members wrote. “More broadly, this may pose an increased risk to organizations in Eastern Europe that may be viewed by the Russian state as providing war-related support.”
Thursday’s update further states that the Prestige campaign differs from the destructive attacks of the past two weeks, which used malware tracked as AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) against multiple critical infrastructure targets in Ukraine. While the researchers said they still don’t know which threat group is behind those attacks, they now have enough evidence to identify Iridium as the group behind the Prestige attacks. Microsoft is in the process of notifying customers who have been “affected by Iridium but have not yet purchased their freedom,” they wrote.
Underscoring the sophistication of the attacks, Iridium members used multiple methods to deploy Prestige on target networks. These included:
Scheduled Windows tasks
Encoded PowerShell commands, and
Default Domain GPOs (Group Policy Objects)
“Most ransomware operators develop a preferred craft for their payload deployment and execution, and that craft tends to be consistent across victims unless a security configuration prevents their preferred method,” MSTIC members explained. “In this Iridium activity, the methods used to deliver the ransomware into the victim environments varied, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is particularly notable given that the ransomware deployments all occurred within an hour.”
The post contains technical indicators that can help organizations determine whether they have been attacked.