Six degrees of separation is a theory that everyone in the world is six, or fewer steps, from any other person in the world. This theory was popularized through Kevin Bacon, who has been in so many movies, that it’s believed he can be linked to any actor in a maximum of six links.
Just as people can be linked to each other, companies that rely on third parties for data processing and services are also linked. Trusted relationships between partners often open security holes between networks. The partners are naively considered trusted, and traditionally, they haven’t been thought to be a potential source of malicious activity. Of course, with recent breaches and knowledge, this has dramatically of late!
If the target of an advanced attacker is difficult to penetrate, the attacker will open its sights on a partner company to gain access. Depending on the complexity, thoughtful adversaries could target multiple third parties in an attempt to gain access to their main objective. Lets explore this theory through recent real-world findings.
Russian cyber operations
Recently, the LookingGlass Cyber Solutions’ Threat Intelligence Group (CTIG) discovered an active Russian state-sponsored cyber espionage campaign targeting Ukrainian government, law enforcement and military officials. The operation’s goal was to steal information that would provide insight into near-term Ukrainian intentions and plans relating to military strategy and troop movement. Dubbed “Operation Armageddon” due to the author’s name used in a Word document used in the attacks, the campaign has been active since at least mid-2013.
The Security Service of Ukraine (SBU) has publicly released at least two statements regarding these attacks, in September 2014 and March 2015. The SBU attributed these attacks to specific branches of the Russian Federal Security Service (FSB). LookingGlass’ findings support the statements made by SBU.
What makes this campaign interesting is the motivation for the attacks: obtaining an advantage in kinetic warfare against Ukraine. Through extensive temporal and technical analysis, LookingGlass found evidence that correlates waves of Operation Armageddon with Russian military activity in and around Ukrainian conflict areas. It is clear Russia continues to advance their information warfare components of their overall modern warfare strategies in order to further their global interests.
Each attack in the campaign has started with a targeted spear phishing email convincing the victim to either open a malicious attachment or click a link leading to malicious content. The attackers use documents either previously stolen from or of high relevance and interest to Ukrainian targets, often government officials, in order to lure their victims into opening the malicious content. Upon execution of the most recent samples of malware, a self-extracting archive (SFX) dropper launches a legitimate lure document as well as a script used to download payloads from a remote Command and Control (C&C) server either operated or controlled (compromised) by the attackers. Older samples from the campaign used either Adobe or Microsoft Word icons, but sometimes did not actually open a lure document.
Throughout the course of the campaign, the final payloads have been some form of Remote Administration Tool (RAT) – either the “Remote Manipulator System” (RMS), which is a very popular RAT commonly distributed in Russian hacking forums, or UltraVNC, which is a RAT that’s freely available online. These RATs have both been categorized as malicious by the AntiVirus industry. Additionally, early campaign payloads have also included malware that modifies the DNS servers used by victim machines in order to redirect traffic.
While very uncommon, campaigns of this nature and the attack vectors used are not new. This demonstrates both the sophistication of the malware and the simplicity of the attack approaches. Malicious batch scripts within the SFX archives send identifying information about the infected machine back to a C&C server, including the MAC address and computer name. The RATs have also been used to steal legitimate documents related to the Russian-Ukrainian conflict to be used as lures in the next waves of the attacks.
Clearly, Russia has significant digital warfare capabilities. But as their targetssecure themselves, they become more difficult to compromise. If the main target can’t be easily accessed, they adjust to alternate paths to the target. The obvious alternates are the trusted partners of the target. If those alternates are also secure, the possible list of vulnerable companies and networks expand. Similar to six degrees of Kevin Bacon, partners of partners become valuable opportunistic targets. Once a vulnerable company is compromised, their trusted access into other partners allows exploits that didn’t work previously to bypass security controls. A potential “keys to the kingdom” scenario – once past the initial partners’ defenses, the advisory is free to roam the connected partner networks.
Real world examples
Russia has the capabilities and resources to engage in long campaigns against targets and their partners. While a company might not consider itself a target of nation state attacks, there is evidence that even unrelated companies can be targets or unintentionally (or innocently) get caught in the crossfire. Some examples and their relationship to possible targets are as follows:
- If Russia is targeting the Ukraine and can’t penetrate the networks directly, they might target the ISPs that Ukraine uses inside the country or ISPs that provide connectivity to the rest of the world;
- If the Ukraine purchases computers from a company like Lenovo, Russia may target Lenovo or Lenovo partner companies for avenues for delivering exploits; and
- A company that provides food services for the military may use a third party credit card processor. Compromising the credit card processor could allow access to computers that may be located at military installations.
To put this into further perspective, the LookingGlass CTIG found waves of cyber attacks from the Russians directly correlated with the timing of military events, and were geared towards gathering intelligence to empower themselves on the physical battlefield – a digital method of espionage in its truest of form. Using a wave of spear phishing attacks and targeting many different government officials, they had both the resources and patience to attack from many different directions while not triggering any alarms at typically thought of targets – proving the main target isn’t always the way in.
Even though Russian cyber capabilities are reputed to be robust, based on the individuals targeted and the nature of the TTPs implemented, the activity detected and the correlation to real world events thus far implies the actors are more focused on collecting timely intelligence regarding Ukrainian military strategies to obtain an advantage in the ongoing war. This, however, does not mean they could not use this for more sophisticated cyber espionage, or even specific cyber attacks. While the LookingGlass CTIG only found evidence of Ukraine being targeted in these attacks, it is plausible that the same techniques are being used elsewhere.
If I’m a global enterprise how does this impact me?
The important take away for enterprises of all kinds is that third party vulnerabilities cannot be overlooked. Just because an organization has top notch security practices in place, it doesn’t mean their partners will not be targeted for their valuable insider access. If partners are given secure insider access, their systems must be continually monitored, reviewed and assessed for their security vulnerabilities.
Partners may think of themselves as unlikely targets, but as we have seen with the attacks against the Ukrainian government and military, partners and other connected individuals can be used to gain access to more valuable data at seemingly unrelated organizations.
Jason Lewis is the chief collection and intelligence officer at LookingGlass Cyber Solutions. He leads analysis and research efforts, which include maintaining and expanding a global sensor networkfor tracking exploits and malicious hosts, exploring new technologies for improving current data analysis techniques, evaluating and obtaining new sources and types of data and investigating new threats to infrastructure and techniques used by malicious actors.
