In 2018, Russia’s hacking agency, the GRU, infected more than half a million routers worldwide with malware known as VPNFilter, and it similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia’s invasion of Ukraine in February.
But Mandiant analysts argue that only now are they seeing that hacking of edge devices being used to accelerate the agency’s pace of operations and to achieve a persistence inside networks that lets the GRU pull off repeated intrusions against the same victims.
That’s meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they’re spying on, the agency has been able to “have their cake and eat it too,” as Roncone puts it.
Ukraine’s own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant’s conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official.
He confirms that the GRU, in particular, has come to favour targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organisation in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.
Instead, Zhora contends that the GRU’s switch to a faster operating rhythm shows how the agency’s hackers are racing – struggling, even – to keep up with the speed of physical war.
“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources,” says Zhora.
“They still try to carry out their expected role, to be Russia’s most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they’re still seeking new opportunities for intelligence and wiping options.”
At times, Roncone and Wolfram say, GRU hackers do seem to be struggling to keep up with the new pace they’ve set. In one case, they saw the hackers backdoor an email server but set up their command-and-control server incorrectly, so that they failed to control it. In another case, they sent the wrong commands to a wiper tool, so that it failed to wipe the systems it had infected.
“It’s just the tempo and probably a bit of human error and burnout that leads to this sort of ‘oopsies,’” says Roncone.
Another shift in the GRU’s hacking to “quick and dirty” methods can be seen in the specific wiper malware that it uses, according to Roncone and Wolfram. Since May, Mandiant has observed GRU hackers deploying the relatively simple, targeted wiper malware known as CaddyWiper in nine different operations targeting Ukrainian organisations – five attacks in May and June, then another four last month.
The decision to make that small, straightforward wiper code its sabotage payload of choice represents a stark contrast with years past. In 2017 and 2018, the GRU group Sandworm unleashed complex destructive worms inside target networks that took months to hone and deploy: automated, self-replicating, multi-featured code such as the Olympic Destroyer malware designed to cripple the Pyeongchang Winter Olympics and the NotPetya malware that hit Ukrainian networks and spread worldwide, causing an unprecedented $10 billion in damage.
In the early days of Russia’s invasion, for reasons that aren’t quite clear, Kremlin hackers targeting Ukraine appear to have used a grab bag of at least half a dozen wiping tools of varying quality inside victim networks, such as HermeticWiper, WhisperGate and AcidRain. But in more recent months, the GRU appears to have deployed mainly CaddyWiper, again and again, Mandiant found, though in modified forms, changed just enough to evade detection.
Ukraine’s SSSCIP, for its part, declined to confirm whether it has seen the same nine CaddyWiper attacks Mandiant had tracked.
“It’s like they’ve said, ‘We’re not gonna build out a fancy multifaceted wiper like NotPetya that can worm on its own. What we need is just something that’s really lightweight and easily modifiable and easily deployable,’” says Roncone.
“So, they’re using this not-that-great, does-the-job wiper, which seems like part of shifting their entire tactical strategy to accommodate these fast-paced operations.” And while those quick-and-dirty methods may not be as flashy or as innovative as the GRU cyberattacks of the past, they can nonetheless inflict serious digital chaos in a country that needs every resource it has to fend off Russia’s invaders.
- A Wired report