Hackers are targeting critical Russian infrastructure for money and not espionage

• The attackers used macros embedded in Microsoft Word documents to spread malware.
• Over two dozen sites of critical Russian infrastructure companies were cloned by the attackers over the last three years.

Nation-state sponsored cyberattacks have a repeated attention-grabbing occurrence in the last few years, due to their geopolitical implications. The people reporting on cyber threats also eventually form a bias towards painting a dramatic picture behind every story and nation-state attacks are the most dramatic ones among all such stories.

This, sometimes, ends up providing cybercriminals with an added layer of anonymity, due to a misguided narrative. A recent attack, which was speculated to be a state-sponsored attack against a Russian state-owned company, ultimately turned out to be a much simpler crime, that primarily focused on stealing money.

The Target

Rosneft is a Russian state-backed oil giant that touts itself as the world’s largest publicly traded company. It is, however, also a foreign policy tool for the Kremlin and serves as a pillar in the critical infrastructure for Russia and it’s surrounding countries.

In December 2016, it was announced that 20 percent of the company was being taken private for over $10 billion dollars. This event led to a lot of speculation and interest from around the world. It was estimated that the move could also have made the firm an ideal target for foreign espionage. But this was soon proven wrong in an investigation conducted by Cylance.

Long-term malware campaign

Threat researchers at Cylance first found Microsoft Word documents in July 2017, with embedded macros containing a common malware that was seemingly aimed at Russian-speaking users. This was repeated in 2018, which prompted them to investigate further.

The researchers found that the malware communicated with its C2 servers, whose domains were quite similar to actual server domains of Russian oil and gas companies. The domains used by the malware were quite close to the domains of Rosneft and its subsidiaries.

The first such site found was “rnp-rosneft[.]ru”, mimicking the legitimate “mp-rosneft[.]ru” website owned by Rosneft.

“The only reference to this domain we could identify was the email address “sec_hotline@mp-rosneft[.]ru” which was used by Rosneft for confidentially reporting corporate fraud, corruption, and embezzlement,” according to Cylance.

The threat actor hadn’t just done this for the oil and gas sector but also for over two dozen state-owned companies in chemical, agricultural, financial and other critical sectors. The researchers found that the malware author had operated for over three years with the same malware and a changing target. Surprisingly, the attacker began their exploits by targeting Steam users in the gaming community, as per the investigation.

It is not clear if the phishing documents used in the campaign were targeted at specific groups of employees or just meant to be spread in the spray-and-pray method. The technical analysis of some of these phishing documents can be found here.

Attack Infrastructure

It was also found that the attackers’ domains were exposed due to the use of free bulk SSL certificates from Cloudflare.

“The attacker put a lot of time and effort into closely imitating legitimate domains and continually altered their targets over time. They would also occasionally register legitimate domains after the domains had expired...The actor relied heavily upon the Lithuanian provider “vpsnet[.]lt” likely as a result of the low-cost overhead of a couple euros per month per virtual private server (VPS),” the researchers stated.

Initially, the Cylance team was unclear about the origins of this attack campaign. However, they gained clarity after an article was published in a Russian edition of Forbes.

Ilya Sachov, founder and CEO of a security company Group-IB, wrote about an organized campaign by a threat actor who was creating clones of legitimate sites of Russian critical infrastructure companies.

The article contained unpublished research findings of Group-IB which included the clones of Rosneft domains, meant for harvesting login credentials and bolstering the campaign. Cylance had also independently found almost all the domains mentioned in the Group-IB findings.

From the overlapping findings and the history of the threat actor’s attacks on the gaming community in the past, it was evident that it was the work of a criminal group, but not a nation-state. This investigation highlights the importance of the presence of inherent biases when evaluating threat intel. The research also demonstrates how critical infrastructure across the globe is increasingly being targeted by cybercriminals with varying skills and motives.