Tag Archive for: Sandworm

Sandworm uses a new version of ArguePatch to attack targets in Ukraine


ESET researchers spot an updated version of the malware loader used in the Industroyer2 and CaddyWiper attacks

Sandworm, the APT group behind some of the world’s most disruptive cyberattacks, continues to update its arsenal for campaigns targeting Ukraine.

The ESET research team has now spotted an updated version of the ArguePatch malware loader that was used in the Industroyer2 attack against a Ukrainian energy provider and in multiple attacks involving data wiping malware called CaddyWiper.

The new variant of ArguePatch – so named by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an attack at a specified time. This removes the need to set up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.

Another difference between the two otherwise highly similar variants is that the new iteration uses an official ESET executable to hide ArguePatch, with the digital signature removed and code overwritten. The Industroyer2 attack, meanwhile, leveraged a patched version of Hex-Rays IDA Pro’s remote debug server.

The latest find builds on a string of discoveries that ESET researchers have made since just before Russia’s invasion of Ukraine. On February 23rd, ESET’s telemetry picked up HermeticWiper on the networks of a number of high-profile Ukrainian organizations. The campaigns also leveraged HermeticWizard, a custom worm used for propagating HermeticWiper inside local networks, and HermeticRansom, which acted as decoy ransomware. The next day, a second destructive attack against a Ukrainian governmental network started, this time deploying


US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks


The U.S. government has stepped up its hunt for six Russian intelligence officers, best known as the state-backed hacking group dubbed “Sandworm,” by offering a $10 million bounty for information that identifies or locates its members.

The Sandworm hackers — who work for a division of Russia’s GRU, the country’s military intelligence division — are known for launching damaging and destructive cyberattacks against critical infrastructure, including food supplies and the energy sector.

Sandworm may be best known for the NotPetya ransomware attack in 2017, which primarily hit computer systems in Ukraine and disrupted the country’s power grid, leaving hundreds of thousands of residents without electricity during the depths of winter. In 2020, U.S. prosecutors indicted the same six Sandworm hackers, who are believed to still be in Russia, for the NotPetya attack, as well as several other attacks that targeted the 2018 PyeongChang Winter Olympics in South Korea and for running a hack-and-leak operation to discredit France’s then-presidential frontrunner Emmanuel Macron.

In a statement this week, the U.S. State Department said the NotPetya attack spilled outside of Ukraine across the wider internet, resulting in close to $1 billion in losses to the U.S. private sector, including medical facilities and hospitals.


The bounty comes at a time when U.S. officials warn that Russia-backed hackers, including Sandworm, could be preparing damaging cyberattacks that target businesses and organizations in the United States following Russia’s invasion of Ukraine.

Since the start of the invasion in February, security researchers have attributed several cyberattacks to Sandworm, including the use of “wiper” malware to degrade Viasat’s satellite network that the Ukrainian military heavily relies on. Ukraine’s government said earlier this month it had disrupted another Sandworm attempt to target a Ukrainian energy provider using malware it repurposed from cyberattacks it launched against Ukraine in 2016.

The FBI also this month said it conducted an operation to disrupt a massive botnet that infected thousands of compromised routers, including many located in the U.S., by locking…


Sandworm targets Ukrainian power grid. CISA warns of ICS malware. Updates on Hafnium activity.


Sandworm targets Ukrainian power grid.

Sandworm, also known as Voodoo Bear and listed on the org charts of Russia’s GRU as Unit 74455, has deployed CaddyWiper destructive malware and an Industroyer variant being called, simply, “Industroyer2.” ESET tweeted the results of its findings early Tuesday morning, and provided additional details in a report also published Tuesday. “ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company. The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks. The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems. We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack.”

The incident seems, at first look, an attempted repetition of the 2016 Russian cyberattacks against the Ukrainian grid that ESET mentioned in its report. CERT-UA offered a further description of the attack. It intended to use Industroyer2 against “high-voltage electrical substations” in a fashion tailored to the individual substations. CaddyWiper was used against Windows systems (including automated workstations), and other “destructive scripts” (OrcShred, SoloShred, and AwfulShred) were deployed against Linux systems.

The GRU’s attempt against the Ukrainian power grid appears to be the cyberattack most people were expecting back in February, especially because of the way it tracked earlier GRU takedowns of sections of Ukraine’s power grid. It also appears to have failed, and that failure may be attributed in part to successful Ukrainian defenses as well as to the methods Russia chose to use. In cyberspace as well as on the ground, Ukraine appears to have proved a tougher opponent than Russia expected.

CISA warns of ICS malware.

Late Wednesday the US Cybersecurity and Infrastructure Security Agency (CISA) announced that, with its partners in “the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of…


DOJ’s Sandworm operation raises questions about how far feds can go to disarm botnets


Written by Suzanne Smalley

The notion that citizens are protected from unreasonable search and seizure is a bedrock legal principle: A court must issue a search warrant before police can enter a private home and ransack it looking for evidence. 

In what former prosecutors and legal experts call a landmark operation, the Department of Justice has now tested that principle to disrupt a Russian botnet that was spreading malware on a far-flung network of computers. Using so-called remote access techniques, law enforcement effectively broke into infected devices from afar to destroy what the U.S. government calls the “Cyclops Blink” botnet — and did so without the owners’ permission.

While the search warrant publicized by DOJ makes clear that this access did not allow the FBI to “search, view, or retrieve a victim device owner’s content or data,” legal experts say the case does raise questions about how far the government’s power should extend under a federal criminal procedure provision known as Rule 41.

The Kremlin-backed hackers responsible for the botnet — a group known to cybersecurity researchers as Sandworm — exploited a vulnerability in WatchGuard Technologies firewall devices to install malware on a network of compromised devices. By leveraging physical access to a subset of infected devices, the FBI said it was able to reverse engineer its way into accessing all of the botnet’s command and control devices. 

The government’s use of a search warrant to gain such remote access to individual computers without notice to the owners relied on a 2016 amendment to Rule 41, a federal rule of criminal procedure. The culmination of a three-year deliberation process which included written comments and public testimony before the federal judiciary’s Advisory Committee on the Federal Rules of Criminal Procedure — a committee which includes judges, law professors, and attorneys in private practice — the 2016 amendment was ultimately adopted by the Supreme Court and approved by Congress.

While the amended rule has been used previously, legal experts say this case appears to…
