Presented at
REcon 2023,
June 10, 2023, 5 p.m.
(30 minutes)
State-backed actors generally have multiple tools in their kit to conduct cyber operations, but in recent years we've seen an uptick in the number of APT groups using disruptive tooling. One of the most prolific groups conducting disruptive cyber operations is part of the Russian Military Intelligence, also known as the GRU.
Since the beginning of the invasion in February 2022, we’ve seen 12 wipers deployed against Ukrainian Government and Business entities and in October 2022, the use of capabilities expanded, affecting logistics companies in the neighbouring country of Poland.
Over the course of the invasion, the GRU’s approach to disruptive operations has evolved. At the start of the invasion, the GRU was likely using a new wiper for each individual operation. They later changed to a reusable capability, employing a novel loader that bypassed some Windows security features, but some components of the operations remained consistent, such as the use of Group Policy Objects (GPO) to deploy and execute the payloads.
At the same time, as tactics have evolved, their quick pace caused them to make mistakes, including multiple operational and developmental errors in the tooling.
In this talk, you’ll hear about the disruptive arsenal at play by taking an in depth look at all of the wipers and the associated support tools used by the GRU in Ukraine. We’ll also evaluate the techniques used by the actors and what that tells us about their ability to rapidly prototype and deploy new payloads.
Presenters:
-
Luke Jenkins
Luke Jenkins is a Technical Principal Analyst on the Cyber Espionage team at Mandiant, now part of Google Cloud. In this role he tracks and analyses Advanced Persistent Threats (APTs) from nation state hackers globally. Since early January 2022, Luke has been closely monitoring Russia backed threat groups targeting Ukraine.
Luke earned a bachelor's degree in Computer Forensics from the University of South Wales.
Links:
Similar Presentations: