Last-minute paper: Battlefield Ukraine: finding patterns behind summer cyber attacks

Presented at VB2017, Oct. 5, 2017, 3 p.m. (30 minutes)

Ukraine has unwillingly found itself the battlefield of hacker group(s) with supposedly Russian roots and the anti-virus industry. This is not the first time that Ukraine has attracted the attention of cybersecurity experts. Suffice it to recall in this regard the several waves of cyber attacks against the critical infrastructure of Ukraine using the BlackEnergy [1] and Industroyer [2, 3] industrial malware supposedly created by a Russian hacker group. This summer, we noticed that a supply-chain attack through the popular in Ukraine *M.E.Doc* accounting software ended with a splash of the NotPetya ransomware-wiper [4]. During the *M.E.Doc* campaign, we discovered that attacks were run with the help of several pieces of specially crafted ransomware: XData (AES-NI clone) [5], WannaCry.NET (WannaCry clone) [6], and NotPetya (Petya & Misha & WannaCry clone). It is worth mentioning that the first notable infection through the trojanized* M.E.Doc* [7] with the XData ransomware happened in the middle of May - more than a month before NotPetya was launched. Now, we are seeing another ongoing campaign against Ukrainian organizations that follows a similar pattern. First, the attackers hacked the web server of the Ukrainian producer of another piece of accounting software [8], to upload the Chthonic (Zeus-based) backdoor seen in June in the nation-state attack against Ukrainian government institutions [9] and PSCrypt 2, a clone of the GlobeImposter (Globe-based) ransomware [10]. Then, they spear-phished the targets to lure them into downloading and installing one of these options. We are continuing to work with the victims to find out more information about the attack vectors. In our talk, we'll show the timeline and highlight the patterns behind these attacks, including: * The attack vectors * The types of used malware in the context of previous nation-state attacks * Ransomware design style * C&C domains * Peculiarities in the language use Finally, we'll share our hypotheses as to who is behind the summer attacks in Ukraine. [1] [https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/ ](https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/) [2] [https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32\_Industroyer.pdf ](https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) [3] [https://dragos.com/blog/crashoverride/CrashOverride-01.pdf ](https://dragos.com/blog/crashoverride/CrashOverride-01.pdf) [4] [https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html ](https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html) [5] [https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html ](https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html) [6] [https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html ](https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html) [7] [https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html ](https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html) [8] [https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html ](https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html) [9] [https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html ](https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html) [10]

Presenters:

• Anders Carlsson - Blekinge Institute of Technology
  Anders Carlsson Anders Carlsson has 30 years of experience in computer security, network security  and digital forensics. He was educated and earned a degree as a Computer Engineer/Lieutenant-Commander specialist in the Submarines of the Royal Swedish Navy, where he worked for 25 years. Since 1999 he has been employed by BTH, Blekinge Institute of Technology, as a senior researcher, where he is responsible for networks, network security, computer security and digital forensic at B.Sc. and M.Sc. levels. He has also been involved in the EU_ISEC project (2007-2013) to develop courses and train law enforcement officers within EUROPOL and BKA (the Federal Police in Germany) in forensics. He was a project manager in BAITSE (Baltic Academic IT-Security Exchange) 2010-2013, a project aimed at exchanging knowledge and harmonizing IT security in academic institutions within Sweden, Latvia, Poland and Ukraine. He continued this work as General Manager for the EU-TEMPUS IV, and founded project ENGENSEC (Educating NexT Generation IT Security Experts) that will end in November 2017.
• Alexander Adamov - NioGuard Security Lab
  Alexander Adamov Alexander Adamov is the founder and CEO of NioGuard Security Lab, which designs open-source sandbox-based solutions and tests security software against targeted attacks and ransomware. As a teacher, he develops and teaches the Advanced Malware Analysis course in universities in Ukraine and Sweden within the EU project called ENGENSEC. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung, Mirantis and Acronis and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT, and BSides.

Links:

• https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-battlefield-ukraine-finding-patterns-behind-summer-cyber-attacks
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2017/Adamov-VB2017-Battlefield-Ukraine.pdf

Similar Presentations:

• DEF CON 31 (2023) / Legend of Zelda: Use After Free (TASBot glitches the future into OoT)
• DEF CON 29 (2021) / The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities In The Global Food Supply Chain.
• VB2018 / Artificial intelligence to assist with ransomware cryptanalysis