27-year-old Egor Igorevich Kriuchkov believed that he had his next victim in sight. Arriving in the US in July 2020 – despite the Coronavirus pandemic – he began communicating with an employee of a business via WhatsApp. Kriuchkov had a simple proposition. In exchange for the employee inserting a USB stick infected with ransomware into his company’s computer systems, Kriuchkov would pay an initial $500,000, followed by an additional $1 million once the attack was successful. Unfortunately for Kriuchkov, the employee spilled the beans and the FBI soon arrested the Russian national.
Kriuchkov’s target was Tesla.
This is a sign of the increasing lengths that today’s sophisticated cyber-criminal gangs are willing to go to. As cyber defenses and user awareness improve – albeit somewhat slowly – these Advanced Persistent Threat (APT) groups are becoming more inventive when it comes to executing and monetizing their attacks.
- Neutralizing ransomware: The medicine you need to better protect your business
APTs and the Darknet
Since at least 2016, APT groups have been utilizing the Darknet to infiltrate large corporations and steal significant amounts of data. There are estimated to be around 100 active APT groups, of which over 90 percent are backed by hostile nation states and are either a function of a nation’s military or intelligence branches, or are directly or indirectly funded and supported by their government. As may be expected, some APT’s are more sophisticated than others. Russian APTs are much more advanced than those from Iran, for example, and the long-term goals of Chinese APTs are different to those operating out of North Korea.
‘Double extortion’ attacks
In late 2019, APTs – especially those associated with Russia – began to move away from standard phishing attacks to deploy ransomware, to utilizing the Darknet and combining them with data extraction to create a ‘Double Extortion’ attack.
Once access into the corporate network has been achieved, the APT spends weeks – if not months – extracting data from a target. By utilizing a connection to the darknet, these gangs can exfiltrate huge amounts of data in small chunks over an extended period. For this, they look for poorly monitored and outdated systems – especially those networks which contain Industrial Control Systems, which makes the energy, pharmaceutical, and consumer goods sectors particularly inviting.
This type of data exfiltration was recently faced by the brewing giant Brown-Forman, which was attacked by a Russian APT group known as ‘Gold Southfield’. This group was quick to publicize that it had apparently stolen over 1Tb of data from the company before attempting to deploy the REvil malware on their systems. It’s not surprising why the group were so bullish to promote their attack, since stealing a Terabyte of data is equivalent to making off with not just one stolen car from an airport car park, but all of the cars parked there.
Once the data has been exfiltrated, the APT will attempt to launch a ransomware attack on the company – from inside the company’s own networks, thus bypassing all the perimeter security measures. The company might have to pay the ransom to unencrypt all it’s computers, but if it manages to restore service without paying the ransom (by having offline backups, for example) the APT will then still demand a payment for deleting the data it has stolen, or it will release it on to the dark web. This change in approach has been driven by companies undertaking work to recover quickly from ransomware attacks, so the perpetrators needed a new angle to elicit funds.
Analysis of a typical attack
Once a likely target has been identified, an APT group will undertake a period of reconnaissance. This typically involves using the Darknet to probe a company’s systems looking for potential weaknesses and vulnerabilities, including investigating email and application servers, Cloud-based systems, and ICS estates.
Should this approach not prove fruitful, then there is the option of getting insider help. The Russian group behind the ‘Netwalker’ malware, for example, openly advertises for insider information on the dark web, looking for IT professionals and others with significant network access in Western companies. The group does not allow attacks on Russian-owned businesses, nor does it deal with anyone who’s native language is English – a worrying thought for all those businesses that have outsourced IT operations to other countries.
Once a suitable entry point has been identified and a connection established, the attackers attempt to move laterally across the network to access the data they want. These entry points are made via the Darknet to both blend in with normal network traffic and to obfuscate the origin of the connection. Once the APT is sure it has not been detected, it begins exfiltrating data out via a poorly monitored and vulnerable system – such as ICS. This is what happened in the Equifax breach, which cost the company $1.4 billion. The compromised system connects via the Darknet, and small amounts of data are then continually passed out of the network. In the case of Brown-Forman, the company states that the attackers were inside their systems for less than a month but this timeframe would be incompatible with exfiltrating 1Tb of data. It’s much more likely that access had been obtained and data was being stolen for many months beforehand.
When the APT has all the information it needs, it then activates its ransomware of choice from inside the network. As the APT have already done their homework, they are well aware of how much they can reasonably demand from the victim, which can be tens of millions of dollars. On top of that, the victim may also have to pay out to repair the damage caused to their systems and any regulatory fines. Maersk, the international shipping giant, estimates that the 2017 ransomware attack on the company cost it an estimated $300 million to rectify.
Being able to detect the presence of darknet connections around corporate networks is becoming increasingly vital for large corporations. APTs continue to evolve their tools and tactics, and unfortunately large enterprises are now the unwilling participants in an ever-escalating cyber arms race. Whilst the current Coronavirus pandemic holds the world’s attention, and focus is put on economic recovery, businesses need to accept that the cyber threat is not going away – and that now, more than ever, they need to be extra-vigilant.
Vince Warrington, CEO Dark Intelligence and Protective Intelligence