Part two of our two-part series focuses on the recent trends and tactics cyberattackers use and what can be done to reduce the risk of these attacks.
As the lines between nation-state bad actors and ransomware gangs continue to blur, one thing becomes clear—cyberattacks will continue. It’s not a matter of if it will happen but when. Cyber resilience is key.
Part one of this blog series examined the recent history of ransomware and wiper attacks and the prevalent nation-states that use these types of cyberattacks. This second blog examines recent trends and tactics these cyberattackers use and what can be done to reduce the risk of these attacks.
The Sandworm threat actor has been responsible for most of the destructive cyberattacks aimed at Ukraine. Some of these have been false-flag operations that appear to be ransomware but, by supplying no functioning recovery feature, are, in fact, wiper attacks.
In 2017, Sandworm launched its most notorious attack: NotPetya. It was meant to focus on Ukraine but took down systems worldwide instead. The White House said its economic impact was over $10 billion. As the war in Ukraine endures, Sandworm has been seen to expand its efforts from not only destruction but also intelligence collection from Ukraine and its allies.
A few weeks before the Russian invasion of Ukraine in 2022, two waves of wiper attacks, HermeticWiper and WhisperGate, purported to be ransomware, were launched. Once again, these attacks targeted machines in Ukraine but impacted systems outside the country, including Latvia and Lithuania.
Some HermeticWiper attacks were observed inside the victim networks for months, with initial access as early as November 2021, by exploiting vulnerabilities in Microsoft Exchange. HermeticWiper used a signed driver from EaseUS Partition Manager to evade Windows Driver Signature Enforcement and corrupt the Master Boot Record. HermeticWiper also deployed a simplistic Golang-based encryptor to some systems, which lacked the sophistication of the rest of the attack chain, leaving many cyber threat intelligence analysts to conclude that the ransomware component was a smokescreen for the wiper attack.
WhisperGate had a similar mode of operation: corrupting a system’s master boot record, then encrypting files with specific file extensions before displaying a fake ransom note. Even if victims paid the ransom, it has been determined they would still be unable to recover their data.
Both Sandworm and Cadet Blizzard groups are affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Cadet Blizzard initially became active immediately following the Russian invasion of Ukraine in January 2022, focusing its attacks on Ukrainian government organisations. A period of reduced operations followed. Cadet Blizzard again increased its operations in January 2023 with an expanded scope that included systems in Ukraine and across Europe, Central Asia, and Latin America.
Cadet Blizzard’s initial access is through exploiting common vulnerabilities in open-source software, web and email servers, and Confluence servers. Once inside a victim’s infrastructure, Cadet Blizzard typically dwells for several months before activating its WhisperGate wiper. Common strategies include using defence evasion techniques to disable end-point security solutions like EDR/XDR and using a victim’s existing IT tooling to move laterally across the network, escalate privileges, and maintain persistence.
While Iran’s Ministry of Intelligence and Security (MOIS)-linked Scarred Manticore threat group has been conducting espionage-focused operations targeting Albania and Israel, it has been handing the initial access it gained over to another MOIS-affiliated group, Void Manticore, which uses this access to wipe systems. Scarred Manticore conducts its espionage operations, typically dwelling for over a year, using its sophisticated Liontail malware framework and the reGeorg webshell. Once Scarred Manticore has gained sufficient raw intelligence from the victim, it passes access to the victim’s systems over to Void Manticore, which then focuses on destroying systems, data, and the ability to recover. The Void Manticore arsenal includes a variety of different mechanisms for the destruction of data, ranging from zeroing a disk’s partition tables to targeting and corrupting specific files.
Over the past two years, MOIS has continued to sponsor or directly conduct destructive campaigns hidden behind hacktivist fronts that claim responsibility and justify their actions. In July 2022, a front named HomeLand Justice attacked the Albanian government, disrupting government websites and public services. They have been using the ChimneySweep malware and ZeroCleare wiper tools, more recently complemented by ransomware known as “Roadsweep.”
The DarkBit persona is another Iranian example. In February 2023, the MuddyWater threat actor attacked the Technion Israel Institute of Technology in Haifa with a fake ransomware operation that was in fact a wiper attack, using a front named “DarkBit group.” MuddyWater carried out the initial intrusion and handed off access to the DarkBit intrusion set, which conducted extensive reconnaissance, established persistence, and moved laterally to launch a destructive command.
Earlier in 2024, a North Korean threat actor, Moonstone Sleet, developed the FakePenny ransomware, which it used to monetise access to systems in the aerospace and defense industry after first exfiltrating sensitive data from their networks.
Two China-aligned threat actors, “Stone Panda” and “Cinnamon Tempest,” use the HUI Loader malware to deploy remote access trojans, PlugX, Cobalt Strike, and QuasarRAT. In March 2022, Stone Panda started to incorporate more sophisticated defence evasion techniques and used the persistence it gained using Cobalt Strike to deploy multiple strains of ransomware mainly derived from Babuk source code that was leaked in 2021. Stone Panda quickly abandoned any attempts to monetise the encryption of files, leading to speculation that the tactic may have been to mask espionage operations as ransomware attacks.
Active since 2017, the Iranian state-aligned threat actor Pioneer Kitten, or Fox Kitten, initially focused on gaining and maintaining access to a broad range of entities possessing sensitive information of likely intelligence interest to the Iranian government, including:
Pioneer Kitten’s primary means of initial access is exploiting remote access solutions and network appliances. In July 2020, Pioneer Kitten was seen attempting to sell its access and persistence inside these networks on underground criminal forums. In 2024, the U.S. Federal Bureau of Investigation (FBI) determined that Pioneer Kitten had started collaborating with several ransomware gangs, including ALPHV/BlackCat, NoEscape, and Ransomhouse. Pioneer Kitten’s role in enabling these ransomware operators appeared to go beyond just providing initial access in the manner of an Initial Access Broker—instead playing an active role in facilitating encryption, locking down networks to hamper response efforts, and participating in the extortion of victims.
It is not a one-way street with governments helping criminal gangs gain access and maintain persistence. The Russian cybercrime group Storm-2049 has been seen using Xworm and Remcos Remote Access Trojan malware that they have previously used to conduct cybercrime to breach over 50 military targets in Ukraine.
The Chinese-aligned ChamelGang or CamoFei has been targeting government and critical infrastructure for espionage in East Asia, India, and Brazil. At the end of espionage operations, it deploys the CatB ransomware, making it another group blurring the line between cyber espionage and cybercrime. The White House released a press release in July 2021 outlining the threat’s size, “We are aware that [People’s Republic of China] government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars.”
The determined and highly skilled adversaries are adept at evading security controls like EDR, XDR, and driver signing. They are seemingly encrypting and destroying data at a whim or handing access to systems off to those who will. Couple this with increasing geopolitical tensions between the West and countries willing to launch destructive cyberattacks against not just critical infrastructure—but against any organisation that could harm the target country’s economy.
The sophistication of this adversary means we must assume a breach—or at least that we can be breached. The days of senior cybersecurity executives assuring their boards that, given enough budget and headcount, they can prevent all attacks are over. Just look at the logos of the organisations that have suffered highly disruptive ransomware attacks over the past few years. Many had budgets well into double-digit and even triple-digit millions and security teams of hundreds. The reality is that the motivation is too high, the attack surface is too broad, and the adversary is too adaptive to prevent every attack, so we must move to a posture of resilience.
What does cyber resilience mean? First, we need to architect and build for the worst possible scenarios. With the Cohesity Clean Room solution, this means making sure you can recover not just the production systems that deliver products and services to customers, but also your response capability, to a trusted state. That way, before your security and IT teams start to recover, they can make sure they don’t reintroduce the vulnerabilities exploited by the attacker, that they address the gaps in controls needed to stop a similar future attack and prevent evasion, and that they remove the artifacts of the attack that would otherwise reinfect systems seconds after recovery.
This isn’t just a technology problem. The right processes and skills need to be developed and integrated between the security teams that determine the root cause and the IT teams that bring the systems back to a safe state—informed by what the security teams found. Too often, a destructive cyberattack is seen as purely a “disaster recovery” issue and handed wholesale to the BC/DR team, which fails to build enough threat hunting and forensics capability into their process. This can often result in dozens of failed recoveries and reinfections.
At the same time, security teams must realise that some of the tools they rely on for business-as-usual security operations may be destroyed, evaded, or unreachable. All incident response methodologies, including NIST SP800-61r2 and the SANS Institute Six Step Incident Response process, mandate containment in destructive cyberattacks. Yet many organisations have moved security controls to the end-points, which have just become islands.
How do you use remote forensic imaging software when you’ve just disconnected the network or host? How do you understand your regulatory obligations to notify data subjects or regulators, because you can’t classify encrypted or wiped data looking for PII? Then there’s the fact that the skilled adversary now owns these end-points where controls reside. How confident are we of the signals we’re getting? And how can we conduct our investigation and mitigation tasks in an environment where we can’t be observed or disrupted?
The answer to many of these questions already exists inside most organisations: your backup. As long as your selected vendor has thought through the operational requirements of incident response and recovery from a people, process, and technology perspective, your backup is your secret weapon in dealing with these blurring lines between nation-states and ransomware gangs. So, how do we expand our backup use cases to provide resilience against these skilled and determined adversaries?
The Cohesity Clean Room solution creates an isolated investigatory environment for use by the security operations team that can use Cohesity’s extensive integrations with security operations, tooling vendors, and native capabilities of DataProtect and DataHawk to rapidly understand how the incident happened and the next steps to be taken to mitigate the threat. The solution also creates a mitigation environment where IT operations can quickly rebuild systems to a trusted state or recover systems from backup, patch vulnerabilities, bolster missing or evaded controls, and remove any attack artefacts.
Cohesity DataProtect provides the ability to volume-mount snapshot images for forensic analysis, stored on a platform with a strong chain of custody. This can be orchestrated by a Security Orchestration, Automation and Response (SOAR) platform. Tasks like checking a time series of a system’s filesystem to look for malicious changes, or extracting suspicious binaries for detonation in a sandbox, are just an API call or a couple of clicks away for your security analysts.
Cohesity DataHawk’s threat-hunting capability helps you ensure that the scope of your incidents is sufficient across your infrastructure. The best thing about these capabilities? They work even if you’ve followed incident response best practices and have isolated networks and systems, because they’re powered by the data already resident inside Cohesity. No agents need to be deployed, and the approach is immune to the kinds of evasion we’re seeing used by the state actors outlined above.
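To make the two preceding paragraphs concrete, here is an added example of the kind of logic an analyst would run over file inventories taken from two snapshots of the same host: the time-series filesystem check described above, plus a threat-hunting pass that matches changed files against an indicator list. This is illustrative code written for this page, not Cohesity code and not the DataProtect or DataHawk API. Both inventories, every hash and the indicator list are constructed sample data; the hashes are derived from label strings so the example runs offline without any real snapshot.

```python
"""Snapshot time-series triage: diff two point-in-time file inventories of the
same host and flag changes worth an analyst's attention.

Added illustration only; not Cohesity code and not the DataProtect or DataHawk
API. The two inventories, every hash and the indicator list below are
constructed sample data, with hashes derived from labels so it runs offline."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str
    size: int


def label_hash(label: str) -> str:
    """Constructed stand-in for a real file hash (SHA-256 of a label string)."""
    return hashlib.sha256(label.encode()).hexdigest()


def inventory(*entries):
    """Build a path -> FileRecord map from (path, content label, size) tuples."""
    return {p: FileRecord(p, label_hash(c), s) for p, c, s in entries}


# Constructed inventory from the last known-clean snapshot (T0) ...
SNAPSHOT_T0 = inventory(
    (r"C:\Windows\System32\ntoskrnl.exe", "ntoskrnl-build-a", 10_000_000),
    (r"C:\Windows\System32\drivers\disk.sys", "disk-build-a", 120_000),
    (r"C:\Program Files\EDRVendor\sensor.exe", "sensor-2.1", 4_000_000),
    (r"C:\Users\alice\Documents\report.docx", "report-draft-1", 50_000),
)
# ... and from the snapshot taken after the suspected intrusion window (T1).
SNAPSHOT_T1 = inventory(
    (r"C:\Windows\System32\ntoskrnl.exe", "ntoskrnl-build-a", 10_000_000),
    (r"C:\Windows\System32\drivers\disk.sys", "disk-build-a", 120_000),
    # sensor.exe is absent here: consistent with endpoint security being disabled.
    (r"C:\Users\alice\Documents\report.docx", "report-draft-2", 51_000),  # benign edit
    (r"C:\Windows\Temp\upd.exe", "sample-dropper", 300_000),
    (r"C:\Users\alice\AppData\Local\Temp\sample_part.sys", "sample-driver", 80_000),
)

# Constructed indicator list: hashes an analyst received from threat intel.
KNOWN_BAD_HASHES = {label_hash("sample-dropper")}

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
PROTECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return sorted lists of added, removed and content-modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p].sha256 != after[p].sha256)
    return {"added": added, "removed": removed, "modified": modified}


def triage(before: dict, after: dict, bad_hashes: set) -> list:
    """Turn a raw diff into (path, reason) findings for analyst review."""
    delta = diff_snapshots(before, after)
    findings = []
    for path in delta["added"] + delta["modified"]:
        lower = path.lower()
        if after[path].sha256 in bad_hashes:
            findings.append((path, "hash matches threat-intel indicator"))
        elif lower.endswith(EXECUTABLE_SUFFIXES) and lower.startswith(USER_WRITABLE_PREFIXES):
            findings.append((path, "new or changed executable in user-writable location"))
        elif lower.endswith(EXECUTABLE_SUFFIXES) and lower.startswith(PROTECTED_PREFIXES):
            findings.append((path, "executable changed under protected path"))
    for path in delta["removed"]:
        lower = path.lower()
        if lower.endswith(EXECUTABLE_SUFFIXES) and lower.startswith(PROTECTED_PREFIXES):
            findings.append((path, "executable removed from protected path"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SNAPSHOT_T0, SNAPSHOT_T1, KNOWN_BAD_HASHES):
        print(f"{reason:55} {path}")
```

The benign document edit produces no finding, while the indicator match, the new driver dropped into a user-writable directory and the disappearance of the endpoint sensor binary each do. Because the inventories come from immutable snapshots rather than from the compromised host, the comparison still works after the host has been isolated and even if its own security agent was removed, which is the point the paragraphs above make.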
Written By
James Blake
Global Cyber Resiliency Strategist