HC3 Highlights Tactics, Techniques of Four Major Russian Cyber Organizations

May 26, 2022 - The Health Sector Cybersecurity Coordination Center (HC3) issued a brief outlining the tactics, techniques, and procedures (TTPs) of four major cyber organizations linked to the Russian Intelligence Services.

The Russian Intelligence Services are comprised of the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU).

As previously reported, Russia’s invasion of Ukraine sparked widespread cyber concerns for US critical infrastructure. The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) have also released numerous warnings about Russian state-sponsored cyber operations.

Verizon’s 2022 Data Breach Investigations Report (DBIR) showed a significant uptick in healthcare cyberattacks. The report noted that “heightened geopolitical tensions are also driving increased sophistication, visibility, and awareness around nation-state affiliated cyberattacks.”

Approximately four in five breaches observed in the report were attributed to organized crime.

As always, healthcare organizations should follow security best practices and maintain awareness of the latest cyber threats and indicators of compromise. Even without being directly targeted, healthcare organizations can become collateral damage to Russian state-sponsored cyberattacks, the American Hospital Association (AHA) warned in February.  

HC3 provided summaries of the TTPs and notable attacks of four major Russian cyber organizations and encouraged the healthcare sector to enforce multifactor authentication, update software, provide end-user awareness and training, and monitor potentially risky services such as remote desktop protocol (RDP).

Turla

Researchers estimate that Turla has been active since 2004, and they are also known as Venomous Bear, CTG-8875, ITG12, KRYPTON, and Iron Hunter. The group typically targets the energy, telecommunications, government, academic, and pharmaceutical industries.

Noteworthy attacks include a 2008 attack on the US Central Command, a 2012 attack on the former Soviet Union prime minister’s office, and an attack against Germany’s government computer network in 2018.

The group is mainly focused on former Eastern Bloc countries and uses sophisticated techniques to execute espionage-focused attacks in search of diplomatic intelligence, HC3 said. Notably, the group is associated with the LightNeuron malware variant, which is a sophisticated backdoor that threat actors have used to target Microsoft Exchange servers since 2014.

APT29

APT29 has been active since 2008 and typically targets organizations within the academic, healthcare, media, pharmaceutical, energy, financial, and government sectors. The group is also known as Cozy Bear, The Dukes, YTTRIUM, and Iron Hemlock.

APT29 executed an attack on the Pentagon in 2015 and one against COVID-19 vaccine developers in 2020. In addition, the group was tied to the 2020 SolarWinds Orion attack, in which it used a trojanized version of the Orion software updates. The attack impacted thousands of SolarWinds, including a US hospital.  

The group largely targets European and NATO countries and leverages large-scale spear-phishing campaigns. HC3 noted that the group prefers long-term operations and often reuses techniques from its previous attacks.

APT28

APT28 (also known as Fancy Bear, Group 74, PawnStorm, Sednit, Snakemackerel, Sofacy, and others) was first observed in 2004. The group frequently targets aerospace, energy, government, defense, government, healthcare, military, and media.

APT28 was tied to a 2016 attack on the US Democratic National Committee and the Clinton Campaign, in which it stole vast amounts of data, including 19,252 emails from DNC and Clinton campaign staffers. The group primarily focuses on NATO countries and frequently turns to password spraying techniques.

APT28 is also known to use phishing and credential harvesting techniques.

Sandworm

Sandworm has been active since 2007 and is also known as Voodoo Bear, ELECTRUM, IRIDIUM, Iron Viking, Qudedagh, and Telebots. The group typically targets organizations within the government or energy sectors.

Sandworm orchestrated multiple attacks on the Ukrainian Government and Critical Infrastructure in 2015, 2016, and 2022. In addition, the group was responsible for the 2017 NotPetya attacks, which shut down a US pharmaceutical manufacturer and impacted medical record systems at dozens of US hospitals.

The group is associated with Industroyer, BadRabbit, and BlackEnergy malware, along with other variants. Sandworm has been known to commit destructive attacks against ICS and computer systems, HC3 concluded.