Viper Carder

Russian threat actors use networks of organizations in countries that support Ukraine to launch cyberattacks, a recent report from Lupovis, a cybersecurity firm, claims.

Researchers planted various decoys imitating Ukrainian documents or websites to bait Russian hackers. Not knowing the true nature of the decoys, threat actors tried using them to launch attacks against Ukraine.

According to Xavier Bellekens, the CEO of Lupovis, pro-Russian hackers quickly reacted to newly posted information on Ukraine. Up to 60 human attackers flock to a piece of data within a minute of it appearing online.


“As we shared the breadcrumb data directly on Russian forums, Telegram groups, and on the dark web, the response was almost immediate,” Bellekens told Cybernews.

Worryingly, threat actors later used the data obtained via decoys to launch attacks against Ukraine, rerouting them via IT networks of organizations in the US, the UK, France, Brazil, and other nations.

“We collected a couple of scripts that contained Russian language, pointed to Russian websites, and targeted Ukrainian government websites. While these could still be false flag operations, it is highly unlikely given the fact that we scattered and shared information about the decoys on Russian forums, Telegram channels, etc.,” Bellekens explained.

Planting the bait
Researchers planted various decoys named after Ukrainian government departments or critical national infrastructure (CNI) objects all around the web to lure potential threat actors.

For example, fake documents that send a beacon once opened were ‘leaked’ in Russian forums and amongst pro-Russian groups. Researchers also set up decoy websites, masquerading as Ukrainian political or government sites.

“They were also configured to insecurely attempt to authenticate into an API. The way in which the authentication was purposely created could allow for a credential to the next decoy type to be found,” claims the report.

Final decoys, SSH services, were configured to accept counterfeit credentials taken from fake websites and report a critical attack.

Hunting the hunters
Decoys allowed the researchers to discover that some Russian adversaries landed on the set-up websites without following the bait. That’s likely because adversaries have done their own reconnaissance. Others, however, followed the predetermined attack path.

According to the report, adversaries carried out a variety of attacks on the decoys, from intelligence gathering to turning them into bots to perform DDoS attacks. Attackers tried SQL injection, RCE attacks, Docker exploitation, and using known CVEs against the decoys.

Since researchers also set up non-Ukrainian decoys, they were able to deduce that threat actors were significantly more aggressive towards lures imitating Ukrainian organizations. For example, threat actors were prone to using scripts to attack Ukrainian websites, institutions, and websites supporting Kyiv in the war against Russian occupation.

“The most concerning finding from our study is that Russian cybercriminals have compromised the networks of multiple global organizations, including a Fortune 500 business, over 15 healthcare organizations, and a Dam Monitoring System,” reads the report.

The organizations in the US, UK, France, Brazil, South Africa, and elsewhere were used to reroute Russian attacks on fake targets in Ukraine.

Not only does this suggest that using foreign networks for attacks is a common practice for Russian cybercriminals, but it also shows that Russian hackers have a significant presence in foreign networks.

“There are 13 different critical national infrastructures in the UK and 16 in the USA. Some CNIs are well protected. However, we also know that a wide range of sectors, such as maritime and healthcare, and smaller entities, have difficulties implementing and increasing their cybersecurity […]. These are likely prime targets,”
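
The decoy chain described under "Planting the bait" (a decoy site leaks a credential, the SSH decoy accepts it and reports a critical attack) can be expressed as defender-side correlation logic. This is an added example, not code from Lupovis or from the original post; the event format, decoy names, credentials and addresses are constructed, and it assumes each decoy site leaks one unique credential.

```python
from dataclasses import dataclass

# Constructed honeytokens (assumption): each decoy website leaks one unique SSH
# credential, so a login with it shows which decoy the credential came from.
PLANTED = {
    ("svc_backup", "Zx9-decoy-A"): "web-decoy-a",
    ("svc_report", "Qp4-decoy-B"): "web-decoy-b",
}

@dataclass(frozen=True)
class Event:
    ts: int            # seconds since the start of observation
    stage: str         # "doc" (beacon), "web" (site visit) or "ssh" (login)
    src: str           # source address as seen by the decoy
    decoy: str         # decoy that logged the event
    cred: tuple = ()   # (user, password), only set for ssh events

def classify(events):
    """Return one critical finding per SSH login that used a planted credential."""
    web_visits = {}    # decoy name -> sources that visited it earlier
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.stage == "web":
            web_visits.setdefault(ev.decoy, set()).add(ev.src)
        elif ev.stage == "ssh" and ev.cred in PLANTED:
            origin = PLANTED[ev.cred]
            same_src = ev.src in web_visits.get(origin, set())
            findings.append({
                "severity": "critical",
                "src": ev.src,
                "harvested_from": origin,
                # A login source that never visited the leaking site points to
                # a relay through another network or a shared credential.
                "path": "same-source" if same_src else "relayed-or-shared",
            })
    return findings

# Constructed sample events; addresses are from documentation ranges.
SAMPLE = [
    Event(10, "doc", "192.0.2.10", "doc-1"),
    Event(40, "web", "192.0.2.10", "web-decoy-a"),
    Event(50, "web", "198.51.100.7", "web-decoy-b"),
    Event(90, "ssh", "192.0.2.10", "ssh-1", ("svc_backup", "Zx9-decoy-A")),
    Event(200, "ssh", "203.0.113.50", "ssh-1", ("svc_report", "Qp4-decoy-B")),
    Event(210, "ssh", "203.0.113.99", "ssh-1", ("root", "123456")),  # not planted
]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Because the planted credential exists nowhere else, any login with it is high-confidence, and the credential itself ties the login back to the decoy that leaked it even when the source address differs.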
 