Experts Analyze Cyberattacks on Russian Research Institutes
In the fall of 2020, an unnamed Russian research institute reached out to Doctor Web specialists for assistance. The institute’s staff had noticed a series of technical issues that suggested the presence of malware on one of the servers within their local network.
During the investigation, company experts determined that the institute had been the target of a focused attack using specialized backdoors. Even more concerning, a detailed analysis of the incident revealed that the organization’s network had been compromised for a long time, and apparently by more than one APT group.
Attacks on the Research Institute
Researchers report that the first hacker group compromised the institute’s internal network as early as the fall of 2017. The initial infection was carried out using BackDoor.Farfli.130—a modification of the backdoor also known as Gh0st RAT. Later, in the spring of 2019, Trojan.Mirage.12 was installed on the institute’s network, followed by BackDoor.Siggen2.3268 in June 2020.
The second hacker group compromised the institute’s network no later than April 2019, this time starting with the installation of the BackDoor.Skeye.1 backdoor. Researchers also discovered that around the same time—in May 2019—Skeye was deployed in the network of another Russian research institute.
In June 2019, FireEye published a report on a targeted attack against the government sector in several Central Asian countries using the same backdoor. Later, from August to September 2020, Doctor Web’s virus analysts recorded the installation of various trojans by this group in the institute’s network, including the previously unseen DNS backdoor BackDoor.DNSep.1 and the well-known BackDoor.PlugX.
Additionally, in December 2017, BackDoor.RemShell.24 was installed on the servers of the institute that contacted the experts. This malware family had previously been described by Positive Technologies in their research on Operation TaskMasters. Analysts note that they do not have data that would definitively determine which of the two APT groups used this backdoor.
Attribution
The activities of the first APT group did not allow experts to match it to any previously described hacker group. However, analysis of the malware and infrastructure it used showed that this group has been active since at least 2015.
According to Doctor Web, the second APT group that attacked the institute was TA428, previously described by Proofpoint researchers in their report on Operation LagTime IT. The following facts support this conclusion:
- The code of the DNSep and BackDoor.Cotx backdoors shows clear overlaps and borrowings, indicating that the author of DNSep had access to Cotx's source code.
- Skeye.1 and Trojan.Loader.661 were used in the same attack, with the latter being a known TA428 tool.
- The backdoors analyzed in these attacks share command and control server addresses and network infrastructure with backdoors used by TA428.
The illustrations in the original report (not reproduced here) show part of the infrastructure used in the attack, highlighting overlaps between the Skeye backdoor and another well-known APT backdoor, PoisonIvy, as well as overlaps between the infrastructures of Skeye and Cotx.
Additional Resources
Indicators of compromise are available on the company's GitHub, while the comparative code analysis of the discovered backdoors and the technical descriptions of the malware can be found in Doctor Web's full research report.