Russian government organizations infected by never-before-seen backdoor malware; possible cyberwarfare campaign

A hacking group believed to be sponsored by a state actor compromised systems and stole information from multiple Government organizations of the Russian Federation. The attacks were detected in 2020 but were not disclosed until this week.

These attacks were described in a report prepared by Rostelecom-Solar, the cybersecurity division of the Russian telecoms giant, in collaboration with the National Center for the Coordination of Computer Incidents (NKTsKI): “Assessing attackers in terms of training and skills, we believe this is a paid hacking group that collaborates with a state actor,” the report notes.

According to the report, the attackers used a broad set of initial access vectors, including spear phishing campaigns, exploitation of web application vulnerabilities, and compromise of government infrastructure. Once inside, they collected confidential information from every reachable source, including mail servers and workstations.

The attackers also deployed two previously unseen malware strains, dubbed Mail-O and Webdav-O, which act as backdoors on infected hosts and are used to steal sensitive information. Both strains exfiltrated data of all kinds to command-and-control infrastructure hosted by Russian cloud service providers.

Both strains were built to evade Kaspersky antivirus products, which are deployed in most Russian government agencies. The attackers disguised their command-and-control traffic as legitimate client communications with the Mail.ru Disk-O and Yandex.Disk cloud storage services, so that exfiltration blended in with ordinary file synchronization. The report contains more detailed information about these malware variants and the full hacking campaign.
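Traffic that imitates a legitimate cloud-storage client defeats domain and user-agent allow-listing, so a defender has to look at behaviour instead. The following is an added example, not code from the Rostelecom-Solar report or from the malware authors, showing two simple behavioural checks over proxy logs: beacon-like timing (near-constant gaps between requests) and an upload-heavy byte ratio (a real sync client mostly downloads; an exfiltration channel mostly uploads). The log format, domain list, user-agent strings, hostnames and thresholds are all constructed assumptions for illustration.

```python
"""Hunt for backdoor C2 hidden inside cloud-storage traffic.

Added example; the log format, domains, thresholds and sample lines are
assumptions and are not taken from the Rostelecom-Solar report.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: cloud-storage endpoints this environment legitimately talks to.
# A backdoor tunnelling through them is invisible at the domain level.
CLOUD_STORAGE_DOMAINS = {"cloud.mail.ru", "webdav.yandex.ru"}

# Assumed proxy log layout:
#   <ISO timestamp> <source host> "<user agent>" <destination> <bytes sent> <bytes received>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" (?P<dst>\S+) '
    r"(?P<sent>\d+) (?P<recv>\d+)$"
)

# Constructed sample lines. WS-042 behaves like a real sync client (irregular
# timing, mostly downloads); WS-117 uses the same user agent and domain but
# checks in exactly every 10 minutes and only uploads.
SAMPLE_PROXY_LOG = """\
2020-09-14T09:00:00 WS-042 "Disk-O/2.4" cloud.mail.ru 1200 540000
2020-09-14T09:07:13 WS-042 "Disk-O/2.4" cloud.mail.ru 800 120000
2020-09-14T09:31:40 WS-042 "Disk-O/2.4" cloud.mail.ru 2500 910000
2020-09-14T10:12:05 WS-042 "Disk-O/2.4" cloud.mail.ru 300 45000
2020-09-14T09:00:00 WS-117 "Disk-O/2.4" cloud.mail.ru 91000 600
2020-09-14T09:10:00 WS-117 "Disk-O/2.4" cloud.mail.ru 88000 600
2020-09-14T09:20:00 WS-117 "Disk-O/2.4" cloud.mail.ru 93000 600
2020-09-14T09:30:00 WS-117 "Disk-O/2.4" cloud.mail.ru 90000 600
2020-09-14T09:00:00 WS-203 "Mozilla/5.0" intranet.example 400 20000
"""


def parse_proxy_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "ua": m["ua"],
            "dst": m["dst"],
            "sent": int(m["sent"]),
            "recv": int(m["recv"]),
        })
    return records


def find_covert_cloud_channels(records, min_requests=4, max_jitter=0.15,
                               min_upload_ratio=10.0):
    """Flag (host, destination) pairs whose cloud-storage traffic looks like C2.

    jitter   = stdev / mean of the gaps between consecutive requests
               (near 0 means a fixed beacon interval)
    ratio    = total bytes sent / total bytes received
               (a sync client downloads; an exfil channel uploads)
    Thresholds are assumptions and should be tuned per environment.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["dst"] in CLOUD_STORAGE_DOMAINS:
            by_pair[(r["host"], r["dst"])].append(r)

    findings = []
    for (host, dst), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue  # too few samples to judge timing
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        sent = sum(r["sent"] for r in reqs)
        recv = sum(r["recv"] for r in reqs)
        upload_ratio = sent / (recv + 1)

        reasons = []
        if jitter <= max_jitter:
            reasons.append(f"beacon-like timing (jitter {jitter:.2f}, ~{avg_gap:.0f}s)")
        if upload_ratio >= min_upload_ratio:
            reasons.append(f"upload-heavy ({sent} B out vs {recv} B in)")
        if reasons:
            findings.append({"host": host, "dst": dst,
                             "requests": len(reqs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_covert_cloud_channels(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{f['host']} -> {f['dst']} ({f['requests']} requests): "
              + "; ".join(f["reasons"]))
```

Run against the constructed log, only WS-117 is flagged, on both counts, even though its user agent and destination are identical to the legitimate client on WS-042. In practice the two signals are best combined with process telemetry from the endpoint (which binary opened the connection), since a genuine sync client doing a large initial upload can trip the byte-ratio check on its own.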

So far the Russian authorities have not attributed this attack to any specific country, although further updates are expected in the coming weeks. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.