Russian Hackers Shift Tactics, Target More Victims with Paid Malware

Russian hackers, particularly Advanced Persistent Threat (APT) groups, are intensifying their cyberattacks, expanding their targets beyond governments and using readily available malware. Flashpoint researchers describe the evolving tactics and emphasize the need for organizational protection. Recent reports indicate that state-sponsored groups in Iran are collaborating on large-scale attacks, and similar activity is occurring in Russia. Amid the ongoing Russia-Ukraine war, Russian APT groups are adapting their tactics, using paid tools instead of custom payloads and sharing delivery techniques.

These groups, like APT28, APT29, Gamaredon, Gossamer Bear, UAC-0050, and UAC-0149, are broadening their targets beyond governments to include various entities, motivated by espionage, intelligence gathering, or financial gain. APT28 impersonates government organizations in multiple countries, while APT29 utilizes droppers and downloaders. Gamaredon is active in the Russia-Ukraine conflict, using malicious documents, and Gossamer Bear targets Ukraine and NATO countries.

Security Officer Comments:
Flashpoint's report identifies HTML-based droppers and infostealers as common tools in Russian APTs' kill chain, along with NTLM hash theft. Notable campaigns include APT29's use of multiple loaders in spear-phishing attempts. Organizations can protect themselves by monitoring for abnormal child processes, detecting downloads through web proxies, implementing DLL side-loading detections, and reviewing network logs for mock API services.

Suggested Corrections:
To mitigate the escalating cyber threats from Russian hackers and APT groups, organizations should monitor abnormal processes, detect malicious downloads through web proxies, implement DLL side-loading detection, review network logs for suspicious activity, strengthen authentication and access controls, provide regular security training, maintain up-to-date patch management, and collaborate with cybersecurity partners for threat intelligence sharing. These measures collectively enhance cybersecurity posture and defend against evolving attack tactics.
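As an added example (not from the Flashpoint report or any vendor tooling), the following Python implements two of the checks recommended above, abnormal child processes and DLL side-loading, over constructed Sysmon-style process-creation and image-load events; the parent/child application lists and the user-writable directory patterns are illustrative assumptions, not a published rule set.

```python
# Added example (not from the Flashpoint report): two of the checks the page
# recommends, run over constructed Sysmon-style events (field names mirror Sysmon).
import ntpath

# Document/browser parents that should not launch script hosts (HTML-dropper chain).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# User-writable locations from which a process should not be loading unsigned code.
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def abnormal_children(events):
    """(parent, child) pairs where a document or browser process spawned a script host."""
    hits = []
    for e in events:
        if e.get("EventType") != "ProcessCreate":
            continue
        parent, child = base(e["ParentImage"]), base(e["Image"])
        if parent in DOCUMENT_PARENTS and child in SCRIPT_CHILDREN:
            hits.append((parent, child))
    return hits

def dll_sideloads(events):
    """(process, dll) pairs where an unsigned DLL was loaded from a user-writable directory."""
    hits = []
    for e in events:
        if e.get("EventType") != "ImageLoad":
            continue
        loaded = e["ImageLoaded"].lower()
        if e.get("Signed") == "false" and any(d in loaded for d in WRITABLE_DIRS):
            hits.append((base(e["Image"]), base(loaded)))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\mshta.exe"},
    {"EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventType": "ImageLoad", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "Signed": "false"},
    {"EventType": "ImageLoad", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
]
# abnormal_children(SAMPLE_EVENTS) -> [('winword.exe', 'mshta.exe')]
# dll_sideloads(SAMPLE_EVENTS) -> [('update.exe', 'version.dll')]
```

In production these functions would be fed from a SIEM export or Sysmon event log rather than the inline list, and the allow/deny sets tuned to the environment's normal parent-child pairs.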