Pierluigi Paganini May 22, 2021

FSB National Coordination Center for Computer Incidents (NKTsKI) revealed that foreign hackers have breached networks of Russian federal agencies.

A joint report published by Rostelecom-Solar and the FSB National Coordination Center for Computer Incidents (NKTsKI) revealed that foreign hackers have stolen information from Russian federal agencies.

The attacks were spotted in 2020, threat actors leveraged spear-phishing attacks, exploitation of vulnerabilities in web applications, hacking the infrastructure of contractors to penetrate the infrastructure of the Russian federal executive authorities.

Experts believe that threat actors behind the intrusions are sophisticated cyber mercenaries engaged by a foreign state.

“The level of attackers (the technologies and mechanisms used, the speed and quality of the work they have done) makes it possible to qualify them as cyber mercenaries pursuing the interests of a foreign state. Such attackers could stay inside the infrastructure for a long time and not give themselves away.” reads the report. “The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and mail correspondence of key federal executive authorities.”

Once compromised the networks of the targeted agencies, hackers gathered sensitive information from internal systems. Attackers gained access to mail servers, electronic document management servers, file servers, and workstations of various levels to steal data of interest.

The threat actors employed two previosuly undetected piece of malware dubbed Mail-O and Webdav-O.

“Mail-O is a downloader program that accesses the Mail.ru Cloud associated with account sewn into the sample. All communication takes place using the Cloud API Mail.ru” states the report. “Webdav-O is another malware that has never been described before. Like Mail-O, it interacts with the management server through the Yandex.Disk cloud. The malware supports two authentication methods: basic (with login and password) and oauth (with using a token).”

According to the report, the hackers have specifically targeted systems within federal agencies and designed their malware to bypass the most popular Russian antivirus Kaspersky that is usually installed by government offices.

“The malware developed by cybercriminals used the cloud storages of the Russian companies Yandex and Mail.ru Group to download the collected data. The hackers disguised their network activity as the legitimate utilities Yandex Disk and Disk-O. Such malware has never been encountered anywhere before;” continues the report.

• FSB concludes these are unprecedented attacks for multiple factors including:
• Level of threat, the attacks hit federal significance;
• 5th level of threat according to the model used by Solar JSOC;
• Complete compromise of infrastructure and theft of confidential government data;
• Involvement of previously undetected malware;
• The use of multiple attack vectors;
• The use of Russian cloud providers “Yandex” and Mail.ru Group;
• Zero-detection rate of the artifacts involved;

FSB did not attribute the attack to any foreign country.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Russian federal agencies)

[adrotate banner=”5″]

[adrotate banner=”13″]