Naked Security

Russian “government hackers” charged with cybercrimes by the US

What can we learn from the US DOJ indictments against the "Sandworm Team"?

You’ve probably seen the news that six Russians, allegedly employed by the Russian Main Intelligence Directorate, better known as the GRU, have been charged with cybercrimes by the US Department of Justice (DOJ).
The DOJ alleges that the defendants, all men, “caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United States.”
This group and its activities, says the DOJ, have been given a variety of different nicknames by cybersecurity researchers: Sandworm Team, Telebots, Voodoo Bear, and Iron Viking.
Sophos cybersecurity expert Chester Wisniewski had this to say about the US charges:

The indictment of the Russian GRU hackers related to the attacks referred to collectively as “Sandworm” is an interesting development in attempts by Western governments to rein in foreign adversary attacks. Sandworm has operated for more than 10 years and has played nearly every card in the attacker playbook. They are accused of having used spearphishing, document exploits, password stealers, living-off-the-land tools, supply chain hijacking and destructive wipers that have pretended to be ransomware in efforts to create false flags for investigators. They have been a noisy operation and many of us have been expecting this day to come for some time.
Another result of this noisiness is they have popularized sophisticated nation-state level tactics to be copied by everyday criminals. While they did not pioneer all these methods, they certainly perfected them and exposed their usefulness in breaching organizations’ defenses. Considering the accused are members of the Russian military intelligence (GRU) they are unlikely to ever be arrested. Three of the accused were previously indicted for other crimes and these indictments might prove to embolden them rather than curb their behavior.
We’re no safer than we were yesterday, and we need to continue to bolster our defenses to be prepared for Sandworm or any of the garden variety criminals they have inspired. Were they to be arrested, their replacements are already in training and the relentless thirst of nation-states to compromise and interfere with their adversaries goes undeterred.

Simply put, this indictment doesn’t really put an end to anything – it’s a reminder that cybercrime is here to stay, and that the techniques developed by one group rarely stay within that group for long.

What to do?

As Chester points out above, cybersecurity isn’t only, or even predominantly, about heading off state-sponsored attacks, for the simple reason that the same attack techniques work no matter who carries them out.
(A ransomware attack that ruins all your files will disrupt your immediate business operations just as abruptly whether the attackers try to blackmail you for $3000 or $3,000,000.)
Here are some tips for defending in the most general way against the sort of techniques listed by the DOJ:

  • Spearphishing. Don’t be tempted by links or documents you receive by email just because they align with a special interest of yours. Don’t assume that a document or an email is trustworthy just because the sender knows your name, your job title, or where you work. Even the least subtle porn scammers – crooks who claim to have a sex video of you that doesn’t actually exist, and demand money to “delete” it – frequently include names, phone numbers and even genuine passwords from your accounts as “proof”. That sort of data typically comes from existing public sources, including your corporate profile on your work website, social media accounts where you have intentionally told the world about yourself, or data breaches where a third party has spilled your personal information in a way you couldn’t control. If in doubt, leave it out.
  • Exploits. Sometimes, attackers find an exploitable software bug before anyone else and start using it before any software patches are available – what’s known as a zero-day, because there were zero days during which even an on-the-ball system administrator could have patched proactively. But many attacks – including the infamous and destructive NotPetya worm that the DOJ attributes to the Sandworm team – relied on exploits for which patches were already available. Even though it’s not always possible to be ahead of the crooks, there’s no reason to let yourself fall behind them if you don’t have to. Patch early, patch often.
  • Living-off-the-land attacks. This is the term used when cybercriminals avoid using new and suspicious malware files to do their dirty work, and instead rely on legitimate tools – often, tools commonly used for system administration, cybersecurity research and penetration testing – that crop up from time to time even when no actual attack is underway. Most modern cybersecurity tools can detect “grey hat” tools of this sort, such as Mimikatz (a tool that looks for left-over passwords in memory) and PsExec (a tool that launches software on other computers over the network). However, these reports are often ignored as “probably just one of our own team and therefore not worthy of investigation”, even when they are detected in unusual places or are run by unexpected users. Don’t let credible signs of intrusion be ignored, any more than you’d ignore a fire alarm because there wasn’t actually a fire last time: at the very least, confirm with the person or team you assume is responsible. An ounce of prevention is worth a pound of cure.
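The living-off-the-land point above is easiest to act on if the “was this one of ours?” question is answered by a rule rather than by a shrug. The following is an added example (it is not Sophos’ code and not part of the original article) of how a simple triage step can take process-creation telemetry, recognise PsExec- and Mimikatz-style activity by image name or by characteristic command-line arguments (so a renamed binary still trips it), and then compare who ran it and from where against a baseline of expected admin accounts and tool directories. The event field shape (host, user, image, cmdline, parent), the baseline values, the tool signatures and the sample events are all assumptions constructed for the example; an expected user running the tool from the expected folder still produces a low-severity record rather than silence, so the alarm is confirmed rather than discarded.

```python
"""
Added example (not Sophos' or the article's code): triage living-off-the-land
tool executions against a baseline instead of dismissing them as "probably us".

Events follow the shape of a process-creation record (Sysmon event 1 / EDR
telemetry): host, user, image path, command line, parent process.
The baseline, signatures and sample events are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed baseline: accounts expected to run admin/pentest tooling, and the
# directory that tooling is expected to live in.
EXPECTED_USERS = {"CORP\\svc-pentest", "CORP\\jdoe-adm"}
EXPECTED_TOOL_DIRS = ("c:\\tools\\sysinternals\\",)

# Match on image name OR on characteristic arguments, so a renamed binary
# (pse.exe, m.exe, ...) is still recognised by what it is told to do.
TOOL_SIGNATURES = {
    "PsExec": (
        re.compile(r"(^|\\)psexe(c|svc)(64)?\.exe$", re.I),
        re.compile(r"\\\\[\w.-]+ .*(-s\b|-d\b|-c\b|cmd|powershell)", re.I),
    ),
    "Mimikatz": (
        re.compile(r"(^|\\)mimikatz\.exe$", re.I),
        re.compile(r"(sekurlsa::|lsadump::|privilege::debug)", re.I),
    ),
}

# User-writable drop zones: an admin tool has no business executing from here.
DROP_ZONE = re.compile(r"\\(temp|downloads|programdata|public|appdata)\\", re.I)


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    image: str      # full path of the executable that started
    cmdline: str
    parent: str


@dataclass(frozen=True)
class Alert:
    host: str
    tool: str
    severity: str
    reason: str


def identify_tool(ev: Event) -> Optional[str]:
    """Return the tool name if the event looks like PsExec or Mimikatz, else None."""
    for name, (image_re, cmd_re) in TOOL_SIGNATURES.items():
        if image_re.search(ev.image) or cmd_re.search(ev.cmdline):
            return name
    return None


def triage(ev: Event) -> Optional[Alert]:
    """Compare a recognised tool run against the baseline.

    Expected user from the expected directory: still recorded at low severity
    (the alarm went off; someone confirms it). Anything outside the baseline is
    escalated with the concrete reasons, so it cannot be waved away as "us".
    """
    tool = identify_tool(ev)
    if tool is None:
        return None
    reasons = []
    if ev.user not in EXPECTED_USERS:
        reasons.append(f"unexpected user {ev.user}")
    if not ev.image.lower().startswith(EXPECTED_TOOL_DIRS):
        reasons.append(f"unusual path {ev.image}")
    if DROP_ZONE.search(ev.image):
        reasons.append("executable in user-writable drop zone")
    if tool == "Mimikatz" and re.search(r"sekurlsa::", ev.cmdline, re.I):
        reasons.append("credential dumping command line")
    if not reasons:
        return Alert(ev.host, tool, "low", "expected user and path; confirm with the team")
    severity = "high" if len(reasons) >= 2 or "credential" in " ".join(reasons) else "medium"
    return Alert(ev.host, tool, severity, "; ".join(reasons))


def scan(events):
    """Run triage over a telemetry feed and return the alerts worth working."""
    return [a for a in map(triage, events) if a is not None]


# Constructed sample telemetry for the example (not real logs).
SAMPLE_EVENTS = [
    Event("ws-042", "CORP\\jdoe-adm", r"C:\Tools\Sysinternals\PsExec.exe",
          r"PsExec.exe \\srv-01 -s cmd.exe", "cmd.exe"),
    Event("fs-07", "CORP\\rsmith", r"C:\Users\rsmith\AppData\Local\Temp\pse.exe",
          r"pse.exe \\dc-01 -s -d powershell -enc SQBFAFgA", "winword.exe"),
    Event("dc-01", "NT AUTHORITY\\SYSTEM", r"C:\ProgramData\m.exe",
          r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit', "PSEXESVC.exe"),
    Event("ws-099", "CORP\\alee", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r'WINWORD.EXE /n "report.docx"', "explorer.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper():6}] {alert.host}: {alert.tool} - {alert.reason}")
```

Run as written, the first sample event (an expected admin running PsExec from the expected folder) comes out as a low-severity record to confirm, while the renamed PsExec launched from a Temp folder by a normal user and the Mimikatz command line running under SYSTEM out of ProgramData are both escalated as high. The point of the baseline is not that it is complete, but that “expected” is something you wrote down in advance rather than something an analyst guesses after the alert has already fired.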

Remember: there’s no such thing as being “too small” or “not important enough” to be targeted or affected by cybercriminals.

