Eighteen months of campaigns featured a rapidly evolving tool-set
Cyber confusion reigns as threat groups with state ties get down with a bit of not-so-friendly fire in attacking the infrastructure of a Middle Eastern government.
Researchers at Symantec believe that a Russian-speaking hacker group hijacked the infrastructure of their Iranian rival Crambus (aka OilRig) in 2018.
During this attack the hacker group known as Waterbug (aka Turla) dropped malware onto computers that Crambus had captured. This malware was communicating back to known Waterbug C&C servers. The order in which Symantec believes this unique event happened is that first Crambus hacked and took control of sections of the computer infrastructure of an as-yet unnamed Middle Eastern government.
Potentially sensing an opportunity to gain added network power and to stick one into a rival the Waterbug threat group dropped a task scheduler called msfgi.exe onto a computer in Crambus network. The very next day they used Mimikatz to move horizontally across the network.
The Mimikatz hacking tool was deployed onto Crambus’ network in early 2018. “Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner tool have been publicly tied to Crambus by a number of vendors,” Symantec researchers note in its report.
The particular variant of Mimikatz used in the attack actually ties it to the Waterbug group as they have heavily modified it by rewriting nearly all of the original code, with the exception of the sekurlsa::logonpasswords credential stealing feature.
Russian Cyber Hackers WaterBug Previous Activity
If this is one threat group taking over another’s infrastructure, it marks an interesting escalation in tactics and demarcates the growing sophistication of the Russian threat group Waterbug.
Since early 2018 Waterbug have been linked to an array of attacks targeting organisations in 10 different countries. This includes the Ministry of Foreign Affairs across three continents, an ICT organization in the middle-east, as well as an educational institution in south Asia.
Tracking these attacks researchers have noted that the group is getting more sophisticated and are deploying new weapons throughout the year. These new tools include a custom hacking tool that combines four previously leaked hacking tools, EternalBlue, EternalRomance, DoublePulsar and SMBTouch all into one executable.
They are also using visual basic scripts that preform system reconnaissance after an attack that sends data back to controlled servers.
Symantec notes that PowerShell attacks are still popular as the group uses: “PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.”
Motive for Cross Attack
What exactly is happening between these two hacker groups, that have ties back to state actors, is still unclear. Symantec found that the whole affair gets a bit messy as a legitimate systems administration tool named IntelliAdmin suddenly appeared in Crambus’ network. It appears to have been dropped in by Waterbug backdoors onto computers that had not been compromised by Crambus.
Some believe that this is a false flag operation intended to sow confuson and throw researchers and the cyber defense community off its game.
One scenario Symantec has put forward is that Waterbug were gearing up to attack the Middle Eastern government systems itself, but after a recon showed that Crambus had already started a similar attack, it was just easier to take over its network which also gave them access to the government systems.
While Symantec still has a host of unanswered questions it notes that: “Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape.”