Alongside the distributed denial-of-service (DDoS) attacks, defacements, and attempted sabotage attributed to Kremlin-sponsored actors, IBM analysts have gathered evidence suggesting that the Russian cybercriminal group Trickbot (also known as Wizard Spider, DEV-0193, ITG23) has systematically attacked Ukraine since the beginning of the Russian invasion of the country, and that it was guided by and acted directly in the interests of the special services of the Russian Federation.
From mid-April to mid-June 2022, the Trickbot group conducted at least six cyber campaigns against organizations in Ukraine. The attackers deployed several malware families: IcedID, CobaltStrike, AnchorMail and Meterpreter. Before the Russian invasion, the Trickbot gang did not target Ukraine, and the malware used by the group was configured not to run on systems using the Ukrainian language. The systematic attacks observed against Ukraine include recorded and suspected phishing attacks against Ukrainian state authorities, Ukrainian citizens and organizations, as well as the general population.
Four of these cyber campaigns were discovered by the Ukrainian government’s computer emergency response team CERT-UA, which is tracking them under the group name UAC-0098.
The company’s experts in the field of cyber security risk analysis and insider threats in the private and public sectors identified two further malicious spam campaigns against targets in Ukraine.
Analysis of the collected data established that the cybercrime group ITG23 controls the delivery of the emails and malware itself; that is, the campaigns are not carried out by independent distribution affiliates. None of these cyber campaigns is consistent with the methods that ITG23’s known third-party affiliates use to deliver payloads to their targets.
Experts also discovered several new malicious programs and tools and established a number of features of cyber campaigns that were conducted directly by ITG23 personnel under the direction of Russia:
- three of the six cyber campaigns used a malicious Excel downloader to retrieve the payload, a downloader not seen in other cyber campaigns;
- two campaigns used ISO image files to distribute payloads; these ISO files were likely created by the proprietary ISO builder behind previous campaigns delivering ITG23 payloads;
- five of the six cyber campaigns dropped CobaltStrike, Meterpreter or AnchorMail directly onto the target machine. Typically, such a payload is delivered later in an infection that begins with malware such as Trickbot, Emotet, or IcedID, which suggests that these attacks are part of targeted cyber campaigns in which ITG23 is prepared to deploy its higher-cost backdoors immediately;
- the CobaltStrike and IcedID payloads used in four of the six cyber campaigns were protected with the ITG23 Tron, Hexa, or Forest crypters (the presence of an ITG23 crypter on a sample is strong evidence that its developer, distributor, or operator is part of or affiliated with ITG23).
Therefore, we can expect a further increase in the activity of cyber groups associated with Russia, their criminal activities on a wider scale, as well as an increase in the risk of threats to the financial sector.