Aggression, Orchestration and Preparation
The world’s eyes are focused on Russia and Ukraine. Most of us can’t quite comprehend what’s happening in Ukraine – let alone Russia’s outlandish and abrupt actions. They seem barbaric from our vantage point. But it helps if we remind ourselves these actions are far from abrupt. In fact, what we’re witnessing is the result of a detailed and well-rehearsed playbook.
What’s happening on the ground in Ukraine is very human, and real. It’s painful and brutal, and we need to remember those facts. There’s a cyber war running in the background according to a playbook that the Russian regime has been building for years.
The cyber playbook can help us understand how the pieces came together, and how we can prepare our responses without getting mired in the inhuman realities on the ground. It can help us describe what’s happened, what’s happening, and what will happen.
Practicing the Playbook
The current Russian regime spent years planning its offensive in cyberspace. It’s been targeting the private sector with techniques to overcome defenses thrown against it by defenders. And over the years it’s devised feints, misdirections, and practices to knock through those defenses.
Preparing to invade Ukraine, it included a number of ready-made cyber warfare plays… particularly those aimed at firmware.
Why firmware? Because it’s the component that most defenders take for granted. Like the back heel kick in European football or the wildcat formation in American football, firmware is often overlooked and the weaponization of it catches opposing teams by surprise.
And of course they need to practice with their new firmware capabilities. One thing the Russian regime needed to practice over the last few years was how to make sustained, material use of firmware in cyber warfare.
WIth those thoughts in mind and with a view across the past several years, we can see a number of unique firmware plays practiced by organizing them around goals, each of which requires and includes pre-placed implants.
- “Temporary Disruption” play: make the opponent scramble to figure out why things aren’t working quite the way they’re supposed to.
- Cyclops Blink: On February 23rd, the CISA, the National Security Agency, UK’s Cyber Security Center, and the Federal Bureau of Investigation released a joint Cybersecurity Advisory (CSA) reporting that Sandworm / Voodoo Bear was using new malware, referred to as Cyclops Blink. “Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.” How? Through firmware.
- VPNFilter: Network devices became the focus of firmware-level exploits with the advent of the VPNFilter malware in 2018. VPNFilter targeted equipment from nearly all major manufacturers, including Asus, D-Link, Huawei, Linksys, Mikrotik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel and ZTE. And where was VPNFilter targeted to have the greatest impact? Critical infrastructure in Ukraine.
- “Persistent Access” play: FInd way to plant long-term surveillance tools without alerting EDR, SIEM or endpoint tools.
- Lojax: In 2018, researchers discovered a firmware-level rootkit being used by Fancy Bear. They dubbed the rootkit LoJax, a play on the name of Absolute Software’s “LoJack”, a legitimate laptop anti-theft solution. Samples of LoJack software were tampered with to hardcode new configuration settings, forcing the implanted target to then communicate with a command-and-control server owned by Fancy Bear rather than the legitimate Absolute Software server. The malicious software was installed into device firmware, allowing it to persist even if the device was reinstalled or the hard drive were replaced.
- Sunburst: global technology supply chains were attacked in 2020 by a group of actors referred to as UNC2452. SolarWinds, a popular maker of network management software, acted as the unwilling Trojan Horse in a campaign that impacted 18,000 of their customers. UNC2452 has also been called APT29 and CozyBear.
- “Industrial or Government Espionage” play: Use network device vulnerabilities – generally in their firmware – to gain a foothold in industry or government programs.
- APT29 COVID Research Data: In an attack by the group commonly known as ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’, initial access was primarily targeted at firmware in Citrix, Fortigate and PulseSecure network devices.
- Pulse/Fortigate/Citrix/Cisco/F5 Network Device Exploitation: The same vulnerabilities were exploited in a string of actions aimed at infrastructure targets in the U.S.
- “Permanent Disruption” play: “If you can’t compromise them, just break them.”
- NotPetya: the “most devastating cyber attack in history” started in – by now this should be no surprise – Ukraine in 2017. A play designed by Sandworm to pick surprise and irritate Ukrainian government agencies and offices rather than score a goal, NotPetya was a simple move – like the heel kick – that was so wildly successful it was picked up by every kid juggling a ball: “Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania.”
- BlackEnergy: this sophisticated malware uses rootkit and process-injection techniques, robust encryption, and a modular architecture known as a “dropper”. The players practiced their moves by using a variant in the December 2015 cyber attack on Ukraine’s power grid.
- Hermetic Wiper is a recently-observed wiper being used to deploy a wiper that targets Windows devices, manipulating the Master Boot Record (MBR) firmware and resulting in subsequent boot failure.
- WhisperGate is another wiper being used to erase data and brick systems. It attacks the MBR with a command to erase data from the C: partition by overwriting it with fixed data. With its first appearance being made in Ukraine, speculation – if not consensus opinion – is that WhisperGate comes from “malicious actors linked to or backed by the Russian government.”
Having seen this before, we expect to see all these plays come together when the squads take their positions. Some plays, like attacks implanted into firmware or supply chains, take time to evolve, especially if you are not accustomed to seeing them. But these are definitely the moves they’re making.
Preparation For Cyber Defenders
The playbook metaphor has served its purpose and it’s time to return to the serious matter at hand. We’re talking about the Russian regime leveraging offensive and stealthy cyber weapons that can be used alongside planes and troops in the takeover of a sovereign nation.
How do we prepare? Cybersecurity teams are constantly seeking to counter the actions that we see framed above as plays that are currently being run against us. Part of this includes guarding the otherwise hidden firmware attack vectors.
Eclypsium helps our customers, including the United States Government and its allies, in the following areas.
- For Temporary or Permanent Disruption, firmware vulnerabilities are currently ignored by enterprise security. This needs to change and Eclypsium has pioneered a way to include such issues without overwhelming security teams.
- For Persistent Access, the Russian threat actors who are involved in the current cyber activity have previously demonstrated firmware implant capabilities both in PCs and network devices. These implants must quickly alert and trigger action by security teams. Eclypsium makes this possible automatically and at scale.
- For Industrial or Government Espionage, the dwell time of months and years is not acceptable. Organizations need to be able to check device integrity to quickly find firmware implants and take action. Eclypsium sensors are now being used by organizations in a way that is completely transparent to operations, either continuously monitoring in the background or at key deployment and maintenance events.
A Free Assessment Tool
Eclypsium has connections with Ukraine: our founders are from Ukraine, and today we have team members in Ukraine who we’re concerned about. We built a special version of our QuickScan tool to help defenders in Ukraine discover potential implants and wipers in their PCs and servers, and it is available below for no charge. QuickScan by Eclypsium identifies vulnerable firmware components and possible firmware implants. To assess other equipment types, or if any anomalies are detected or other firmware-related difficulties occur, just Contact Us to schedule a more in-depth analysis.