In a report published last week, the Russian government said unidentified foreign hackers have breached and stolen information from Russian federal executive bodies.
According to the joint report by Rostelecom-Solar, the cybersecurity division of Russian telco Rostelecom, and the National Coordination Center for Computer Incidents (NKTsKI), a cybersecurity body created by the Russian Federal Security Service (FSB), the attacks took place in 2020. The report stresses the sophistication of the threat actors and describes them as likely state-backed:
“Evaluating attackers in terms of training and qualifications (used technologies and mechanisms, the speed and quality of the work done by them), we are inclined to classify this group as cyber mercenaries pursuing the interests of a foreign state,” the report reads. However, Russia did not attribute the attacks to any specific country or threat group.
The report says the attackers used three entry vectors to breach Russian federal agencies: exploiting vulnerabilities in web applications, spear-phishing, and compromising the IT infrastructure of government contractors. Their goal was information theft:
“After a complete compromise of the infrastructure, the attackers proceeded to collect confidential information from all sources of interest: such as mail servers, electronic document management servers, file servers, and workstations of various levels,” the report said.
Once inside a victim network, the attackers deployed two previously unknown malware strains, which the researchers dubbed Mail-O and Webdav-O. Both are stealthy backdoors that let the intruders execute commands on compromised hosts and exfiltrate data. Rather than standing up dedicated servers, the attackers ran their command and control through Russian cloud services: Mail-O exfiltrated data to Mail.ru Cloud, and Webdav-O to Yandex.Disk, Yandex's counterpart to Google Drive.
The malware was designed to evade Kaspersky antivirus software, which is widely deployed on Russian federal networks. Both Mail-O and Webdav-O disguised their network traffic as that of the legitimate sync clients for the two services, Mail.ru's Disk-O and the Yandex.Disk application.
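The practical consequence of the disguise described above is that neither the destination domain nor the User-Agent string is a useful indicator on its own: on a host where the real sync client is installed, the backdoor's uploads look like ordinary Yandex.Disk or Disk-O traffic. What does separate them is which process is making the WebDAV or upload calls, and how much leaves the host. The following detection logic is an added example (not code or indicators from the Rostelecom-Solar/NKTsKI report); the proxy/EDR log lines are constructed, and the cloud-storage hostnames, the sync-client binary names and the volume threshold are assumptions you would replace with your own inventory.

```python
"""Hunt for cloud-storage exfiltration that mimics a legitimate sync client.

Added example, not code from the report. Log lines are constructed; the
hostnames, process names and threshold below are assumptions.
"""
import json
from collections import defaultdict

# Destinations the two backdoors reportedly used. Hostnames are assumptions
# standing in for the Yandex.Disk WebDAV endpoint and Mail.ru Cloud.
CLOUD_STORAGE_HOSTS = {"webdav.yandex.ru", "cloud.mail.ru"}

# Processes that legitimately talk to those services on a workstation.
# Binary names are assumptions; populate them from your software inventory.
ALLOWED_PROCESSES = {"yandexdisk2.exe", "disk-o.exe"}

# HTTP/WebDAV methods that carry data out of the host.
UPLOAD_METHODS = {"PUT", "POST", "MKCOL", "PROPFIND"}

# Per-host bytes-out budget to cloud storage before volume alone is alerted on.
VOLUME_THRESHOLD = 50 * 1024 * 1024  # 50 MiB, an assumed tuning value

# Constructed proxy/EDR log: one JSON object per line. Note the malicious
# uploads from svchost.exe and w3wp.exe carry the same User-Agent as the
# real clients, so "ua" is deliberately not used as an indicator.
SAMPLE_LOG = r"""
{"ts":"2020-11-03T09:12:01Z","host":"WS-0412","process":"YandexDisk2.exe","dst":"webdav.yandex.ru","method":"PUT","bytes_out":2048000,"ua":"Yandex.Disk"}
{"ts":"2020-11-03T09:15:44Z","host":"WS-0412","process":"svchost.exe","dst":"webdav.yandex.ru","method":"PUT","bytes_out":31457280,"ua":"Yandex.Disk"}
{"ts":"2020-11-03T09:16:10Z","host":"WS-0412","process":"svchost.exe","dst":"webdav.yandex.ru","method":"PUT","bytes_out":31457280,"ua":"Yandex.Disk"}
{"ts":"2020-11-03T09:20:00Z","host":"SRV-MAIL01","process":"w3wp.exe","dst":"cloud.mail.ru","method":"POST","bytes_out":4194304,"ua":"Disk-O"}
{"ts":"2020-11-03T09:21:30Z","host":"WS-0099","process":"chrome.exe","dst":"www.example.com","method":"GET","bytes_out":512,"ua":"Mozilla/5.0"}
{"ts":"2020-11-03T09:22:05Z","host":"WS-0099","process":"Disk-O.exe","dst":"cloud.mail.ru","method":"PUT","bytes_out":1048576,"ua":"Disk-O"}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_cloud_exfil(events, allowed=ALLOWED_PROCESSES,
                       hosts=CLOUD_STORAGE_HOSTS, threshold=VOLUME_THRESHOLD):
    """Return alerts for cloud-storage traffic that breaks the expected pattern.

    Rule 1 (unexpected_process): an upload-type request to a cloud-storage
    host from a process that is not the service's own sync client.
    Rule 2 (volume): total bytes sent to cloud storage by one host exceeds
    the threshold, regardless of which process sent them.
    """
    alerts = []
    bytes_per_host = defaultdict(int)
    for ev in events:
        if ev["dst"] not in hosts:
            continue  # only cloud-storage destinations are in scope
        bytes_per_host[ev["host"]] += ev["bytes_out"]
        proc = ev["process"].lower()
        if ev["method"].upper() in UPLOAD_METHODS and proc not in allowed:
            alerts.append({
                "rule": "unexpected_process",
                "host": ev["host"],
                "process": ev["process"],
                "dst": ev["dst"],
                "bytes_out": ev["bytes_out"],
            })
    for host, total in bytes_per_host.items():
        if total > threshold:
            alerts.append({"rule": "volume", "host": host, "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample log, the process rule flags the two svchost.exe PUTs on WS-0412 and the w3wp.exe POST from the mail server (a web-server worker has no business uploading to consumer cloud storage), and the volume rule flags WS-0412 for pushing roughly 62 MiB to Yandex.Disk in a few minutes, while the genuine YandexDisk2.exe and Disk-O.exe uploads pass. Both rules need process-level telemetry (EDR, Sysmon event 3, or a proxy that records the originating binary); a domain-only web proxy log cannot distinguish these cases.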
Additional technical details about the two malware strains are laid out in the full report.