Russian hackers are using their presence inside the networks of organizations in the UK, US and elsewhere to launch attacks against Ukraine, a new report from Lupovis has revealed.
The Scottish security firm set up a series of decoys on the web to lure Russian threat actors so it could study their tactics, techniques and procedures (TTPs).
This included fake “honeyfile” documents leaked to cybercrime forums and fabricated to contain what appeared to be critical usernames, passwords and other information.
Other decoys included insecurely configured web portals designed to mimic Ukrainian political and governmental sites, and “high interaction and ssh services.” The latter were configured to accept the fake credentials from the web portals.
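The decoy chain described above (fake credentials planted in a leaked document, and a decoy SSH service that accepts exactly those credentials) can be wired so that every login with a planted credential is an alert that also says which leak the attacker read. The following is an added illustration, not Lupovis's code; the secret, the channel names and the log line format are all assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed per-deployment secret; in practice load it from a secrets store.
DECOY_SECRET = b"constructed-demo-secret"
# Leak channels the honeyfiles were seeded into (names are assumptions).
CHANNELS = ("forum-a", "forum-b", "decoy-portal")

def honey_password(channel: str, username: str) -> str:
    """Derive the fake password planted for `username` in one leak channel.
    Deterministic, so the decoy SSH service can recognise it without a database,
    and unique per channel, so a login reveals which leak the attacker read."""
    tag = hmac.new(DECOY_SECRET, f"{channel}:{username}".encode(), hashlib.sha256)
    return "Hf-" + tag.hexdigest()[:12]

def leak_channel(username: str, password: str):
    """Return the channel whose planted credential matches, or None."""
    for ch in CHANNELS:
        expected = honey_password(ch, username).encode()
        if hmac.compare_digest(expected, password.encode()):
            return ch
    return None

LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+)")

def correlate(log_lines):
    """Map each source address to the set of leak channels whose planted
    credentials it tried; ordinary guesses such as '123456' are ignored."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ch = leak_channel(m["user"], m["pw"])
        if ch:
            hits[m["src"]].add(ch)
    return dict(hits)

# Constructed decoy-service log lines (format is an assumption).
SAMPLE_LOG = [
    f"2022-12-01T10:00:01Z sshd-decoy src=203.0.113.7 user=admin pass={honey_password('forum-a', 'admin')}",
    "2022-12-01T10:00:05Z sshd-decoy src=203.0.113.7 user=root pass=123456",
    f"2022-12-01T10:01:10Z sshd-decoy src=198.51.100.9 user=admin pass={honey_password('decoy-portal', 'admin')}",
    f"2022-12-01T10:02:00Z sshd-decoy src=203.0.113.7 user=ops pass={honey_password('forum-b', 'ops')}",
]

if __name__ == "__main__":
    for src, chans in correlate(SAMPLE_LOG).items():
        print(f"ALERT {src} used planted credentials from: {sorted(chans)}")
```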
The exercise highlighted just how primed and ready Russian threat actors are to seize on any evidence of Ukrainian targets. Some 50–60 human actors interacted with just five decoys, and many of them reached the honeypots within a minute of the decoys going live.
The duped hackers attempted a variety of attacks, ranging from reconnaissance of the lure information to attempts to conscript the decoy hosts into DDoS botnets, and exploitation of SQL injection and other bugs.
More shocking was what Lupovis found subsequently.
“The most concerning finding from our study is that Russian cyber-criminals have compromised the networks of multiple global organizations, including a Fortune 500 business, over 15 healthcare organizations and a dam monitoring system,” the vendor explained.
“These organizations were based in the UK, France, the US, Brazil and South Africa, and Russian criminals are rerouting through their networks to launch cyber-attacks on Ukraine, which effectively means they are using these organizations to carry out their dirty work.”
Lupovis hypothesized that the threat actors may be Russian cyber-criminals rather than state actors.
“Given that our research shows over 15 healthcare organizations had been compromised by Russian criminals, this could suggest the attackers are working under the radar on their networks and using their access to launch attacks on other institutions,” it argued.
“Once they are discovered, they then launch ransomware attacks on the healthcare organizations’ systems or perform data breaches. This would suggest attackers are maximizing every tool in their arsenal to compromise an organization before moving on to their next victim.”