A series of attacks targeting transportation and logistics organizations in Ukraine and Poland with Prestige ransomware since October have been linked to an elite Russian military cyberespionage group.
Researchers with Microsoft Security Threat Intelligence (MSTIC) pinned the ransomware attacks on the Russian Sandworm threat group based on forensic artifacts and victimology, tradecraft, capabilities, and infrastructure overlapping with the group’s previous activity.
The attackers deployed the ransomware payloads across their victims’ enterprise networks. This tactic has rarely been seen in attacks targeting Ukrainian organizations, and it matches previous Russian state-aligned activity, such as the use of the HermeticWiper destructive malware before the start of the invasion of Ukraine.
“As of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack,” MSTIC said.
“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine.
“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”
The threat actors’ sophistication was highlighted by their use of multiple methods for Prestige ransomware deployment, including the use of Windows scheduled tasks, encoded PowerShell commands, and the Default Domain Group Policy Object.
In its previous report, Microsoft shared a list of indicators of compromise (IOCs) and advanced hunting queries to help admins defend against Prestige ransomware attacks.
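The deployment methods described above (scheduled tasks launching encoded PowerShell) are the kind of artifact a hunting query keys on. As an added example that is not from Microsoft's report or its hunting queries, the Python below scans constructed scheduled-task audit events in a simplified key=value shape, decodes any -EncodedCommand token and reports the plaintext for the analyst; the event format, task names and paths are assumptions.

```python
import base64
import binascii
import re

# -EncodedCommand and the short forms PowerShell accepts (-e, -ec, -enc, ...),
# followed by the base64 token; -ex... (ExecutionPolicy) does not match.
ENCODED_RE = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Simplified key=value shape of the constructed sample events below (an assumption).
EVENT_RE = re.compile(r'EventID=(\d+) TaskName=(\S+) Command="(.*)"')
TASK_EVENT_IDS = {"4698", "4702"}  # scheduled task created / updated


def decode_encoded_command(token):
    """Decode a -EncodedCommand token (base64 of UTF-16LE text); None if invalid."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_events(lines):
    """Flag task create/update events running PowerShell with an encoded command."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group(1) not in TASK_EVENT_IDS:
            continue
        task, command = m.group(2), m.group(3)
        enc = ENCODED_RE.search(command)
        if "powershell" not in command.lower() or not enc:
            continue
        decoded = decode_encoded_command(enc.group(1))
        findings.append({
            "task": task,
            "decoded": decoded if decoded is not None else "<undecodable>",
            "hidden": bool(HIDDEN_RE.search(command)),  # hidden window is a common tell
        })
    return findings


def make_encoded(text):
    """Build a -EncodedCommand token the way PowerShell expects it."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed sample events (not from the original report); paths are placeholders.
SAMPLE_EVENTS = [
    'EventID=4698 TaskName=\\Backup Command="C:\\Tools\\backup.exe /daily"',
    'EventID=4698 TaskName=\\UpdateCheck Command="powershell.exe -NoP -W Hidden -EncodedCommand '
    + make_encoded("Start-Process C:\\Windows\\Temp\\sample.exe") + '"',
    'EventID=4702 TaskName=\\Cleanup Command="powershell.exe -enc NOTBASE64!!"',
]
```

Running `scan_events(SAMPLE_EVENTS)` reports the hidden-window task with its decoded action and the task whose token is not valid base64, while the plain backup task is ignored.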
Notorious Russian military hackers
Sandworm (aka BlackEnergy, Voodoo Bear, TeleBots) is a Russian hacking group active for at least two decades since the mid-2000s, with its members believed to be part of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
They have been linked to attacks leading to the Ukrainian blackouts of 2015 and 2016 [1, 2, 3] and the KillDisk wiper attacks targeting Ukrainian banks.
The group is also believed to have created the NotPetya ransomware, which caused billions of dollars in damage starting in June 2017.
In October 2020, the U.S. Department of Justice charged six of the group’s operatives for hacking operations linked to the NotPetya ransomware attack, the PyeongChang 2018 Olympic Winter Games, and the 2017 French elections.
Earlier this year, in February, a joint security advisory issued by U.S. and U.K. cybersecurity agencies also attributed the Cyclops Blink botnet to the Russian military cyberspies, before the botnet was disrupted and prevented from being used in attacks.