An APT Spies on Russia

By Shane Zuls on October 11, 2024

Executive Summary


On Monday, October 7, 2024, the Russian cybersecurity company Kaspersky published an update on the Advanced Persistent Threat (APT) group it tracks as 'Awaken Likho', reporting that the group's signature tactics, techniques, and procedures (TTPs) have changed in recent attacks [4]. The group has been active since July 2021 and has so far targeted only Russian government agencies, government contractors, and industrial enterprises, with no sign of a financial motive. Its tradecraft has matured over time, pointing to growing skill and steady funding for its operations [3]. Initial access comes through phishing: malicious email attachments and links, combined with basic social engineering [3]. Once inside, the group now controls compromised machines with MeshAgent, the agent component of the open-source MeshCentral remote-management platform, which calls back to a MeshCentral server; earlier campaigns used UltraVNC for command and control instead [3]. From there the group collects data, executes commands, and establishes persistence to entrench itself in the environment [3].
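The practical check that follows from this summary is a hunt for legitimate remote-administration tooling (MeshAgent, UltraVNC) running where nobody sanctioned it. The script below is an example added for this article; it is not Kaspersky's detection logic and not code from the MeshCentral or UltraVNC projects. It assumes the tools keep their default binary and service names (MeshAgent.exe and the "Mesh Agent" service; winvnc.exe and the "uvnc_service" service), that a collected meshagent.msh file contains a `MeshServer=` key=value line naming the server the agent reports to, and that a launch by a scripting host or mail client, or from a temp directory, is a reasonable phishing-chain heuristic. The host inventory, host names, and the 203.0.113.10 server address are constructed sample data.

```python
"""Hunt for unsanctioned MeshAgent / UltraVNC deployments in a host inventory.
Example added for this article (not Kaspersky's or the MeshCentral project's code).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default image and service names of the two tools named in the report.
# Assumption: the operator has not renamed them; a renamed agent needs
# hash- or behaviour-based hunting instead of this name match.
REMOTE_ADMIN_IMAGES: Dict[str, str] = {"meshagent.exe": "MeshAgent", "winvnc.exe": "UltraVNC"}
REMOTE_ADMIN_SERVICES: Dict[str, str] = {"mesh agent": "MeshAgent", "uvnc_service": "UltraVNC"}

# Heuristic (assumption): these parents suggest a phishing/script-driven install,
# not a deployment by the administration team.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "outlook.exe", "winword.exe"}


@dataclass
class Host:
    name: str
    processes: List[Tuple[str, str]]   # (image path, parent image path)
    services: List[str]                # installed service names
    mesh_config: Optional[str] = None  # contents of meshagent.msh, if collected


@dataclass
class Finding:
    host: str
    tool: str
    severity: str
    reason: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_mesh_server(msh_text: str) -> Optional[str]:
    """Extract the MeshServer= URL from a meshagent.msh key=value file (assumed format)."""
    m = re.search(r"^MeshServer=(\S+)", msh_text, re.MULTILINE)
    return m.group(1).lower() if m else None


def hunt(hosts: Iterable[Host], approved_hosts: Iterable[str],
         approved_servers: Iterable[str]) -> List[Finding]:
    """Flag remote-admin tooling on unapproved hosts, suspicious launches, and
    MeshAgents configured to report to a server outside the approved set."""
    approved_host_set = {h.lower() for h in approved_hosts}
    approved_prefixes = tuple(s.lower() for s in approved_servers)
    findings: List[Finding] = []
    for host in hosts:
        sanctioned = host.name.lower() in approved_host_set
        for image, parent in host.processes:
            tool = REMOTE_ADMIN_IMAGES.get(basename(image))
            if tool is None:
                continue
            if not sanctioned:
                findings.append(Finding(host.name, tool, "high",
                    f"{basename(image)} running on a host not approved for remote administration"))
            parent_name = basename(parent)
            in_temp = "/temp/" in image.replace("\\", "/").lower()
            if parent_name in SUSPICIOUS_PARENTS or in_temp:
                findings.append(Finding(host.name, tool, "medium",
                    f"{basename(image)} started by {parent_name} from {image}"))
        for svc in host.services:
            tool = REMOTE_ADMIN_SERVICES.get(svc.lower())
            if tool and not sanctioned:
                findings.append(Finding(host.name, tool, "high",
                    f"service '{svc}' installed on a host not approved for remote administration"))
        if host.mesh_config:
            server = parse_mesh_server(host.mesh_config)
            if server and not server.startswith(approved_prefixes):
                findings.append(Finding(host.name, "MeshAgent", "high",
                    f"agent configured to report to unapproved MeshCentral server {server}"))
    return findings


# Constructed sample inventory: one sanctioned helpdesk box, one engineering
# workstation with an agent dropped by a script, one HMI running UltraVNC.
APPROVED_HOSTS = ["HELPDESK-01"]
APPROVED_SERVERS = ["wss://mesh.corp.example:443"]
SAMPLE_HOSTS = [
    Host("HELPDESK-01",
         [("C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "C:\\Windows\\System32\\services.exe"),
          ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\userinit.exe")],
         ["Mesh Agent"],
         "MeshName=helpdesk\nMeshServer=wss://mesh.corp.example:443/agent.ashx\n"),
    Host("WS-ENG-17",
         [("C:\\Users\\eng\\AppData\\Local\\Temp\\MeshAgent.exe", "C:\\Windows\\System32\\cscript.exe"),
          ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\userinit.exe")],
         [],
         "MeshName=update\nMeshServer=wss://203.0.113.10:443/agent.ashx\n"),
    Host("PLC-HMI-02",
         [("C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe", "C:\\Windows\\System32\\services.exe")],
         ["uvnc_service"]),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_HOSTS, APPROVED_HOSTS, APPROVED_SERVERS):
        print(f"[{f.severity}] {f.host}: {f.tool}: {f.reason}")
```

Run against the sample inventory, the sanctioned helpdesk host produces nothing, the engineering workstation produces three findings (unapproved host, launch by cscript.exe from a temp directory, and an agent pointed at an unapproved server), and the HMI produces two for the UltraVNC process and service. The server check matters most: an agent with the right name on an approved host is still hostile if it reports to someone else's MeshCentral.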


Background

Given the targets' strategic importance to Russia and Kaspersky's observation that such attacks have increased since the Russian invasion of Ukraine in 2022, this activity is likely connected to the conflict [3]. Kaspersky does not attribute 'Awaken Likho' to any nation-state or other organization. The target set nonetheless makes Ukraine or its partners a plausible sponsor: Ukraine has been striking Russia's energy sector this year [1], so espionage against Russian industry would be valuable to it and would justify sustained funding. Until solid evidence points to a specific sponsor, however, the attribution remains circumstantial, as it does for most APT activity.


Impact

Because this story is ongoing, it is hard to say what impact these attacks will have on Russia, the war, or any affected company or contractor. Leaked information could range from financial spreadsheets to future plans, trade secrets, employees' personal data, or defense contracts with the Russian government. The only thing confirmed, and then only indirectly, is that machines were compromised; nothing more can be stated with confidence until a fuller report is published [3].


Significance

Awaken Likho is far from the only APT in play: Russia's own APT groups attack organizations across Eastern Europe, from Ukraine to Poland [2]. If an organization is seen as key to an influential nation's success or national security, rival nations will naturally have an interest in seeing it fail or be weakened. Awaken Likho and groups like it show that state-aligned espionage driven by geopolitical tension must be monitored alongside ordinary criminal activity and petty internet crime. Organizations must recognize the risk that comes with strategic significance in their country and mitigate it with their own means.


References


[1] Al Jazeera, "Russia and Ukraine target each other's energy sectors," 2024 https://www.aljazeera.com/news/2024/4/27/russia-ukraine-target-each-others-energy-sector


[2] Flashpoint Intel Team, “Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024,” 2024 https://flashpoint.io/blog/russian-apt-groups-cyber-threats/


[3] Kaspersky, “Awaken Likho is awake: new techniques of an APT group,” 2024 https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/


[4] Kaspersky, “Kaspersky uncovers new cyberespionage campaign targeting government entities in Russia,” 2024 https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-new-cyberespionage-campaign-targeting-government-entities-in-russia