Russia Attacks Ukraine With RAT
By Shane Zuls on November 1, 2024
Executive Summary
On October 17, 2024, the Cisco Talos Intelligence Group reported that a Russian APT group named RomCom (UAT-5647) had been infiltrating and attacking Ukrainian and Polish entities since at least late 2023, with the aim of supporting espionage and exfiltrating data for as long as possible [3]. The group achieved this through a newly developed Remote Access Trojan (RAT) dubbed SingleCamper, which performed network reconnaissance, lateral movement, user and system discovery, and data exfiltration after establishing remote tunnels with PuTTY’s Plink [3]. SingleCamper was loaded directly from the registry into memory and used a loopback address to communicate with its loader, which made it difficult to spot, since registry-based loading and loopback traffic are usually overlooked by antivirus and network scanners [2]. According to Cisco, the infection chain began with a spear-phishing message that installed either a Rust-based or a C++-based downloader. The malware would then try to establish a reverse shell and, if successful, move laterally, compromising edge devices to potentially evade detection during an incident response process [2].
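The three behaviours the summary singles out (a payload-sized value written to the registry, loopback traffic between loader and payload, and Plink started as a tunnel) are each visible in ordinary endpoint telemetry. The following triage script is an added example, not code from the article or from Talos; its event field names, thresholds, path hints and sample events are constructed assumptions that loosely mimic Sysmon-style logs.

```python
import json
import ntpath

# Constructed sample events: the layout resembles Sysmon fields but is not its schema.
SAMPLE_EVENTS = [
    r'{"type":"RegistryValueSet","image":"C:\\Windows\\System32\\svchost.exe","key":"HKLM\\SOFTWARE\\Example","data_len":812}',
    r'{"type":"RegistryValueSet","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\loader.exe","key":"HKCU\\SOFTWARE\\Example\\blob","data_len":348160}',
    r'{"type":"NetworkConnect","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\loader.exe","dst_ip":"127.0.0.1","dst_port":54321}',
    r'{"type":"NetworkConnect","image":"C:\\Program Files\\Browser\\browser.exe","dst_ip":"127.0.0.1","dst_port":8080}',
    r'{"type":"ProcessCreate","image":"C:\\Users\\jdoe\\plink.exe","cmdline":"plink.exe -N -R 9000:127.0.0.1:9000 user@203.0.113.5"}',
    r'{"type":"ProcessCreate","image":"C:\\Tools\\plink.exe","cmdline":"plink.exe -ssh admin@10.0.0.2 uptime"}',
]

BLOB_MIN_BYTES = 64 * 1024  # assumed threshold: registry values this large are rare
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\Downloads\\")  # assumed path hints

def _user_writable(image):
    """True if the executable runs from a location an ordinary user can write to."""
    low = image.lower()
    return any(hint.lower() in low for hint in USER_WRITABLE)

def check_event(ev):
    """Return the name of the rule an event triggers, or None if it looks benign."""
    kind, image = ev.get("type"), ev.get("image", "")
    if kind == "RegistryValueSet" and ev.get("data_len", 0) >= BLOB_MIN_BYTES:
        return "REG_BLOB"  # payload-sized value written into the registry
    if kind == "NetworkConnect" and ev.get("dst_ip") == "127.0.0.1" and _user_writable(image):
        return "LOOPBACK"  # loopback client running from a user-writable path
    if kind == "ProcessCreate" and ntpath.basename(image).lower() == "plink.exe":
        if {"-R", "-L"} & set(ev.get("cmdline", "").split()):
            return "PLINK_TUNNEL"  # Plink launched with a port-forwarding option
    return None

def triage(lines):
    """Parse JSON event lines and return (rule, image) pairs for every hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        rule = check_event(ev)
        if rule:
            hits.append((rule, ev.get("image", "")))
    return hits

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:13} {image}")
```

The allowlisting here is deliberately crude (benign software also talks to loopback, and large registry values do occur), so in practice each rule would be tuned against a baseline of the environment before being promoted to an alert.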
Background
Ever since the fall of the Soviet Union in the 1990s, Russia has consistently ranked toward the top in cyber crime and cyber-meddling across the world [4]. For nation-states, cyber attacks fall into a gray zone of deniability while being incredibly useful for doing anything from minor to extreme damage to infrastructure, bank accounts, and global connectivity. For Russia, a nation notorious for its hostile geopolitical environment, a deniable yet effective and profitable weapon is incredibly useful. The usefulness of cyber attacks can be seen in the Russo-Ukrainian War, where attacks have damaged infrastructure, systems, and people’s wallets ever since tensions began in 2014 [1]. With the most recent attacks from Russian APTs like RomCom, Russia has begun to shift its cyber attention toward espionage in a more noticeable way, as a response to its intelligence failure during the Ukrainian offensive into Kursk, an offensive made possible only by Western support from nations like Poland.
Impact
Since this story is ongoing, it is hard to say what impact these attacks may have on Ukraine and its combat readiness in the war. The information involved in the attacks is likely classified, and the Ukrainians and Poles are likely still determining the true scale of the compromised information. Analysis of the keyboard layout referenced in the malicious code showed that Polish victims were likely involved, though no victims were identified [2]. Currently, speculation and educated guesses are all that analysts have for judging the success of the Russian operation; but, since information about the attacks was published as they occurred, it is reasonable to assume that the damage could be minimal.
Significance
Cyber attacks against Poland and Ukraine show that a lack of boots-on-the-ground in a conflict may not fully secure a nation from attack. Simple involvement in something like arms shipments or even arms transit may make a nation susceptible to cyber attacks in the modern day. The use of APTs in the Russo-Ukrainian war gives the world a good insight into just how impactful APTs can be in true nation-state conflicts. It shows where the lines in the sand may be for cyber attacks and what attacks may just stay as theory.
References
[1] Cerf E., “Ukraine blackouts caused by malware attacks warn against evolving cybersecurity threats to the physical world,” 2024 https://news.ucsc.edu/2024/05/ukraine-cybersecurity.html
[2] Korzhevin D., Malhotra A., Svajcer V., Ventura V., “UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants,” 2024 https://blog.talosintelligence.com/uat-5647-romcom/
[3] Lakshmanan R., “Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant,” 2024 https://thehackernews.com/2024/10/russian-romcom-attacks-target-ukrainian.html
[4] Plis M., “Top 10 countries where security hackers come from & their types,” 2024 https://www.cyberkite.com.au/post/hackers-top-10-countries-where-they-come-from-hacker-types