TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: This ongoing campaign by the Russian state-sponsored threat actor, APT28, not only compromises the security of the targeted nations but also poses a broader threat to international security and the integrity of global information systems. The targeted exploitation of software vulnerabilities underscores the sophistication of APT28 and the broader implications for national and international cybersecurity.
According to a new statement from authorities in Germany, the Czech Republic, the European Union, and NATO, the Russian state-sponsored Advanced Persistent Threat (APT) APT28 (aka Fancy Bear, Pawn Storm, Strontium, Forest Blizzard, and TA422), is targeting entities in Czechia and Germany. In this campaign, APT28 targeted both political and state-run organizations in the two countries, with the goal of accessing sensitive geopolitical information.
APT28 is a highly sophisticated state-sponsored threat actor group that has operated since at least 2014. The group is attributed to Military Unit 26165 of the Russian Federation's military intelligence agency, GRU.
In observed attacks, APT28 exploited a known vulnerability in Microsoft Outlook. The vulnerability, tracked as CVE-2023-23397 (CVSS 9.8), is a critical elevation of privilege vulnerability. Exploitation of CVE-2023-23397 enabled APT28 to obtain Net-NTLMv2 hashes, which in turn could be used to access victim accounts via an NTLM relay attack. To hide the origin of the attacks, APT28 carried them out via hundreds of compromised Small Office/Home Office (SOHO) routers. The U.S. Justice Department coordinated with German authorities to remediate the compromised SOHO routers. Additional technical details on the campaign have not been shared publicly at this time.
To defend against similar attacks, organizations are strongly recommended to ensure applications remain up to date on security patches. Additionally, organizations should deploy endpoint monitoring capabilities to both workstations and servers, to enable the rapid identification and remediation of threats.
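Beyond patching, a control commonly applied against CVE-2023-23397 is to prevent and monitor outbound SMB from workstations, because the hash leak described above depends on the Outlook client authenticating to an external host. The following added example (not eSentire's code, and not part of the original briefing) shows that check as detection logic run over constructed firewall log lines; the log format, address ranges, and hostnames are assumptions, and a real deployment would substitute the organization's own address plan and log schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample firewall log lines (not from the page or from eSentire).
# Fields: timestamp action src_ip src_port dst_ip dst_port proto
SAMPLE_LOGS = """\
2024-05-06T09:12:01Z ALLOW 10.20.1.15 51022 10.20.1.5 445 TCP
2024-05-06T09:12:07Z ALLOW 10.20.1.15 51031 203.0.113.45 445 TCP
2024-05-06T09:12:09Z ALLOW 10.20.1.22 44810 198.51.100.9 443 TCP
2024-05-06T09:13:44Z ALLOW 192.168.4.8 40020 192.0.2.77 445 TCP
2024-05-06T09:14:02Z DENY 10.20.1.30 52010 203.0.113.45 445 TCP
"""

# Hypothetical "internal" definition: the RFC 1918 ranges. An organization would
# list its own prefixes here. ipaddress.is_private is deliberately NOT used,
# because it also classifies documentation ranges such as 203.0.113.0/24 as
# private, which would hide exactly the external destinations we care about.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# SMB (445) and NetBIOS session (139): the ports an NTLM-leaking UNC path would hit.
SMB_PORTS = {445, 139}


@dataclass
class Flow:
    ts: str
    action: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated log line into a Flow record."""
    ts, action, src, sport, dst, dport, proto = line.split()
    return Flow(ts, action, src, int(sport), dst, int(dport), proto)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(lines: Iterable[str]) -> List[Flow]:
    """Return flows where an internal host talks SMB to a non-internal host.

    DENY records are kept on purpose: a blocked attempt still means something
    on the workstation (for example a mail client following a UNC reminder
    path) tried to authenticate outward, so the host merits investigation even
    though the hash did not leave the network.
    """
    alerts: List[Flow] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if (
            flow.proto == "TCP"
            and flow.dst_port in SMB_PORTS
            and is_internal(flow.src_ip)
            and not is_internal(flow.dst_ip)
        ):
            alerts.append(flow)
    return alerts


def count_by_source(alerts: Iterable[Flow]) -> Dict[str, int]:
    """Aggregate alerts per internal source host for triage ordering."""
    counts: Dict[str, int] = {}
    for flow in alerts:
        counts[flow.src_ip] = counts.get(flow.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_LOGS.splitlines())
    for h in hits:
        print(f"{h.ts} {h.action:5} {h.src_ip} -> {h.dst_ip}:{h.dst_port}")
    print(count_by_source(hits))
```

Internal-to-internal SMB (the first sample line) is normal file-share traffic and is ignored; the three remaining 445 flows to external addresses, including the one the firewall already denied, are the events worth alerting on and correlating with endpoint telemetry.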
APT28 has a long history of targeting both private organizations and government entities around the world. This campaign has drawn significant international condemnation, with the U.S. Justice Department calling on Russia to “stop this malicious activity and abide by its international commitments and obligations” and Czech authorities stating, “attacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based”. While the public disclosure of this recent campaign is likely to force the group to alter its tactics, similar activity is almost certain to continue.
This week, APT28 was attributed to an unrelated campaign targeting the Polish Government. The group employed phishing emails with links to ZIP archives disguised as images. The archives contained malicious executable files that used DLL side-loading to execute batch scripts and download further malicious payloads. APT28 maintains a wide variety of initial access methods, including malware, vulnerability exploitation, and social engineering. As such, organizations need to employ a defence-in-depth approach to security that includes vulnerability management, network and endpoint security, and log monitoring.
The eSentire Threat Intelligence team continues to track activity associated with Russian state-sponsored threat actors, including APT28. eSentire Managed Vulnerability Service has plugins in place to identify devices vulnerable to CVE-2023-23397. eSentire Managed Detection and Response for Network has detections in place to identify CVE-2023-23397 exploitation. Additionally, the eSentire product suite includes a variety of detections for Tactics, Techniques, and Procedures (TTPs) known to be employed by APT28.
Bottom Line: Despite significant law enforcement pressure disrupting its operations and revealing its leadership, the LockBit ransomware gang remains active and continues to target organizations worldwide.
In February 2024, a taskforce operating under the name Operation Cronos, composed of law enforcement organizations from Australia, Canada, Finland, France, Germany, Japan, the Netherlands, New Zealand, Poland, Sweden, Switzerland, Ukraine, the United Kingdom, and the United States, announced the disruption of the LockBit ransomware gang’s operations. As part of this announcement, LockBit’s servers in several countries were taken down, two arrests were made, over 200 cryptocurrency accounts were frozen, 14,000 accounts related to exfiltration or infrastructure were identified, and the United Kingdom’s National Crime Agency (NCA) took control of LockBit’s remaining infrastructure.
On May 5th, the NCA resurrected the seized platform to reveal the depth of its investigation into the gang, teasing new information about LockBit's operations through a series of countdowns. They shared how the gang allegedly did not delete data as promised after ransom payments, undermining their credibility further.
Also on May 5th, the City of Wichita disclosed they were the victims of a disruptive cyberattack, for which the LockBit ransomware gang claimed responsibility. This incident significantly impacted the city’s infrastructure, affecting services crucial to daily operations and public welfare. The city's IT network was compromised by ransomware, leading to the encryption of crucial data and forcing city authorities to shut down several IT systems. LockBit escalated the situation by listing the City of Wichita on their extortion portal shortly after the attack, threatening to publish all stolen files unless a ransom was paid by May 15, 2024. This rapid move to extortion was notably aggressive, given that ransomware groups typically allow more time for negotiations. As of the latest updates, multiple public services in Wichita, such as library systems, public Wi-Fi, and automated services, remain offline.
On May 7th, the NCA formally identified Dmitry Khoroshev as LockBitSupp, a key leader of the LockBit ransomware gang; Dmitry was allegedly the administrator and developer of LockBit. Additionally, the UK along with the United States and Australia sanctioned Dmitry, implementing travel bans and freezing his assets. In response, LockBitSupp stated, in Russian, “It’s not me, I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?” While LockBitSupp denies the allegations, the U.S. Department of State has placed a $10 million bounty for information leading to the arrest and/or conviction in any country of Dmitry Khoroshev.
Recent events surrounding the LockBit ransomware gang highlight the evolving challenges faced by global cybersecurity efforts. Coordinated actions like Operation Cronos have demonstrated the potential impact of international law enforcement when agencies collaborate, managing to infiltrate LockBit’s darknet operations and disrupt its infrastructure. Identifying the gang's leadership was a significant step forward, but LockBit's rapid move to extortion and continued targeting of organizations like the City of Wichita emphasize its adaptability and resilience.
The City of Wichita's breach showcases the destructive impact ransomware can have on public infrastructure, disrupting essential services and requiring painstaking recovery efforts. Healthcare systems face even more dire consequences, as evidenced by the recent LockBit attack on Hôpital de Cannes in France. Despite previous law enforcement disruptions, LockBit successfully breached the hospital, stealing sensitive patient data and demanding a ransom. The attack underscores how ransomware can jeopardize patient care and data integrity, with the release of confidential medical information causing lasting harm. These incidents illustrate the importance of comprehensive response strategies, as well as robust cybersecurity measures to protect critical systems.
Organizations can significantly strengthen their defenses against ransomware like LockBit by adopting a defense-in-depth strategy, which relies on layering various security measures. First, network segmentation isolates key systems to contain malware spread, while regular, encrypted backups provide a secure fallback if systems are compromised. Advanced endpoint security tools, such as antivirus and Endpoint Detection and Response (EDR), detect and block suspicious activity, complemented by Multi-Factor Authentication (MFA) to prevent unauthorized access. Educating employees through security awareness training reduces the chances of successful phishing attacks and other exploits stemming from human error. Furthermore, ransomware threat actors often use stolen user credentials to masquerade as legitimate users and gain access to an environment without being immediately detected. Organizations that also monitor the dark web for their credentials exposed through breaches and infostealer logs are more resilient to ransomware.
Additionally, vulnerability management, which includes frequent software updates, patching, and regular vulnerability assessments, proactively addresses potential weaknesses. Developing an incident response plan ensures organizations can swiftly identify, contain, and recover from attacks while maintaining proper communication and legal protocols. Collaborating with other organizations through threat intelligence sharing is crucial for anticipating and defending against emerging tactics. Collectively, these strategies offer a comprehensive defense-in-depth approach that minimizes vulnerabilities, accelerates detection, and ensures efficient mitigation.
The ongoing cat-and-mouse game between LockBit and law enforcement reveals the persistent necessity for enhanced global cooperation, intelligence-sharing, and streamlined legal frameworks. Ultimately, future strategies to counter ransomware will depend on agile defensive measures, education on the risks, and fostering international collaboration to outpace the sophistication of cybercrime networks.
Bottom Line: Russian threat actors are employing Large Language Models (LLMs) in information campaigns to spread propaganda, influence public opinion, and sow discord. The CopyCop influence operation exemplifies how these actors are exploiting LLMs to manipulate and disseminate influence content at scale.
On May 9th, Recorded Future released a report on the CopyCop influence network. This network is a Russia-aligned operation that uses Large Language Models (LLMs) to plagiarize, translate, and edit political content on divisive topics such as the Ukraine conflict, the Israel-Hamas war, and U.S. elections. The threat actors tailor content for specific audiences in the U.S., UK, and France, aligning it with pro-Russian narratives.
CopyCop operates at a large scale using affiliated websites, social media, and forums to disseminate its content, intricately linked to the disinformation outlet DCWeekly, which is managed by John Mark Dougan, a U.S. citizen who fled to Russia in 2016. CopyCop collaborates closely with Russian state-sponsored actors such as Doppelgänger and Portal Kombat to extend its reach. The network also bolsters disinformation efforts by amplifying content from fronts like the Foundation to Battle Injustice (FBR) and InfoRos. The FBR has previous connections to the Russian oligarch Yevgeny Prigozhin, while InfoRos functions as an inauthentic news agency, likely operated by Unit 54777 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In a strategic expansion of its influence capabilities, CopyCop launched XposedEm in April 2024, a self-hosted video-sharing platform and forum, further diversifying its tools for spreading disinformation.
Initial campaigns focused on Ukrainian audiences, using Coordinated Inauthentic Behavior (CIB) across hundreds of social media accounts. These campaigns aimed to erode confidence in Ukraine’s military and political stability. Later campaigns in the U.S. and Germany used newly established but fraudulent news outlets. The U.S. campaign sought to deepen divisions ahead of the 2024 election by amplifying anti-LGBTQ+ sentiments, criticizing the U.S. military, and exploiting debates about American support for Ukraine. In Germany, the operation highlighted economic and social challenges to undermine government trust and bolster nationalism.
The cornerstone of CopyCop's operation lies in its use of generative AI and large language models to edit authentic news content and inject political biases, enhancing credibility while shaping narratives to match its objectives. By using AI, CopyCop can rapidly create scalable disinformation that resonates with various audience segments. This strategic utilization of AI allows the network to reach broader audiences efficiently and tailor its content with a high degree of specificity, making the disinformation more persuasive.
CopyCop’s focus on the Ukraine conflict, Israeli military actions, and U.S. politics is specifically designed to exploit existing divisions and erode confidence in democratic institutions. The group adapts its messaging to target audiences in the U.S., UK, France, and other Western nations, heightening societal divisions to amplify its impact. CopyCop leverages its influence operations to manipulate public perception, aiming to interfere with elections, fuel political discord, and undermine governmental stability.
A key element of CopyCop’s campaign is its advanced technological infrastructure. The network uses tools like Matomo and Keitaro to measure engagement and refine its tactics, making it adept at scaling operations and ensuring its campaigns remain effective. This level of organization indicates a well-funded, technologically proficient operation capable of continuously adapting its tactics based on audience reactions and engagement metrics.
Influence campaigns are difficult to combat because they rely on a combination of partially true and fabricated information along with previously established political lines. Disrupting these campaigns requires information sharing and a coordinated response from global governments, tech companies, and news agencies. Organizations can help minimize the impact of influence operations by training users to recognize leftover LLM prompts and other markers of AI-generated content.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.