Nation-state conflict has come to dominate many of the policy discussions and much of the strategic thinking about cybersecurity. When events of geopolitical significance hit the papers, researchers look for parallel signs of sub rosa cyber activity carried out by state-sponsored threat actors—espionage, sabotage, coercion, information operations—to complete the picture. After all, behind every story may lurk a cyber campaign.
But ordinary criminals read the newspaper too and are keenly aware of the bias some researchers bring to the table. Exploiting that bias can provide additional camouflage, another layer of seeming invisibility, making threat actors harder to detect.
In this Threat Intelligence Bulletin, we’ll show how an investigation into the apparent targeting of a state-owned Russian oil company led to the uncovering not of a state-sponsored campaign but of the bold activity of what we believe to be a criminal effort motivated by the oldest of incentives—money.
Background
Rosneft calls itself the world’s largest publicly traded oil company, and, according to recent analysis in the New York Times, it is also a prominent foreign policy tool of the Russian government. More than half of the company is owned by Moscow and serves as a major pillar of critical infrastructure for Russia as well as other neighboring nation states.
So when a deal reportedly worth an excess of $10 billion was announced to take nearly 20% of the company private, news organizations around the world took note.
The deal quickly became the subject of international political intrigue: Who were the buyers? Why was it sold? Who brokered the deal? Facts that became even more apparent when the transaction received conspicuous mention in the now-infamous Steele Dossier.
Reporters, business leaders, and international observers also focused scrutiny on Rosneft in part because the deal was, according to news reports, fraught with delays and setbacks and came to involve a cast of characters that reportedly included a former Qatari diplomat turned head of a sovereign wealth fund.
Everything we learned about Rosneft in the last few years—its status as critical infrastructure, the huge sums of money involved in its privatization, its domestic and international political significance—made it a highly likely and legitimate target of foreign espionage efforts.
Indeed, when we at Cylance first saw the name “Rosneft” emerge in our research, we thought that was exactly what we were looking at: another state or state-sponsored espionage effort.
But we soon discovered that our initial impressions were flawed.
Evolution of a Threat
In July 2017, Cylance stumbled upon some interesting macros embedded in Word documents we uncovered in a common malware repository that seemed to be aimed at Russian-speaking users. We observed the same type of document resurface in the beginning of 2018 and decided to take a closer look.
Upon closer inspection, we noticed that the malware author meticulously used command and control (C2) domains which very closely mimicked their real counterparts in the Russian oil and gas industries, in particular Rosneft and subsidiaries of Rosneft.
As we investigated further, we discovered that the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges.
The first Rosneft-related site we came across was “rnp-rosneft[.]ru” which was designed to resemble the legitimate webpage “mp-rosneft[.]ru”. The only reference to this domain we could identify was the email address “sec_hotline@mp-rosneft[.]ru” which was used by Rosneft for confidentially reporting corporate fraud, corruption, and embezzlement.
After a bit of malware excavation, we discovered that the author had been operating for more than three years with very few changes to the actual malware used other than his/her targets. Interestingly, we uncovered evidence that suggests the actor started out targeting the gaming community, specifically users of Steam, then quickly evolved to more lucrative endeavors.
Technical Analysis
Phishing Documents Analysis
Cylance researchers identified several phishing documents which used Microsoft Office macros to deliver malicious implants to their targets. It’s not entirely clear whether these were specifically targeted at isolated groups or utilized the old spray-and-pray method to cast a much wider net. Let’s take a look at one:
SHA256: 7bb9f72436bcbb5fcb190ebc2cce77e1ea41ba0e6614bf2347b4514e7d65da4a
Filename: На ознакомление.doc ~ For Review.doc
