An analysis of two Department of Homeland Security reports focusing on Russia’s reputed interference in the 2016 U.S. election revealed multiple commonalities between the infamous hacking campaign, dubbed Grizzly Steppe, and activity by the Carbanak cybercrime group.
TruSTAR, the threat intelligence exchange provider that conducted the research, has cautioned that its findings do not necessarily mean that APT 28 (Fancy Bear) or APT 29 (Cozy Bear), the two Russian government-sponsored threat groups tied to Grizzly Steppe, are one and the same as Carbanak, which is also tied to Russia and has garnered a reputation for stealing from financial institutions. Still, one also cannot summarily dismiss the notion that the groups are somehow related or share certain personnel, especially because they have adopted similar tactics, techniques and procedures (TTPs).
In a Friday blog post, TruSTAR CEO Paul Kurtz offered possible explanations for the overlap between these threat actors, suggesting, for example, that Grizzly Steppe actors may be borrowing infrastructure used by Carbanak as an efficient or lazy shortcut.
Or perhaps Carbanak hackers are repurposing the work of Fancy Bear or Cozy Bear to falsely portray themselves as Russian operatives in order to deceive analysts. “This is possible thanks to the highly collaborative dark web, where information sharing and open toolkits are very common,” Kurtz wrote in the blog.
Or the truth could be some combination of the above.
Kurtz told SC Media in an interview that Grizzly Steppe and Carbanak’s mutual TTPs include shared registry keys, exploits of vulnerabilities, URLs and software. He specifically cited the active exploitation of critical Adobe Flash Player use-after-free vulnerability CVE-2016-7855, as well as the expert use of PowerShell code, which requires sophisticated technical knowhow.
“The TTP connections of Grizzly Steppe and Carbanak’s PowerShell deployment are interesting because the workflow and logic followed the same pattern,” said Kurtz. “Both groups use PowerShell to bypass UAC [User Account Control]… install backdoors and handle encryption,” as well as to run hidden command prompts that remove services the attackers launched in order to run custom scripts, delete files and scan for sandbox environments, he added.
To conduct its analysis, TruSTAR amassed the contents of a Dec. 29, 2016 DHS-FBI Joint Analysis Report on Grizzly Steppe as well as a more detailed DHS report issued on Feb. 10, 2017, and compared them with cyber intelligence that was gathered on Carbanak and shared on the company’s intel exchange platform.
While the similarities between Grizzly Steppe and Carbanak might be intriguing to observers, Kurtz stressed that the attribution of these campaigns is not as important and understanding how they are carried out. “What really helps us solve the problem is to understand the instrumentations they’re using in order to succeed, agnostic of who the actor is,” said Kurtz, adding that TruSTAR’s findings emphasize the importance of governments and the private sector collaborating together on sharing threat data to create meaningful intelligence.
Alexis Dorais-Joncas, intelligence team lead at ESET, which has published voluminous analysis of APT 28 (ESET calls the group Sednit), was not especially convinced by the TruSTAR report.
“The source code of Carberp, the malware used by the Carbanak group at a certain time, was leaked online in 2013. We have seen many malware families and groups integrate some code from Carberp into their own malware over time, Sednit being no exception. We do not consider this to be a strong overlap between the two gangs,” said Dorais-Joncas in an email interview with SC Media.
“As for infrastructure [reuse] between groups, TruSTAR did not provide any evidence of this (except a fancy visualisation that can’t be verified for its accuracy), and it is not something ESET has seen in the past. Care must be taken when assuming infrastructure reuse between groups, as the groups could simply be using the same infrastructure suppliers…” Dorais-Joncas added.