
Russian Intelligence Services Targeting Commercial Messaging Applications Campaign
Indicators of Compromise
APT Groups (4)
Summary of Actor: Turla Group, also known as Snake or Uroburos, is a sophisticated Russian-speaking cyber-espionage group. It has been active since at least 2004 and is known for targeting government, military, and diplomatic sectors globally. The group employs advanced malware and stealth techniques to maintain long-term access to target networks.

General Features: Turla is known for its sophisticated malware tools, such as Snake, Turla, and Carbon. They use watering hole attacks, spear-phishing emails, and custom malicious software. The group operates with strategic goals, often aligned with Russian geopolitical interests.

Related Other Groups: APT28, APT29, Dragonfly

Indicators of Attack (IoA):
- Unusual DNS queries
- Suspicious network traffic patterns
- Usage of PowerShell and other scripting tools
- Malicious Office Document attachments
- Usage of compromised infrastructure for C2 servers

Recent Activities and Trends:
- Latest Campaigns: In recent years, Turla has been observed leveraging COVID-19 themes in spear-phishing campaigns. They have also been linked to attacks on European governments and institutions, emphasizing their focus on political espionage.
- Emerging Trends: Turla has been increasingly using cloud services for Command-and-Control (C2) infrastructure, as well as evolving their malware to evade modern detection mechanisms.
Summary of Actor: ELECTRUM is a sophisticated and highly capable threat actor group believed to operate out of Russia. They are primarily known for their association with infamous destructive malware attacks such as NotPetya. The group is believed to have ties with Sandworm Team.

General Features: ELECTRUM is characterized by their use of custom-built malware and zero-day exploits. They are known for highly coordinated and destructive cyber attacks targeting critical infrastructure, particularly in Ukraine. ELECTRUM leverages spear-phishing and other social engineering techniques to gain initial access.

Related Other Groups: Sandworm Team, TeleBots, APT28

Indicators of Attack (IoA):
- Suspicious network traffic to uncommon domains
- Use of custom malware such as Industroyer and NotPetya
- Unexpected system reboots or crashes
- Unauthorized access to admin credentials

Recent Activities and Trends:
- Latest Campaigns: Recently, ELECTRUM has been linked to a series of attacks targeting electrical grid operators in Ukraine, resulting in temporary power outages and operational disruptions. The use of sophisticated spear-phishing campaigns was noted in these attacks.
- Emerging Trends: There has been an observable shift towards targeting critical infrastructure outside of Ukraine, including sectors like healthcare and financial services. An increase in the use of ransomware tactics also indicates a possible pivot to financially motivated attacks.
Summary of Actor: Ghostwriter is a cyber espionage campaign attributed to threat actors tied to Belarus with suspected associations to Russia. They are known for influence operations that focus on forging documents and spreading disinformation to undermine political stability.

General Features: Ghostwriter typically engages in disinformation campaigns and military espionage, notably through credential phishing, website impersonation, and other malicious cyber activities aimed at information theft and manipulation.

Related Other Groups: APT28, UNC1151

Indicators of Attack (IoA):
- Credential phishing
- Document forgery
- Website defacement
- Disinformation campaigns

Recent Activities and Trends:
- Latest Campaigns: Recently, Ghostwriter has been linked to phishing campaigns targeting NATO members and European governments, in addition to defacing news websites to spread false information.
- Emerging Trends: Increasing focus on disinformation campaigns aimed at discrediting political opponents and creating unrest within Europe, including leveraging social media platforms to amplify their messages.
Overview: UAC-0185 is a Russia-linked cyber espionage threat actor active since at least 2022. The group primarily conducts phishing campaigns targeting Ukrainian defense organizations and military personnel to steal credentials from messaging applications and specialized military systems.

Key Characteristics:
- Sophisticated spear-phishing with tailored lures impersonating legitimate Ukrainian entities.
- Focus on credential theft from secure communication tools and defense-specific platforms.
- Limited use of remote access tools for deeper system compromise.
- Alignment with Russian intelligence interests in disrupting Ukrainian military capabilities.
- Evolution of phishing infrastructure and delivery methods over time.

Indicators of Attack:
- Phishing emails disguised as official invitations or communications from defense-related organizations.
- Malicious links or attachments leading to credential harvesting pages or malware downloads.
- Targeting of accounts in Signal, Telegram, WhatsApp, and systems like DELTA, TENETA, and Kropyva.
- Deployment of remote access tools on compromised endpoints.
- Use of compromised legitimate servers for email distribution.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION/DETECTION
| Technique | Tactic | Detection Strategy | Strategy Name | Analytic | Analytic Description |
|---|---|---|---|---|---|
| Spearphishing Link | Initial Access | Detection Strategy for Spearphishing Links | Windows | Correlation of inbound messages with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains; malicious URL delivered, user click recorded, browser process spawned. | |
| Spearphishing via Service | Initial Access | Detection Strategy for Spearphishing via a Service across OS Platforms | Windows | Spearphishing attempts delivered via third-party messaging services leading to malicious file downloads or browser-initiated script execution; correlate external-service logins and unexpected navigation. | |
| Spearphishing Link | Reconnaissance | Detection of Spearphishing Link | PRE | Monitor for suspicious message activity such as many accounts receiving messages from a single unknown sender; DKIM/SPF and header analysis help detect spoofed senders. | |
| Impersonation | Stealth | Detection Strategy for Impersonation | Windows | Detect messages where the sending account or display name (e.g. fake 'Signal Support') does not match the underlying address, and abnormal volumes of support-themed lures. | |
| Malicious Link | Execution | User Execution - Malicious Link | Windows | Behavioral chain: a user-facing app handles a link, the same process lineage makes an outbound connection to an untrusted domain, then a file is downloaded or a device-linking URI is invoked. | |
| Multi-Factor Authentication Interception | Credential Access | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | Windows | Behavior chain involving capture of one-time codes / verification PINs and reuse of intercepted authentication material from sessions not initiated by local user interaction. | |
| Device Registration | Persistence | Suspicious Device Registration via Entra ID or MFA Platform | Identity Provider | Adversary registers a new device to a compromised account to gain persistent access; detect anomalous device-link / enrolment events on the account. | |
| Data from Local System | Collection | Detection of Local Data Collection Prior to Exfiltration | Windows | Local files collected via PowerShell, WMI, or direct file API calls, with recursive listings, targeted reads (e.g. Signal db.sqlite / config.json) and temporary staging. | |
| PowerShell | Execution | Abuse of PowerShell for Arbitrary Execution | Windows | Behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules, potentially followed by network connections (Turla Signal-theft script). | |
| Windows Command Shell | Execution | Behavioral Detection of Windows Command Shell Execution | Windows | Interactive or scripted abuse of cmd.exe / batch files (e.g. WAVESIGN, Robocopy staging); focus on anomalous parent-child relationships and command-line parameters. | |
| Exfiltration to Cloud Storage | Exfiltration | Detection Strategy for Exfiltration to Cloud Storage | Windows | Unusual processes accessing large local files then initiating HTTPS requests to cloud-storage domains; Rclone uploads of Signal database content (WAVESIGN). | |
| Automated Collection | Collection | Automated File and API Collection Detection Across Platforms | Windows | Automated execution of native utilities/scripts to discover and harvest files periodically (e.g. WAVESIGN repeatedly querying the Signal database). | |
| Local Data Staging | Collection | Detection of Local Data Staging Prior to Exfiltration | Windows | File reads across locations followed by writes to temp/staging directories, often compressed or encrypted, prior to exfiltration (Robocopy staging of Signal directories). | |
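The PowerShell, Windows Command Shell, Exfiltration to Cloud Storage and Local Data Staging rows describe behavioural chains rather than single indicators. The following is an added example, not code from the original page, that turns three of those rows into simple matchers run over constructed Sysmon-style process-creation events: encoded PowerShell under a user-facing parent, cmd-driven Robocopy staging of a Signal profile into a temp directory, and an Rclone upload of the staged Signal database to a cloud remote. The event field names, parent-process list and sample command lines are assumptions.

```python
import re
from collections import namedtuple
# Event shape is an assumption modelled on Sysmon-style process-creation records.
ProcEvent = namedtuple("ProcEvent", "image parent cmdline")
SIGNAL_ARTIFACTS = ("signal", "db.sqlite", "config.json")  # Signal profile markers
STAGING_DIRS = ("\\temp\\", "\\public\\")                   # common staging locations
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "signal.exe",
                       "telegram.exe", "chrome.exe", "msedge.exe"}
# -EncodedCommand and the abbreviated prefixes PowerShell also accepts.
ENCODED_FLAG = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s")
# rclone "<remote>:<path>" syntax; two-plus letters so a C:\ drive path does not match.
RCLONE_REMOTE = re.compile(r"\s[a-z][a-z0-9_-]+:")

def encoded_powershell(ev):
    """PowerShell row: encoded command launched by an unusual, user-facing parent."""
    cl = f" {ev.cmdline.lower()} "
    return (ev.image.lower() == "powershell.exe" and ENCODED_FLAG.search(cl) is not None
            and ev.parent.lower() in USER_FACING_PARENTS)

def signal_staging(ev):
    """Command Shell + Local Data Staging rows: cmd-driven Robocopy of a Signal profile to temp."""
    cl = ev.cmdline.lower()
    return (ev.image.lower() == "robocopy.exe" and ev.parent.lower() == "cmd.exe"
            and any(a in cl for a in SIGNAL_ARTIFACTS) and any(d in cl for d in STAGING_DIRS))

def rclone_cloud_upload(ev):
    """Exfiltration to Cloud Storage row: rclone pushing Signal data to a cloud remote."""
    cl = ev.cmdline.lower()
    return (ev.image.lower() == "rclone.exe" and any(v in cl for v in ("copy", "sync", "move"))
            and any(a in cl for a in SIGNAL_ARTIFACTS) and RCLONE_REMOTE.search(cl) is not None)

ANALYTICS = {"encoded_powershell": encoded_powershell, "signal_staging": signal_staging,
             "rclone_cloud_upload": rclone_cloud_upload}

def run_detections(events):
    """Return (analytic_name, event_index) for every event an analytic matches."""
    return [(name, i) for i, ev in enumerate(events)
            for name, fn in ANALYTICS.items() if fn(ev)]

# Constructed sample events, not real telemetry: three malicious, two benign.
SAMPLE_EVENTS = [
    ProcEvent("powershell.exe", "winword.exe",
              "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"),
    ProcEvent("robocopy.exe", "cmd.exe",
              r'robocopy "C:\Users\u\AppData\Roaming\Signal" "C:\Windows\Temp\st" /E'),
    ProcEvent("rclone.exe", "cmd.exe",
              r"rclone copy C:\Windows\Temp\st\sql\db.sqlite gdrive:backup"),
    ProcEvent("powershell.exe", "explorer.exe", "powershell.exe Get-Process"),
    ProcEvent("robocopy.exe", "cmd.exe", r"robocopy D:\share E:\backup /MIR"),
]
```

Running `run_detections(SAMPLE_EVENTS)` flags the first three events, one per analytic, and leaves the two benign administrative commands alone; in production the same matchers would be fed from the endpoint's process-creation telemetry and chained on parent/child lineage as the table describes.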