As the lines between nation-state bad actors and ransomware gangs continue to blur, one thing becomes clear—cyberattacks will continue. It’s not a matter of if it will happen but when. Cyber resilience is key.
Part one of this blog series examined the recent history of ransomware and wiper attacks and the prevalent nation-states that use these types of cyberattacks. This second blog examines recent trends and tactics these cyberattackers use and what can be done to reduce the risk of these attacks.
Ransomware as a false flag for a wiper attack
The Sandworm threat actor has been responsible for most of the destructive cyberattacks aimed at Ukraine. Some of these have been false-flag operations that appear to be ransomware but, by supplying no functioning recovery feature, are, in fact, wiper attacks.
In 2017, Sandworm launched its most notorious attack: NotPetya. It was meant to focus on Ukraine but took down systems worldwide instead. The White House said its economic impact was over $10 billion. As the war in Ukraine endures, Sandworm has been seen to expand its efforts beyond destruction to include intelligence collection from Ukraine and its allies.
A few weeks before the Russian invasion of Ukraine in 2022, two waves of wiper attacks, HermeticWiper and WhisperGate, purported to be ransomware, were launched. Once again, these attacks targeted machines in Ukraine but impacted systems outside the country, including Latvia and Lithuania.
Some HermeticWiper attacks were observed inside the victim networks for months, with initial access as early as November 2021 gained by exploiting vulnerabilities in Microsoft Exchange. HermeticWiper used a signed driver from EaseUS Partition Manager to evade Windows Driver Signature Enforcement and corrupt the Master Boot Record. HermeticWiper also deployed a simplistic Golang-based encryptor to some systems; it lacked the sophistication of the rest of the attack chain, leading many cyber threat intelligence analysts to conclude that the ransomware component was a smokescreen for the wiper attack.
WhisperGate had a similar mode of operation: corruption of a system’s Master Boot Record, then encryption of files with specific extensions before displaying a fake ransom note. Even if victims paid the ransom, it has been determined that they would still be unable to recover their data.
Sandworm and Cadet Blizzard
Both Sandworm and Cadet Blizzard groups are affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Cadet Blizzard initially became active immediately following the Russian invasion of Ukraine in January 2022, focusing its attacks on Ukrainian government organisations. A period of reduced operations followed. Cadet Blizzard again increased its operations in January 2023 with an expanded scope that included systems in Ukraine and across Europe, Central Asia, and Latin America.
Cadet Blizzard’s initial access is through exploiting common vulnerabilities in open-source software, web and email servers, and Confluence servers. Once inside a victim’s infrastructure, Cadet Blizzard typically dwells for several months before activating its WhisperGate wiper. Common strategies include using defence evasion techniques to disable end-point security solutions like EDR/XDR and using a victim’s existing IT tooling to move laterally across the network, escalate privileges, and maintain persistence.
Iran-affiliated threat actors
While Iran’s Ministry of Intelligence and Security (MOIS)-linked Scarred Manticore threat group has been conducting espionage-focused operations targeting Albania and Israel, it has been handing over the initial access it gained to another MOIS-affiliated group, Void Manticore, which uses this access to wipe systems. Scarred Manticore conducts its espionage operations, typically dwelling for over a year, using its sophisticated Liontail malware framework and the reGeorg webshell. Once Scarred Manticore has gained sufficient raw intelligence from the victim, it passes access to the victim’s systems over to Void Manticore, which then focuses on destroying systems, data, and the ability to recover. The Void Manticore arsenal includes a variety of mechanisms for the destruction of data, ranging from zeroing a disk’s partition tables to targeting and corrupting specific files.
Over the past two years, MOIS has continued to sponsor or directly conduct destructive campaigns hidden behind hacktivist fronts that claim responsibility and justify their actions. In July 2022, a front named HomeLand Justice attacked the Albanian government, disrupting government websites and public services. They have been using the ChimneySweep malware and ZeroCleare wiper tools, more recently complemented by ransomware known as “Roadsweep.”
The DarkBit persona is another Iranian example. In February 2023, the MuddyWater threat actor attacked the Technion Israel Institute of Technology in Haifa with a destructive operation disguised as ransomware, using a front named “DarkBit group.” MuddyWater carried out the initial intrusion and handed off access to the DarkBit intrusion set, which conducted extensive reconnaissance, established persistence, and moved laterally before launching a destructive command.
North Korean-affiliated threat actors
Earlier in 2024, a North Korean threat actor, Moonstone Sleet, developed the FakePenny ransomware, which it used to monetise access to systems in the aerospace and defence industry after first exfiltrating sensitive data from their networks.
China-aligned threat actors
Two China-aligned threat actors, “Stone Panda” and “Cinnamon Tempest,” use the HUI Loader malware to deploy the remote access trojans PlugX, Cobalt Strike, and QuasarRAT. In March 2022, Stone Panda started to incorporate more sophisticated defence evasion techniques and used the persistence it gained with Cobalt Strike to deploy multiple strains of ransomware, mainly derived from the Babuk source code leaked in 2021. Stone Panda quickly abandoned any attempt to monetise the encryption of files, leading to speculation that the tactic may have been to mask espionage operations as ransomware attacks.
The blurring line between nation-state and ransomware gangs
Active since 2017, the Iranian state-aligned threat actor Pioneer Kitten, or Fox Kitten, initially focused on gaining and maintaining access to a broad range of entities possessing sensitive information of likely intelligence interest to the Iranian government, including:
- Academic institutions
- Aviation
- Chemical
- Defence
- Engineering
- Financial services and insurance
- Government
- Healthcare
- Manufacturing
- Media
- Retail
- Technology
Pioneer Kitten’s primary means of initial access is exploiting remote access solutions and network appliances. In July 2020, Pioneer Kitten was seen attempting to sell its access and persistence inside these networks on underground criminal forums. In 2024, the U.S. Federal Bureau of Investigation (FBI) determined that Pioneer Kitten had started collaborating with several ransomware gangs, including ALPHV/BlackCat, NoEscape, and Ransomhouse. Pioneer Kitten’s role in enabling these ransomware operators appeared to go beyond providing initial access in the manner of an Initial Access Broker—instead, it played an active role in facilitating encryption, locking down networks to hamper response efforts, and participating in the extortion of victims.
It is not a one-way street, with governments only helping criminal gangs gain access and maintain persistence. The Russian cybercrime group Storm-2049 has been seen using the Xworm and Remcos Remote Access Trojan malware that it had previously used for cybercrime to breach over 50 military targets in Ukraine.
The Chinese-aligned ChamelGang or CamoFei has been targeting government and critical infrastructure for espionage in East Asia, India, and Brazil. At the end of espionage operations, it deploys the CatB ransomware, making it another group blurring the line between cyber espionage and cybercrime. The White House released a press release in July 2021 outlining the threat’s size, “We are aware that [People’s Republic of China] government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars.”
What can be done to reduce the risk of these attacks?
These determined and highly skilled adversaries are adept at evading security controls like EDR, XDR, and driver signing. They encrypt and destroy data seemingly at a whim, or hand access to systems off to those who will. Couple this with increasing geopolitical tensions between the West and countries willing to launch destructive cyberattacks not just against critical infrastructure—but against any organisation whose loss could harm the target country’s economy.
The sophistication of this adversary means we must assume a breach—or at least that we can be breached. The days of senior cybersecurity executives assuring their boards that, given enough budget and headcount, they can prevent all attacks are over. Just look at the logos of the organisations that have suffered highly disruptive ransomware attacks over the past few years. Many had budgets well into double-digit and even triple-digit millions and security teams of hundreds. The reality is that the motivation is too high, the attack surface is too broad, and the adversary is too adaptive to prevent every attack, so we must move to a posture of resilience.
The importance of cyber resilience
What does cyber resilience mean? First, we need to architect and build for the worst possible scenarios. With the Cohesity Clean Room solution, this means making sure you can recover not just the production systems that deliver products and services to customers, but also your response capability, to a trusted state. That lets your security and IT teams, before they start to recover, make sure that they don’t reintroduce the vulnerabilities exploited by the attacker, that they address the gaps in controls to stop a similar future attack and prevent evasion, and that they remove the artefacts of the attack that would otherwise reinfect systems seconds after recovery.
This isn’t just a technology problem. The right processes and skills need to be developed and integrated between the security teams that determine the root cause and the IT teams that bring the systems back to a safe state—informed by what the security teams found. Too often, a destructive cyberattack is seen as purely a “disaster recovery” issue and handed wholesale to the BC/DR team, which fails to build enough threat hunting and forensics capability into their process. This can often result in dozens of failed recoveries and reinfections.
At the same time, security teams must realise that some of the tools they rely on for business-as-usual security operations may be destroyed, evaded, or unreachable. All incident response methodologies, including NIST SP 800-61r2 and the SANS Institute six-step incident response process, mandate containment in destructive cyberattacks. Yet many organisations have moved security controls to the end-points, which then become islands once they are contained.
How do you use remote forensic imaging software when you’ve just disconnected the network or host? How do you understand your regulatory obligations to notify data subjects or regulators, because you can’t classify encrypted or wiped data looking for PII? Then there’s the fact that the skilled adversary now owns these end-points where controls reside. How confident are we of the signals we’re getting? And how can we conduct our investigation and mitigation tasks in an environment where we can’t be observed or disrupted?
How Cohesity can help
The answer to many of these questions already exists inside most organisations: your backup. As long as your selected vendor has thought through the operational requirements of incident response and recovery from a people, process, and technology perspective, your backup is your secret weapon in dealing with these blurring lines between nation-states and ransomware gangs. So, how do we expand our backup use cases to provide resilience against these skilled and determined adversaries?
- Protect your backups: Implement security best practices like Zero Trust principles, multifactor authentication, least privilege, separation of duties, and 3-2-1 backup strategies. Cohesity DataProtect supports these concepts.
- Augment your detection capabilities with ones that can’t be evaded: The defence evasion tactic of MITRE ATT&CK has more techniques in it than any of the others, with many focused on end-point security. Using your Cohesity backups for threat-hunting gives you capabilities that can’t be evaded.
- Cohesity DataProtect provides an anomaly detection capability to detect ransomware and wiper attacks.
- Cohesity DataHawk provides a comprehensive cyber threat intelligence feed of over 100,000 Indicators of Compromise (IOCs) used by ransomware gangs and nation-states that you can passively scan for in a way that isn’t reliant on the susceptible end-point, protecting the scan from evasion. This included threat intelligence feed can be supplemented with internal or other commercial cyber threat intelligence feeds.
- Restore a trusted environment and tooling: The Cohesity Clean Room solution prepares your organisation for the effects of a nation-state attack. What happens if our Identity and Access Management system is wiped or is untrusted? What if our door access control systems were unavailable? What if the firmware on our switches were wiped or compromised? What if our voice-over-IP system had been wiped?
- These are real scenarios that don’t typically fit inside a traditional BC/DR Business Impact Analysis, but these are the first systems needed to start a response to an incident.
- The Cohesity Clean Room has a concept of a rapidly restored Minimum Viable Response Capability that answers those questions—a protected “Jump Bag” that can be stood up quickly, with all the tools and resources needed to kick off the response process.
- Rapid investigation and mitigation: Before we can rebuild or recover systems, we need to understand the incident timeline so we can find the vulnerabilities that need to be patched before systems go back into production, identify gaps or evaded controls that we need to bolster to stop or detect a similar attack if it recurs, and, most importantly, understand how the attack happened so that we can identify and remove all the artefacts.
- This analysis needs to span more than just the encrypted systems. Persistence mechanisms can exist as changes to policy and configuration on other systems, such as GPO objects added to Active Directory.
- Identify patient zero: Imagine going through all the effort of recovering from a ransomware incident, but, having restored all the email without removing artefacts, the phishing email used to kick off the attack is now sitting unread in multiple users’ mailboxes.
- Hunting for IOCs is a critical part of incident response. Still, we must understand the difference between threat hunting and scanning backups for threats in order to declare them “clean.”
- We’ve already discussed proactively hunting for IOCs above. However, reactive, iterative hunting happens throughout the incident response process. During a forensic examination of a machine, we may discover an IOC specific to this particular incident. Being able to feed it back into a hunt that identifies all the other systems across the organisation containing that artefact is a way to ensure the scope of the incident is broad enough to prevent a recurrence.
The Cohesity Clean Room solution creates an isolated investigatory environment for use by the security operations team that can use Cohesity’s extensive integrations with security operations, tooling vendors, and native capabilities of DataProtect and DataHawk to rapidly understand how the incident happened and the next steps to be taken to mitigate the threat. The solution also creates a mitigation environment where IT operations can quickly rebuild systems to a trusted state or recover systems from backup, patch vulnerabilities, bolster missing or evaded controls, and remove any attack artefacts.
Cohesity DataProtect provides a capability to volume mount snapshot images for forensic analysis stored on a platform with a strong chain of custody. This can be orchestrated by a Security Orchestration & Automated Response (SOAR) platform. Tasks like checking a time series of a system’s filesystem to look for malicious changes or extracting suspicious binaries for detonation in a sandbox are just an API call or a couple of clicks away from your security analysts.
Cohesity DataHawk’s threat-hunting capability helps ensure that the scope of your incidents is sufficient across your infrastructure. The best thing about these capabilities? They work even if you’ve followed incident response best practices and have isolated networks and systems, because they’re powered by the data already resident inside Cohesity. No agents need to be deployed, and the capabilities are immune to the kinds of evasion we’re seeing used by the state actors outlined above.
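The reactive hunt described in the bullet list above, and the time-series check of a system’s filesystem described in the previous paragraph, can be reduced to one loop over snapshot manifests. The following is an added example written for this post, not Cohesity code: two constructed in-memory snapshots of one host stand in for mounted backup images, a constructed hash and path stand in for the incident-specific IOC found during forensics, and the snapshot labels, paths and file contents are all assumptions.

```python
import hashlib

# Constructed sample data (not real images): two point-in-time snapshots of
# one host, as {path: (file_bytes, mtime_epoch)}. In practice these would be
# read from mounted backup snapshots rather than held in a dict.
SNAPSHOTS = {
    "2024-03-01T02:00": {
        "/etc/hosts": (b"127.0.0.1 localhost\n", 1700000000),
        "/usr/bin/sshd": (b"ELF-sshd-legit", 1700000000),
        "/home/alice/report.docx": (b"quarterly numbers", 1709000000),
    },
    "2024-03-02T02:00": {
        "/etc/hosts": (b"127.0.0.1 localhost\n", 1700000000),
        "/usr/bin/sshd": (b"ELF-sshd-trojaned", 1709340000),   # modified binary
        "/home/alice/report.docx": (b"quarterly numbers", 1709000000),
        "/tmp/.x/dropper.exe": (b"MZ-dropper", 1709336000),    # new file
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(snapshot: dict) -> dict:
    """Reduce a snapshot to {path: (sha256, mtime)}: hashes are what IOC feeds carry."""
    return {p: (sha256_hex(b), m) for p, (b, m) in snapshot.items()}


def diff_snapshots(old: dict, new: dict) -> dict:
    """Time-series check: paths added, deleted, or whose content hash changed."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p][0] != new[p][0])
    return {"added": added, "deleted": deleted, "modified": modified}


def hunt(snapshots: dict, ioc_hashes: set, ioc_paths: set) -> list:
    """Reactive hunt: scan every snapshot for hash or path IOCs, oldest first."""
    hits = []
    for label, snap in sorted(snapshots.items()):  # ISO labels sort chronologically
        for path, (sha, _mtime) in manifest(snap).items():
            if sha in ioc_hashes:
                hits.append((label, path, "hash"))
            elif path in ioc_paths:
                hits.append((label, path, "path"))
    return hits


def first_seen(hits: list) -> dict:
    """Earliest snapshot per IOC path: bounds when the artefact appeared on the timeline."""
    out = {}
    for label, path, _reason in hits:   # hits arrive oldest-first from hunt()
        out.setdefault(path, label)
    return out
```

Feeding the output of `first_seen` back into the next hunt (for example, hashing every file that changed in the same window) is the iterative loop the post describes; the recovery point to restore from is the last snapshot with no hits.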
- Understand your regulatory obligations: There are many new regulations, such as those from the Securities & Exchange Commission or from the European Union in the form of the Digital Operational Resilience Act (DORA) and the Network and Information Security 2 (NIS2) Directive, that require organisations to report incidents in a timely fashion. In addition, most countries, and even some states, have their own privacy regulations requiring incidents to be reported to impacted data subjects, the regulator, or both. After a destructive cyberattack, many organisations struggle to understand what data was impacted because it has been deleted or encrypted. Cohesity DataHawk can classify the impacted data, using the data under management by Cohesity, to provide accurate reporting.
- Testing and recovery: Before systems go back into production, it’s important to understand whether any of the mitigations undertaken, or the recovery process itself, has affected functionality or performance. The Cohesity Clean Room solution includes a workflow and architecture that supports this testing before final redeployment to production servers.
Learn more
- Sign up for a ransomware resilience workshop
- Get the Moor Insights & Strategy report: “Cohesity creates a new data security powerhouse through Veritas deal”
- Read the blog: Protecting the world’s data from cyberattacks: The Cohesity Cyber Event Response Team (CERT)