Every now and then in the world of cyber threat intelligence, a report is released that changes the game and reshapes our view on the Threat Landscape. Shadows in the Clouds and APT 1 are two of these reports that immediately spring to mind when one applies the “strategically significant” filter to the cyber threat landscape. January 22 saw another significant addition to this growing body of data when the US affiliated Cybersecurity & Infrastructure Security Agency (CISA) released a web page titled “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”
This report was hugely significant for several reasons; in part due to the content of the document and the document’s hyperlinks to other reports that pull together a web of insight on attribution, but more so due to the fact that this was an arm of the US government, backed up by the FBI and NSA, attributing malicious cyber activity squarely to the Russian State authorities. Additionally, the hacking activity laid at the door of the Russian Federation within the publication was not just grifting a few bitcoins every now and then (that means you DPRK!) but was squarely calling out cyber-attacks that threatened critical infrastructure. Given the current geopolitical situation between Russia and the West, with many mainstream news agencies assessing Russian forces as poised to invade the sovereign state Ukraine, the CISA report was provocative to say the least.
Clearly the CISA report was an important moment and I needed to be up to speed with its contents. My usual approach would be to read the document from bottom to top, ingest the contents and derive the “so what?” – however, this time I took a different approach…
Using READ. For Speed
My first action was to pass the CISA document URL into READ. and immediately generate a graph of the STIX entities within the report. Accuracy was not the objective at this point, merely gaining a feeling for the content of the document. I stopped to add a few pieces of metadata such as marking the document as private (hence restricted to myself) and adding a Traffic Light Protocol marking of White. Within a few minutes I was exploring the report in visual format using the six default graph layout options that come within the READ. tool. Manipulating the graph using the ‘drag’ and ‘drop’ functionality created the below image.
Figure 1: CISA’s “Understanding and Mitigating Russian State-Sponsored Cyber Threats…” in graph form
Figure 1 shown above demonstrates the power of READ. to extract multiple clearly defined entities from a body of text. But how does this help the analyst understand the content, you may ask?
Give It A Wiggle
Faced with the above graph shown in figure 1, I applied the tried and tested CTI analyst approach of “the wiggle” – that is grabbing a node (the circles) within the graph and giving them a “wiggle” on the screen. The power of this approach is that it quickly demonstrates which of the nodes are more connected than others, with the underlying principle that the more connected the node the more relevant to deriving a “so what?” from the data that particular node is.
Towards The “so what?”…
The wiggling nodes method quickly bought my attention to the top left of the graph and the Sandworm team’s connection to the multiple malware types shown below.
Figure 2: focusing on the Sandworm Team within the CISA report
Sandworm is the “classic” example of a state/cybercriminal nexus organisation that rose to prominence circa 2015 attacking the Ukrainian power grid with a modified version of the BlackEnergy malware. While I closely watched these attacks unfold at the time, my focus had moved onto other things, and I am not as up to speed with Sandworm as I previously was. The graph shown above in Figure 2 helped bring me more up to speed by the links to the Hatman and CrashOveride, two malwares that I had not heard of up until now.
The insight that I gained from these links was to elevate my appreciation of the Sandworm team’s overall technical capability from the relatively low skilled group that I had seen employing BlackEnergy to the far more competent group that deployed CrashOveride. As the CISA document states “CrashOverride malware represents a scalable, capable platform,” and by default a more experienced and skilled iteration of the Sandworm team.
Drawing Further Insight
Simply pivoting through the six graph layout choices provided more insight into the CISA document. While I have no reason to believe the intelligence presented in the CISA document is anything but the truth, as a CTI analyst I approach any intelligence report with a degree of scepticism, always aware of the threat of bias and how this can skew an analysis. Shown below is the same view presented in Figure 1 but organised with the “KLAY” setting.
Figure 3: CISA’s “Understanding and Mitigating Russian State-Sponsored Cyber Threats…” in graph form organised by the “KLAY” setting
The graph in Figure 3 highlighted by frames A and B shows that the intelligence presented in the CISA document “hangs” off two main elements. Point A is the document itself so we would expect 100% of the entities to be connected to this node. However, I was surprised to see how integral the BlackEnergy malware (Frame B in Figure 3) was to the intelligence put forward within the document.
This fact – the centrality of BlackEnergy to the intelligence within the CISA document – I found to be a little disturbing given the history of BlackEnergy.
Although BlackEnergy is now strongly associated with the Sandworm group and in turn the Russian Federation, we should not forget that BlackEnergy started its life being vended on various Russian language cybercriminal forums as a basic DDOS tool. In fact, the whole story of BlackEnergy, and even the Sandworm group that wields it, is a journey from run of the mill cybercriminal to nation state capability. Journeys like these create links within other parts of the underground that can generate connections where there are none and ultimately create report bias.
Given that READ. has shown how central BlackEnergy is to the arguments put forward within the document and how the backstory of BlackEnergy is one of more advanced tools developing from “off the shelf” malware, I would seek to find additional sources to verify the statement and facts put forward within the CISA document.
To be clear: does the ‘connectedness’ of BlackEnergy make me disbelieve the CISA document? – No. However, I would take additional verification steps to ensure that the BlackEnergy, that is so central to the argument put forward in the CISA document, is one and the same as the more advanced BlackEnergy malware that we saw the Sandworm group using once it had stopped being sold on the underground.
Using Elemendar’s READ. tool to analyse the CISA document was insightful and refreshing and made a change from just reading a document bottom to top. The graphing functionality within READ. quickly brought me up to speed with elements of the report that I might otherwise have overlooked; however, at a deeper level, the tool revealed areas of possible bias that I would challenge if I took the analysis further.
The proof they say “is in the trying”, so why don’t you try and replicate my result and challenge some of my own conclusions using the free demo of the tool?