The GRU’s Disruptive Playbook | Mandiant
Key Judgments
- Since last February’s invasion, Mandiant has tracked Russian military intelligence (GRU) disruptive operations against Ukraine adhering to a standard five-phase playbook.
- Mandiant assesses with moderate confidence that this standard concept of operations represents a deliberate effort to increase the speed, scale, and intensity at which the GRU can conduct offensive cyber operations, while minimizing the odds of detection.
- The tactical and strategic benefits the playbook affords are likely tailor-made for a fast-paced and highly contested operating environment. We judge this operational approach may be mirrored in future crises and conflict scenarios where requirements to support high volumes of disruptive cyber operations are present.
Summary
On February 24, 2022, Russia invaded Ukraine with troops massed on the border of the two countries that had been building since the previous fall. As Mandiant has detailed previously in reports such as M-Trends 2023 and other sources available in our Ukraine Crisis Resource Center, we have tracked Russian cyber operations against Ukraine both leading up to and following the invasion. We categorize these operations, stretching back before the start of the war on February 24, 2022, into six phases, spanning access operations, cyber espionage, waves of disruptive attacks, and information operations.
While there has been a significant focus on the sheer volume of wiper activity and the perception of “success” of these disruptive operations, there is more to the story of Russian military intelligence (GRU) disruptive operations than just wipers. We have observed the same five components being executed across the disruptive operations in Ukraine, combining the GRU’s cyber and information operations into a unified wartime capability. To equip defenders with knowledge of this standard operational approach, we have outlined the GRU’s disruptive playbook, which expands on the patterns of tactical and strategic behavior Mandiant has observed. To demonstrate the playbook in action, we examine a UNC3810 operation targeting a Ukrainian government entity with CADDYWIPER that took place in the fifth phase of the war, a renewed campaign of disruptive attacks at the end of 2022.
Overview: The GRU’s Disruptive Playbook
Since Russia’s invasion of Ukraine, Mandiant Intelligence has observed the GRU operate a standard, repeatable playbook to pursue its information confrontation objectives. The persistent use of this playbook through the six phases of Russia’s war has indicated its high adaptability across a range of different operational contexts, objectives, and over 15 different destructive malware variants. The playbook has also proved highly survivable and resilient to detection and technical countermeasures, allowing the GRU to adhere to a common set of tactics, techniques and procedures (TTPs) despite an extended period of aggressive, high-tempo operational use. Mandiant has observed the playbook in use by multiple distinct Russian threat clusters throughout the war, indicating its central role in standardizing operations across multiple subteams in an attempt to deliver more repeatable, consistent effects.
Across the incidents Mandiant has responded to, we have seen suspected GRU threat clusters generally adhere to the following five operational phases:
- Living on the Edge: Leveraging hard-to-detect compromised edge infrastructure such as routers, VPNs, firewalls, and mail servers to gain and regain initial access into targets.
- Living off the Land: Using built-in tools such as operating system components or pre-installed software for reconnaissance, lateral movement and information theft on target networks, likely aiming to limit their malware footprint and evade detection.
- Going for the GPO: Creating persistent, privileged access from which wipers can be deployed via group policy objects (GPO) using a tried-and-true PowerShell script.
- Disrupt and Deny: Deploying “pure” wipers and other low-equity disruptive tools such as ransomware to fit a variety of contexts and scenarios.
- Telegraphing “Success”: Amplifying the narrative of successful disruption via a series of hacktivist personas on Telegram, regardless of the actual impact of the operation.
Mandiant assesses with moderate confidence that this standard concept of operations very likely represents a deliberate effort to increase the speed, scale, and intensity at which the GRU could conduct offensive cyber operations while minimizing the odds of detection. The benefits the playbook affords are particularly suited to a fast-paced and highly contested operating environment, indicating that Russia’s wartime goals have likely guided the GRU’s chosen tactical courses of action. While other options have existed at each stage of the playbook, the GRU has opted for the same tradecraft repeatedly. We anticipate that similar operational approaches, or “playbooks”, may be mirrored in future crises and conflict scenarios where requirements to support high volumes of disruptive cyber operations are present.
Phase | Assessed Tactical Benefits | Assessed Strategic Benefits
Living on the Edge | |
Living off the Land | |
Going for the GPO | |
Disrupt and Deny | |
Telegraph “Success” | |
The GRU’s disruptive playbook has sought to integrate the full spectrum of information confrontation (Информационное противоборство) capabilities that Russia conceptually defines as cryptographic reconnaissance of information and communication systems (KRIKS), information-technical effects (ITV), and information-influence effects (IPV). While these concepts generally map to what the threat intelligence community commonly refers to as access operations and their follow-on espionage, attack, and influence missions, it is important to understand how Russia defines these concepts and seeks to incorporate the different components of its cyber program in its own terms. A particular feature of the playbook, and more generally of the GRU’s information confrontation over time, has been its emphasis on the information-psychological effects of its cyber operations, which we judge has driven the overarching focus of its disruptive operations on Ukrainian government and civilian critical infrastructure.
The Playbook in Practice: UNC3810’s Information Confrontation
UNC3810 is one of the primary threat groups that Mandiant has observed executing the GRU’s disruptive playbook in practice. UNC3810 has conducted espionage and disruptive operations against Ukrainian entities since the onset of Russia’s invasion, as well as credential theft operations against a wide variety of global public and private industry organizations. Though UNC3810 has balanced competing priorities of espionage and disruption over the course of the war, this case focuses on the group’s disruptive operations.
Living on the Edge
Russian wartime cyber campaigns in Ukraine have relied on the GRU’s ability to balance priorities for espionage and disruption, thus relying heavily on “living on the edge” of target networks via edge infrastructure. Edge infrastructure is any infrastructure facing the public internet, including firewalls, mail servers, and routers, that can be used flexibly for a variety of operational objectives. Edge infrastructure compromise has generally occurred in the early stages of the attack lifecycle, but also takes place later, such as in the case of compromise of internal routers.
In our case study operation, UNC3810 first gained initial access to the target environment in late July 2022, likely via a VPN compromise. After gaining initial access from the edge, UNC3810 accessed multiple Linux servers and dropped webshell backdoors to establish redundant points of access and further their access to the victim’s network.
Living off the Land
To move off the edge and deeper into target networks, GRU operations have relied upon living off the land tactics, exploiting tools already available in the victim environment such as operating system components and installed software. Commonly used UNC3810 post-compromise utilities include PowerShell, wmiexec, PortProxy, Impacket, and Chisel.
In this specific case, upon establishing a foothold on the Linux servers with an unknown webshell, the operators then attempted to execute GOGETTER, a custom TCP tunneling tool written in Go. UNC3810 timestomped the binary to match the modification dates of similarly named binaries in the same directory, an attempt to masquerade as legitimate software. UNC3810 then executed GOGETTER as a scheduled service with a systemd service script.
- /usr/bin/system-sockets
  - GOGETTER
  - Executed by systemd service
Additionally, UNC3810 likely attempted to modify packet filtering rules, as seen by the attempt at executing iptables-restore. However, the actors misspelled the command as “iptables-restor” multiple times. The combination of these tools gave the actors persistent access and opportunity for lateral movement across the network environment over a three-month period.
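The timestomping described above can be triaged on a Linux host with the Python below, an added example that is not from the Mandiant post or UNC3810’s tooling: it reads the ExecStart path of each systemd unit and flags binaries whose modification time is far older than their inode change time, which a utime-based timestomp cannot rewrite. The demo builds its own throwaway unit directory with constructed files; the unit and binary names (sshd, system-sockets) are assumptions, and an mtime-preserving archive produces the same gap, so pair the result with a package-ownership check (dpkg -S, rpm -qf) before acting on it.

```python
"""Triage systemd services whose ExecStart binary may be timestomped.

Tools such as `touch -r` rewrite a file's mtime but cannot set its inode
change time (ctime), so a service binary whose mtime trails its ctime by
months was either unpacked from an mtime-preserving archive or had its
modification time faked to blend in with its neighbours.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# First ExecStart= line; strips systemd's leading prefix characters (-, @, +, !, :).
EXEC_START_RE = re.compile(r"^ExecStart=\s*[-@+!:]*(\S+)", re.MULTILINE)


def exec_start_paths(unit_dir: Path) -> dict:
    """Map each *.service file name to the binary its ExecStart launches."""
    paths = {}
    for unit in sorted(unit_dir.glob("*.service")):
        match = EXEC_START_RE.search(unit.read_text(errors="replace"))
        if match:
            paths[unit.name] = match.group(1)
    return paths


def timestomp_suspects(unit_dir: Path, min_gap_days: float = 30.0) -> list:
    """Return units whose binary has an mtime older than its ctime by more than the gap."""
    suspects = []
    for unit, binary in exec_start_paths(unit_dir).items():
        try:
            st = os.stat(binary)
        except FileNotFoundError:
            continue  # dangling ExecStart: worth a look, but not a timestomp signal
        gap_days = (st.st_ctime - st.st_mtime) / 86400.0
        if gap_days > min_gap_days:
            suspects.append({"unit": unit, "binary": binary,
                             "gap_days": round(gap_days, 1)})
    return suspects


def demo() -> list:
    """Build a throwaway unit dir: one honest binary, one with a faked old mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        honest = root / "sshd"               # constructed stand-in name
        stomped = root / "system-sockets"    # mirrors the path named on the page
        for binary in (honest, stomped):
            binary.write_bytes(b"\x7fELF stub")  # constructed placeholder, not a real ELF
            (root / f"{binary.name}.service").write_text(
                f"[Service]\nExecStart={binary}\n[Install]\nWantedBy=multi-user.target\n")
        # Fake a 400-day-old mtime; the kernel still records ctime as "now".
        old = time.time() - 400 * 86400
        os.utime(stomped, (old, old))
        return timestomp_suspects(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['unit']}: {hit['binary']} mtime trails ctime by {hit['gap_days']} days")
```

On a live host, point timestomp_suspects at /etc/systemd/system and /usr/lib/systemd/system; the ctime comparison assumes a Linux (or other POSIX) filesystem.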
Going for the GPO
GRU operators manage to persist, escalate privileges, and deploy wipers through TANKTRAP, a script used to create Group Policy Objects (GPOs) to deploy a disruptive payload. GPOs define the settings for the Active Directory environment, which makes GPO abuse particularly powerful. Though GPO addition and/or modification of default GPOs generally requires the actor to have the highest level of permissions, it can allow an actor to download additional files and create services and scheduled tasks which will be executed across all Active Directory domain-joined systems.
In the case of UNC3810’s October intrusion, the actor modified default GPOs to deploy CADDYWIPER on all systems joined to the Active Directory domains of the target network. To do so, UNC3810 likely leveraged TANKTRAP, a modified PowerShell utility found on GitHub called PowerGPOAbuse. TANKTRAP is a staple in the GRU’s disruptive playbook, and has been used by UNC3810 to deliver and execute a variety of different disruptive tools across its operations via GPO.
Upon execution, TANKTRAP creates two group policy preference files:
- Files.xml
  - Retrieves CADDYWIPER from the domain controller
- ScheduledTasks.xml
  - Creates a scheduled task to execute CADDYWIPER
UNC3810 modified GPOs to launch a scheduled task across the domain which would execute CADDYWIPER for a disruptive effect.
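The two preference files listed above are plain XML under SYSVOL, so the pairing TANKTRAP relies on can be hunted for directly. The Python below is an added example, not Mandiant’s or the PowerGPOAbuse project’s code: it parses a Files.xml and a ScheduledTasks.xml from one GPO and flags any task whose command is a path that the same GPO copies onto the host. The embedded XML is a constructed sample; the task name, GUIDs, domain and staging paths are assumptions, and only the file name Caclcly.exe comes from the page.

```python
"""Hunt a GPO that both drops a file and schedules a task to execute it.

Group Policy Preferences live as XML under the domain's SYSVOL share at
Policies/{GUID}/Machine/Preferences/. A Files.xml entry that copies a payload
in, paired with a ScheduledTasks.xml entry whose command is that same path, is
the drop-and-run pattern described above.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: one File preference copying a payload from the DC.
FILES_XML = """<Files clsid="{215B2E53-57CE-475c-80FE-9EEC14635851}">
  <File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="Caclcly.exe"
        status="Caclcly.exe" image="2" changed="2022-10-03 07:34:00"
        uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="C"
        fromPath="\\\\dc01.example.local\\SYSVOL\\example.local\\scripts\\Caclcly.exe"
        targetPath="C:\\Windows\\Temp\\Caclcly.exe" readOnly="0" archive="1" hidden="0"/>
  </File>
</Files>"""

# Constructed sample: an immediate task (runs at the next policy refresh) as SYSTEM.
TASKS_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update"
        image="0" changed="2022-10-03 07:35:00"
        uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>C:\\Windows\\Temp\\Caclcly.exe</Command><Arguments/></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""

TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}


def dropped_files(files_xml: str) -> dict:
    """Map lower-cased targetPath -> fromPath for every non-delete File entry."""
    drops = {}
    for entry in ET.fromstring(files_xml).iter("File"):
        props = entry.find("Properties")
        if props is None or props.get("action") == "D":
            continue  # delete actions carry no payload
        drops[props.get("targetPath", "").lower()] = props.get("fromPath", "")
    return drops


def task_commands(tasks_xml: str) -> list:
    """Return (task name, command, args) for v1 (appName attr) and v2 (Exec) tasks."""
    cmds = []
    for task in ET.fromstring(tasks_xml).iter():
        if task.tag not in TASK_TAGS:
            continue
        props = task.find("Properties")
        if props is None:
            continue
        if props.get("appName"):  # v1 schema keeps the command in an attribute
            cmds.append((task.get("name", ""), props.get("appName"), props.get("args", "")))
        for ex in props.iter("Exec"):  # v2 schema nests Task/Actions/Exec
            cmds.append((task.get("name", ""), (ex.findtext("Command") or "").strip(),
                         (ex.findtext("Arguments") or "").strip()))
    return cmds


def find_drop_and_run(files_xml: str, tasks_xml: str) -> list:
    """Flag tasks whose command is a path the same GPO copies onto the host."""
    drops = dropped_files(files_xml)
    hits = []
    for name, cmd, args in task_commands(tasks_xml):
        key = cmd.strip('"').lower()
        if key in drops:
            hits.append({"task": name, "command": cmd, "arguments": args,
                         "staged_from": drops[key]})
    return hits


def scan_policy(policy_dir: Path) -> list:
    """Run the check against one {GUID} policy folder copied out of SYSVOL."""
    pref = policy_dir / "Machine" / "Preferences"
    files, tasks = pref / "Files" / "Files.xml", pref / "ScheduledTasks" / "ScheduledTasks.xml"
    if not (files.is_file() and tasks.is_file()):
        return []  # only one half of the pattern is present
    return find_drop_and_run(files.read_text(encoding="utf-8-sig"),
                             tasks.read_text(encoding="utf-8-sig"))


if __name__ == "__main__":
    for hit in find_drop_and_run(FILES_XML, TASKS_XML):
        print(f"task {hit['task']!r} runs {hit['command']} staged from {hit['staged_from']}")
```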
Disrupt and Deny
GRU operations on a targeted host machine usually end with the deployment of wipers or other disruptive tooling. These disruptive operations hold the potential to cause immediate impact to targeted organizations and sometimes erase evidence of attacker presence.
CADDYWIPER is a wiper that Mandiant first identified and reported on in March 2022, and it has become the GRU’s most frequently deployed disruptive tool in Ukraine that we have observed. The malware enumerates the file system’s physical drives and overwrites both file contents and partitions with null bytes. CADDYWIPER has also notably been deployed alongside other disruptive tools, such as INDUSTROYER.V2, indicating the wiper’s perceived versatility to its operators.
Mandiant and others, including Microsoft, ESET, and CERT-UA, have identified multiple variants of CADDYWIPER over time, including x64, x86, and shellcode variants. The GRU has repeatedly refined CADDYWIPER since its first use in March 2022, iteratively making the wiper more lightweight and flexible, though we continue to see operator error in the malware’s deployment. Though these changes may have been necessary tactical evolutions to avoid detection and containment by antivirus products, it is possible they reflect non-tactical considerations as well, such as resource and personnel shortfalls, more direct access to CADDYWIPER’s codebase (as evidenced by compile times close to operational use), or top-down pressures to speed up operations.
On 3 October 2022 at 07:34 UTC, UNC3810 staged the initial CADDYWIPER sample.
- Caclcly.exe
  - CADDYWIPER x64 variant
  - Compile time: 2022/09/18 10:17:23
A local antivirus client blocked the initial execution of CADDYWIPER during this operation, after which UNC3810 re-compiled and dropped an x32 CADDYWIPER variant to the target network, but did not configure any GPO to execute the variant via scheduled task. The attacker additionally attempted to exclude the file from antivirus scans. Mandiant assesses the x32 variant was likely successfully executed.
- Caclclx.exe
  - CADDYWIPER x32 variant
  - Compile time: 2022/10/03 10:01:48
Due to GPO configuration settings incompatible with the target systems’ OS versions, and the fact that the initial CADDYWIPER variant was only compiled to run on x64 operating systems, the impact of this disruptive operation was extremely limited. An apparent lack of preparation and reconnaissance on the target systems, combined with proactive choices made by network defenders, prevented UNC3810 from creating a significant disruptive impact in this operation.
Telegraphing “Success”
Disruptive operations rarely make headlines by themselves because their effects are not visible to the public, unless victim organizations choose to publicize the attack. To overcome this dilemma, the GRU has used a series of Telegram channels assuming hacktivist identities to claim responsibility for cyber attacks and leak stolen documents or other proofs from their victims. We assess this tactic is almost certainly an attempt to prime the information space with narratives of popular support for Russia’s war and to generate second-order psychological effects from the GRU’s network attacks. Follow-on influence efforts tend to exaggerate the success of the preceding cyber components and are conducted regardless of the cyber operation’s actual impact. Telegram has been the primary platform for these efforts, as channels on the social media platform have become the go-to source for unfiltered footage and updates from the war.
In the final stage of the playbook, data from the victim of UNC3810’s wiper attack was staged and advertised on Telegram by “CyberArmyofRussia_Reborn”, a self-proclaimed hacktivist persona that claimed responsibility for the wiper attack. However, technical artifacts from UNC3810’s intrusion indicate that the “CyberArmyofRussia_Reborn” persona severely exaggerated the success of the wiper attack. Due to a series of operator errors, UNC3810 was unable to complete the wiper attack before the Telegram post boasting of the disrupted network. Instead, the Telegram post preceded CADDYWIPER’s execution by 35 minutes, undermining CyberArmyofRussia_Reborn’s repeated claims of independence from the GRU. Based on the close sequencing between the wiper deployment and Telegram posts, Mandiant assesses with high confidence that UNC3810 and Cyber Army of Russia engaged in advance operational planning to orchestrate the cyber and information operations components of the operation.
Repeat Offenders: Past is Prologue for Russia’s Disruptive Playbook
The individual components of the GRU’s wartime playbook have clear roots in its historical patterns of information confrontation. The component TTPs, such as the targeting of edge infrastructure, limiting the overall footprint on victim networks and hosts through living off the land techniques, disruptive tools disguised as ransomware, and the increasing use of intermediary or disposable tooling, have become fundamental components of GRU cyber operations over time. What is different is the full-scale integration of these capabilities into a unified, repeatable playbook that has likely been tailored for use in Russia’s invasion of Ukraine.
A Shift to “Pure” Disruptive Tools
Following in the footsteps of its historical destructive campaigns, Russia has continued to operate a range of disruptive malware variants, including wipers, ransomware, and industrial control system (ICS) specific capabilities. While the general intent behind these tools, to irreversibly destroy data and disrupt the ability of target systems to function as intended, is similar, the design of the disruptive malware the GRU has chosen to use during the war is substantively different.
Since Russia’s invasion, the GRU has overwhelmingly opted to deploy what we call “pure” disruptive tools. This class of disruptive tooling is lightweight in design and primed for immediate use, containing only the capabilities required to disrupt or deny access to the target system. The generic design has made them disposable and functionally interchangeable, allowing the GRU to integrate new or modified tools into the broader playbook in a plug-and-play fashion to be deployed via GPOs. As an added operational benefit, disruptive tooling of this nature is freestanding, allowing operators to maintain a minimal presence in the victim network and conceal the chosen malware variant until moments before its use.
This preference contrasts significantly with the GRU’s historical preference for “multifunctional” disruptive tools that were more complex, multi-stage or modular in design, and that contained added capabilities to carry out additional objectives such as system reconnaissance, information theft, propagation to additional systems, or remote command and control. This class of disruptive tool is almost certainly more time and resource intensive to tailor and preposition, and at higher risk of detection, likely limiting the overall speed and scale at which it could have been used to achieve operational objectives.
Within this approach, the GRU has also continued to use disruptive tooling disguised as ransomware, including commercially sourced ransomware variants. Using ransomware very likely serves the dual purpose of temporarily misdirecting attribution efforts and amplifying the psychological aspect of the operation, either through the ransom notes themselves or via dark web forums or leak sites where feigned extortion attempts are often conducted. By incorporating commercially available ransomware and wipers derived from common software and utilities, we believe that the GRU has likely been able to replenish its arsenal with new, undetected disruptive tools more rapidly than it could have by developing them in-house.
Integrating Hacktivist Identities Into Disruptive Operations
The GRU’s past tendency to exploit the identities and symbols of noteworthy political actors and hacktivist identities has taken a central role in its disruptive playbook. Extending back to at least 2014 and its original invasion of Ukraine, Mandiant has tracked what we assess as personas linked to GRU intrusion sets falsely assuming the identities of anonymous political and hacktivist groups in an effort to misdirect attribution and generate second-order psychological effects from their cyber operations.
- CyberBerkut: Between 2014 and 2018, the GRU assumed the identity of Ukraine’s dissolved special police force “Berkut” (Беркут) to conduct targeted leaks, website defacements, and distributed denial of service (DDoS) attacks against Ukrainian and NATO government and military organizations. Notably, the group attempted to crowdsource support for DDoS attacks by calling for supporters to voluntarily install malware on their machines that would assist CyberBerkut’s DDoS activity.
- CyberCaliphate: In 2015, the GRU used the CyberCaliphate persona (mirroring the pre-existing online persona used by the terrorist group ISIS) as a false front to claim responsibility for the network disruption of TV5Monde and a series of social media account compromises, website defacements, and leaks targeting Western media and military organizations.
- Yemeni Cyber Army: In 2015, the GRU likely co-opted the identity of a pre-existing anonymous hacktivist group “Yemen Cyber Army” (the GRU fork being distinct in its use of “Yemeni”). The persona claimed to be a grassroots youth group responsible for stealing a cache of documents allegedly given to WikiLeaks in response to Saudi Arabia’s role in Yemen’s civil war.
- Guccifer 2.0: In 2016, the GRU referenced the identity of the jailed Romanian hacker “Guccifer” to leak stolen and forged documents from the Democratic National Committee (DNC) as part of efforts to influence the 2016 U.S. presidential election.
- AnPoland: In 2016, the GRU leaked stolen documents and conducted website defacements and DDoS attacks against the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS) under the false auspices of the hacktivist group Anonymous Poland, mimicking the real hacktivist group Anonymous.
- Fancy Bears’ Hack Team: Between 2016 and 2018, the GRU used a false hacktivist persona to conduct a sustained influence campaign against organizations associated with the Olympic Games and other sporting bodies, including WADA again.
Since the 2022 Ukraine invasion, Russia has further extended this approach, integrating similarly themed self-proclaimed hacktivist groups into its disruptive playbook. Overlaps in tactics include the continued appropriation of noteworthy hacktivist identities, crowdsourcing of operational support, and soliciting coverage that could amplify awareness of operations and their perceived impact through exaggerated claims of impact. What is newer is the central role of Telegram, which has emerged as a critical source of sensemaking, war-related information operations, and a key recruitment platform for volunteer cyber “armies” in the conflict. Notably, Mandiant has observed each of the GRU’s four wartime personas leak data from victims who were also affected by wiper attacks. In multiple incidents, the use of disruptive tools and data leaks have occurred within a short window of time, indicating advance planning for the inclusion of the IO components in these disruptive campaigns.
- CyberArmyofRussia_Reborn: Beginning in March 2022, the Cyber Army of Russia persona, claiming to be a grassroots “People’s CyberArmy”, has been used to solicit coverage of destructive malware operations where CADDYWIPER was deployed, distribute tools and crowdsource DDoS attacks, leak stolen data, and amplify accounts spreading propaganda regarding Russia’s battlefield progress.
- XakNet Team: XakNet’s Telegram channel was also created in March 2022, claiming direct lineage to a group by the same name that targeted Georgian entities during the Russia-Georgia War of 2008. The group carries out a spectrum of activities similar to Cyber Army of Russia, including soliciting coverage of network attacks, crowdsourced DDoS attacks, leaks of stolen data, and amplification of other pro-Russian Telegram accounts.
- Infoccentr: Again in March 2022, a Telegram channel “Infoccentr” was created that has engaged in the same spectrum of activities, including crowdsourced DDoS attacks, leaks of stolen data, and drawing attention to victims of CADDYWIPER operations.
- Free Civilian: Beginning in February 2022, a self-proclaimed pro-Russian hacktivist persona “Free Civilian” claimed responsibility for a series of government website defacements and advertised stolen documents for sale, using identical defacement images from the January PAYWIPE and SHADYLOOK wiper campaign. The persona resurfaced on Telegram on the anniversary of the invasion to claim additional defacements and leak alleged stolen documents.
Conclusions
The GRU’s disruptive operations in Ukraine have revealed a series of tactical choices Russia’s military has made to achieve its wartime information confrontation objectives. These adaptations have helped the GRU balance different strategic priorities for espionage and attack and integrate its cyber and information operation capabilities into a unified, repeatable playbook that could be used across multiple distinct Russian threat clusters.
Many of the components of the GRU’s disruptive playbook are not new. They have historically been used in different ways. But in Ukraine, they have been uniquely combined and tailored to meet the requirements of operating at scale in a fast-paced and highly contested wartime environment while avoiding detection. As this playbook has almost certainly been purpose-built for Russia’s invasion, we judge that these specific tactical adaptations may be mirrored in future crises and conflict scenarios where requirements to support high volumes of disruptive cyber operations are also present.
It is important to note that this playbook is not wholly unique to Russia’s war in Ukraine. Financially motivated ransomware operations also follow a similar playbook, abusing vulnerabilities in edge infrastructure for initial access, living off the land, and modifying GPOs to spread and execute their malware. We believe that the convergent use of these tactics is likely driven by a common need to reduce the breakout time from initial access to malware delivery and to maximize the disruptive effect in a target environment. Consequently, preparations to monitor, detect, and respond to the TTPs used in Russia’s wartime cyber playbook will have transferable benefits for defending against tradecraft commonly used by ransomware groups as well.