Microsoft: Russian state hackers resort to ransomware

Microsoft attributes a ransomware campaign to an attacker group already believed to be responsible for a blackout in Ukraine and for NotPetya.


At the Cyberwarcon conference, Microsoft made a spectacular addition to its assessment of a new kind of ransomware: “MSTIC notes that Iridium carried out the Prestige campaign”. In plain terms, this means that Microsoft blames the Russian military intelligence service GRU for planning and executing a ransomware campaign that was uncovered in the fall. Should this be the case, it would be a significant change in the threat landscape, with consequences for defenders as well.

Prestige is the codename for a ransomware campaign targeting Polish and Ukrainian companies that the Microsoft Threat Intelligence Center (MSTIC) first documented in October. What made it unusual: it could not be attributed to any of the well-known cybercrime gangs; the tools, techniques, and resources used simply did not fit. But with new insights from analyses of specific incidents, MSTIC is now sticking its neck out:

“As of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack.”

Iridium is said to be behind Prestige. Microsoft classifies this finding as quite reliable with “moderate-high confidence” and bases this on typical attribution criteria such as selection of targets, technologies used, and infrastructure.

Iridium is Microsoft’s identifier for a group better known as Sandworm, which until now was best known for spectacular acts of sabotage: in 2015 it caused the first hacker-induced blackout, in Ukraine. It is also said to be behind the NotPetya malware, which caused billions of dollars in damage worldwide. And Ukraine’s CERT reported that Sandworm had prepared another blackout for April 8, but it was detected and prevented.

The Russian military intelligence service GRU is behind Sandworm. This is what the US security authority CISA claims, among others, and the US judiciary has even initiated proceedings against six GRU employees. Many states and security companies share this assessment; the German BSI mentions the group in its 2022 situation report.

If an attacker group as experienced as Sandworm turns to ransomware, the IT security situation changes significantly. So far, ransomware attacks have generally been the work of cybercrime gangs like Lockbit, which are well organized and sometimes technically adept. But their primary interest is money, and they want it as easily as possible. This means they usually take the path of least resistance, and comparatively simple protective measures are enough to make them look for an easier victim.

This does not apply to state-controlled attackers such as Sandworm, so-called Advanced Persistent Threats (APTs). They have almost unlimited resources, excellent know-how, and a great deal of patience at their disposal. If they have a target in their sights, they will find a way into its network. This is a lesson from the last decades of IT security on which practically all experts agree: in the end, intrusions by APTs cannot be prevented; one has to try to minimize their consequences instead.

So far, Microsoft is alone with this attribution. But Sandworm is being observed and analyzed by many security experts, who will hopefully soon weigh in with their own independent findings. If Microsoft’s assessment is confirmed and the Prestige campaign does not turn out to be an isolated case, this will have an impact on IT security and on the way IT must be defended against attacks.
