HHS Gives Data on Advanced Persistent Threat Groups Associated with the Russian Intelligence Services

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat summary describing the Russian Intelligence Services cyber organizations that pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector.

The threat summary profiles four major advanced persistent threat (APT) actors that conduct malicious cyber activity and espionage on behalf of the Russian Intelligence Services. These APT actors are linked to the Foreign Intelligence Service (SVR), the Federal Security Service (FSB), and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The FSB is roughly equivalent to the Federal Bureau of Investigation in the United States and is mainly focused on domestic intelligence and on foreign intelligence from Russia’s near abroad. The SVR is roughly equivalent to the Central Intelligence Agency (CIA) and collects foreign intelligence on military, economic, strategic, scientific, and technical targets. The GRU is roughly equivalent to the Defense Intelligence Agency (DIA); it collects foreign intelligence on military matters through espionage and is additionally responsible for conducting destructive cyberattacks.

Turla

Turla, also known as Iron Hunter, Venomous Bear, Waterbug, and KRYPTON, operates under the direction of the FSB and has mainly targeted the education, energy, military, government, telecommunications, research, and pharmaceutical sectors and foreign embassies since 2004. The group is known to use malware and advanced backdoors and is mainly focused on diplomatic espionage in former Eastern Bloc countries, although it was responsible for the attack on United States Central Command in 2008, on G20 participants in 2017, and on the German government’s computer network in 2018.

APT29

APT29, also known as YTTRIUM, Iron Hemlock, Cozy Bear, and The Dukes, operates under the direction of the SVR and generally targets the education, energy, financial, government, healthcare, media, pharmaceutical, and technology sectors as well as think tanks. The group has been active since 2008 and uses a variety of backdoors and malware variants. It generally targets European and NATO countries, is known to run spear-phishing campaigns to gain quiet, long-term access to target systems, and is notably persistent and focused on specific targets. APT29 steals data but does not leak it. The group has been linked to the 2015 Pentagon attack and the 2020 SolarWinds Orion attack, and it targeted COVID-19 vaccine researchers during the pandemic.

APT28

APT28, also known as STRONTIUM, Sofacy, Fancy Bear, and Iron Twilight, has operated under the direction of the GRU since 2004. APT28 targets the government, aerospace, defense, energy, healthcare, military, and media sectors as well as dissidents. The group uses a range of malware, including a downloader for next-stage infections, and collects system information and metadata to distinguish real environments from sandboxes.

APT28 mainly targets NATO countries and is known to use password spraying, custom malware, phishing, and credential harvesting, and it tends to conduct noisy rather than quiet attacks. The group steals and leaks data to advance Russia’s political aims. It has been linked to the 2016 World Anti-Doping Agency attack, the 2016 breach and leak of data from the U.S. Democratic National Committee and the Clinton campaign, and interference in the 2016 German elections and 2017 French elections.

Sandworm

Sandworm, also known as Voodoo Bear, IRIDIUM, Telebots, ELECTRUM, and Iron Viking, has operated under the direction of the GRU since 2007. Sandworm primarily targets the government and energy sectors and is the most destructive of all the ‘Bear’ threat groups. Sandworm attacks ICS and computer networks for destructive purposes, for example conducting wiper malware attacks, particularly in Ukraine. The group appears unconcerned with the second- and third-order consequences of its attacks, as seen with NotPetya, and uses malware such as BlackEnergy, GCat, BadRabbit, GreyEnergy, KillDisk, Industroyer, and NotPetya.

Sandworm was responsible for the numerous attacks on the Ukrainian government and critical infrastructure in 2015-2016 and 2022, the cyberattacks on Georgian websites before the 2008 Russian invasion, and the 2017 NotPetya attacks.

Mitigations

The tactics, techniques, procedures, and malware used by these groups vary, but many mitigations can be implemented to improve resilience and block the primary attack vectors. These are described in the HC3 report and include keeping software up to date, patching promptly, using multi-factor authentication (MFA), segmenting networks, and reviewing CVEs for all public-facing systems.