{"id":106281,"date":"2022-02-04T10:00:00","date_gmt":"2022-02-04T18:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=106281"},"modified":"2023-10-12T08:11:10","modified_gmt":"2023-10-12T15:11:10","slug":"actinium-targets-ukrainian-organizations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/02\/04\/actinium-targets-ukrainian-organizations\/","title":{"rendered":"ACTINIUM targets Ukrainian organizations"},"content":{"rendered":"\n

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. ACTINIUM is now tracked as Aqua Blizzard and DEV-0586 is now tracked as Cadet Blizzard.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The Microsoft Threat Intelligence Center (MSTIC) is sharing information on a threat group named ACTINIUM, which has been operational for almost a decade and has consistently pursued access to organizations in Ukraine or entities related to Ukrainian affairs. MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon.

NOTE: This blog is available in Ukrainian on the Microsoft CEE Multi-Country News Center to help organizations in Ukraine implement protections against this activity: АКТИНІЙ (ACTINIUM) атакує українські організації (ACTINIUM attacks Ukrainian organizations).

In the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).

Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis. As with any observed nation-state actor activity, Microsoft directly notifies customers of online services that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft has shared this information with Ukrainian authorities.

ACTINIUM represents a unique set of activities separate from the destructive malware attacks by DEV-0586 described in an earlier blog post. As of this writing, MSTIC has not found any indicators correlating these two actors or their operations. The observed ACTINIUM activities detailed in this blog have been limited only to organizations within Ukraine. We have not seen this actor using any unpatched vulnerabilities in Microsoft products or services.

Given the geopolitical situation and the scale of observed activity, MSTIC is prioritizing sharing our knowledge of ACTINIUM tactics, techniques, and procedures (TTPs), along with a significant number of indicators of compromise (IOCs) from our extensive analysis. Our goal is to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts.

Activity description

Microsoft has observed a repeated set of techniques and procedures throughout operations by ACTINIUM, with several significant elements that we believe are important to understanding these activities. It’s important to note that ACTINIUM’s tactics are constantly evolving; the activities described in this blog are some of the most consistent and notable observations by Microsoft, but these are not all-encompassing of actor TTPs.

Phishing using remote templates

One of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros. Delivery using remote template injection ensures that malicious content is only loaded when required (for example, when the user opens the document). This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content. Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.

MSTIC has observed a range of email phishing lures used by ACTINIUM, including those that impersonate and masquerade as legitimate organizations, using benign attachments to establish trust and familiarity with the target.


\"Screenshot
This phishing email from ACTINIUM uses the sender domain who-int[.]info to masquerade as the legitimate who.int domain, assessed to be impersonating the World Health Organization <\/em><\/figcaption><\/figure>\n\n\n\n

Within the body of phishing messages, ACTINIUM has been observed to insert web bugs, which are small external image references that enable the actor to track when a message has been opened and rendered. These web bugs are not malicious by themselves but may indicate that the email is intended for malicious use. Here’s an example of a web bug used by ACTINIUM:


\"Screenshot<\/figure>\n\n\n\n

ACTINIUM’s lure documents appear to be legitimate and vary in style and content. For example, the lure document below included a remote template at the following URL: hxxp://usa-national[.]info/USA/sensible[.]dot. While a domain was used in this instance, links with static IP addresses have also been used.


\"Screenshot
This URL and the related lure .dot document from ACTINIUM is responsible for loading the malicious remote template. This document uses text from a legitimate who.int situational COVID-19 update report published on July 27, 2021.<\/em><\/figcaption><\/figure>\n\n\n\n

ACTINIUM phishing attachments contain a first-stage payload that downloads and executes further payloads. There may be multiple subsequent “staging” scripts before a more fully featured malicious capability is deployed to a compromised device. It’s unclear why there are often multiple stages; one hypothesis is that these staging VBScripts are easier to modify to incorporate new obfuscation or command-and-control (C2) changes. It’s also possible that ACTINIUM deploys these scripts to provide some assurance that detection systems are less likely to detect their main capabilities. These initial staging capabilities vary; examples include heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, LNK files, or a combination of these. ACTINIUM frequently relies on scheduled tasks in these scripts to maintain persistence. More information on some of the capabilities analyzed by MSTIC is included in the “Malware and capabilities” section.
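As an added defender-side illustration (not code from the Microsoft post), the following Python inspects a .docx/.dotx package for the relationship that remote template injection depends on: an attachedTemplate entry in word/_rels/settings.xml.rels whose target is an http(s) URL rather than a local template file. The fixture builder, the template.example host and the function names are constructed for this demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type that links a document to its attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return the http(s) attachedTemplate targets inside a .docx/.dotx blob.

    A benign file normally has no settings.xml.rels, or one whose template
    target is a local path (Normal.dotm). An http(s) target is fetched by
    Word when the document is opened, which is the remote template behaviour
    described in the post.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and urlparse(target).scheme.lower() in ("http", "https")):
                hits.append(target)
    return hits


def build_sample_docx(template_target=None):
    """Construct a minimal OOXML package as a test fixture (not a real lure).

    With template_target=None it mimics a benign document; otherwise it embeds
    a settings.xml.rels whose attachedTemplate points at template_target.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            z.writestr(RELS_PATH, (
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                '</Relationships>'))
    return buf.getvalue()
```

Running find_remote_templates over a mail gateway's attachment queue flags documents that will reach out for a template on open, which is the point at which the macro in the post's example would otherwise be fetched.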

ACTINIUM operational infrastructure and wordlists

MSTIC assesses that ACTINIUM maintains a large quantity and degree of variation of its operational infrastructure to evade detection. ACTINIUM’s operational infrastructure consists of many domains and hosts to facilitate payload staging and C2. In a single 30-day snapshot, MSTIC saw ACTINIUM utilizing over 25 new unique domains and over 80 unique IP addresses, demonstrating that they frequently modify or alter their infrastructure.

ACTINIUM domain name DNS records frequently change, perhaps not frequently enough to be considered “fast-flux”, but most DNS records for the domains change once a day on average. More than 70% of the recent 200+ ACTINIUM IP addresses are owned by ASN 197695 – REG.RU. Most ACTINIUM domains are also registered through the same owning company registrar (REG.RU). It is unclear why ACTINIUM appears to favor these legitimate providers.

Malware authored by ACTINIUM often utilizes randomized subdomains for C2. These subdomains have included the use of an apparent English wordlist in their generation procedure, making the domains appear more legitimate while frustrating network defense tools that may rely on domain name blocks. A list of the most common words MSTIC has observed is included in the IOCs below. Within the last 30 days, MSTIC has observed randomized schemes being used increasingly for subdomain patterns instead of wordlists, indicating a possible shift in methodology. One example of this randomization is the effect of their PowerShell stager using the Get-Random cmdlet:


\"Screenshot<\/figure>\n\n\n\n

Examples of ACTINIUM subdomains encompassing both wordlists and randomized subdomains include: