As we continue to monitor the situation between Russia and Ukraine – and the potential for global cybersecurity impacts – we realize that our customers and other business and industry stakeholders may be interested in additional information and context to help them understand the landscape. An important part of the equation we are studying is the activity of cyber threat actors.
In an effort to help our clients know what to look for in their environments and anticipate potential attacks, this post provides guidance on the top 5 Russian threat actors and their known tactics and techniques, based on information from the Threat Library within Threat Command.
The following threat actors are identified by our Threat Intelligence Research team as the most likely (i.e., highest risk) to carry out cyberattacks against European and US companies.
1. The UAC-0056 threat group (AKA TA471, SaintBear, and Lorec53)
The UAC-0056 threat group has been active since at least March 2021. The group was observed attacking government and critical infrastructure organizations in Georgia and Ukraine. UAC-0056’s targets are aligned with the interests of the Russian government, although it is unknown whether it is state-sponsored.
The threat actors gain initial access via the sending of spear phishing email messages that contain either Word documents (with malicious macro or JavaScript codes) or PDF files (with links leading to the download of ZIP archives embedded with malicious LNK files). These are used to install and execute first-stage malware loaders that fetch other malicious payloads, such as the OutSteel document stealer and the SaintBot loader. The latter is used to download even more payloads by injecting them into spawned processes or loading them into memory.
UAC-0056 hosts its malicious payloa ..
Support the originator by clicking the read the rest link below.
