Eastern Europe Hit by Massive Russia and China-backed Cyberattacks, Including Strong Propaganda on Social Networks, Analysis Suggests

Investigations
13.06.2020

This spring, an array of European countries faced a massive cyberattack campaign, with nearly 80 critical infrastructure institutions in Eastern and Central Europe affected. The attacks reportedly were in favor of Russia’s and China’s interests in Europe.

A credential dump related to the attacks was discovered by a researcher from Trend Micro, a cybersecurity and defense company, who wanted to remain anonymous. After discovering the credential dump cleaned with almost 8 million lines of email/password combinations and analyzing it, they shared their findings with forklog.media.

The malicious schemes deployed by the threat actors included a botnet operation, identity spoofing, using phishing infrastructure, as well as espionage.

The Cyberattack Affected Governmental Organizations

The researcher analyzed the leak mainly for the Czech Republic, concluding that the attack affected the country’s government, the Parliament, a power plant, several technical universities, the operator of all the dams on the Vltava river, and local public media like the Czech Television.

Following the discovery, the researcher informed the Czech Security Information Service and the National Cyber Security Center (NUKIB), which confirmed that 79 critical entities had been affected by the attack. The agencies reportedly took quick actions in response to the incident. Describing the method the researcher used to discover the attack, they said:

“I take the data, create an edgelist, and turn it into the directed multigraph. Then I run various calculations using the SNA/CNA methods. This helps to understand the hidden dynamics in the dataset. By doing so, I detected statistically significant communities that supported the hypothesis about bots/cybercrime and about the real origin of these credentials. This analytical approach is based on graph theorem and helps to process data with more contextual information. From the outside, it looks like regular statistics, which it in fact is, but the inner dynamics are different. Even the database architecture has to be different than regular SQL DB.”

The Stolen Credentials Statistics

Out of the analyzed data, some of the passwords were dated 2011, but there was also a portion of new passwords and mail combinations created at the end of 2019. Among usual usernames and passwords, there were also rather exotic usernames, passwords, or not so usual usernames or passwords used with a number of different email domain providers.

Top usernames exposed in the attack

Top usernames exposed in the attack

The findings further revealed the top 20 email providers affected by the cyberattack, with gmail.com, hotmail.com, yahoo.com, and aol.com taking the lead.

Top 20 email providers exposed to the attack

Top 20 email providers exposed to the attack

Top first-level domains exposed to the attack

Top first-level domains exposed to the attack

“In case of email reoccurrence in the dataset, there are several possible hypotheses. Either the email was used more times with different passwords, or it posed significant importance for the attackers so that they put all known existing credentials versions of the victim, or possibly the user was hacked multiple times and therefore more of his passwords have leaked. However, in case of high numbers like ~20+, chances are that the attackers simply put all available relevant password versions for the victim email into the list to be sure to succeed,” the report further read.

Bot statistics

Bot statistics

According to the researcher, if the password is used with a higher number of usernames and/or if the username is used with a higher number of domains and has the password which is also reused frequently, it is considered suspicious.

No Direct Attribution Is Possible, But…

Although the researcher said that no direct attribution is possible in regard to what group of people/entities stand behind the attack, they said that the file had been found in “Russian” darknet waters.

“By the time of finding, governments, hospitals, power plants, and other crucial parts of infrastructure were targeted with a cyber attack, accompanied by strong propaganda on social networks. The circumstances, therefore, suggest a nation state-sponsored threat actor. This hypothesis can be stated with a high level of confidence,” they added.

They, however, noted that it can be that somebody only wanted the attack to be attributed to Russia and China and therefore chose timing and targets suggesting the origin of the attacks.

Just recently, a hacking group linked with the Russian government has reportedly carried out a series of attacks on energy, water, and power sectors of Germany. German authorities tend to believe that the efforts to compromise the country’s critical infrastructure were taken by the Berserk Bear hacking group.

Follow us on Twitter and Facebook and join our Telegram channel to know what’s up with crypto and why it’s important.

Found a typo? Highlight text and press CTRL+ENTER

Subscribe to our Newsletter

<

Related posts

Tags: , , ,