Mirai — Semantics, Denmark’s energy sector and NoName057

SIMKRA
Jan 13, 2024


The question: are Russian hackers involved in the attack and, if so, who, if not Sandworm?

It all started with the excellent research report by Forescout on the attacks on Denmark’s energy sector, which I read today, and an article by Ionut Arghire questioning whether Russian hackers were involved in attacks on Denmark’s critical infrastructure. It is like a good spy book or a thrilling story to tell. I couldn’t stop investigating.

As the title of the report “Clearing the Fog of War — A critical analysis of recent energy sector cyberattacks in Denmark and Ukraine” already reveals, the author Jos Wetzels tries to shed light on whether Sandworm is actually behind the attacks, specifically those in May 2023, and whether there are links to the Russian military. Let’s put the story in a timeline and take the artifacts to understand it technically.

Timeline of attacks and IOCs for both waves of the attack

Forescout also separates the two waves of attacks on critical infrastructure that were reported to SektorCERT. I think it has more to do with the kinetic circumstances in Ukraine and the reaction of hacktivists. And I will explain why.

While reading through the technical documentation, I noticed that there are semantic references to the origin of the attackers in the infrastructure and file names. And that is the point at which my Saturday was taken up by research. It must be a Russian threat actor:

URL path fuckjewishpeople

Putin is known for his anti-Jewish propaganda, and the Wagner Group, with its Nazi symbols and anti-Jewish attitudes, has also attracted attention on Twitter for its fascist opinions. So it is not surprising to find fuckjewishpeople in the path of the URL, and mipskiller also points to annihilation when a Russian threat actor is targeting Western victims. That would mean: yes, it could be a Russian attack!!!

In addition, there is Mirai, a botnet malware that was also used in the hacking campaign against Denmark in May. Already in January 2023, Denmark was targeted by the hacktivists NoName057.

Hacking group NoName057(16) targeted multiple Danish banks in a distributed denial-of-service attack Tuesday causing operational delays in many of the affected banks. Apparent targets included some of the largest financial institutions, including Jyske Bank and Sydbank. Arbejdernes Landsbank said its online banking system was affected. NoName057(16) on its Telegram channel claimed attacks on Sydbank, Sparekassen Sjælland-Fyn, Bankinvest, Jyskebank.

Who is NoName057?

As of this writing, NoName057(16) is the most active pro-Russian DDoS group hitting Western websites. With 1174 attacks against targets in 32 Western countries, the group was responsible for 31% of all pro-Russian DDoS campaigns in the first half of 2023. Yet, what is rather unusual about NoName057(16) is its continuous effort to build an online community of comrades and the strategies they employ to do so.

NoName057(16) has come a long way since May 2022, when Western media referred to it as a “little-known hacker group.” In the past year, the group has gone from a seemingly harmless rogue operation to an organized collective of volunteer cyber partisans. With nearly 60,000 subscribers to its Telegram channel and over 15,000 subscribers to its Telegram bot, NoName057(16) appears to have been successful in building an online community. This can in part be attributed to the group’s distinct technical targeting process, that uses volunteers to download and install a bot on their devices to carry out its DDoS attacks.

NoName057 has been around since March 2022, which is exactly when Conti also disbanded. Of course, one could now speculate that Conti members who have connections to the FSB and also fought in the Crimean War in 2014 could possibly be affiliates of NoName057.

Analysis of Competing Hypotheses

Therefore, my hypothesis is that the attacks may not be Sandworm but perhaps NoName057. Although old collections in the infrastructure IOCs indicate that the IP addresses were already used by Sandworm, from a purely technical point of view both the semantics and the approach of the attack (DDoS, brute force, the exploitation of vulnerabilities such as the Zyxel firewall, and Mirai) fit better with NoName057, not least because they have already attacked the Danish financial system for monetary reasons.

Unfortunately, apart from Mirai there are no concrete indications that it could be the hacktivists; at least there are other C2 ports and IP addresses that can be found, last published on 11.01.2024 at MalwareBazaar.

With a little research on C2 ports and prevalence, we can write a short hunting rule for the Mirai ports most seen in January 2024:

If we now look at the timeline of events and compare it with the semantics already mentioned above, it quickly becomes clear that the attacks on critical infrastructure correlate in time with diplomatic meetings around the Ukraine conflict or with military aid to Ukraine.

Most recently, we find this on December 7th 2023 with an attack on the UK by NoName057, when comparing it with the latest information published on the website of the Kiel Institute for the World Economy.

Ukraine conflict and again semantics revealing threat actors

While researching more closely, I came across the Kiel Institute for the World Economy’s statistics on the top countries providing military support to Ukraine and was able to correlate these with NoName057 attacks.

Update of 7 December and attacks on GB the same day

The date of the URL in Forescout’s analysis with the semantic attack on the Jewish population, fuckjewishpeople, coincides with the diplomatic meetings in Poland with Israel regarding warning systems to be deployed in Ukraine.

How kinetic warfare impacts cyberspace when a whole nation is targeted

NoName057 seems to be proceeding systematically. Even though NoName057 used to attack the Wagner Group, I assume there is a real chance that Wagner mercenaries could be affiliates of NoName057, too. The Wagner Group approached the Russian president again in September 2023 and “could be back”:

Published in the Guardian — Wagner Recruiting, are they back?

It also fits with the fact that the Wagner Group has an elite of hackers capable of hacking satellites. Additionally, there is the positive portrayal of the hacktivists NoName057, who are praised as heroes by the regime at the same time as Wagner “joins” Russia’s kinetic and non-kinetic war again.

I assume that there could possibly be hackers among these mercenaries and ransomware affiliates in Germany as well, who use the corresponding information from the Kiel Institute to take countermeasures against the “enemies”. If you compare the top military-aid countries with the NoName057 DDoS attacks, it looks more strategic than coincidental.

Hacktivists like NoName057 are probably checking the latest research of the Kiel Institute

We should not forget that patriots within Conti, the Wagner Group and NoName057 were themselves soldiers who may have fought in Crimea in 2014 and also in the current conflict. Their mindset is to fight against the West, and it doesn’t make it easier when they operate as Russia’s paramilitary ecosystem.

Technical Addendum

The following current ports can be hunted specifically for Mirai:

Ports: 59666, 55650, 55555, 38241, 36063, 34241, 24529, 21425, 14356, 9999, 9931, 9701, 7774, 6666, 6281, 4426, 3912, 3778, 1663, 1420, 1312, 1234, 1290, 1024, 9999, 961, 888, 747, 667, 666, 562, 9090, 45, 13

The following graph shows the first wave and the attack with Mirai on the Danish infrastructure:

The second wave can be found here:

Dropper Files Graph

Latest IOCs, 11.01.2024

IOCs from Forescout:

URL

hxxp://145.239.54[.]169/mipskiller
hxxp://91.235.234[.]81/proxy2
hxxp://45.128.232[.]143/bins/paraiso.mips
hxxp://45.128.232[.]143/bins/paraiso.arm5
hxxp://45.128.232[.]143/bins/paraiso.arm6
hxxp://45.128.232[.]143/bins/paraiso.mpsl
hxxp://45.128.232[.]143/bins/paraiso.x86
hxxp://45.128.232[.]143/.router/twitter

IPs

45.128.232[.]143
109.207.200[.]43
27.19.56[.]44
77.64.229[.]43
123.26.149[.]179
179.43.145[.]90
193.32.162[.]159
109.207.200[.]42
109.207.200[.]43
109.207.200[.]44
109.207.200[.]47
185.180.199[.]41
64.112.74[.]166
45.128.232[.]108
193.34.212[.]225
84.54.51[.]106

MD5

ddf33ab2a548d8cd5eac19b7ead99f94

3c7d50169783e17c6951388c409f0ee2

d7d965dce3b520475a53918495d041ca

5b41cfbeba46bce34b90a3f3e1d7e9a1

405f380654dc6eb1d9816f89ad702c19

c89b1d07cdbe80d9c6d885b5243de139
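The post mentions a short hunting rule on the Mirai C2 ports and then publishes the Forescout IOC list above, but the rule itself is only shown as an image. The following script is an added example, not the post’s or Forescout’s own rule: it refangs the published URLs, IPs and MD5 hashes, collapses the port list into a set, and scans key=value connection and file-event records for matches. The log format and every log line below are constructed for demonstration; the indicators are exactly those printed in the post. Bare port matches are reported with low confidence, because several of the listed ports (1024, 1234, 9090, …) are also used by benign services.

```python
"""Added hunting helper (not the post's own rule): match connection and
file-event logs against the Forescout IOCs and the January 2024 Mirai C2
port list reproduced in the post. Sample log lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Forescout URL IOCs, defanged exactly as published in the post.
DEFANGED_URLS = """
hxxp://145.239.54[.]169/mipskiller
hxxp://91.235.234[.]81/proxy2
hxxp://45.128.232[.]143/bins/paraiso.mips
hxxp://45.128.232[.]143/bins/paraiso.arm5
hxxp://45.128.232[.]143/bins/paraiso.arm6
hxxp://45.128.232[.]143/bins/paraiso.mpsl
hxxp://45.128.232[.]143/bins/paraiso.x86
hxxp://45.128.232[.]143/.router/twitter
"""

# Forescout IP IOCs as published (109.207.200[.]43 is listed twice).
DEFANGED_IPS = """
45.128.232[.]143 ; 109.207.200[.]43 ; 27.19.56[.]44 ; 77.64.229[.]43
123.26.149[.]179 ; 179.43.145[.]90 ; 193.32.162[.]159 ; 109.207.200[.]42
109.207.200[.]43 ; 109.207.200[.]44 ; 109.207.200[.]47 ; 185.180.199[.]41
64.112.74[.]166 ; 45.128.232[.]108 ; 193.34.212[.]225 ; 84.54.51[.]106
"""

# Forescout MD5 hashes from the post.
MD5S = {
    "ddf33ab2a548d8cd5eac19b7ead99f94",
    "3c7d50169783e17c6951388c409f0ee2",
    "d7d965dce3b520475a53918495d041ca",
    "5b41cfbeba46bce34b90a3f3e1d7e9a1",
    "405f380654dc6eb1d9816f89ad702c19",
    "c89b1d07cdbe80d9c6d885b5243de139",
}

# Mirai C2 ports from the technical addendum; 9999 appears twice, the set collapses it.
MIRAI_PORTS = {int(p) for p in (
    "59666 55650 55555 38241 36063 34241 24529 21425 14356 9999 9931 9701 "
    "7774 6666 6281 4426 3912 3778 1663 1420 1312 1234 1290 1024 9999 961 "
    "888 747 667 666 562 9090 45 13").split()}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(value: str) -> str:
    """Undo the usual defanging so indicators compare equal to raw log fields."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def parse_ips(text: str) -> set[str]:
    """Split a ';'/whitespace separated defanged IP list into refanged IPv4 strings."""
    ips = set()
    for token in re.split(r"[;\s]+", text):
        candidate = refang(token.strip())
        if candidate and IPV4.match(candidate):
            ips.add(candidate)
    return ips


def parse_url_hosts(text: str) -> set[str]:
    """Host part of each defanged URL (all of them are IP-literal hosts here)."""
    hosts = set()
    for line in text.split():
        m = re.match(r"https?://([^/]+)", refang(line))
        if m:
            hosts.add(m.group(1))
    return hosts


def ioc_ip_set() -> set[str]:
    """All IOC IPs: the IP list plus the hosts of the dropper URLs."""
    return parse_ips(DEFANGED_IPS) | parse_url_hosts(DEFANGED_URLS)


@dataclass(frozen=True)
class Hit:
    line_no: int
    confidence: str   # "high" for an IOC IP or hash, "low" for a bare port match
    reason: str
    indicator: str


def hunt(log_lines, ioc_ips=None, ports=MIRAI_PORTS, hashes=MD5S) -> list[Hit]:
    """Return one Hit per matched indicator per log line (key=value records, constructed format)."""
    ioc_ips = ioc_ip_set() if ioc_ips is None else ioc_ips
    hits: list[Hit] = []
    for n, line in enumerate(log_lines, 1):
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        dst = fields.get("dst")
        if dst in ioc_ips:
            hits.append(Hit(n, "high", "destination is a published IOC IP", dst))
        dport = fields.get("dport", "")
        if dport.isdigit() and int(dport) in ports:
            # Weak evidence on its own: triage against the IOC set and the asset's role.
            hits.append(Hit(n, "low", "destination port in Mirai C2 port list", dport))
        md5 = fields.get("md5", "").lower()
        if md5 in hashes:
            hits.append(Hit(n, "high", "file hash matches published MD5", md5))
    return hits


# Constructed records; internal hosts use private and documentation (198.51.100.0/24) ranges.
SAMPLE_LOGS = [
    "ts=2024-01-11T08:01:02Z src=10.0.0.5 dst=45.128.232.143 dport=80 proto=tcp action=allow",
    "ts=2024-01-11T08:01:05Z src=10.0.0.7 dst=198.51.100.53 dport=53 proto=udp action=allow",
    "ts=2024-01-11T08:02:11Z src=192.168.1.10 dst=198.51.100.20 dport=9999 proto=tcp action=allow",
    "ts=2024-01-11T08:03:40Z host=nas01 event=file_write path=/tmp/paraiso.mips md5=DDF33AB2A548D8CD5EAC19B7EAD99F94",
    "ts=2024-01-11T08:04:02Z src=10.0.0.9 dst=109.207.200.43 dport=666 proto=tcp action=deny",
]


def run_sample() -> list[Hit]:
    return hunt(SAMPLE_LOGS)


if __name__ == "__main__":
    for h in run_sample():
        print(f"line {h.line_no} [{h.confidence}] {h.reason}: {h.indicator}")
```

On the constructed sample this yields five hits: two high-confidence IP matches, one hash match (the lower-casing makes the comparison robust to the mixed case EDR tools emit), and two low-confidence port-only matches, of which only the one that coincides with an IOC IP (line 5) deserves immediate attention. In a real deployment the sets would be loaded from a feed such as the MalwareBazaar export the post refers to rather than pasted in.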

Conclusion

My hypothesis is that NoName057 is behind the attacks on the Danish energy sector and that they may have affiliates of other criminal groups. This could be the case due to semantics and motives for critical infrastructure attacks as a response to the military, kinetic support of the affected countries in the Ukraine conflict.

In doing so, the hacktivists also try to operate profitably in order to finance further actions themselves. It is not expected that the Russian state will prosecute or punish them, and it is accepted that the group has direct contacts with Russian intelligence.

It may well be that parts of the Russian criminal groups are also located in Germany and may have gone into hiding here with the help of criminals from the underground, but that is just an assumption and not necessarily a fact. Just like in a good thriller, you never know!
