Serhiy Demedyuk, head of the Ukrainian state cyber police, stated that a number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread. Those campaigns intended to compromise financial information and other sensitive data.
“During these attacks, we repeatedly detected more powerful, quiet attacks that were aimed at obtaining financial and confidential information,” Demedyuk told the Reuters Cyber Security Summit in Kiev earlier this week.
Demedyuk described the campaign as a hybrid attack, with the Bad Rabbit ransomware serving as an obvious and intrusive attack while a second, hidden attack is carried out without as much attention—but with just as devastating results, if not more so.
Bad Rabbit began spreading late last month and quickly infected a number of major organizations including Russian media companies and critical infrastructure including Kiev Metro—the main mode of public transport in Ukraine’s capital city—and the Odessa International Airport.
The attack was believed to have spread through drive-by attacks, which appear to have been set up on a number of Russian news and media websites and used social engineering to trick users into downloading an "Adobe Flash" installer. When users clicked to install the update, their machine was compromised by Bad Rabbit.
Ransom was not the ultimate goal?
The revelation made by Ukrainian cyber police suggest the ransom was not the ultimate goal for Bad Rabbit. Investigators currently believe that the perpetrator of Bad Rabbit and of the secondary phishing campaign are the same, with the goal of the secondary attack to gain undetected access well after the ransomware campaign stopped spreading.
In that way, it is similar to the NotPetya attack that spread earlier this year and also heavily targeted organizations in Ukraine. That attack, in which users appeared to have been infected with ransomware, was actually a wiper which bricks the system completely.
Hackers have continued to use backdoors that allow for ongoing access into an affected system to carry out attacks long after the spread of Petya ended.
The hidden motive is simply to distract cyber defenders
“As cyber criminals get smarter and more sophisticated, it is important to remember that attacks are not always what they seem on the surface," Ben Johnson, co-founder and chief technology officer of Obsidian Security, told International Business Times. "Everything a hacker does is built with an objective in mind, so sometimes the objective is to deceive or confuse defenders. For example, it may seem the goal of ransomware is to be detected in order to make money. But this shows that often times, the hidden motive is simply to distract cyber defenders while criminals launch quieter, more targeted attacks to accomplish their real goals.”
The former computer scientist for the United States National Security Agency said, "This may take the form of a phishing campaign, or deploying some other nastier payload, but sophisticated actors are initially after one thing—access. High profile attacks like this can be the perfect cover for obtaining access, and maintaining it long term.”
It's unlikely a coincidence that Bad Rabbit and NotPetya both used ransomware as a cover for a secondary attack. Both used a similar propagation method and some security experts have suggested the attacks could have been carried out by the same group as they share similar code - meaning the Russian GRU, which is six times larger than the FSB (the new name for the old KGB).
Free Phishing Security Test
Did you know that 91% of successful data breaches started with a spear-phishing attack?
Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our new, improved free test.
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: