Augur Predicts and Blocks Key IP in Ukrainian Spear Phishing Campaign
We always like to share when research from a respected third party on a high-profile threat confirms an Augur prediction to help underline the power and value of having proactive, predictive intelligence as part of your threat intel coverage. In this post, we’ll take a look at some interesting Mandiant research into spear phishing campaigns targeting Ukraine and drill down on a critical IP associated with the attacks that Augur predicted in time for the threat vector to be blocked before attacks kicked off.
Belarus and Russia Target Ukraine
Recently, threat intel powerhouse Mandiant published a blog post highlighting spear phishing campaigns targeting Ukraine being carried out by government-related threat actors from Belarus and Russia (of course, no government ever confirms these types of activities). The campaigns were sophisticated and had a striking commonality in terms of the types of lures being used. The attacks leveraged calls to action (CTAs) related to urgent war-related issues like evacuation plans and sheltering instructions to entice users to open documents and deploy remote access software. You can read more about the attacks in Mandiant’s in-depth and informative post here.
194[.]31[.]98[.]124 at the Heart of the Attacks
In Q1 2022, Augur predicted all IPs in the 194[.]31[.]98[.]0/24 CIDR to be malicious with an importance score of 80 (high), and on March 29, the first activity was detected on 194[.]31[.]98[.]124. The research from Mandiant shows that this IP (194[.]31[.]98[.]124) was central to the campaign, as it was used for:
- Command and control
- Delivering an oracle-java.exe that downloads the GrimPlant backdoor
- Delivering a Microsoft Cortana .exe that downloads GraphSteel
A Highly Malicious CIDR
Almost immediately after the Augur prediction, other IPs within this CIDR began to be confirmed by third-party security companies as malicious. By the end of March, all 256 IPs in the CIDR had been confirmed malicious, often by multiple sources with attack identifiers, including: muhstik (IoT botnet), nanocore_rat (RAT), cobaltstrike (RAT) and graphsteel (infostealer).
It goes without saying that if you have not already blocked all IPs in this CIDR, you should do so today.
When Augur makes a prediction, it uses ML and AI to attribute that prediction to an existing threat group profile or to create a new profile when it detects novel activity. In this case, the CIDR is attributed to Augur threat group profile-151677, which includes Operation Ghostwriter (aka UNC1151 and UNC115) and Saintbear (aka UAC-0056, UNC2589, TA471, and Nascent Ursa). These attributions align with the conclusions the Mandiant research teams reached.
The Power of Augur Predictions
Most threat intel is reactive by nature. When an IOC is detected, it’s reported and then blocked. In the time between first detection and reporting, most organizations are at risk from that IOC. Augur’s predictive threat intelligence addresses this gap by detecting the setup of cyber criminal infrastructure long before attacks are launched. Its predictions are at the CIDR level, meaning that an Augur prediction includes all the IPs included in a new registration. So instead of blocking a single IP after the first attack is detected, Augur allows you to block all the IPs in the CIDR with a high degree of certainty, giving you protection in advance against all activities coming from that cybercriminal infrastructure and reducing overall risk. Augur also attributes infrastructure to threat actor profiles, allowing threat hunters to understand if a single group is specifically targeting their organization. To put the power of Augur predictive intelligence and automated enforcement to work for you and to get access to valuable enrichment information available through the Augur Dashboard, email us at firstname.lastname@example.org.
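To make the CIDR-level blocking advice above concrete, here is a small added Python example (not Augur's code or Mandiant's) that takes the predicted 194[.]31[.]98[.]0/24 range exactly as it appears in this post, refangs it, hunts through egress log lines for connections into the range, and emits deny rules for the whole /24 rather than for the single confirmed IP. The log lines are constructed for the example, as is the iptables rule format; the only real indicators are the CIDR and IP from the post.

```python
import ipaddress

# Indicators from the post, kept in the defanged form in which they were published.
PREDICTED_CIDR_DEFANGED = "194[.]31[.]98[.]0/24"
KNOWN_C2_DEFANGED = "194[.]31[.]98[.]124"

# Constructed sample egress log (not real traffic): "timestamp src dst action".
# Line 3 is a different host in the same /24 that no report has named yet;
# line 4 is a neighbouring /24 and must not match.
SAMPLE_LOG = """\
2022-03-29T10:14:02Z 10.0.5.23 194.31.98.124 ALLOW
2022-03-29T10:14:07Z 10.0.5.23 93.184.216.34 ALLOW
2022-03-29T10:15:41Z 10.0.7.8 194.31.98.17 ALLOW
2022-03-30T08:01:13Z 10.0.2.2 194.31.99.1 ALLOW
"""


def refang(indicator: str) -> str:
    """Convert a defanged indicator (194[.]31[.]98[.]124) back to a parseable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def predicted_network(cidr: str) -> ipaddress.IPv4Network:
    """Parse a (possibly defanged) CIDR; strict=False tolerates a host bit in the string."""
    return ipaddress.ip_network(refang(cidr), strict=False)


def prediction_size(cidr: str) -> int:
    """Number of addresses a CIDR-level prediction covers (256 for a /24)."""
    return predicted_network(cidr).num_addresses


def ip_in_prediction(ip: str, cidr: str) -> bool:
    """True when a single IP (defanged or not) falls inside the predicted range."""
    return ipaddress.ip_address(refang(ip)) in predicted_network(cidr)


def find_hits(log_text: str, cidr: str):
    """Retroactive hunt: return (line_no, src, dst) for log lines whose
    destination is anywhere in the predicted CIDR, not just the named IP."""
    net = predicted_network(cidr)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the hunt
        _ts, src, dst, _action = parts[:4]
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # non-IP destination (hostname, garbage)
        if dst_ip in net:
            hits.append((line_no, src, dst))
    return hits


def deny_rules(cidr: str):
    """Block the whole predicted range in both directions (hypothetical iptables rules)."""
    net = predicted_network(cidr)
    return [
        f"iptables -A OUTPUT -d {net} -j DROP",
        f"iptables -A INPUT -s {net} -j DROP",
    ]


if __name__ == "__main__":
    print("prediction covers", prediction_size(PREDICTED_CIDR_DEFANGED), "addresses")
    for hit in find_hits(SAMPLE_LOG, PREDICTED_CIDR_DEFANGED):
        print("hit:", hit)
    for rule in deny_rules(PREDICTED_CIDR_DEFANGED):
        print(rule)
```

The point of `find_hits` is the one the post makes: matching on the network rather than on the single reported IP catches the connection to 194.31.98.17 as well, which a single-IP blocklist built from the first report would have missed.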
Find Out More
Curious to see how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture? You can learn more about how Augur works and how it solves real-world security problems.