The Belarusian Cyber Partisans have shared documents related to another hack, and explained that Curated Intel member, SttyK, would “understand some of the methods used.”
Written by @BushidoToken and edited by @SteveD3
In public media reports, it has been stated that the rail service’s website issued a warning to passengers that some e-ticket systems were unavailable (source: rw[.]by), seemingly confirming the Cyber-Partisans’ claims that they targeted network assets in order to disrupt operations. The Belarusian government has not commented on the incident.
On Tuesday 24 January, Curated Intelligence member @SttyK obtained documents from Cyber-Partisans, which the group claimed would help SttyK “understand some of the methods used” during the attack. Initially SttyK reached out to the group seeking access to the malware used in the attack, which would have then been studied. However, the group declined to share the code, but noted they would “gladly do that once the authoritarian regime in Belarus is gone.”
Based on public reporting and previous interviews, the Belarusian Cyber-Partisans are "a group of 15 self taught hacktivists who claim to have assistance and support from disaffected Belarusian security forces" (source: CyberScoop). The group has been closely associated with a series of government website defacement operations. Last August, the group spoke to Patrick Howell O’Neill at Technology Review, in a rather informative interview, should anyone want some additional background.
As mentioned, SttyK reached out to the group in order to obtain malware samples for study. Instead, what the group responded with were a series of documents. These documents represent a report based on an investigation into an attack on 14 March 2021, which concluded on 8 April of the same year.
Editor Note: One of the first questions asked internally by Curated Intelligence members was “why?”. Why are they sharing such details, and what do they have to gain by exposing a previously released incident report? There are a number of answers to that question, but the key answer is exposure. As is the case with articles in major publications, blogs such as this one give hacktivists attention to their cause. So then the question becomes, is the information they shared with us of importance to the public (yes, it is). Thus giving them attention is worth the trade-off in our opinions, and serves our goal of informing the public.
The Stolen Incident Response Report:
- The report was first mentioned in a YouTube video on the Cyber-Partisans’ own YouTube channel in November 2021 (see here)
- The investigation and report began on 25 March 2021 and was done by VirusBlokAda (the antivirus firm that also first discovered Stuxnet)
- The incident report cost 2530.00 BYN (worth an estimated $1,000 USD)
- In the report, the initial date of compromise was discovered to be 14 March 2021
- According to the report, the victim was the Academy of Public Administration under the President of the Republic of Belarus
Fig. 8 - Screenshot of the report mentioning the use of 3proxy[.]ru (3proxy: https://3proxy.org/)
Summary of Attack:
- Initial access via the BlueKeep RCE vulnerability (CVE-2019-0708) in RDP on a Windows Server 2008 R2 system
- Used the 3proxy[.]ru service to launch attacks from a VPS
- Used Mimikatz to dump LSASS (this requires SYSTEM-level privileges; how they obtained these is currently unclear)
- Used Nmap to identify systems with port 3389 (RDP) open
- Used RDP to move laterally
- Eventually landed on the victim's Domain Controller
- Configured TCP port forwarding to expose port 3389 to the internet for persistent access
- Deleted data (such as employee records) from live and backup systems
- mstcpsvc32 %COMSPEC% /Q /c echo net user aaiadmin /domain ^> \\127.0.0.1\ADMIN$\hibfile.sys 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
- 3389 (RDP) -> Port 9000
- 3389 (RDP) -> Port 9001
- 4899 (RAdmin) -> Port 9002
- 3389 (RDP) -> Port 9003
- They used the default user aaiadmin
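The mstcpsvc32 service entry quoted above is a useful detection hook for defenders: cmd.exe echoes a one-line command into a batch file under %TEMP%, runs it, deletes it, and redirects the output into a file under the ADMIN$ share on 127.0.0.1 so it can be read back over SMB. The following Python is an added example, not code from the report, from VirusBlokAda or from Curated Intelligence. It assumes Windows System log "service installed" records (Event ID 7045) have been flattened to one constructed `key=value` line each; the sample records, the regular expressions and the function names are all assumptions made for the example.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"), flattened to one key=value line
# each so the example runs offline. Record 1 carries the service command quoted
# in the report; records 2 and 3 are ordinary service installs for contrast.
SAMPLE_EVENTS = [
    r"EventID=7045 ServiceName=mstcpsvc32 ImagePath=%COMSPEC% /Q /c echo net user aaiadmin /domain ^> \\127.0.0.1\ADMIN$\hibfile.sys 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    r"EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe",
    r"EventID=7045 ServiceName=wuauserv ImagePath=C:\Windows\System32\svchost.exe -k netsvcs",
]

# Flattened record layout assumed by this example (not a Windows format).
EVENT_RE = re.compile(
    r"EventID=(?P<EventID>\d+)\s+ServiceName=(?P<ServiceName>\S+)\s+ImagePath=(?P<ImagePath>.*)"
)

# Shape of the quoted command: echo <command> ^> \\<host>\ADMIN$\<file> ... > %TEMP%\<name>.bat
REMOTE_SHELL_RE = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s+(?P<command>.+?)\s+\^>\s+"
    r"(?P<output>\\\\\S+\\ADMIN\$\\\S+)"
    r".*?>\s*(?P<batch>%TEMP%\\\S+\.bat)",
    re.IGNORECASE,
)

# "net user <name> /domain" inside the echoed command is domain account enumeration.
ACCOUNT_ENUM_RE = re.compile(r"\bnet\s+user\s+(\S+)\s+/domain\b", re.IGNORECASE)


def parse_event(line):
    """Parse one flattened event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def analyze_service_install(event):
    """Return a finding dict when a 7045 event's ImagePath matches the echo-to-batch pattern."""
    if event is None or event["EventID"] != "7045":
        return None
    m = REMOTE_SHELL_RE.search(event["ImagePath"])
    if not m:
        return None
    finding = {
        "service": event["ServiceName"],
        "command": m.group("command").strip(),
        "output_file": m.group("output"),
        "batch_file": m.group("batch"),
        "technique": "command executed through a throw-away service, output staged on ADMIN$",
    }
    acct = ACCOUNT_ENUM_RE.search(finding["command"])
    if acct:
        finding["enumerated_account"] = acct.group(1)
    return finding


def scan(lines):
    """Run the check over many event lines and return the list of findings."""
    findings = []
    for line in lines:
        finding = analyze_service_install(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed records, only the mstcpsvc32 entry is flagged, with the inner command (`net user aaiadmin /domain`), the ADMIN$ output file and the %TEMP% batch file pulled out so an analyst can pivot on the service name, the staged output path and the enumerated account rather than on the exact command string, which an operator can change freely.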