Hello, everyone. Today I'm going to talk about Russian cyber threats in the pandemic era: how Russia actually sees the global COVID-19 pandemic as an opportunity to launch its multifaceted, multi-directional information warfare strategy against prospective enemies, and how they used their APT groups and criminal groups to attack healthcare organizations, research institutes and hospitals in the United States and in European countries.

So, before I talk about the hacking and the actual disruption, I would like to give you a kind of overview of how Russia sees information warfare strategy, which agencies are in charge, what their doctrine of information warfare actually is, and how they are actually using APT groups and criminal syndicates to achieve their mission.

Let me just give you an overview of how the Russian information warfare doctrine works. It is a kind of integrated system of systems that works together. Everything is under one umbrella, whether it is intelligence, counterintelligence, masking, or attacking an enemy's computer networks and software applications. A few years ago, in 2018, an artificial intelligence element was added to the information warfare doctrine. It actually contains two elements: using artificial intelligence technology in the military field and in the non-military field, for example, using AI technology to advance their military capabilities and using AI technology to advance their capabilities in the medical field, the biotechnology field, manufacturing and energy. So they actually see artificial intelligence as an emerging tool to secure their strategic interests inside the country and outside the country.

Some historical background on how the information warfare doctrine was actually formed.
I'm just going to give you a short overview. The doctrinal and strategic thinking is actually rooted in the teaching of the Marshal of the Soviet Union, Nikolai Ogarkov, in what he referred to as the military-technical revolution. A brief statement of his thesis is that computers, with accuracy and miniaturization, were about to transform the modern battlefield, and that the Americans are ahead in this respect and we really have to do something about it because we're falling behind. Other events also affected the formation of the Russian information warfare doctrine and its subset, cyber warfare. They declared the first and second Gulf Wars as wars of the military-technical revolution. Then, fast forward, there were the Yeltsin years, and in those years theories were actually developed, theories rather than building machines, writing software and running operations. Fast forward, there were a couple of other events, but a couple of years ago the Chief of the General Staff, Valery Gerasimov, published an article in one of the military newspapers that was actually dubbed the Gerasimov doctrine in the western press. He is actually saying that in a matter of months perfectly thriving states can be turned into a web of chaos. So they see information warfare, and its subset cyber warfare, as a way to achieve their objectives in various directions, whether it's the political direction, the military direction or any other field.

So let me just give you a couple of examples of which are the major players in this respect, which organizations actually have the upper hand in information warfare and in its subset of cyber warfare, and also a small historical overview. In 2003, a couple of years after Putin came to power, he actually disbanded FAPSI, the Federal Agency for Government Communications and Information.
This agency was in charge of military intelligence, code cracking, security, technical intelligence and counterintelligence, and once it was disbanded, some of its functions went to these organizations: the Federal Protective Service (FSO), the Federal Security Service (FSB), the Ministry of Internal Affairs of Russia, the SVR (foreign intelligence) and the GRU (Russian military intelligence). What is also very important here is that the large portion of FAPSI that was left after the organization was renamed the Special Communications and Information Service was folded into the FSB. So all of those organizations have their part in the information warfare doctrine, and what is also very important here is that the leading role in this respect belongs to the Russian military, the GRU, and the Russian Federal Security Service, the FSB.

There is a kind of structure to how the GRU's research institutes and units are actually participating in information warfare and cyber warfare efforts. Let me just give you an overview of those MoD central research institutes and units. The Defense Ministry's 45th Central Research Institute is military unit 54726; those units are actually in charge of finding intelligence about the military potential of foreign countries. Another unit here is the MoD Center for Special Studies; those centers are hiring students from engineering schools, and they are in charge of analyzing, exploiting and finding vulnerabilities in computer systems. By the way, what is also very important here is Evgenii Serebriakov, who was actually expelled from the Netherlands in 2018.
He was trying to hack into the OPCW, the Organisation for the Prohibition of Chemical Weapons. It's a UN chemical watchdog organization that was about to craft the report about the poisoning substance that was used against the double agent Sergei Skripal and his daughter Yulia, as well as about to craft a report on the chemical substance that was used in the war in Syria. So they actually wanted to find out what this report was about before it was released.

Another major player is the MoD's 12B division, which is in charge of cyber operations and psychological operations. Let me also talk a little bit about the 18th Central Research Institute and its unit 111345. Those folks are in charge of signals intelligence. They are also in charge of the development of devices and electromagnetic systems. What is also very important is the 85th Central Research Institute, unit 26165, and the Main Center for Special Technology, unit 74455. Those two units are the biggest repository of hacker talent, and all of those units together actually formed APT28. This is the advanced persistent threat group that is also known as Fancy Bear and has other names as well. And of course they are using the hacker reserve forces for their hacking activities. I'm going to talk a little bit later about GUNID and the Technopolis ERA, what kind of laboratories they have, including biotech labs, and what kind of projects they are actually implementing.

So, another development that happened in the Russian military is that in 2017 they officially announced the formation of military scientific units, also called information warfare troops, and what is also important is that Minister Shoigu,
the Minister of Defense of Russia, officially made a statement about the formation of these units, and he openly said that those units will not only be in charge of securing the command, control and communications of the Russian military, or of developing software for the National Defense Control Center, which is the high supreme body that is responsible for the Defense Ministry's supervision and management, but those guys will also be in charge of psychological operations. That once again illustrates how Russia actually sees this information warfare doctrine: the security concept of compartmentalization and the idea of cyber as a separate domain don't exist in the Russian concept. What is also very important is that about 1000 personnel were incorporated into these military scientific units. They are engineers, they are cryptographers, they are signalers, they are linguists, they are doctors, they are scientists.

So let me just move on a little bit. I just want to talk about the Technopolis ERA. Technopolis ERA was opened in 2018 and, according to official sources, they want to make it fully operational by the end of 2020. ERA stands for the elite of the Russian army, and they are actually moving these military scientific units, 12 of those units that were created in 2018, to Technopolis ERA on a permanent basis. It is also believed that those military scientific units are the arms of the GRU, Russian military intelligence. There are eight major directions they are working on: information and telecommunications, supercomputers, information security (cybersecurity), technical vision, energy technology, and nanotechnologies and nanomaterials. But what is also very important is that they are putting a lot of effort, financial resources and human resources into the fields of bioengineering, synthetic biology and biosensor technologies.
One of the major missions of the Technopolis ERA is actually finding information about other countries: what other countries are actually doing in these eight fields, in these directions. So let me just talk a little bit about who is coordinating the Technopolis ERA. Officially, it is coordinated by GUNID, which is the General Directorate for Research and Development and Technical Support of Advanced Technologies. They are cooperating with defense-related enterprises, and over 200 scientific organizations, universities and the Russian Academy of Sciences have agreements with the Technopolis ERA; some of those, and actually not some but quite a few, over 40 to 45 scientific organizations and defense-related enterprises, have permanent representation at the Technopolis ERA.

Let me just talk a little bit about the labs. They have 18 labs there, and I'm going to talk about the projects in terms of the field of biotech. They are working in a 3D bioprinting lab, growing living tissues and bone tissues. They are working on machine learning technologies in healthcare for the diagnosis and treatment of illness, telesurgery, medical robotics and multimedia image communication. In silico clinical trials and drug testing is one of their major directions, using computer models and simulation to develop and assess drugs and devices. It is also very important that they are putting a lot of effort into portable biological reconnaissance devices. A lot of effort is going into a biosensor device designed to detect pathogens of dangerous infectious diseases and viruses. And one of the major directions of the Technopolis ERA is biological intelligence; they are developing biosensor devices.
And they are also putting a lot of effort into biological intelligence. Actually, they are concerned about the research activities being conducted by foreign research institutions, because they kind of feel that there needs to be appropriate reconnaissance in this respect, according to the statements of various government officials in Russia. The hallmark of stealing intellectual property was the signature of the Chinese APT groups, and now we see that this will be incorporated by the Russian APT groups, and we already see some signs in this respect.

So, a kind of interesting piece of information, kind of breaking news: just recently, a few days ago, the Russian Ministry of Defense actually made a statement, and it's also very important to underline here that together with the Gamaleya Scientific Research Institute of Epidemiology and Microbiology they said that they successfully completed the trial of the COVID-19 vaccine. And, by the way, the First Deputy Minister of Defense made a statement that the vaccine is actually ready, ready for distribution. Interesting information.

Let me just talk a little bit about the FSB's role in the field of information warfare and its subset, cyber warfare. There are a lot of scientific and technical centers and units here, but I'm going to talk about two major units that are in charge of cyber operations: units 71330 and 64829. They are under the 2nd Directorate and the 16th Directorate. So those two centers, these units, are in charge of cyber; they have very high cyber intelligence capabilities and they're in charge of offensive information operations outside of Russia and inside of Russia. The 18th Center, the Information Security Center, is also in charge of the SORM system. Let me just give you an overview of the SORM system.
SORM is the System of Operative Investigative Measures. It's a kind of surveillance system that all the ISPs are now legally required to install. This is a very sophisticated system that captures all digital and mobile communication and online communication: full recording of conversations, as well as the content of email, text and other communication. For online communication, for example, it taps into the networks of the internet service providers through rerouting devices called black boxes and high-speed communication lines. And, by the way, it has real-time monitoring capabilities.

So here are a couple of examples of what kind of projects they are implementing, which I'm going to talk about on my next slides. They are also actually in charge of the hacker reserve forces. So imagine having reserve forces that you don't pay anything and you don't train; they train themselves, they pay themselves, and they do business for the intelligence services in Russia. There is also the APT29 group, a hacking group, a nation-sponsored group. It also has different names: Cozy Bear, CozyDuke, et cetera, et cetera.

Let me just talk about the projects that the siloviki, the people of power, the Russian intelligence services, are in charge of. For example, the contracting organizations that the security services in Russia outsourced to were hacked a couple of years ago, and last year as well, and all those projects were actually revealed on the net. One is the Nautilus project, which was about collecting information about users on social media. And then there is Nautilus-S, which was about de-anonymizing Tor traffic using rogue Tor servers. By the way, a couple of years ago, I mean one or two years ago, 25 of those rogue servers were identified, and 18 of them were actually located in Russia. They are also using the so-called scientific institutes, think tanks, for their projects.
One of the pretty well-known think tanks in Russia is called Kvant, an FSB think tank, and they were also in charge of developing software to detect protest moods among the population. Just a year ago there was another leak that exposed an FSB IoT botnet project called Fronton, and the leaked documents actually showed that the procurement order was placed by FSB unit 64829.

Let me just give you a quick overview of the growing complexity of outsourcing and why Russia uses a very sophisticated outsourcing strategy: because it creates a very profound attribution problem, and it's also very cost effective for them. So let me give you the whole scenario of how it works. The idea actually comes from the government. Then the government is actually in charge, from the beginning, of the whole command and control process. A project manager is assigned, and the project manager does the compartmentalization process, so tasks are broken into pieces. Then the people in the middle are also outsourcing to hackers from other countries. They are also subcontracting those hackers from, you know, Ukraine, from the United States, from China, and from other countries. So the people here, the third parties, actually don't know where their original order comes from, and money changes hands, and this is how the whole operation goes. So right now, who is behind this or that project is very, very hard to tell; it is very hard to solve the attribution problem in this respect.

So what we saw during this pandemic time: the Kremlin's information warfare was used at its full capacity. They used the cyber elements, they used the disinformation elements, and they used all the components of information warfare. They spread malicious content and malicious information, they used the conventional media outlets, they used their scientists, they used trolls.
They used the non-conventional channels, for example, to spread this information, not only in English but in Russian and in various languages. And by the way, when I did research about this, the views and shares of this information were in the hundreds of thousands and into the millions. But it's nothing new. This kind of spreading of false narratives, I mean, these are all techniques that the Russian military, and not only the Russian military but the FSB and the intelligence organizations in general, were using in the past. For example, in the 1950s the Soviet military intelligence invented and created fake reports that the US used biological weapons in Korea, supposedly dropping bombs with insects and pests infected with cholera and plague, as well as, for example, in the late 1980s, spreading the false narrative that the AIDS epidemic started from experiments at a secret military biological lab in the US. So, I think, the false narratives are about scientific institutions and labs in other countries, that supposedly they are creating biological weapons or something like this.

In March and April, a couple of reports were published in this respect about how Russians were using APT groups and cyber criminal syndicates to hack into research facilities and hospitals, and what kind of strategies, methodologies and TTPs were used. Now, just recently, the UK's National Cyber Security Centre published an advisory that states, they openly said, that the APT29 group, which is associated with the FSB, the Russian security service, is actually attempting to steal information on coronavirus research, targeting pharmaceutical companies, healthcare and academic research centers.
So all aspects of the information warfare elements were actually used. As I mentioned, they used the conventional media and anonymous outlets, and the cyber components: they created a fake coronavirus tracking application, ransomware targeting the healthcare system, which I'm going to talk about in detail on my next slides, and attacks targeting VPN systems and remote working tools and software.

Here are actually a couple of examples of what kind of fake, bogus emails they are crafting, mimicking legitimate organizations such as the World Health Organization, the CDC, and other government agencies. For example, cyber criminals in the UK also used an SMS phishing strategy; here is a screenshot. They were sending UK residents a message that the UK government is offering a payment of over 400 pounds to all residents and you just have to click this link. And once you click this link, it actually asks you for the national registration number, as well as other information, banking information. A fake Android application was also created and was removed from Google Play. What I'm actually going to talk about is the fake live map that resembled the Johns Hopkins University coronavirus tracking infographic map. I'm going to talk about this in more detail on my next slides. What we also saw during this period is that over 1.2 million newly registered domains were created, and over 85,000 domains were classified as risky or malicious.

Okay, here is one of them: a criminal group called Sodinokibi, also known as REvil. This group has a very heavy presence on the XSS forum. This group actually launches competitions for developing exploits for zero-days, writing crypto algorithms and other kinds of tasks that are posted on these websites, and they pay money. For example, one of the competitions was for about 15,000 dollars.
What is also very important is that in February they were already discussing the methods. They were selling a malware variant, delivered as an email attachment, that was later embedded into the COVID-19 Johns Hopkins infographic map. They were also selling variants of malware that were later embedded into the fake map. For example, if you just opened it, it downloaded malicious code into your system, collected information from the infected computer and sent this information to the command and control server.

By the way, this group is a human-operated ransomware group. What that actually means is that the attack doesn't happen in an automated fashion; instead they are compromising Internet-facing devices in order to establish presence in a vulnerable system, and later they execute, exfiltrate information and encrypt information on the victims' data. They were exploiting vulnerabilities in Remote Desktop Protocol, vulnerabilities in unpatched operating systems, misconfigured servers, as well as electronic health record software. And what is also important is that for their operation they use Mimikatz; Mimikatz is a leading post-exploitation tool that actually dumps passwords from memory. This criminal organization also attacked one of the biotech companies, Bear, that is based in California. And what is also very important here is that they are not only interested in selling the intellectual property from the biotech companies in the United States or in European countries, but they were also trying to gain financially; they were launching cyber attacks purely for financial gain, financial gain per se. For example, they attacked a New York law firm, one of the prominent, very well known law firms that has a very high-level clientele, and asked for ransom.
So I already said that the Russian deep web forums, dark web forums, hacker forums, were very busy during this time period; a lot of discussions were going on on those forums, even selling variants of malware, discussing methodologies about how to embed malicious code into email, and some others, and the COVID-19 issue was very highly discussed, along with all of these TTPs and methodologies on those forums. As I mentioned, on one of those forums they were already offering malware for sale that was later inserted into an email attachment resembling the fake COVID-19 map. So those dark web forums, and a lot of other, you know, dark and hacker forums, are actually on the .ru domains and the .su domains; if you don't know what a .su domain is, it's the Soviet Union domain, and it actually has over 120,000 registered domains. Yeah, a lot of interesting information one can gather from those forums, and it gives you a pretty good understanding of what they're up to, what they're planning, what kind of strategies they are discussing for future attacks.

So another group that was very active during this period was the Hades group. This group is associated with the Russian military, the Russian military GRU, with the APT28 group, also called Fancy Bear, Sofacy, and it has some other names as well. They were using a phishing email campaign mimicking the World Health Organization and the Government of Ukraine; here is an example of the kind of emails they were sending to the organizations in Ukraine, and not only in Ukraine, but this group was mostly active in European countries, and in particular heavily active in Ukraine. And once you opened this file, it downloaded malicious macro code to perform remote control. Another group that was very active during this time was Gamaredon; this is the FSB group.
They also targeted organizations; they targeted scientific research centers and hospitals all over the western countries. This group is associated with the FSB's 16th and 18th Centers, which are under the 2nd and 16th Directorates of the FSB, active since 2013 and attacking Ukraine since 2014. So once you actually opened the document, it started a template injection technique to load the document template from the Internet. And once the document template was downloaded, it executed malicious macro code, which executed VBS scripts. Here are actually the IP addresses, from Russian hosting companies, that this group used as the network destination for the template injection and the network destination for the VBS script.

Another organization, a cyber criminal group that was very active during this time, was a Russian ransomware group called Maze. The group uses a variety of techniques: exploiting known vulnerabilities that have not been patched, remote desktop connections with weak passwords, and malicious emails or links. They attacked not only research institutes and scientific centers but also, for example, IT service provider companies that provide this kind of service to the healthcare industry and manufacturing. In March they attacked Hammersmith Medicines Research, a research center in the UK; this center was previously involved with an Ebola solution and was working on the COVID-19 vaccine. It's also very important about this ransomware group that this group is not the kind of typical data-encrypting ransomware. It doesn't just encrypt every computer that is in its path; it also sends stolen information and data to the attacker's servers.

Let me just talk a little bit about Ryuk. This is another Russian hacking group. This hacking group also attacked hospitals in Europe and the United States.
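As an added, defender-side illustration of the remote template loading described above (this is not code from the talk, and it is not tied to any real sample), the following Python scans a Word OOXML file in memory for the two indicators a template injection document carries: an attachedTemplate relationship whose target is External (the document will fetch a template from that URL when opened) and an embedded VBA project. The sample documents it builds contain only the parts the scanner reads and no payload; the function names and the example.invalid URL are my own choices.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Standard OOXML namespace and relationship type (public schema values, not page-specific).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
VBA_PART = "word/vbaProject.bin"


def scan_docx(data: bytes) -> dict:
    """Return template-injection indicators for a .docx/.dotm held in memory.

    remote_templates:  Target URLs of attachedTemplate relationships marked External.
    has_macro_project: True when a VBA project part is embedded in the package.
    """
    findings = {"remote_templates": [], "has_macro_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_macro_project"] = VBA_PART in names
        if SETTINGS_RELS in names:
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    findings["remote_templates"].append(rel.get("Target"))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag any remote template or macro project; tune the policy to your environment."""
    return bool(findings["remote_templates"]) or findings["has_macro_project"]


def build_sample_docx(template_url: Optional[str] = None, with_vba: bool = False) -> bytes:
    """Constructed minimal package for testing the scanner (hypothetical, carries no payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"')
        if template_url:
            # settings.xml points at relationship rId1; the .rels file resolves it to a URL.
            settings += (' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/'
                         'relationships"><w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr(SETTINGS_RELS,
                        f'<Relationships xmlns="{RELS_NS}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_url}" TargetMode="External"/></Relationships>')
        else:
            settings += "/>"
        zf.writestr("word/settings.xml", settings)
        if with_vba:
            zf.writestr(VBA_PART, b"\x00")  # placeholder bytes, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean", build_sample_docx()),
        ("remote template", build_sample_docx("http://example.invalid/t.dotm")),
        ("macro project", build_sample_docx(with_vba=True)),
    ]
    for label, doc in samples:
        result = scan_docx(doc)
        print(f"{label}: suspicious={is_suspicious(result)} {result}")
```

The same relationship lookup applies to real attachments pulled from a mail gateway or a sandbox: the External target is the network destination the talk refers to, so logging it gives the IOC to match against the hosting addresses on the slide, and the presence of vbaProject.bin is the second stage the macro-based samples rely on.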
For example, they attacked the second largest hospital in the Czech Republic, in Brno. Before the pandemic they actually attacked hospitals in Alabama and asked for a big ransom to decrypt and unlock the medical data. This ransomware typically, you know, attacks a system they have already compromised. For example, in this respect they used Emotet and TrickBot; TrickBot was originally actually created as a banking trojan designed to steal information, and once the system was infected with it, the real payload was dropped into the system and executed, the encryption process actually started, and they were asking for ransom to decrypt the data. As for attack vectors, they are trying to find vulnerabilities in the system, Remote Desktop Protocol and poorly secured RDP ports. They use phishing emails, sending malicious attachments by email to trick legitimate organizations into opening and downloading documents, tricking actually legitimate organizations.

So this is actually what I wanted to talk about: how Russians actually use their information warfare strategy and its elements of cyber warfare during this pandemic time. Of course, I would just like to talk to you a little bit about the mitigation strategy, and we also talk a lot about countermeasures in our community, about what kind of steps should be taken in order to secure systems and diminish risk, to decrease risk in this respect. Of course, an important factor is to assess the supply chain; supply chain contamination is a big problem in this respect. Unpatched systems were exploited by those hackers. Of course, it's very important to implement multifactor authentication methods, as well as to train the staff in this respect, but what is also very important here, and in most cases nobody talks about it, is putting threat intelligence into the mitigation strategy.
For example, before the pandemic, on all of those Russian forums they were discussing all of those methodologies and selling malware on those forums. I think that observing what's going on on the dark web, deep web, Russian hacking forums must be included in a mitigation strategy, because it gives you a pretty good understanding of what they are up to and what they are planning in the future.

Thank you very much. I hope you found this presentation very interesting, and I'm looking forward to the Q&A section. Thank you.