Full Report
Kaspersky Lab experts believe that the same threat actor is behind ExPetr and Bad Rabbit
Analysis Summary
Based on the provided context regarding Kaspersky Lab’s research into the link between the **ExPetr** (NotPetya) and **Bad Rabbit** campaigns, here is the structured threat actor summary.
# Threat Actor: TeleBots / Sandworm (Associated with ExPetr & Bad Rabbit)
## Attribution & Identity
* **Actor Identification:** Kaspersky Lab attribution links the creator of **ExPetr** (also known as NotPetya) and **Bad Rabbit** to the same threat group.
* **Known Aliases:** TeleBots, Sandworm (widely identified by the industry as the parent group).
* **Associated Groups:** Often linked to APT28 (Fancy Bear) or the Russian GRU (Unit 74455) by international intelligence agencies, though Kaspersky focuses on the link between the two specific malware codebases.
## Activity Summary
* **ExPetr Campaign (June 2017):** A massive global outbreak disguised as ransomware but functioning as a wiper. Initially spread via a hijacked update mechanism for the MeDoc accounting software in Ukraine.
* **Bad Rabbit Campaign (October 2017):** A targeted ransomware attack that hit several large organizations in Russia and Eastern Europe. Unlike ExPetr, it was distributed via drive-by downloads on compromised media/news websites.
## Tactics, Techniques & Procedures
* **Distribution:** Use of compromised news/media websites to serve a fake Adobe Flash player installer (Drive-by Download).
* **Lateral Movement:**
  * A hardcoded list of usernames and passwords tried against reachable hosts (brute force / credential stuffing).
  * Use of **EternalRomance** and **EternalBlue** exploits (SMB vulnerabilities).
  * Use of **Mimikatz** (and similar custom tools) to extract clear-text passwords from memory.
* **Execution:** Use of legitimate tools like **Windows Management Instrumentation (WMI)** and **PsExec** for remote execution on local networks.
* **Payload Mechanism:** Overwriting the Master Boot Record (MBR) and encrypting files using DiskCryptor.
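The lateral-movement chain above (a built-in credential list tried against a host, then remote execution through WMI or a PsExec-style service) leaves a recognisable trace in Windows event logs. The following detection logic is an added example written for this page, not code from Kaspersky Lab or from the malware analysis; the events are constructed samples in the shape of Security (4625 failed logon, 4688 process creation) and System (7045 service install) entries, and the `host`, `src_ip`, `user`, `image` and `parent` field names are assumptions about how a collector would normalise them.

```python
"""Correlate a password-guessing burst (many distinct usernames from one
source against one host) with a subsequent PsExec-style service install or
WMI-spawned process on the same host. Sample events are constructed; "host"
is the machine that logged the event, "src_ip" the logon source."""
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"id": 4625, "host": "WS-01", "src_ip": "10.0.0.7", "user": "Administrator"},
    {"id": 4625, "host": "WS-01", "src_ip": "10.0.0.7", "user": "admin"},
    {"id": 4625, "host": "WS-01", "src_ip": "10.0.0.7", "user": "root"},
    {"id": 4625, "host": "WS-01", "src_ip": "10.0.0.7", "user": "user"},
    {"id": 4625, "host": "WS-01", "src_ip": "10.0.0.7", "user": "backup"},
    {"id": 4625, "host": "WS-02", "src_ip": "10.0.0.9", "user": "jsmith"},  # one typo
    {"id": 7045, "host": "WS-01", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "WS-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 4688, "host": "WS-03", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def detect_password_guessing(events, min_users=5):
    """Return (host, src_ip) pairs where one source failed logons as at least
    min_users distinct accounts. A mistyped password hits one account; a
    built-in username list hits many in quick succession."""
    users = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            users[(e["host"], e["src_ip"])].add(e["user"].lower())
    return {key for key, u in users.items() if len(u) >= min_users}

def detect_remote_execution(events):
    """Return (host, technique) pairs: a PsExec-style service install (7045)
    or a process whose parent is the WMI provider host (4688)."""
    hits = set()
    for e in events:
        if e["id"] == 7045 and "psexesvc" in e.get("image", "").lower():
            hits.add((e["host"], "psexec-service"))
        elif e["id"] == 4688 and e.get("parent", "").lower().endswith("wmiprvse.exe"):
            hits.add((e["host"], "wmi-child-process"))
    return hits

def correlate(events):
    """Hosts that received a guessing burst and then ran code remotely:
    the highest-confidence signal for this chain."""
    guessed_hosts = {host for host, _ in detect_password_guessing(events)}
    return {host for host, _ in detect_remote_execution(events) if host in guessed_hosts}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'WS-01'}
```

Either detector alone is noisy on a real network (administrators use PsExec and WMI legitimately); the correlation is what raises confidence, and 4688 only carries the parent process name when command-line/parent auditing is enabled.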
## Targeting
* **Sectors:** Media and news outlets, transportation hubs (airports, metros), government agencies, and critical infrastructure.
* **Geography:** Primarily Russia and Ukraine; also affected organizations in Turkey, Germany, and Poland.
* **Victims:**
  * **Bad Rabbit:** Interfax news agency, Fontanka.ru, Kiev Metro, Odessa International Airport.
  * **ExPetr:** MeDoc users, Maersk, Merck, FedEx (TNT Express).
## Tools & Infrastructure
* **Malware Families:**
  * BadRabbit (disk-encrypting ransomware).
  * ExPetr/NotPetya (wiper disguised as ransomware).
  * DiskCryptor (legitimate open-source tool repurposed for the payload).
* **Infrastructure:**
  * **Compromised Sites:** `185[.]25[.]203[.]244` (used to host the fake Flash installer).
  * **C2/Distribution Domain:** `caforssztxq62sh7[.]onion` (Bad Rabbit payment site).
  * **Defanged URL:** `hxxp://1dnscontrol[.]com/flash_install.php`
## Implications
* **Strategic Intent:** The transition from the highly destructive ExPetr wiper to the Bad Rabbit ransomware suggests a shift in focus toward more targeted operations or a desire to gain financial profit alongside disruption.
* **Threat Assessment:** This actor demonstrates a high level of technical sophistication, utilizing zero-day exploits (or recycled NSA exploits) and supply chain compromise to achieve massive impact in short timeframes.
## Mitigations
* **Network Segmentation:** Isolate critical systems and ICS environments to prevent lateral movement via SMB.
* **Software Restrictions:** Disable WMI and PsExec if not strictly necessary for administrative tasks.
* **Patch Management:** Ensure MS17-010 (EternalBlue/EternalRomance) patches are applied to all Windows systems.
* **Endpoint Security:** Use robust endpoint protection that can detect unauthorized MBR modification and block the execution of unsigned scripts/tools (like Mimikatz).
* **User Training:** Educate users against downloading and installing software/Flash updates from third-party websites.