Trojanized Advertisements: Russian Hackers' New Move
Michael Sikorski of Unit 42 on the New Frontiers in Cyberespionage
Malicious actors often devise ingenious ways to infiltrate networks. Michael Sikorski, CTO and vice president of engineering at Unit 42 at Palo Alto Networks, shed light on an unconventional tactic deployed by Russian hackers: the Trojanization of legitimate advertisements.
The technique, Sikorski said, involves exploiting seemingly innocuous advertisements as vehicles for malware dissemination. Russian hackers intercepted an advertisement by a Polish diplomat who attempted to sell his BMW car amid the conflict with Ukraine. The hackers repurposed the advertisement with embedded malware. This tactic, Sikorski said, underscores Russia's strategy to establish covert hooks within foreign systems.
By compromising embassies and diplomatic missions, attackers can lay the groundwork for more sophisticated attacks, potentially influencing policy decisions. What sets this incident apart is the innovative use of a genuine document as the carrier for malware, signifying a concerning escalation in cyberespionage tactics.
"The same attack group that was responsible for SolarWinds - we tracked them as Cloaked Ursa - obtained that document and recirculated it to missions and embassies all around Ukraine," he said. "And when Russia got ahold of it, they even lowered the price and embedded malware in it and recirculated it. It shows how much access they have to networks there that they were able to get access to that."
In this video interview with Information Security Media Group at Black Hat USA 2023, Sikorski discussed:
- AI's role in social engineering and business email compromise;
- The future landscape of adversarial AI;
- The use of telemetry data to help identify state activity.
Sikorski is an industry expert in reverse engineering. He has more than 20 years of experience working on high-profile incidents and leading R&D teams and previously worked at Mandiant and the NSA.