Inside the Latest Espionage Campaign of Nebulous Mantis

Summary:
Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking cyber espionage group active since mid-2019. The group primarily targets critical infrastructure, government agencies, political leaders, and NATO-related defense organizations, driven by geopolitical motives. Their primary initial-access tactic is spear-phishing emails carrying weaponized document links that deploy the RomCom remote access trojan (RAT), which is then used for espionage, lateral movement, and data theft. Since mid-2022, RomCom has been their RAT of choice and is also employed in their ransomware attacks.

Nebulous Mantis uses advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command-and-control (C2) communications, and continually evolves its infrastructure using bulletproof hosting services such as LuxHost and AEZA. Notably, an individual tracked as LARVA-290 plays a critical IT-admin role in their operations, procuring intrusion servers for Nebulous Mantis campaigns. Following data exfiltration, the group has deployed a succession of ransomware strains: Cuba starting in January 2020, Industrial Spy after March 2022, and Team Underground since July 2023; victim data from their ongoing attacks continues to be leaked on Team Underground's Data Leak Site. Nebulous Mantis demonstrates a sophisticated, multi-phase attack methodology, blending social engineering with technical innovation. Their consistent targeting and advanced techniques position them as a potentially state-sponsored or highly resourced threat group.

Security Officer Comments:
The activities of Nebulous Mantis underscore the persistent and evolving threat posed by state-sponsored or highly resourced cyber espionage groups. Their focus on critical infrastructure and NATO-related entities strongly suggests a geopolitical agenda aligned with the interests of Russian-speaking actors. The group's reliance on the sophisticated RomCom RAT, coupled with their adept use of spear-phishing and of evasion techniques such as LOTL and encrypted C2 that minimize their digital footprint, highlights a high level of technical proficiency. The consistent use of bulletproof hosting services and the monthly rotation of domains demonstrate a deliberate effort to complicate attribution and evade detection while maintaining persistent access. The identification of LARVA-290 as a key individual managing critical infrastructure for both espionage and ransomware operations provides valuable insight into the team's internal structure and operational capabilities. The shift in their post-exploitation activities to include ransomware deployment, evolving from Cuba to Industrial Spy and now Team Underground as their ransomware capability advances, indicates a potential dual objective of espionage and financial gain, or the use of ransomware to cover up data theft. The fact that compromised victims are being published on Team Underground's Data Leak Site further emphasizes the potential for significant disruption and reputational damage. It's likely this group intends to squeeze every dime and piece of sensitive information out of their targets. Organizations, particularly those within critical infrastructure and government sectors, must remain vigilant and implement robust security controls, including advanced threat detection, employee training against sophisticated phishing attacks, and proactive monitoring for LOTL activity, to effectively mitigate this threat.

Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted with ransomware, your organization can still restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, that you identify links between these networks, and that you develop workarounds or manual controls so ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.

Link(s):
https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis/