Russia

IRON RITUAL

Objectives: Espionage
Aliases: APT29, Blue Dev 5 (PwC), BlueBravo (Recorded Future), Cloaked Ursa (Palo Alto), CozyLarch (Volexity), Dark Halo (Volexity), Midnight Blizzard (Microsoft), NOBELIUM (Microsoft), StellarParticle (CrowdStrike), UNC2452 (FireEye)
Tools: Brute Ratel C4, Cobalt Strike, EnvyScout, GoldFinder, GoldMax, NativeZone, RAINDROP, Sibot, SUNBURST, TEARDROP, VaporRage

Summary

IRON RITUAL was responsible for a highly targeted espionage campaign in 2020 against organizations in the government, political and research verticals, and their supply chain organizations, including cybersecurity vendors and technology providers. CTU researchers assess with moderate confidence that IRON RITUAL operates on behalf of the Russian intelligence services, and specifically the SVR, Russia's foreign intelligence service. CTU researchers assess that there are potential overlaps with IRON HEMLOCK, but the high level of operational security and the customized nature of IRON RITUAL intrusions mean that CTU researchers are unable to confirm this overlap. Given the group's capability and sophistication, it is unlikely that IRON RITUAL's intrusions will leave sufficient artifacts to allow researchers to associate its activities with previous or future Russian cyber espionage operations.

IRON RITUAL has used a wide range of tactics for initial access and persistence, including the compromise of on-premises environments; the sophisticated attack against the IT management software vendor SolarWinds, used to distribute trojanized SolarWinds Orion Platform updates; and the compromise of cloud applications to establish 'backdoor' access into cloud tenants. Unconfirmed reporting has also linked IRON RITUAL to remote exploitation of software vulnerabilities in products of the technology vendor VMware. The group has used malware including the SUNBURST (also known as Solorigate) backdoor and in-memory Cobalt Strike delivered by the TEARDROP and RAINDROP loaders.

Having gained initial access, IRON RITUAL has employed a variety of techniques to bypass authentication controls, including compromising global administrator account credentials, stealing SAML token-signing certificates or other secret key material, adding new credentials to and modifying permissions on cloud applications, and targeting identity providers and multi-factor authentication providers, for example by enrolling additional devices. CTU researchers assess with high confidence that IRON RITUAL's intent is long-term, covert access to networks of interest for the purposes of espionage and data theft.
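Each of the authentication-bypass techniques listed above (new credentials on a cloud application, changed application permissions, an extra MFA method enrolled on a privileged account, a change to the federation trust that SAML signing material underpins) leaves an audit event in the identity provider. The Python below is an added example, not code from the Secureworks profile or from any IRON RITUAL tooling; it runs a small rule set over a constructed audit log to show how a defender can flag those events and correlate them by actor. The record shape, field names and operation names are modelled on Microsoft Entra ID audit logs but are assumptions made for this example, as are the user names and the example.test domain.

```python
from datetime import datetime, timedelta

# Constructed sample audit log. Field and operation names are modelled on
# Microsoft Entra ID audit records but are assumptions for this example;
# map them onto your own tenant's export before reusing the rules.
SAMPLE_AUDIT_LOG = [
    {"time": "2024-05-01T09:12:00Z", "category": "ApplicationManagement",
     "operationName": "Add service principal credentials",
     "initiatedBy": "admin.user@example.test", "target": "MailSyncApp", "result": "success"},
    {"time": "2024-05-01T09:15:00Z", "category": "ApplicationManagement",
     "operationName": "Add app role assignment to service principal",
     "initiatedBy": "admin.user@example.test", "target": "MailSyncApp", "result": "success"},
    {"time": "2024-05-01T09:40:00Z", "category": "UserManagement",
     "operationName": "User registered security info",
     "initiatedBy": "admin.user@example.test", "target": "admin.user@example.test",
     "result": "success"},
    {"time": "2024-05-01T10:02:00Z", "category": "DirectoryManagement",
     "operationName": "Set federation settings on domain",
     "initiatedBy": "admin.user@example.test", "target": "example.test", "result": "success"},
    # Routine change by a different actor; should not be flagged.
    {"time": "2024-05-01T11:30:00Z", "category": "UserManagement",
     "operationName": "Update user", "initiatedBy": "helpdesk@example.test",
     "target": "alice@example.test", "result": "success"},
]

# Operations that correspond to the techniques in the profile, keyed to a rule id.
HIGH_RISK_OPERATIONS = {
    "Add service principal credentials": "APP_CREDENTIAL_ADDED",
    "Add app role assignment to service principal": "APP_PERMISSION_CHANGED",
    "User registered security info": "MFA_METHOD_REGISTERED",
    "Set federation settings on domain": "FEDERATION_CHANGED",
    "Add member to role": "ROLE_ASSIGNED",
}


def _parse_time(ts):
    # fromisoformat() does not accept a trailing "Z" on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events, privileged_users=frozenset()):
    """Return one finding per successful high-risk operation.

    A new MFA method is only 'high' severity when it lands on a privileged
    account; every other matched operation is high by itself.
    """
    findings = []
    for ev in events:
        rule = HIGH_RISK_OPERATIONS.get(ev.get("operationName"))
        if rule is None or ev.get("result") != "success":
            continue
        target = ev.get("target", "")
        if rule == "MFA_METHOD_REGISTERED" and target not in privileged_users:
            severity = "medium"
        else:
            severity = "high"
        findings.append({"rule": rule, "severity": severity,
                         "time": _parse_time(ev["time"]),
                         "actor": ev.get("initiatedBy"), "target": target})
    return findings


def correlate(findings, window=timedelta(hours=1), min_distinct=2):
    """Group findings by actor and report actors that trigger at least
    `min_distinct` different rules inside a sliding time window."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], []).append(f)
    clusters = {}
    for actor, fs in by_actor.items():
        fs.sort(key=lambda f: f["time"])
        for i, start in enumerate(fs):
            rules = {g["rule"] for g in fs[i:] if g["time"] - start["time"] <= window}
            if len(rules) >= min_distinct:
                clusters[actor] = sorted(rules)
                break
    return clusters


if __name__ == "__main__":
    found = detect(SAMPLE_AUDIT_LOG, privileged_users={"admin.user@example.test"})
    for f in found:
        print(f"{f['time'].isoformat()} {f['severity']:6} {f['rule']:22} "
              f"actor={f['actor']} target={f['target']}")
    print("clustered actors:", correlate(found))
```

Run stand-alone, the script lists the four flagged operations and reports admin.user as a single actor who triggered four distinct rules within one hour. Any one of these events is routine on its own; the value of `correlate` is that the sequence of credential addition, permission change, MFA enrollment and federation change by one identity in a short window is the pattern an analyst should review, regardless of which account performed it.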


IRON RITUAL | Threat Profile Detail | Sophos