Going from IOCs to Behaviors: Threat Hunting for the Actor Behind CYBERCOM's Recent Ukraine Report

Beyond the Beep: Turning Cybercom IOCs into Smarter Threat Hunts

Security alerts and lists of Indicators of Compromise (IOCs) are a common starting point for many cybersecurity teams. Recently, a report from Cybercom provided a list of IOCs—an IP address, a few domains, and a handful of file hashes. While this information is valuable, relying solely on these static indicators for threat hunting can leave organizations vulnerable.

Let’s explore how to elevate your threat hunting program by transforming these IOCs into more dynamic, behavior-focused searches.

The Pitfalls of Chasing Ghosts: Why IOC Sweeps Aren’t Enough

A typical first step upon receiving IOCs is to conduct an “indicator sweep”—checking your environment for those exact IPs, domains, or file hashes. However, this approach has significant limitations:

  • Narrow Scope: If an attacker uses even slightly different malware, a new IP address, or a different domain for their campaign against your organization, a simple IOC sweep will likely miss them. You’re only catching the exact instance.
  • Campaign Specificity: Malware and infrastructure are often generated or configured per campaign. If your organization wasn’t part of the specific campaign that these IOCs were derived from, you might not find any matches, creating a false sense of security.
  • Attacker Agility: Sophisticated threat actors, like some Advanced Persistent Threat (APT) groups, manage vast infrastructures. We’ve seen groups control hundreds of domains, numerous IP addresses, and deploy many malware samples, even if they’re variations of just a few core toolkits. They might hardcode callback addresses or victim-specific details into malware, meaning the generic IOCs won’t flag an attack tailored to your environment.

Given that volume of throwaway infrastructure and samples, sweeping for a short list of known-bad indicators leaves you at a disadvantage. So, how do we move beyond this reactive posture?

From Static Clues to Active Pursuit: The Behavioral Shift

The key is to use IOCs as a launchpad for deeper investigation, aiming to understand the behaviors and TTPs (Tactics, Techniques, and Procedures) of the actors behind them. We can start by asking three critical questions about the provided IOCs:

  1. What known malware samples have been linked to these IOCs previously?
  2. What other infrastructure (IPs, domains) has been associated with them?
  3. Are there any known threat groups or overlapping campaigns connected to these indicators?

Answering these questions can rapidly expand your hunt from a simple checklist to a robust, behavior-driven investigation.

Case Study: Unpacking an IP Address

Let’s take one IP address from the Cybercom report: 195.154.255.211. A quick check in a threat intelligence platform like VirusTotal reveals a significant history. This particular IP has been heavily associated with a group known as InvisiMole since at least 2019.

This immediately gives us a potential lead. While we can’t definitively say the IP still belongs to InvisiMole in the context of the new Cybercom report, the historical link is a strong starting point for forming a hunting hypothesis: “What if the activity Cybercom flagged is related to InvisiMole or actors using similar TTPs?”

Further digging in VirusTotal might show malware samples associated with this IP, such as RC2FM, a known piece of InvisiMole’s toolkit. We might also uncover domains previously resolved by this IP, like statad.de, which has been identified in the past as an InvisiMole command-and-control (C2) domain. Suddenly, a single IP address has opened a door to a wealth of potential behavioral indicators.
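To make that pivot concrete, here is an added example (not code from the post or from the Cybercom report) that walks the same chain: a constructed relationship table stands in for what VirusTotal returns on a pivot, and everything except the IP, RC2FM, statad.de, InvisiMole and Gamaredon named above (relationship labels, years, hop limit) is an assumption.

```python
from collections import deque

# Constructed relationship table standing in for what a threat-intel platform such
# as VirusTotal returns on a pivot. IP, RC2FM, statad.de, InvisiMole and Gamaredon
# come from the post; the relationship labels and years are assumptions.
RELATIONS = [
    # (node, related node, relationship, year last observed)
    (("ip", "195.154.255.211"), ("malware", "RC2FM"), "communicating_file", 2019),
    (("ip", "195.154.255.211"), ("domain", "statad.de"), "resolution", 2019),
    (("malware", "RC2FM"), ("actor", "InvisiMole"), "attributed_to", 2020),
    (("domain", "statad.de"), ("actor", "InvisiMole"), "c2_of", 2019),
    (("actor", "InvisiMole"), ("actor", "Gamaredon"), "collaborates_with", 2020),
]

def neighbours(node):
    """Undirected lookup so a pivot can run IP -> sample -> actor or the reverse."""
    for a, b, rel, year in RELATIONS:
        if a == node:
            yield b, rel, year
        elif b == node:
            yield a, rel, year

def pivot(seed, max_hops=3):
    """Breadth-first expansion from a seed IOC: {node: (hops, evidence path)}."""
    seen = {seed: (0, [])}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        hops, path = seen[cur]
        if hops == max_hops:      # stop widening; every extra hop weakens the link
            continue
        for nxt, rel, year in neighbours(cur):
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + [f"{cur[1]} -{rel} ({year})-> {nxt[1]}"])
                queue.append(nxt)
    return seen

def hypotheses(seed, max_hops=3):
    """Answer the post's three questions for a seed IOC: linked malware, linked
    infrastructure, and candidate actors with the evidence chain for each."""
    out = {"malware": [], "infrastructure": [], "actors": {}}
    for (kind, name), (hops, path) in pivot(seed, max_hops).items():
        if (kind, name) == seed:
            continue
        if kind == "actor":
            out["actors"][name] = path   # path length shows how indirect the link is
        else:
            out["malware" if kind == "malware" else "infrastructure"].append(name)
    return out
```

Running `hypotheses(("ip", "195.154.255.211"))` yields RC2FM, statad.de and both actors with their evidence chains, while `max_hops=2` drops Gamaredon, which is the point: the further the pivot, the more the hypothesis needs corroboration before it drives a hunt.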

Getting to Know the Adversary: InvisiMole

Understanding the potential actor is crucial. According to extensive research by ESET (who first detailed the group in 2018, though they’ve been active since at least 2013), InvisiMole is a sophisticated cyber espionage group primarily targeting entities in Russia and Ukraine. After a brief hiatus, they re-emerged in 2019, focusing on military and government targets in Eastern Ukraine.

Their operational toolkit is a mix of custom-built malware (like the RC2FM and RC2CL backdoors, which MITRE ATT&CK refers to as the “InvisiMole” toolset) and publicly available exploits or techniques. They’ve been known to use:

  • Exploits like EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708).
  • Living-off-the-Land Binaries (LOLBins) and other legitimate tools for malicious purposes.

Importantly, ESET also found evidence of collaboration between InvisiMole and another group known as Gamaredon (also tracked as PrimitiveBear or Shuckworm). This connection becomes vital as we expand our hunt. The Ukrainian government has also pointed to InvisiMole’s ties with Russian state-sponsored actors, adding another layer of context.

How an Actor Profile Supercharges Your Hunt

Knowing who might be behind an indicator helps us move beyond that specific IP or hash. The detailed reports from ESET and the MITRE ATT&CK framework’s documentation on InvisiMole provide a treasure trove of behavioral clues:

  • Specific Tool Behaviors: The MITRE ATT&CK page for the InvisiMole toolkit lists registry keys modified, specific files dropped, network communication patterns, and other features of their malware. These are all huntable artifacts.
  • Known TTPs: We can look for evidence of their use of specific exploits (like EternalBlue) or their techniques for lateral movement and persistence.
  • Associated Infrastructure: While the initial IOC list was small, threat intelligence platforms like AlienVault OTX often have pulses containing many more domains, IPs, and hashes historically linked to InvisiMole.
  • YARA Rules: For detecting malware families like RC2FM, pre-existing YARA rules (such as those available on Malpedia) can be deployed to scan files on disk or network traffic captures, potentially identifying variants not on the original IOC list.

By forming the hypothesis that InvisiMole (or a similar actor) might be involved, we can proactively search for these more nuanced behaviors rather than just the initial, limited set of IOCs.
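The following added example (not code from the post) contrasts the two approaches over constructed endpoint telemetry: an exact IOC sweep next to a per-process hunt for a persistence-plus-beacon pattern of the kind ATT&CK documents. The hash placeholder, hostnames, event fields and the 198.51.100.23 / 203.0.113.10 addresses are constructed, and the Office-parent / Run-key rule is an illustrative behaviour, not a published InvisiMole signature.

```python
from collections import defaultdict

# Seed IOCs as a sweep would use them: the IP and C2 domain the post cites plus a
# placeholder for a reported file hash (not a real sample hash).
IOCS = {"195.154.255.211", "statad.de", "<sha256-from-report>"}

# Constructed endpoint telemetry, not real logs. ws02 shows the same tradecraft
# as ws01 with a new hash and an unlisted IP; ws03 is benign persistence.
EVENTS = [
    {"host": "ws01", "pid": 522, "type": "process_start", "image": "update.exe",
     "parent": "winword.exe", "sha256": "<sha256-from-report>"},
    {"host": "ws01", "pid": 522, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"host": "ws01", "pid": 522, "type": "net_connect", "dst": "195.154.255.211"},
    {"host": "ws02", "pid": 700, "type": "process_start", "image": "svchelper.exe",
     "parent": "winword.exe", "sha256": "constructed-new-variant-hash"},
    {"host": "ws02", "pid": 700, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Helper"},
    {"host": "ws02", "pid": 700, "type": "net_connect", "dst": "198.51.100.23"},
    {"host": "ws03", "pid": 900, "type": "process_start", "image": "onedrive.exe",
     "parent": "explorer.exe", "sha256": "constructed-benign-hash"},
    {"host": "ws03", "pid": 900, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws03", "pid": 900, "type": "net_connect", "dst": "203.0.113.10"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY = "\\currentversion\\run\\"

def ioc_sweep(events, iocs):
    """Indicator sweep: flag processes whose hash or destination matches a listed IOC."""
    hits = {(e["host"], e["pid"]) for e in events
            if e.get("sha256") in iocs or e.get("dst") in iocs}
    return sorted(hits)

def behaviour_hunt(events):
    """Correlate three weak signals per process: a binary spawned by an Office app,
    Run-key persistence (ATT&CK T1547.001) and an outbound connection from it."""
    procs = defaultdict(lambda: {"office_child": False, "run_key": False, "dst": None})
    for e in events:
        p = procs[(e["host"], e["pid"])]
        if e["type"] == "process_start" and e["parent"].lower() in OFFICE_APPS:
            p["office_child"] = True
        elif e["type"] == "registry_set" and RUN_KEY in e["key"].lower():
            p["run_key"] = True
        elif e["type"] == "net_connect":
            p["dst"] = e["dst"]
    return sorted(k for k, p in procs.items()
                  if p["office_child"] and p["run_key"] and p["dst"])
```

The sweep returns only ws01, where the listed hash and IP appear verbatim; the behavioural hunt also returns ws02, whose operator changed both, and leaves the benign Run-key write on ws03 alone because nothing else in that process matches.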

Expanding the Web: Considering Affiliates like Gamaredon

The plot thickens when we consider InvisiMole’s reported collaboration with Gamaredon. ESET’s research shows instances where InvisiMole’s malware was delivered using Gamaredon’s implants. Unit 42 (Palo Alto Networks) and Ukraine’s SBU have linked Gamaredon to the Russian FSB.

This association allows us to create a second hypothesis: “If InvisiMole is involved, their collaborators like Gamaredon might also be active, or their TTPs might be in use.”

Even if InvisiMole isn’t directly responsible for the activity Cybercom highlighted, hunting for Gamaredon’s TTPs could still be fruitful. Gamaredon might be providing initial access or other support to various groups. Fortunately, Gamaredon also has a well-documented presence on MITRE ATT&CK, providing another list of behaviors, registry keys, and techniques to search for.

From IOCs to Intelligent Hunting: Key Takeaways

The journey from a simple IP address to a comprehensive behavioral hunt involves several key shifts in thinking:

  1. Acknowledge IOC Limitations: Recognize that attackers use a high volume of varied indicators for the same capabilities. Sweeping for a small list of IOCs is likely to miss most activity.
  2. Leverage Threat Intelligence: Use tools like VirusTotal and reports from security researchers (ESET, Mandiant, etc.) to enrich initial IOCs and identify potential actors, their tools, and broader infrastructure. Mandiant, for instance, tracks related activity under different cluster names, offering additional avenues for research.
  3. Form Hunting Hypotheses: Attribution doesn’t have to be definitive for threat hunting. The goal is to identify malicious behavior. Hypotheses like “This IP might be InvisiMole” or “Gamaredon TTPs might be present” allow you to focus your search.
  4. Focus on TTPs: Use frameworks like MITRE ATT&CK to understand how these groups operate. Look for characteristic registry changes, file drops, network C2 patterns, scheduled tasks, and specific exploitation techniques.
  5. Evolve with the Adversary: Threat actor capabilities change. While there are often commonalities in their tradecraft over time, stay updated on their latest tools and techniques.

By adopting this approach, your threat hunting program can move beyond simply reacting to lists and start proactively identifying malicious activity based on a deeper understanding of adversary behaviors. The goal isn’t just to find the needle in the haystack that Cybercom pointed out but to understand how such needles are made and where else they might be hiding.

Start building these hypotheses, dive into the rich resources available, and transform your threat hunting from a checklist exercise into a dynamic and effective defense strategy.
