This report analyses the current geopolitical relationship between Russia and Africa. It then describes several malicious campaigns presumably attributed to Russia that targeted diplomatic, energy and defense organizations.
Russian geopolitical influence over Africa:
Africa has historically been a geostrategic target for the countries with significant weight in the world order. Recently, China has become one of the most visible actors exerting geopolitical influence in Africa. However, another relevant actor, Russia, is step by step gaining more influence in Africa. When the USSR was still active, Africa was part of its geostrategic strategy. After obtaining their independence, the governments of many of these countries received diplomatic or military support from the USSR: Uganda, Guinea-Bissau, Mozambique, Angola, Egypt, Somalia, Ethiopia, Benin and the Democratic Republic of Congo ([1]).
Since Vladimir Putin was appointed President of Russia, diplomatic, military and economic interactions with African countries have grown by approximately 185%. Russia has several kinds of interests there; one of the most important is Africa's energy resources, including oil, gas and nuclear resources ([2]).
Furthermore, Russia exerts an important influence in Africa through both its soft power and its hard power. Russia's strategy in Africa since 31 December 2015 has been to develop trade, economic and military cooperation with each country in which Russia has interests ([4]).
The locations in Africa most influenced by the Kremlin are shown below, divided by field ([3]):
There are three main Russian geostrategic plans in Africa:
Diplomatic:
For Russia it is highly important to have extensive diplomatic influence over Africa, for instance in the voting process of the United Nations General Assembly, where international questions are approved or rejected. It is important to consider that the 54 African countries represent one third of the full membership of the United Nations ([4]). Russia would put pressure on several African countries in these votes in the United Nations.
In the last 5 years, the Trump Administration reduced its diplomatic presence in Africa, and Russia has taken advantage of the new geopolitical situation by developing new diplomatic relationships.
The following table shows the diplomatic activity between Russia and several African countries ([5]):
Country | President | Date
--- | --- | ---
South Africa | J. Zuma | 2015
Zimbabwe | R. Mugabe | 2015
Sudan | O. Al Bashir | 2015-2017-2018
Guinea | A. Condé | 2016-2017
Central African Republic | F. Archange | 2018
Rwanda | P. Kagame | 2018
Gabon | B. Ondimba | 2018
Senegal | M. Sall | 2018
Zimbabwe | E. Mnangagwa | 2019
Angola | J. Lourenço | 2018-2019
Congo | S. Nguesso | 2019
Mozambique | F. Nyusi | 2019
Energy:
Moreover, Russia has reached energy and mineral trading agreements with several African governments. These energy agreements are usually accompanied by military forces that secure the energy exploitation process. The main Russian companies tend to seek dominance in the African market.
Rosneft, the most relevant Russian energy company, is spreading its influence across Africa. In 2018, the company obtained 21 licenses to operate in Equatorial Guinea, Libya, Mozambique, Nigeria, South Sudan and Uganda ([7]). However, as Rosneft's annual report shows, its only official project is located in Mozambique.
Rosatom is another important Russian energy (nuclear) company. It has already signed memorandums with 14 African countries, seeking cooperation in several fields such as medicine, agriculture and hydroelectricity. For example, in South Africa Rosatom obtained an agreement to build power reactors for $76 billion ([7]). This agreement between the company and the government provoked a serious confrontation with activists and opponents. Furthermore, Rosatom offers grants to African students to study in Russia, trying to build soft-power influence on the African continent.
The energy company Lukoil has several important projects in Nigeria, Cameroon and Ghana ([8]). Gazprom, one of the most powerful energy companies in Russia, has relevant energy projects in Senegal, Mozambique, Tanzania and Nigeria ([9]).
Russia's energy exploitation strategy gives it important geopolitical influence in each country where it is present, as it promises development in multiple fields.
Military:
Russia has developed several defense agreements with African countries in order to have military bases around Africa. Once based in these locations, Russia can carry out geostrategic surveillance of important maritime routes and energy resource areas to keep its interests safe. Moreover, being a country's main supplier of weapons grants important geopolitical influence in the area. The following table shows the millions spent by each country on Russian weapons.
Country | 2014 | 2015 | 2016 | 2017 | 2018 | 2009-2018 | 2009-2013 | 2014-2018
Angola | 27 | 98 | 63 | 63 | 251 | 00 | 251
Burkina Faso | 14 | 15 | 1 | 14
Cameroon | 27 | 11 | 45 | 77 | 38
Chad | 77 | 77 | 00
DRC | 77 | 14 | 77 | 77
Equatorial Guinea | 77 | 77 | 00 | 77
Ethiopia | 54 | 54 | 00
Ghana | 41 | 41 | 00
Guinea | 1 | 1 | 00
Kenya | 20 | 20 | 00
Mali | 23 | 23 | 00 | 23
Nigeria | 58 | 87 | 24 | 24 | 192 | 00 | 192
Rwanda | 14 | 27 | 41 | 00 | 41
South Africa | 50 | 50 | 00 | 50
South Sudan | 18 | 44 | 82 | 60 | 22
Sudan | 51 | 51 | 24 | 349 | 224 | 125
Uganda | 629 | 629 | 00
Zambia | 14 | 14 | 00 | 14
Total | 156 | 224 | 164 | 134 | 108 | 1835 | 1051 | 784
According to research by the Stockholm International Peace Research Institute ([10]), Russia has provided weapons to 18 African countries. The most relevant advantages of Russian weapons are their low price and reliability. Russia has supplied weapons to countries with no human rights guarantees, such as Nigeria, Sudan or Zimbabwe.
Russia is not only trying to develop its military industry; the Kremlin is also trying to build an influence structure across most of Africa through dependency on its weapons.
APT groups targeting diplomatic, defense and energy organizations:
As shown in this report, the defense, diplomatic, energy and mineral sectors are highly relevant to Russia's influence in Africa. There are several APT groups presumably attributed to Russia, such as APT28, APT29, Turla or Energetic Bear, which target organizations in those fields.
The following part shows some examples of malicious campaigns by threat groups presumably attributed to Russia targeting the fields mentioned above:
APT28 campaign against the diplomatic and defense sectors:
In 2018 the threat group APT28 carried out a significant cyberattack against a large number of Ministries of Foreign Affairs around the world. The targets of that malicious campaign were foreign affairs organizations and the defense industry ([11]).
As shown in the following image, the phishing email identified tried to impersonate the Jane's 360 organization, and the attached malicious document was an infected Excel document titled "event calendar". Jane's 360 is an important company that supplies intelligence, defense and international relations information. Consequently, the targets were professionals from those fields.
The main purpose of the document title is to catch the attention of potential victims and persuade them to download the malicious document. The Microsoft Excel XLS document contains the script with the malicious macro ([11]).
Energetic Bear campaign against energy organizations:
The APT group Iron Liberty, also known as TG-4192, Energetic Bear, Dragonfly and Crouching Yeti, has been tracked since 2010. It is an APT group with a particular interest in energy organizations and critical infrastructure, and it is presumably attributed to the Russian government ([15]).
Before 2014, Iron Liberty used the malware Sysmain, Havex and XFrost, the latter currently known as Karagany ([13]). During the campaigns analyzed in 2014, the targets were Norwegian energy companies, specifically from the oil and gas sector. This group also carried out similar cyberattacks on organizations in the energy sector in the United States, the United Kingdom and Canada ([14]). Iron Liberty's main objective is to collect intelligence from energy organizations worldwide; this classified information can give an advantage to the Russian government's decision-making process.
The "tools" used by Iron Liberty together with the Karagany malware during 2018 contain links and similarities to those used by the Iron Lyric group, also known as TeamSpy.
IRON LIBERTY delivers MCMD manually through either of these two mechanisms ([14]):
• As an add-on downloaded through the Karagany malware
• By installing it with Active Directory (AD) credentials through Microsoft PsExec.
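The second delivery path, a service installed remotely with AD credentials through PsExec, leaves a distinctive trail on the target host: a network logon followed within seconds by a System 7045 service-installation event. The correlation below is an added example, not code from the report or from Secureworks; the event records, host names, accounts and IP addresses are constructed, and it assumes the Windows events have already been exported into the simple dict form shown.

```python
# Added example (not from the report or Secureworks): flag PsExec-style remote
# service installs that follow a network logon with domain (AD) credentials.
from datetime import datetime, timedelta
# Constructed sample events, not real telemetry: 4624 = Security logon,
# 7045 = System service install. Hosts, accounts and IPs are invented.
EVENTS = [
    {"time": "2018-03-01T09:00:02", "host": "WS-17", "id": 4624, "logon_type": 3,
     "user": "CORP\\j.doe", "src_ip": "10.0.5.21"},
    {"time": "2018-03-01T09:00:05", "host": "WS-17", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2018-03-01T11:30:00", "host": "WS-22", "id": 7045,
     "service": "gupdate", "image": "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe"},
    {"time": "2018-03-01T12:00:00", "host": "WS-09", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc-backup", "src_ip": "10.0.5.21"},
    {"time": "2018-03-01T12:45:00", "host": "WS-09", "id": 7045,
     "service": "Wmon", "image": "\\\\10.0.5.21\\ADMIN$\\wmon.exe"},
]
SUSPECT_SERVICES = {"PSEXESVC"}  # default service name installed by PsExec
WINDOW = timedelta(minutes=5)    # max gap between the logon and the install

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def find_remote_service_installs(events):
    """Return one alert per 7045 event that uses the PsExec service name, runs a
    binary staged on ADMIN$, or follows a type-3 (network) DOMAIN\\user logon."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(ordered):
        if ev["id"] != 7045:
            continue
        reasons = []
        if ev["service"].upper() in SUSPECT_SERVICES:
            reasons.append("known PsExec service name")
        if "ADMIN$" in ev["image"].upper():
            reasons.append("service binary staged via ADMIN$ share")
        installed = _ts(ev["time"])
        for prior in ordered[:i]:  # only events that happened earlier
            gap = installed - _ts(prior["time"])
            if (prior["id"] == 4624 and prior["host"] == ev["host"]
                    and prior["logon_type"] == 3 and "\\" in prior["user"]
                    and gap <= WINDOW):
                reasons.append(f"network logon by {prior['user']} from "
                               f"{prior['src_ip']} {gap.seconds}s earlier")
        if reasons:
            alerts.append({"host": ev["host"], "service": ev["service"], "reasons": reasons})
    return alerts

ALERTS = find_remote_service_installs(EVENTS)  # WS-17 and WS-09 are flagged
print(*ALERTS, sep="\n")
```

The benign WS-22 update service is not flagged, while the ADMIN$-staged binary on WS-09 is reported even though its logon fell outside the window, so each reason stands on its own.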
Below is an example of the spear-phishing content used by Iron Liberty. As can be seen, it is a job offer in the energy field ([13]):
The job offer is highly similar to a real one, and it is located in Dounreay (Scotland). It is very plausible that it was a real offer from the DSRL Dounreay organization.
The chronology of the different identified Iron Liberty campaigns ([13]) is shown below:
As shown in the chronology, the Iron Liberty group targets organizations in the energy, defense and critical infrastructure sectors.
In addition, the Karagany malware is designed to hinder forensic analysis. It removes files in order to make identification of the group more difficult. The C2 servers for the MCMD malware include a self-destruct script that attempts to erase the evidence of the tool from the compromised system.
Various investigations have identified the following add-ons for the Karagany malware ([12]):
• Listrix – file enumeration and directory listing
• IKLG – keylogger
• ScreenUtil – screenshot capture
• MCMD – interactive command shell module
• SysInfo – enumeration of system information
• Browser data viewer – theft of browser data and credentials
• LogKatz – custom Mimikatz script for credential theft
Russia is carrying out a strategy of influence across the whole of Africa, based on the diplomatic, energy and defense power it applies. It is important to consider that, as shown in this report, Russia presumably has several threat actors from APT groups with enough capabilities and background to attack specific organizations in these fields. The threat actors' main goal would be to collect classified information in order to keep increasing Russia's geopolitical control in Africa. European and North American organizations linked to Foreign Affairs, Defense and Energy Ministries, or organizations with interests in Africa, would be important targets for these APT groups.
IOCs
Email subject: Upcoming Defense events February 2018
Filename: Upcoming Events February 2018.xls
References:
[1] Qz. Russia is expanding its strategic influence in Africa. https://qz.com/africa/1546037/russia-is-expanding-its-strategic-influence-in-africa/
[2] ISS Africa. Russia and Africa meet again. https://issafrica.org/iss-today/russia-and-africa-meet-again
[3] Bloomberg. Putin's chef. https://www.bloomberg.com/news/features/2018-11-20/putin-chef-yevgeny-prigozhin-is-now-meddling-in-africa
[4] IEEE. http://www.ieee.es/Galerias/fichero/docs_marco/2019/DIEEEM10_2019JUAMOR_Rusiafrica.pdf
[5] Carnegie Endowment. Late to the party: Russia's return to Africa. https://carnegieendowment.org/2019/10/16/late-to-party-russia-s-return-to-africa-pub-80056
[6] France 24. https://www.france24.com/en/20191018-oil-diamonds-and-nuclear-power-russia-eyes-africa-business
[7] Carnegie Endowment. https://carnegieendowment.org/2019/10/16/late-to-party-russia-s-return-to-africa-pub-80056
[8] Lukoil. http://www.lukoil.com/Business/Upstream/Overseas
[9] Africa Oil & Power. https://africaoilandpower.com/wp-content/uploads/2018/09/AOP-2018-Gazprom.pdf
[10] Stockholm International Peace Research Institute. https://www.sipri.org/databases
[11] Unit 42, Palo Alto Networks. https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/
[12] Secureworks. Updated Karagany malware targets energy sector. https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector
[13] Secureworks. Resurgent Iron Liberty targeting energy sector. https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector
[14] Secureworks. MCMD malware analysis. https://www.secureworks.com/research/mcmd-malware-analysis
[15] Brica. Dragonfly targets ICS systems using man-in-the-middle site attacks, additional IOCs. https://brica.de/alerts/alert/public/1268842/dragonfly-targets-ics-systems-using-man-on-the-site-attacks-additional-iocs/