How the All-Russian Student Cyberbattle Went in Moscow at Positive Hack Days 2

At Positive Hack Days 2, the Positive Technologies and Innostage teams jointly organized one of the coolest information security competitions right now — the All-Russian Student Cyber ​​Battle (VSKB for their own). In this article, we will tell you how the attackers and defenders prepared, how the cyber battle itself took place, and what everyone involved came out of it with.

The student cyber battle differs from most CTF championships in that the task of the attacking teams is to carry out a full cycle of cyber attack and implement an unacceptable event, and the task of the defending teams is to detect and unravel the entire chain of the attack.

Reds on the range: Standoff 365 infrastructure and Positive Technologies intro

The main innovation at the student cyber battle this year was the participation of red (attacking) teams, as well as an infrastructure that was as close as possible to that which the best white hackers explored at the cyber battle Standoff 13. Behind these innovations was the Positive Technologies team – experts from Standoff and the Positive Education direction.

All student teams acted side by side as participants in the main cyber battle: they shared common spaces, were able to communicate and learn from each other.

In total, more than 50 universities applied for the selection events of the VSKB red teams, including such universities as Bauman Moscow State Technical University, HSE University, ITMO University, RTU MIREA, etc. The selection of participants took place over the course of a month at the online testing ground Standoff 365 – a platform for professional security researchers, among whom are active pentesters of leading teams of information security companies in Russia.

To pass the selection, applicants had to score a certain number of points by completing tasks on the online training ground. During the process, participants used real attack techniques, and also got acquainted with the cyber battle format, communicated with colleagues, interacted with the organizers and technical support. As a result, the finals included a baker's dozen: the 13 best teams based on the results of the selection became participants of VSKB.

As in real conditions, the research teams analyzed the infrastructure of the testing ground without any additional input. At the same time, the experts used the traditional Standoff “intro” format: Positive Technologies team leaders participating in organizing cyber battles conducted a demo, explained the rules, features, high-level structure of the battle infrastructure, and answered questions.

“Many students are familiar with the CTF format. To immerse themselves in our context, communication was conducted with the captains of each university team, problematic and unclear points were clarified, guides and information materials about the Standoff infrastructure and the cyber battle format were sent. We tried to make the “entry” into the cyber battle as easy and understandable for students as possible,” says Community manager of Standoff 365 Karina Zaitseva.

The top three winners among the red teams at the VSKB were as follows:

• Team8 (Krasnodar Higher Military School named after General of the Army S. M. Shtemenko)

• N0N@me13 (Academy of the Federal Security Service of Russia)

• LaCringe (Far Eastern Federal University)

Preparing the Blues: Innostage Mentoring and Cyberpolygon

Despite a fairly large baggage of theoretical knowledge, students of information security fields often lack specialized practice. Compared to the previous VSKB in Kazan, at Kazan Digital Week, we at Innostage strengthened the process of preparing teams: for a month and a half, we held meetings and training sessions with future participants of the cyber battle from the defenders' side.

From over 50 applications from all over Russia, we selected 8 teams to participate in VSKB: the experts relied on the participants' CVs and experience. The training course consisted of 9 blocks: 6 theoretical and 3 practical. The topics included familiarization with information security tools, information security management systems, network anomaly detection, firewall web application, and others.

The training took place at the Innostage cyber training ground, a practical platform where students had the opportunity to apply the knowledge they had acquired in real conditions. For training, Innostage uses real analytical content, where you can analyze the directions and techniques of attackers.

Daniil Romanovsky, leading information security analyst, mentor of the Innostage team:

“Even the most advanced students have almost no practical knowledge. They may know about the latest technologies, but they do not have the opportunity to independently study the interfaces of these tools, to figure out what and where to enter. This can also slow down the speed of incident investigation and response. Therefore, training at a cyber training ground gives the opportunity to touch real tools to those who do not have access to them otherwise.”

The mentors were constantly in touch: they held webinars where they discussed the main questions from the teams, and they hosted a chat where you could quickly get advice.

In addition to knowledge, mentors also developed the soft skills of their mentees during training. For competitions such as cyber battle, teamwork, clear communication and the ability to set priorities are important. Test tasks helped to pump up these skills, which had a positive effect on the success of the teams. Students who were not embarrassed to ask a stupid question showed the best results in the end of the preparation and the battle itself.

Battle progression: interesting attack chains

In 2024, the All-Russian Student Cyberbattle was held on a digital model of the infrastructure of the OffEnergo facility, which is engaged in the generation of electricity, its distribution and sale. The company's work is supported by an administrative department that ensures document flow, and a research center that is actively engaged in scientific activities, development and implementation of new technologies for electricity generation.

At the VSKB testing ground, 5 unacceptable events (AE) were planned:

• New Power Generation Technology Leaks

• Leakage of counterparty data

• Leakage of personal customer data

• Capture of the information portal

• Spread of ransomware virus.

The red teams had implemented all the illegal events, so the blue teams had enough work.

Let's look at two interesting chains of unacceptable events.

Capture of the information portal

Actions of the Attackers.

1. Attackers from IP address 10.117.2.53 uploaded the file fdhugfjhgdjhfgd.php to the www.student.stf portal using the PUT method of the HTTP protocol. This was their initial access.

2. The attackers send their commands using the POST method when accessing the uploaded file via the feature variable. The command itself is located in the request body and looks like this: cmd=ls&cwd=%2Fvar%2Fwww%2Fhtml%2Fuploads. At the same time, the SIEM observes the launch of the command /bin/sh -c ls /var/www/html/uploads on behalf of the www-data UZ, which allows the defenders to conclude that the attackers' web shell is successfully operating.

3. The attackers conducted local reconnaissance, checked directories and launched the wget utility, which was used to download the X5coXCyREV2a file from a public file-sharing service – this is how the attackers downloaded the next stage of the malware.

4. The file has been renamed to stf_malware_battle_7_a57682d420.bin

5. After which, using the standard chmod 777 command, the attackers gave the file execution rights.

6. The file was then renamed to stf_malware and launched from the /tmp/ folder, allowing the attackers to completely compromise the machine.

Actions of the Defenders.

1. We analyzed traffic in WAFe and found PUT and POST requests to the portal.

2. We analyzed the data in the SIEM system: we tracked the work from the host under the “www-data” account: renaming a file, granting execution rights and launching a file.

The investigation time for the incident by the Blues is one and a half hours.

Leakage of personal customer data

Actions of the Attackers.

1. The attackers “broke the perimeter” using social engineering. They sent a phishing email with a malicious attachment and took over host 10.147.0.133 (bbradford.student.stf)

2. The attachment from the email was opened – a malicious Word document. From it, the powershell.exe command shell was launched along the chain of processes, containing the Attackers' beacon

3. They then increased their privileges using a utility from the “potato” line. In particular, GodPotato was exploited.

4. Using traffic tunneling (pivoting), after entering the company's network on host bbradford, the attackers penetrated the company's portal using SQL injection, as if from host bbradford, and took away the clients' personal data.

Actions of the Defenders.

1. We analyzed the data in the SIEM system and found a suspicious chain of processes from the infected document: winword, which launches rundll32, followed by powershell. Looks like macros are running.

2. We discovered the operation of the GodPotato utility.

3. We decided to look at network activity from the bbradford host in PT NAD, saw a large amount of HTTP traffic and decided to study it in PT AF. The firewall in turn saw SQL injections to the portal portal.student.stf, which the Defenders also saw.

The Blues' investigation time for the incident is two hours.

Who is behind this: students, mentors and organizers about VSKB

This year, the student cyber battle fully justified its title as all-Russian: the finalist teams represented a wide variety of cities, their geography covered almost all time zones of the country: Moscow, St. Petersburg, Yaroslavl, Murmansk, Krasnodar, Nizhny Novgorod, Kazan, Magnitogorsk, Omsk, Tyumen, Orenburg, Blagoveshchensk, Vladivostok.

There were also interesting cases among the teams themselves: for example, the red team Gone with the wind from the Kazan National Research Technical University previously played on the blue side. This year, their colleagues, the BLUE WATER team from the Kazan Federal University, became rivals. Moreover, students from one university became rivals for each other – teams from FEFU and RTU MIREA were on both sides of the battle.

Cyberbattle is a great boost for a student’s career in information security. The practical experience gained at the competition immediately increases the value in the eyes of the employer, and sometimes provides a place in leading information security companies.

Nina Shipkova, Head of Department, Innostage Cybersecurity Academy:

“VSKB is about rapid development, continuity, and acquiring mentoring and coaching skills. A cool case illustrating this approach: students who completed training in the Interuniversity SOC project in Kazan became participants in the first VSKB, then passed an interview and became analysts at the Innostage SOC CyberART Cyber ​​Threat Counteraction Center, and then became mentors for VSKB defender teams at PHD 2. The guys are involved and strive to independently influence the industry and education – this charges us and motivates us to do even more.”

Oleg Ignatov, Head of University Relations Department, Positive Technologies:

Recruiting teams in a relatively short time was a challenging task for the Positive Education team. Since the student cyber battle is a new project, we had to conduct a lot of explanatory work with universities. We negotiated with 70 universities and colleges at the same time. We received a good response from the academic community, teachers responded actively and quickly realized that this was an excellent opportunity for universities and students themselves to measure the level of their practical competencies and understand how ready they were for real tasks. This was also an impetus for creating their own laboratories and training grounds for the community and specialists within universities. Of course, this is an opportunity to understand your weak points and see what you need to work on, gain skills. Victories in such competitions in one way or another show the expertise of each individual university, a criterion that is always closely monitored by businesses as employers.

The All-Russian Student Cyberbattle is an event that unites students in IB all over Russia, providing them with new opportunities. In September, we will once again gather the blue and red on the cyber ground: VSKB will return to Kazan for Kazan Digital Week. We are waiting for the team and are already preparing the tests – stay tuned for announcements.