The cyberwar rages in the shadows. The modern Internet has significantly changed the threat landscape. It has created a new dimension in which countries and individuals can influence, disrupt and destroy systems critical to everyday life. From the power plant to the bank, all systems are at risk. The Orca Security Research Pod has been actively tracking and continues to track the cyberattacks that took place in the run-up to the Russian invasion of Ukraine in late February. The cyber attacks have combined multiple threat vectors including malware, distributed denial of service attacks, social engineering campaigns, and other coordinated techniques.
The ground invasion of Ukraine began on February 24, 2022. Russian cyber operations against Ukraine, however, started long before that, with many notable events over the years. During the 2014 annexation of Crimea, many Ukrainian websites and the mobile network were taken offline. Two major blackouts caused by cyberattacks, in 2015 and 2016, left hundreds of thousands in the dark. The NotPetya attack of June 2017, disguised as ransomware, targeted the country’s financial and accounting sector on the eve of a Ukrainian national holiday, but from there it spread to many companies around the world, causing enormous financial damage.
In November 2021, tensions between Ukraine and Russia flared up again as Russian troops massed at the border. In the same month, Ukrainian intelligence released technical details on the Gamaredon group, an APT group that had been attacking the Ukrainian government for years and was linked to the Russian Federal Security Service (FSB).
In January 2022, as talks between the US, NATO and Ukraine progressed, tensions between the two countries grew. A sharp increase in cyberattacks was observed, and on January 13 destructive malware from a new campaign was discovered for the first time. The malware, named WhisperGate, is designed to look like ransomware but offers no way to recover. It overwrote the Master Boot Record (MBR) of Windows machines and downloaded a second-stage payload that corrupted files under predefined paths by overwriting their contents and renaming them. The files were not deleted outright, which was probably intended by the attackers to cause more psychological damage.
Ongoing cyber attacks leading to invasion
On January 14, 2022, over 70 Ukrainian websites were defaced. Their content was replaced with the same message, “Be afraid and wait for the worst”, in three languages: Ukrainian, Russian and (misspelled) Polish. On February 15, 2022, a large-scale DDoS attack was observed, crippling two of Ukraine’s largest banks and several government entities. It was described as the largest DDoS attack ever seen in Ukraine.
Hermetic malware precedes February’s invasion
Two major cyberattacks took place just a day before the physical invasion. The first was a large DDoS attack that crippled many government sites and banks. During this attack, a second data-wiping malware was discovered at several Ukrainian organizations in the financial, government, aviation and IT sectors. The malware family, dubbed “Hermetic” after the certificate used to sign it, consists of three different malicious programs:
- HermeticWiper: Erases the data on the system
- HermeticWizard: A worm responsible for propagation across the network
- HermeticRansom: Decoy ransomware used to distract from the actions of the wiper.
IsaacWiper also spotted in the wild
The third wiper attack took place on the day of the invasion. Dubbed IsaacWiper, the malware is reportedly far less sophisticated than the two wiper variants used in the earlier attacks.
Social engineering campaign combined with SunSeed malware
In the past few days, Orca Security has learned of a new social engineering campaign, called Asylum Ambuscade, targeting European government personnel involved in managing refugee movement. The phishing emails carry the SunSeed malware discovered by Proofpoint, and the campaign aims to collect intelligence on the handling of refugees.
Hacktivism and ongoing cyber activities
Russia is not the only party conducting cyberattacks in this conflict. Hacktivist groups use the internet and related techniques to perform civil disobedience for a specific cause, and many of them have announced that they are now focusing their efforts on harming Russia and disrupting its IT operations. For example, the hacker collective Anonymous has declared cyber war on the Russian government, and Ukraine’s Deputy Prime Minister announced on Twitter the creation of an “IT Army” of volunteers to defend Ukraine’s IT infrastructure and take on tasks against Russian targets.
Another interesting story is the leak of the Conti ransomware source code and internal chats after the group declared its support for Russia. Conti was one of the most impactful ransomware operations of 2021. The leak led to the takedown of the group’s command-and-control (C&C) infrastructure, crippling the operation.
The cybersecurity and security research community, including the Orca Security Research Pod, continues to monitor and track cyberattacks related to this ongoing conflict. Since Russian state actors and aligned groups have carried out far more sophisticated attacks in the past, more events related to this conflict could occur in the near future. As developments progress and additional groups and research emerge, Orca Security will provide timely updates.
Data and recommendations from Orca Security
Meanwhile, many security vendors have reported a significant increase in cyberattacks of all kinds, from phishing to DDoS and more. Spillover from this conflict onto third parties has already happened in the past (NotPetya) and could happen again. Orca Security has seen an increase of over 60 percent in the average number of SSH brute-force attacks per customer on cloud infrastructure in the US. This anonymized dataset from real-world cloud environments compares the week of February 24 to March 2 with the weeks of the previous month.
This may reflect two processes believed to be under way in the cyber theater. First, Russian attackers are looking for machines that can be compromised and enlisted as “zombies” in DDoS attacks on Ukrainian targets. Orca has already observed such tooling in the wild; for example, Microsoft’s initial description of HermeticWiper, which it tracks under the name FoxBlade, noted that it can use infected PCs for DDoS attacks. Second, Russian attackers could try to gain a foothold in key Western facilities to carry out data wiping or data exfiltration that would harm and embarrass Ukraine’s allies.
How can companies and institutions protect themselves?
- Reduce the attack surface: Systems reachable from the Internet are potential targets. Expose as few systems as possible, do not grant high privileges to sensitive accounts, and do not store confidential data unencrypted.
- Close security gaps and keep systems up to date: Unpatched machines can be exploited by a malicious actor. By keeping systems patched, organizations reduce the risk of remote exploitation.
- Use MFA and strong passwords: Multi-factor authentication (MFA) makes unauthorized access considerably harder, and accounts with long, unique passwords are harder to brute-force. For SSH, prefer key-based authentication and disable password logins altogether.
- Use logging services: All major cloud providers now offer logging services that help you monitor account activity and spot brute-force attempts early.
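The SSH brute-force data above and the recommendations in this list both come down to two practical questions: can you see brute-force attempts in your own logs, and is the SSH daemon configured so that they cannot succeed? The following script is an added example written for this page, not Orca Security's tooling or data. It flags source IPs with a burst of failed password attempts in sshd log lines (a constructed, fictional sample in syslog format) and then audits an sshd_config for the settings that make password guessing worthwhile: PasswordAuthentication, PermitRootLogin and MaxAuthTries. The thresholds (5 failures in 5 minutes, MaxAuthTries of at most 3) are this example's own assumptions, not values from the article.

```python
"""Flag SSH brute-force sources in sshd logs and audit sshd_config for weak settings.

Added example for illustration; the log lines and configs below are constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log (syslog) format.
SAMPLE_AUTH_LOG = """\
Feb 24 03:12:01 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 24 03:12:03 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51023 ssh2
Feb 24 03:12:05 web1 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Feb 24 03:12:07 web1 sshd[2041]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Feb 24 03:12:09 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 24 03:12:11 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51027 ssh2
Feb 24 03:15:40 web1 sshd[2077]: Failed password for alice from 198.51.100.23 port 40110 ssh2
Feb 24 03:15:52 web1 sshd[2077]: Accepted publickey for alice from 198.51.100.23 port 40110 ssh2
Feb 24 03:20:00 web1 sshd[2099]: Failed password for root from 203.0.113.7 port 51030 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text):
    """Return {ip: [(timestamp, username), ...]} for every failed password attempt."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Syslog stamps carry no year; strptime fills in 1900, which is fine for windowing.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[m.group("ip")].append((ts, m.group("user")))
    return failures


def brute_force_sources(log_text, threshold=5, window_s=300):
    """Flag IPs with at least `threshold` failures inside any `window_s`-second window.

    Returns {ip: {"peak": failures in the densest window, "total": all failures,
                  "users": sorted usernames tried}}.
    """
    hits = {}
    for ip, attempts in parse_failures(log_text).items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = {"peak": peak, "total": len(attempts),
                        "users": sorted({u for _, u in attempts})}
    return hits


# Directive -> (OpenSSH default when absent, predicate for an acceptable value).
# The "at most 3 tries" bound is this example's assumption, not an OpenSSH rule.
CONFIG_CHECKS = {
    "passwordauthentication": ("yes", lambda v: v == "no"),
    "permitrootlogin": ("prohibit-password", lambda v: v == "no"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 3),
}


def audit_sshd_config(config_text):
    """Return [(directive, effective_value)] for every check that fails."""
    seen = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())  # sshd keeps the first value
    findings = []
    for key, (default, ok) in CONFIG_CHECKS.items():
        value = seen.get(key, default).lower()
        if not ok(value):
            findings.append((key, value))
    return findings


# Constructed weak and hardened sshd_config fragments (not taken from any real host).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['peak']} failures in 5 min ({info['total']} total), users {info['users']}")
    for key, value in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"weak setting: {key} = {value}")
```

In the sample, 203.0.113.7 is flagged (six failures in ten seconds, guessing root and common service accounts) while alice's single typo from 198.51.100.23 is not; the weak config fails all three checks, including MaxAuthTries, which is reported at its default of 6 because the directive is absent. A real deployment would feed the script from the host's auth log or the cloud provider's log service and raise alerts or block the offending sources.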