Cyber Attacks On Ukraine Are Increasing

Uploaded on 2022-05-02 in FREE TO VIEW

Russia’s war on Ukraine is being fought not only with conventional weapons but online as cyber warfare plays an increasingly major role in the invasion. Ukraine has been under steady Russian cyber attack for the past eight years, and the attacks have tripled since the invasion when compared with the same period last year.

It was feared that Russian cyber attacks would involve the takeover and shutting down of crucial services such as Ukraine’s electrical grid or communications services.

While that has not quite happened, experts say cyber attacks are being used for espionage. Since just before the invasion, there has been at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine, including destructive attacks that are ongoing and threaten civilian welfare. 

The destructive attacks have also been accompanied by broad espionage and intelligence activities. 

The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership.  Cyber experts say the analysis suggests hidden depths to Russia’s cyber operations in Ukraine because although it has the capability to launch more damaging cyberattacks, it has chosen to inflict less harmful ones for the moment. 

Cyber attacks against Ukraine are currently being used to strategically to support ground campaigns, with five state-sponsored advanced persistent threat (APT) groups behind attacks. 

According to the Computer Emergency Response Team of Ukraine (CERT-UA), the country has recorded 802 cyberattacks since Russia invaded the country earlier this year. That compares to just 362 documented attacks during the same time last year, CERT-UA said. According to research published by Microsoft, the APTs involved in the campaigns are state-sponsored by Russia. Separate reports published recently also shed new light on the wave of cyber attacks against Ukrainian digital assets by APTs with ties to Russia.

Microsoft researchers believe Russia-aligned threat actors have attempted to carry out dozens of cyber espionage attacks against Ukrainian targets. Moreover, Russia is believed to be using cyber attacks in a type of “hybrid war”, according to a blog by Tom Burt, corporate vice president of Customer Security and Trust at Microsoft. That correlates  “with its kinetic military operations targeting services and institutions crucial for civilians,” he said. “The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership.” 

CERT-UA  has analysed the impact of the cyber attacks that  hampered the country in the lead up to and during the war.  They have recorded 802 cyber attacks in the first quarter of 2022 alone, more than double the number for the same period last year, which was 362. 

Carrying out those attacks are primarily five known Russia or Belarus-sponsored APTs, CERT-UA said. Specifically, those groups are: Armageddon/Garmaredon, UNC1151, Fancy Bear/APT28, AgentTesla/XLoader and Pandora hVNC/GrimPlant/GraphSteel.

Hybrid War

Russia appears to have been preparing for the land conflict with Ukraine in cyberspace about a year before the war began, or since March 2021, according to CERT-UA.  In the lead up to the ground conflict and the subsequent invasion, threat groups with known or suspected ties Russia “continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week,” researchers found.  From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organisations in Ukraine.” 

Even before that, in January, Microsoft identified a Master Boot Record (MBR) wiper attack that it named WhisperGate targeting Ukraine to permanently disrupt organisations across the country and paint it as a failed state. 

Wipers are the most destructive of malware types because they permanently delete and destroy data and/or systems, causing great financial and reputational damage to victims. It’s possible to break down a typical wiper according to three targets: files (data), the boot section of the operating system of machines, and backups of system and data. Most wipers target all three.

From late February to mid-March, there were more wiper attacks using malware called HermeticWiper, IsaacWiper and CaddyWiper targeted organisations in the Ukraine as Russia commenced its physical invasion.

Infrastructure Attacks

According to Microsoft, more than 40 percent of the destructive attacks against Ukraine were aimed at organisations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy and the country’s people. Moreover, 32 percent of destructive incidents affected Ukrainian government organisations at the national, regional and city levels. 

“Acknowledging that there is ongoing activity that we cannot see, we estimate there have been at least eight destructive malware families deployed on Ukrainian networks, including one tailored to industrial control systems (ICS),” according to Microsoft. “If threat actors can maintain the current pace of development and deployment, we anticipate more destructive malware will be discovered as the conflict continues.”

The CERT UA report includes a specific timeline of attacks and the malware used in the earliest weeks of the attack to support Russia’s military activities. In addition to the wipers previously mentioned, other malware deployed in the attacks includes: FoxBlade, DesertBlade, FiberLake, SonicVote and Industroyer2.

Repeat Offenders

Research from Recorded Future has examined specific threat actor affiliations and typical ways of working

  • Armageddon/Garmaredon is an aggressive threat actor that’s been targeting Ukraine since 2014 and is backed by the Russian Federal Security Service (FSB). During the Russian war on Ukraine the group has used phishing attacks to distribute malware, most recently new variants of the “Backdoor.Pterodo” malware payload, according to researchers.
  • UNC1151 is a Belarus-aligned hacking group who has been active since 2016 and has previously targeted government agencies and private organisations in Ukraine, Lithuania, Latvia, Poland and Germany, as well as attacked Belarusian dissidents and journalists, researchers said, using a report by Mandiant.

Since Russia attacked Ukraine UNC1151 the group has been linked to the defacement of multiple Ukrainian government websites as well as spear-phishing campaigns targeting the email and facebook accounts of Ukrainian military personnel to spread malware.

  • Fancy Bear/APT 28 is a well-known and prolific actor active since 2017 and backed by Russia’s military intelligence service (GRU). The politically motivated group has been linked to activity aiming to influence elections in the EU and USA.  On the day Russia attacked Ukraine, Fancy Bear gained access to US satellite communications provider Viasat’s KA-SAT network in Ukraine, leaving many Ukrainians without Internet access and thus communication capability at the critical time when attacks began, researchers said.

Russian threat actors have used the AgentTesla and XLoader malwares since at least 2014 and 2020. During Russia’s invasion of Ukraine, one malicious email campaign targeting Ukrainian state organisations used XLoader as its payload, while a phishing campaign targeting Ukrainian citizens spread AgentTesla malware, according the Recorded Future's researchers. 

In two separate malicious phishing campaigns in March, they were used against Ukrainian targets to steal sensitive information from government officials, among others, they said.

Ever since Ukraine fell victim to two separate destructive cyber attacks in 2015 and 2017 that targeted its power grid and key institutions, Kyiv has made significant investments to improve its cyber security, furthermore, Ukraine has benefited from substantial assistance, both financial and technical, from the US and the EU.

Ukraine Communications Ministry:     Microsoft:    Euronews:    Threatpost:    Threatpost:    ABC:   

The Record:     Mandiant:       The Hill:  

You Might Also Read: 

The Ukraine War - By Satellite, Internet & Phone:

 

« Three Vital Concerns For Companies Running Hybrid Cloud Environments
Government Cloud On-Ramping »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Octopus Cybercrime Community

Octopus Cybercrime Community

The Octopus Community is a platform for information sharing and cooperation on cybercrime and electronic evidence.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

Keyfactor

Keyfactor

Keyfactor is a leader in cloud-first PKI as-a-Service and crypto-agility solutions. Our Crypto-Agility Platform seamlessly orchestrates every key and certificate across the enterprise.

FFRI Security

FFRI Security

FFRI is committed to research and development of preventing the most advanced cyber-attacks and breaches.

CSIRT-IE

CSIRT-IE

CSIRT-IE is the body within the NCSC that provides assistance to constituents in responding to cyber security incidents at a national level for Ireland.

Consortium for Information & Software Quality (CISQ)

Consortium for Information & Software Quality (CISQ)

The mission of CISQ is to develop international standards for software quality and to promote the development and sustainment of secure, reliable, and trustworthy software.

World Congress on Industrial Control Systems Security (WCICSS)

World Congress on Industrial Control Systems Security (WCICSS)

The World Congress on Industrial Control Systems Security (WCICSS) is focused on emerging trends in protection of industrial control systems.

Abion

Abion

At Abion (formerly BRANDIT), we empower your business by providing comprehensive brand protection and web security services.

IP Twins

IP Twins

IP Twins offer a wide range of services related to domain names and online brand protection.

Security Alliance

Security Alliance

Security Alliance provide bespoke cyber intelligence consulting and research services.

Broadcom

Broadcom

Broadcom is a global technology leader that designs, develops and supplies a broad range of semiconductor and infrastructure software solutions.

LiveAction

LiveAction

LiveAction provides end-to-end visibility of network and application performance from a single pane of glass.

ACI Learning

ACI Learning

ACI Learning - Training tomorrow’s industry leaders with formats for all types of learners in Audit, Cybersecurity, and IT.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

CyberUp

CyberUp

CyberUp is a nonprofit organization created to strengthen the cybersecurity workforce. We help employers reimagine how they grow and scale their cybersecurity workforce.

Beetles Cyber Security

Beetles Cyber Security

Beetles is a crowdsourced penetration testing platform designed to build a trusted, hacker-centric approach to protectan organization’s digital attack surface.