Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures

Russian government-affiliated actors launched coordinated cyber-attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced recently. 

The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.

Russia has a long history of timing cyber-attacks to offensive operations, going back to Georgia in 2008. Russian cyber-attacks have featured heavily in the Ukraine conflict, most significantly knocking out power on Christmas Eve 2015 for thousands of Ukrainians.

This autumn, Stealthcare first observed a Russian state-baked entity known as the Carbanak group develop a new phishing campaign, using deceptive emails to convince targets to click links and download malware around Oct. 25. 

The targets were government agencies in Ukraine and across Eastern Europe, according to CEO Jeremy Samide. Attached to the emails were PDFs with links and other pieces of code that, when executed, would allow the attacker to steal or exfiltrate data and gain control over important computer functions. 

While Samide said he couldn’t say which government entities were targeted, because of sensitivities surrounding the target, he said they would have had information related to Ukrainian foreign and naval affairs, information that would have been very useful if you wanted to engineer a maritime crisis. 

Samide says there is “no doubt” that this was a Kremlin-led reconnaissance effort to prepare for the Kerch Strait crisis.

A separate Russian actor tied to the Russian FSB, called the Gamaredon Group, targeted Ukrainian government agencies with a backdoor attack called Pterodo, tailored to Windows, a few days before Nov. 20, when Stealthcare first reported seeing it.

On Nov. 26, just Russia seized Ukrainian vessels and imprisoned Ukrainian sailors, Stealthcare observed a second, coordinated attack by the Carbanak group aimed at key Ukrainian government and military targets. The malware linked to the phishing attack would have allowed for the theft of data or emails.

The spyware war has since heated up on both sides. Earlier this December, Stealthcare observed a new phishing scam aimed at Russian entities involving fake PDF documents loaded with malware. 

“It’s not clear as to what targets it actually hit,” said Samide, who couldn’t yet name the source, but some of the documents “appear to be masquerading as health documents from Moscow based hospitals,” he said.

“We now know that the latest attack retaliating against Russia is a highly targeted attack against their FSBI ‘Polyclinic No.2,’ which is affiliated to the Presidential Administration of Russia.  Most notably, the lure document used in the attack exploits the latest Flash zero-day vulnerability,” he told Defense One in an email. 

“The threat actor exhibits the tactics, techniques and procedures (TTPs) of an Advanced Persistent Threat (APT) actor. The document that is being delivered shows a questionnaire for staff of the Moscow-based hospital, but it secretly executes malicious code in the background.”

Russian cyber offensive operations are a growing concern for US policymakers, particularly Democratic Sen. Mark Warner from Virginia, ranking member of the Senate intelligence committee. 

“Countries like Russia are increasingly merging cyber-attacks with traditional information operations,” he said at the Center for New American Security, in Washington on Friday 7th December. 

“This emerging brand of hybrid, cyber warfare exploits our greatest strengths our openness and the free flow of ideas. Unfortunately, we just aren’t waking up to that fact.” 

Defense One:

You Might Also Read:

Russia And Ukraine’s Crisis Could Escalate Beyond Cyberwar

« Hackers Are Targeting Young Video Gamers
Social Media Outpaces Print Newspapers In The US »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

High-Tech Bridge

High-Tech Bridge

High-Tech Bridge SA is a Swiss MSSP provider offering security auditing, source code review and computer forensics.

Centripetal Networks

Centripetal Networks

Centripetal Networks was founded with one vision - to protect networks from advanced threats by simplifying intelligence-driven security.

SecurePay

SecurePay

SecurePay is Australia's premier payment gateway, with a range of secure online payment solutions for online retailers, SMEs and enterprise businesses.

Smoothwall

Smoothwall

Smoothwall develop intelligent web filtering, Monitoring and security solutions designed to protect users worldwide.

SaltStack

SaltStack

SaltStack develops award-winning intelligent IT automation software. We help businesses more efficiently secure and manage all aspects of their digital infrastructure.

ECOLUX

ECOLUX

ECOLUX is a professional IoT security service company committed to developing world-leading “IoT Lifecycle Security” technologies and products.

White & Black

White & Black

White & Black are specialist corporate & technology lawyers based in London & Oxford.

Secure Blockchain Technologies (SBT)

Secure Blockchain Technologies (SBT)

SBT is a team of Enterprise IT Security Professionals weaving security and Blockchain Technology into our customer’s operational fabric.

Guidehouse

Guidehouse

Guidehouse is a leading global provider of consulting services to the public and commercial markets with broad capabilities in management, technology, and risk consulting.

Baxter Clewis Consulting

Baxter Clewis Consulting

Baxter Clewis are cyber security and compliance experts. We provide Security Consulting, IT Assurance, and Technical Security services.

AdEPT Technology Group

AdEPT Technology Group

AdEPT are a managed services and telecommunications provider offering award-winning, proven and uncomplicated technical solutions for over 12,000 organisations across the UK.

National Security Services Group (NSSG)

National Security Services Group (NSSG)

National Security Services Group (NSSG) is Oman's leading and only proprietary Cybersecurity consultancy firm and Managed Security Services Provider.

SeeMetrics

SeeMetrics

SeeMetrics is an automated cybersecurity performance management platform that integrates security data and business objectives into a simple interface.

Lineaje

Lineaje

Lineaje solves critical Software Supply Chain security problems faced by every organization that builds, uses or sells software.

Technation

Technation

Technation proudly represents the Canadian technology companies that are furthering our nation and the world into the future through innovation, creativity and ingenuity.

Darwinium

Darwinium

Darwinium is a Cyberfraud Prevention Platform that provides scalable customer journey protection without complexity.