Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures

Russian government-affiliated actors launched coordinated cyber-attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced recently. 

The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.

Russia has a long history of timing cyber-attacks to offensive operations, going back to Georgia in 2008. Russian cyber-attacks have featured heavily in the Ukraine conflict, most significantly knocking out power on Christmas Eve 2015 for thousands of Ukrainians.

This autumn, Stealthcare first observed a Russian state-baked entity known as the Carbanak group develop a new phishing campaign, using deceptive emails to convince targets to click links and download malware around Oct. 25. 

The targets were government agencies in Ukraine and across Eastern Europe, according to CEO Jeremy Samide. Attached to the emails were PDFs with links and other pieces of code that, when executed, would allow the attacker to steal or exfiltrate data and gain control over important computer functions. 

While Samide said he couldn’t say which government entities were targeted, because of sensitivities surrounding the target, he said they would have had information related to Ukrainian foreign and naval affairs, information that would have been very useful if you wanted to engineer a maritime crisis. 

Samide says there is “no doubt” that this was a Kremlin-led reconnaissance effort to prepare for the Kerch Strait crisis.

A separate Russian actor tied to the Russian FSB, called the Gamaredon Group, targeted Ukrainian government agencies with a backdoor attack called Pterodo, tailored to Windows, a few days before Nov. 20, when Stealthcare first reported seeing it.

On Nov. 26, just Russia seized Ukrainian vessels and imprisoned Ukrainian sailors, Stealthcare observed a second, coordinated attack by the Carbanak group aimed at key Ukrainian government and military targets. The malware linked to the phishing attack would have allowed for the theft of data or emails.

The spyware war has since heated up on both sides. Earlier this December, Stealthcare observed a new phishing scam aimed at Russian entities involving fake PDF documents loaded with malware. 

“It’s not clear as to what targets it actually hit,” said Samide, who couldn’t yet name the source, but some of the documents “appear to be masquerading as health documents from Moscow based hospitals,” he said.

“We now know that the latest attack retaliating against Russia is a highly targeted attack against their FSBI ‘Polyclinic No.2,’ which is affiliated to the Presidential Administration of Russia.  Most notably, the lure document used in the attack exploits the latest Flash zero-day vulnerability,” he told Defense One in an email. 

“The threat actor exhibits the tactics, techniques and procedures (TTPs) of an Advanced Persistent Threat (APT) actor. The document that is being delivered shows a questionnaire for staff of the Moscow-based hospital, but it secretly executes malicious code in the background.”

Russian cyber offensive operations are a growing concern for US policymakers, particularly Democratic Sen. Mark Warner from Virginia, ranking member of the Senate intelligence committee. 

“Countries like Russia are increasingly merging cyber-attacks with traditional information operations,” he said at the Center for New American Security, in Washington on Friday 7th December. 

“This emerging brand of hybrid, cyber warfare exploits our greatest strengths our openness and the free flow of ideas. Unfortunately, we just aren’t waking up to that fact.” 

Defense One:

You Might Also Read:

Russia And Ukraine’s Crisis Could Escalate Beyond Cyberwar

« Hackers Are Targeting Young Video Gamers
Social Media Outpaces Print Newspapers In The US »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

GFI Software

GFI Software

GFI Software works with System Administrators, IT Professionals and IT Executives to ensure that their IT infrastructures are monitored, managed, secured and compliant.

High Technology Crime Investigation Association (HTCIA)

High Technology Crime Investigation Association (HTCIA)

HTCIA was formed to provide education and collaboration to our global members for the prevention and investigation of high tech crimes.

Paessler

Paessler

Paessler is a leading worldwide provider of network monitoring software.

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

Exatel

Exatel

Exatel is Poland’s leading provider of ICT security services.

XignSYS

XignSYS

XignSys develops innovative password-free and user-friendly Authentication solutions and electronic signature systems for B2B and B2C applications.

CERT Tonga

CERT Tonga

CERT Tonga is the national Computer Emergency Response Team for Tonga.

Yaana Technologies

Yaana Technologies

Yaana is a leading provider of intelligent compliance solutions including lawful interception, data retention & disclosure, and advanced security analytics.

FraudHunt

FraudHunt

FraudHunt protects your website from account fraud, ad fraud, fraud clicks, and malicious bots.

Fortanix

Fortanix

Fortanix Runtime Encryption keeps keys, data, and applications completely protected from external and internal threats.

Brighter AI

Brighter AI

Brighter AI empowers companies to use publicly-recorded camera data for analytics & AI while being compliant with increasing data privacy regulations worldwide.

Energia Ventures

Energia Ventures

Energia Ventures is a three-month intensive accelerator for entrepreneurs with an innovative business in the energy, smart grid, cleantech, and cybersecurity sectors.

Diateam

Diateam

Diateam is an R&D company specializing in computer security. Diateam develops highly innovative cyber range platforms and Industry-leading systems for cybersecurity training and testing labs.

Satori Cyber

Satori Cyber

The Satori Cyber Secure Data Access Cloud is the first solution on the market to offer continuous visibility and granular control for data flows across all cloud and hybrid data stores.

Privafy

Privafy

Privafy helps mobile service providers, IoT manufactures , and enterprises redefine the way they protect Data-in-Motion.

Cyber Security Services

Cyber Security Services

Cyber Security Services is a cyber security consulting firm and security operations center (SOC).