Extensive Cyberattacks Amidst the Russia-Ukraine Military Action
Executive summary
Cyble Research Labs has been investigating a series of massive cyberattacks launched against Ukrainian banks and government websites as part of the ongoing geopolitical crisis between Ukraine and Russia, which culminated in an outright military conflict between the two countries on February 24, 2022. Several United States government entities also suffered critical attacks after the Biden administration stated its intent to take reciprocal actions against the Russian military invasion.
Massive Cyberattacks against Ukrainian and U.S. Assets
On Feb. 23, 2022, the State Special Communications Service of Ukraine announced a massive DDoS attack targeting several government and banking institutions (Ref. “Чергова кібератака на сайти державних органів та банки” [“Another cyberattack on the websites of government bodies and banks”]).
Open sources revealed that computer networks across Ukraine were attacked by a new set of malware dubbed HermeticaWiper, which is designed to corrupt the Master Boot Record (MBR) and wipe the data of infected systems (Ref. “#ESETResearch discovered a new data wiper malware used in Ukraine today”, Twitter).
Security researchers expect the data wiper to behave similarly to the WhisperGate data wiper malware, which targeted Ukrainian organizations in January 2022 while disguised as ransomware (Ref. Destructive malware targeting Ukrainian organizations – Microsoft Security Blog). While it is likely that Russia backed the attack, we did not find conclusive evidence that definitively identifies the Threat Actors involved.
Involvement of the Russian government
At the moment there is no conclusive evidence that a single group is behind the scattered attacks targeting Ukraine and the U.S. However, several sources have concluded that the Russian government certainly backed the attacks.
- One such report, published on the U.K. government’s website and based on technical analysis performed by its National Cyber Security Centre, states that Russia’s Main Intelligence Directorate (GRU) was behind the cyberattacks (Ref. U.K. assesses Russian involvement in cyberattacks on Ukraine).
- Another detailed investigative report, published after joint research by “The Insider” and “Bellingcat”, also suggests that Russia’s GRU used various fake government websites to spread malicious payloads targeting Ukrainian networks.
According to the report, the APT28 group (aka Fancy Bear), operated by the GRU, set up several websites disguised as websites belonging to the President of Ukraine and used them as Command-and-Control (C&C) infrastructure to infect a substantial number of Ukrainian citizens.
Researchers believe that the other attacks could have originated from the same C&C infrastructure (Ref.: 1. “Атака клонов. ГРУ начало масштабную кибератаку на Украину: вирусы распространяются через поддельные правительственные сайты” [“Attack of the Clones. The GRU has launched a large-scale cyberattack on Ukraine: viruses are spreading through fake government websites”], 2. Attack on Ukrainian Government Websites Linked to Russian GRU Hackers – bellingcat). The following screenshot shows one of the fake websites, hosted at stun[.]site:

Threat activities observed in the underground forums
Cyble Research Labs has observed a rapid increase in cyber threat activity in underground forums targeting Ukrainian and U.S. organizations. Notable threat activities, possibly backed by Russian state or non-state actors, are described below:
On February 19, 2022, the actor Carzita posted a thread on Raidforums announcing plans to launch defacement attacks on February 22, 2022, against Ukrainian infrastructure, including bank, defense and government websites, using their dedicated infrastructure. It was the first of many notable forum threads that explicitly announced the targeting of Ukrainian infrastructure. Carzita’s historical activity suggests their alleged involvement in the defacement of several corporate websites.

Figure 2 – Forum thread posted by the actor Carzita on Raidforums on Feb. 19, 2022, as captured in the Cyble database
On February 24, 2022, the Threat Actor NetSec (aka Scarfac33), highly active on Raidforums.com, posted a thread inciting cyberattacks against the United States. NetSec claimed to have compromised an enterprise software program managed and developed by the U.S. Army’s Program Executive Office Enterprise Information Systems (PEO EIS) at eis.army.mil.

The actor then allegedly used the compromised access to obtain the source code and identify a 0-day vulnerability affecting various U.S. defense websites, including the Defense Technical Information Center (DTIC) at dtic.mil and U.S. Army Special Operations Command at soc.mil. As proof of their claims, the actor released sample datasets containing emails and encrypted passwords belonging to individuals commissioned at the impacted defense organizations. It is worth noting that NetSec has an established history of offering compromised accesses and databases.
In four separate forum threads from February 22 to February 23, NetSec claimed to have compromised U.S. Army Special Operations Command (USSOCOM) at soc.mil, U.S. Central Command (CENTCOM) at centcom.mil, and U.S. Strategic Command (USSTRATCOM) at stratcom.mil. The actor released compromised datasets of emails and encrypted passwords allegedly exfiltrated from the impacted organizations and has repeatedly announced their intent to release more in the future.
On February 25, 2022, the actor released a compromised dataset of emails and encrypted passwords allegedly belonging to the U.S.-based defense technology company Lockheed Martin Corporation (lockheedmartin.com). The actor also boasted of expanding their cyberattacks to private defense industries.

While we were researching the actor’s association with Russia, on February 25, 2022, the actor released a dataset of emails and encrypted passwords allegedly belonging to Russia’s federal intelligence agency, the Federal Security Service (FSB), at fsb[.]ru. The alleged intent was to warn the Russian state/non-state actors with whom the actor was likely trying to collaborate to sell the data.
At this moment, we cannot comment on the actor’s inclination towards Russia. However, all signs so far indicate that NetSec is potentially a database broker attempting to monetize their access amidst the ongoing crisis.

We have observed this actor targeting U.S. military infrastructure in the past. In a post from August 12, 2021, the actor claimed access to an undisclosed website allegedly belonging to the U.S. Army. The screenshots posted as proof of the claim suggest that the unidentified website stored a massive database of transnational criminal actors; regardless, the impacted organization remains unidentified at this point. The threat actor also asked forum members for suggestions on leaking the database allegedly exfiltrated through the compromised access.

On February 24, 2022, the threat actor DataFor leaked on Xss.is a dataset allegedly consisting of 90k Personally Identifiable Information (PII) records belonging to an undisclosed U.S. intelligence agency. A rapid analysis revealed that the dataset was a collection of PII records of individuals from several U.S. law enforcement agencies, including the Federal Bureau of Investigation (FBI), and suggests the data possibly originated from a website that handled training registration data for multiple U.S. law enforcement agencies. However, we could not confirm the source of the data.

Conclusion
Based on our research, it is plausible to assume that the attacks can be reliably linked to Russian state/non-state actors intent on impairing Ukraine’s ability to respond to the ongoing Russian military action. However, the Russian government has denied any involvement in the attacks, maintaining plausible deniability.
Indicators of Compromise:
The following are widely reported indicators for the malware used in the cyberattacks against Ukraine.
HermeticaWiper indicators:
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 382fc1a3c5225fceb672eea13f572a38, D9a3596af0463797df4ff25b7999184946e3bfa2, 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf | File hashes (MD5, SHA1, SHA256) | HermeticaWiper dropper |
| Decc2726599edcae8d1d1d0ca99d83a6, 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29, 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 | File hashes (MD5, SHA1, SHA256) | HermeticaWiper dropper |
| 84ba0197920fd3e2b7dfa719fee09d2f, 912342f1c840a42f6b74132f8a7c4ffe7d40fb77, 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da | File hashes (MD5, SHA1, SHA256) | HermeticaWiper dropper |
| 95.101.28.0/23 (ASN 20940, Akamai International B.V.; RIR: RIPE NCC; country: GB; continent: EU) | IP address range | Communicating IP (suspicious; recommended to monitor) |
WhisperGate Wiper indicators:
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 0e085a1d8aa8a4a3ed1cd9949f7100a3, be37ed968a0dca38f872dbb0239c6f3a3b9321bc, 22f1d202cd3c902a5d813b0be8a3bc3e61af31a3dcd799e6a63139d6ea888382 | File hashes (MD5, SHA1, SHA256) | WhisperGate Wiper bundle |
| f49c0774f1ec84f33db771801eea1edf, f1848b3c4fceb3cb38cce30c23b40a19acc793e7, b50fb20396458aec55216cc9f5212162b3459bc769a38e050d4d8c22649888ae | File hashes (MD5, SHA1, SHA256) | WhisperGate Wiper dropper |
| 5d5c99a08a7d927346ca2dafa7973fc1, 189166d382c73c242ba45889d57980548d4ba37e, a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | File hashes (MD5, SHA1, SHA256) | WhisperGate Wiper dropper |
| b470903ecb076607dcd2b86a1ba9f94b, ba6a2e5a5f7578429e86b262c2a370d6bac86b21, 8d71d6e45183bc1390f0621e79a7ec1f1f664a252af7cfde2458de3b1c1a4f8e | File hashes (MD5, SHA1, SHA256) | WhisperGate Wiper payload (\Device\Harddisk0\DR0) |
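As an added defender-side check (this is example code, not part of the Cyble report), the script below parses rows in the pipe-delimited table format used above, classifies each comma-separated digest as MD5, SHA1 or SHA256 by its length, hashes files in a single read pass and reports any file matching a known indicator. The `demo()` run uses a constructed row carrying the digests of the byte string "abc" rather than the report's indicators, so it can be verified offline; feed it the report's rows and a directory of files to use it for real.

```python
import hashlib
import tempfile
from pathlib import Path

# Hex digest length -> algorithm, as in the report's "File hashes (MD5, SHA1, SHA256)" rows.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_ioc_table(text):
    """Parse 'hash, hash, hash | File hashes (...) | Description |' rows into
    {lowercase_hash: (algorithm, description)}; header and IP rows are skipped."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not cells[1].lower().startswith("file hash"):
            continue
        for token in cells[0].split(","):
            digest = token.strip().lower()
            algo = HASH_ALGOS.get(len(digest))
            if algo and set(digest) <= set("0123456789abcdef"):
                iocs[digest] = (algo, cells[2])
    return iocs

def hash_file(path):
    """Compute MD5, SHA1 and SHA256 of a file in one read pass."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS.values()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def scan_paths(paths, iocs):
    """Return [(file name, algorithm, description)] for every file matching an IoC."""
    hits = []
    for path in paths:
        for algo, digest in hash_file(path).items():
            if digest in iocs:
                hits.append((Path(path).name, algo, iocs[digest][1]))
                break  # one match per file is enough
    return hits

def demo():
    table = ("Indicators | Indicator Type | Description |\n"
             "900150983CD24FB0D6963F7D28E17F72, a9993e364706816aba3e25717850c26c9cd0d89d, "
             "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad | "
             "File hashes (MD5, SHA1, SHA256) | Constructed sample |\n")
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "benign.txt").write_bytes(b"hello")
        (Path(tmp) / "sample.bin").write_bytes(b"abc")  # constructed: matches the row above
        return scan_paths(sorted(Path(tmp).iterdir()), parse_ioc_table(table))
```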
Recommendations
- Keep the operating system and installed software on all systems and servers updated.
- Minimize network exposure for all serial devices by using network segmentation and placing serial devices behind network firewalls so that they are not accessible from the Internet.
- Conduct regular backups and maintain the backups offline or on a separate network.
- Use the security solutions available for Linux and IoT devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Create and store passwords with a password manager.
- Change the default passwords of all internet-connected devices.