Cyble-Ongoing-Cyber-Warfare-Russia-Ukraine-Conflict

Ongoing Cyberwarfare

Extensive Cyberattacks Amidst the Russia-Ukraine Military Action

Executive summary

Cyble Research Labs has been investigating a series of massive cyber-attacks were launched against Ukrainian banks and government websites as part of an ongoing geopolitical crisis that emerged between Ukraine and Russia, culminating in an outright military conflict between the countries on February 24, 2022. United States entities also suffered critical attacks against several government entities after the Biden administration stated its intent to take reciprocal actions against the Russian military invasion.

Massive Cyberattacks against Ukrainian and U.S. Assets

On Feb. 23, 2022, the State Special Communications Service of Ukraine announced a massive DDoS attack targeting several government and banking institutions (Ref. Чергова кібератака на сайти державних органів та банки).

Open sources revealed that the Ukraine-wide computer network was attacked by a new set of malware dubbed HermeticaWiper that intends to corrupt the Master Boot Records (MBR) and wipe the data of the infected systems. (Ref. #ESETResearch discovered a new data wiper malware used in Ukraine today. Twitter).

Security researchers anticipate that the data wiper malware has similar malicious behavior to the WhisperGate data wiper malware, which targeted Ukrainian organizations in January 2022 disguised as ransomware (Ref. Destructive malware targeting Ukrainian organizations – Microsoft Security Blog). While it is likely that Russia backed the attack, we did not find any conclusive findings that could definitively reveal the involved Threat Actors.

Involvement of the Russian government

It is inconclusive at the moment to suggest that a single group behind the scattered attacks targeting Ukraine and the U.S. However, several sources have ascertained that the Russian government certainly backed attacks.

  • One such report was published on the U.K. government’s website based on the technical analysis performed by their National Cyber Security Centre, stating the involvement of Russia’s Main Intelligence Directorate (GRU) behind the cyber security attack starting this. (Ref. U.K. assesses Russian involvement in cyberattacks on Ukraine).
  • Another detailed investigative journal report published after joint research by “The Insider” and “Bellingcat” also suggested that Russia’s GRU used various fake government websites to spread malicious payloads targeting Ukrainian networks.

According to the report, the APT28 group (aka Fancy Bear) operated by the GRU used several websites disguised as websites belonging to the President of Ukraine and used it as their Command-and-Control (C&C) center to infect a substantial number of Ukrainian citizens.

Researchers believe that the other attacks could have originated from the same C&C center (Ref.: 1.Атака клонов. ГРУ начало масштабную кибератаку на Украину: вирусы распространяются через поддельные правительственные сайты, 2.Attack on Ukrainian Government Websites Linked to Russian GRU Hackers – bellingcat ). The following screenshot shows one of the fake websites was hosted at stun[.]site:

Figure 1 – One of the fake websites used in spreading the malicious infection

Threat activities observed in the underground forums

Cyble Research Labs has observed a rapid increase in cyber threat activities in underground forums targeting Ukrainian and U.S. organizations. Notable threat activities possibly backed by Russian state/non-state actors followed:

On February 19, 2022, the actor Carzita posted a thread at the Raidforums announcing their plans to launch defacement attacks on February 22, 2022, against the Ukrainian infrastructure, including banks, defense and government websites, using their dedicated infrastructure. It was the first of the many notable forum threads which explicitly announced to target Ukrainian infrastructure. The actor Carzita’s historical activities suggested their alleged involvement in the defacements of several corporate websites.


Figure 2 – Forum thread captured by the Cyble database posted by the actor Carzita at the Raidforums on Feb. 19, 2022

On February 24, 2022, the Threat Actor NetSec (aka Scarfac33), highly active at Raidforums.com, posted a thread instigating cyber-attacks against the United States. NetSec claimed to have compromised an enterprise software program managed and developed by the U.S. Army’s Program Executive Office Enterprise Information Systems (PEO EIS) at eis.army.mil.

                             Figure 3 – Actor NetSec’s post on Raidforums from Feb. 24, 2022                                                         

The actor then allegedly obtained the source code using the compromised access and identified a 0-day vulnerability targeting various U.S. defense websites, including Defense Technical Information Center (DTIC) at the dtic.mil website and U.S. Army Special Operations Command at the soc.mil website. The actor released sample datasets containing email and encrypted passwords belonging to individuals commissioned at the impacted defense organizations as proof of their claims. It is worth noting that the actor NetSec has an established history of activities offering compromised accesses and databases.

The actor NetSec, in four separate forum threads from February 22 – February 23, claimed compromise of U.S. Army Special Operations Command (USSOCOM) at the ​​soc.mil website, U.S. Central Command (CENTCOM) at the centcom.mil website, and U.S. Strategic Command (USSTRATCOM) at the stratcom.mil website. The actor released compromised datasets of email and encrypted passwords allegedly exfiltrated from the impacted organizations and has repeatedly announced their intent to release more in the future.

On February 25, 2022, the actor leaked datasets released a compromised dataset of email and encrypted passwords allegedly belonging to the U.S.-based defense technology company Lockheed Martin Corporation at the lockheedmartin.com website. The actor also boasted expansion of their cyberattacks against private defense industries

Figure 4 – Actor NetSec’s on Raidforums from February 25, 2022

While we were researching to understand the actor’s association with Russia, on February 25, 2022, the actor released a dataset of email and encrypted passwords allegedly belonging to Russia’s federal intelligence agency, Federal Security Service (FSB), at the fsb[.]ru. The alleged intent was to warn the Russian state/non-state actors that the actor was likely trying to collaborate to sell the data.

At this moment, we cannot comment on the actor’s inclination towards Russia. But all signs so far indicate that NetSec is a potentially database broker attempting to monetize their access amidst the ongoing crisis.

Figure 5 – Actor NetSec’s on Raidforums from February 25, 2022

We have observed the subject actor targeting U.S. military infrastructure in the past. One of the actor’s posts from August 12, 2021, where it claimed access to an undisclosed website allegedly belonging to the U.S. Army. The screenshots posted by the actor as proof of claim suggested the unidentified website stored a massive database of transnational criminal actors. Regardless, the impacted organization remains unidentified at this point. The threat actor also sought suggestions from the forum members to leak the allegedly exfiltrated database using compromised access.

Figure 6 – Screenshots posted by the actor NetSec on the Raidforums in the post from August 12, 2021

On February 24, 2022, the threat actor DataFor at the Xss.is leaked a dataset allegedly consisting of 90k Personally Identifiable Information (PII) records belonging to an undisclosed U.S. intelligence agency. A rapid analysis revealed the dataset was the collection of PII records from the individuals belonging to several U.S law enforcement agencies, including the Federal Bureau of Investigation (FBI). A quick analysis of the dataset suggests the data possibly originated from a website that handled training registration data for multiple U.S. law enforcement agencies. However, we could not provide any confirmation on the source of data.

Figure 7 – Threat Actor DataFor’s post on Xss cybercrime forum from February 24, 2022

Conclusion

Based on our research, it is plausible to assume that the attacks could be reliably linked to Russian state/non-state actors with the intent to impact Ukraine’s ability to respond to the ongoing Russian military action. However, the Russian government has denied any involvement in the attacks, maintaining plausible deniability.

Indicators of Compromise:

The following are widely used malware indicators on Cyberattacks against Ukraine

HermeticaWiper indicators:

IndicatorsIndicator TypeDescription
382fc1a3c5225fceb672eea13f572a38, D9a3596af0463797df4ff25b7999184946e3bfa2, 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bfFile hashes (MD5, SHA1, SHA256)HermeticaWiper dropper
Decc2726599edcae8d1d1d0ca99d83a6, 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29, 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767File hashes (MD5, SHA1, SHA256)    HermeticaWiper dropper
84ba0197920fd3e2b7dfa719fee09d2f, 912342f1c840a42f6b74132f8a7c4ffe7d40fb77, 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21daFile hashes (MD5, SHA1, SHA256)  HermeticaWiper dropper
84ba0197920fd3e2b7dfa719fee09d2f, 912342f1c840a42f6b74132f8a7c4ffe7d40fb77, 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21daFile hashes (MD5, SHA1, SHA256)  HermeticaWiper dropper  
95.101.28.0/23 Autonomous System Number 20940 Autonomous System Label Akamai International B.V. Regional Internet Registry RIPE NCC Country  GB Continent EU  IP address  Communicating IP (Susp- better to monitor)  

WhisperGate Wiper:

IndicatorsIndicator TypeDescription
0e085a1d8aa8a4a3ed1cd9949f7100a3, be37ed968a0dca38f872dbb0239c6f3a3b9321bc, 22f1d202cd3c902a5d813b0be8a3bc3e61af31a3dcd799e6a63139d6ea888382File hashes (MD5, SHA1, SHA256)  WhisperGate Wiper bundle
f49c0774f1ec84f33db771801eea1edf, f1848b3c4fceb3cb38cce30c23b40a19acc793e7, b50fb20396458aec55216cc9f5212162b3459bc769a38e050d4d8c22649888aeFile hashes (MD5, SHA1, SHA256)  WhisperGate Wiper Dropper
5d5c99a08a7d927346ca2dafa7973fc1, 189166d382c73c242ba45889d57980548d4ba37e, a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92File hashes (MD5, SHA1, SHA256)  WhisperGate Wiper Dropper  
b470903ecb076607dcd2b86a1ba9f94b, ba6a2e5a5f7578429e86b262c2a370d6bac86b21, 8d71d6e45183bc1390f0621e79a7ec1f1f664a252af7cfde2458de3b1c1a4f8eFile hashes (MD5, SHA1, SHA256)  WhisperGate Wiper Payload(\Device\Harddisk0\DR0)  

Recommendations

  • Keep the operating system and installed software in the system and server updated.
  • Minimize network exposure for all serial devices using network segmentation and the placement of serial devices behind network firewalls to ensure that they are not accessible via the Internet.
  • Conduct regular backup practices and maintain backups offline or in a separate network.
  • Use security solutions available for Linux and IoT devices
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Create and save your passwords with password managers.
  • Change all internet-connected devices’ default passwords.
Scroll to Top