With geopolitical tensions at an all-time high, the ongoing crisis has spawned a series of targeted cyberattacks involving the two countries and the rest of the world. Security researchers at Cyble Research Labs have compiled a list of critical incidents in the escalating Russia-Ukraine conflict. The following are some of the emerging cyber threats affecting both nations.
In a joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation warned organizations about two destructive malware types attacking Ukrainian organizations. The first one, WhisperGate Wiper, was identified by Microsoft in January 2022. Refer to Cyble Research Lab’s analysis of the malware for more details. In February, researchers at ESET, a Slovakia-based internet security company, found a new wiper malware variant going by the names HermeticWizard, HermeticWiper, and HermeticRansom. The Hermetic malware family was discovered shortly after Russia attacked Ukraine on February 24, 2022. The code-signing certificate used by the malware was issued to Hermetica Digital Limited, as shown below in Figure 1.
HermeticWizard is a dropper containing three different files embedded into its resource section. The first embedded file is the HermeticWiper executable. The remaining two are Dynamic Link Library (DLL) files used for spreading the wiper malware. The HermeticWizard malware strain spreads with the help of Windows Management Instrumentation (WMI) and Server Message Block (SMB) and is executed with the help of rundll32.exe/regsvr32.exe. The malware drops and runs the HermeticWiper on the victim machine upon successful infection.
The main objective of HermeticWiper is to make the victim system inaccessible by overwriting the Master Boot Record (MBR). Our analysis showed that the HermeticWiper has compressed driver files embedded in the resource section.
Based on the operating system version, the malware decompresses one of the embedded drivers and installs it on the machine before the system reboots. The driver is then used on the compromised machine to write to the physical drive directly, without going through the Windows file system API, which is how the drive is corrupted. In this attack, the attackers were seen abusing a benign driver file, empntdrv.sys.
Finally, the malware enumerates physical drives 0 through 100 and corrupts the MBR of every physical drive it finds. The figure below shows the boot manager screen after the MBR has been corrupted.
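As an added example (not code from the Cyble post or from the analyses it cites), the following Python check shows how a defender could verify that a disk's first sector is still a well-formed MBR and matches a baseline hash recorded before any incident, which is the structure a wiper of this kind destroys. The sample sectors are constructed in memory; the read of the first 512 bytes of a physical drive device on a live Windows host is assumed, not performed.

```python
"""Added example: verify that a disk's first sector is still an intact MBR.
Sample sectors are constructed in memory; on a live host the 512 bytes would
be read from the raw physical drive device (assumed, not performed here)."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow the bootstrap code
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Construct a plausible MBR: filler bootstrap code plus one bootable NTFS partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * (PART_TABLE_OFFSET - 3)  # constructed filler
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 4_000_000)
    return boot_code + ntfs + b"\x00" * 48 + BOOT_SIGNATURE

def parse_partitions(sector: bytes) -> list:
    """Return the non-empty entries of the classic four-slot partition table."""
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            entries.append({"slot": slot, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def record_baseline(sector: bytes) -> str:
    """Hash of a known-good sector, to be stored off-host and compared later."""
    return hashlib.sha256(sector).hexdigest()

def check_mbr(sector: bytes, baseline_sha256: str = "") -> list:
    """Return findings; an empty list means the sector still looks like a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        return ["unexpected sector length %d" % len(sector)]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not parse_partitions(sector):
        findings.append("partition table empty")
    if not any(sector[:PART_TABLE_OFFSET]):
        findings.append("bootstrap area zeroed")
    if baseline_sha256 and record_baseline(sector) != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return findings
```

Running the same checks over each physical drive and alerting on any non-empty finding gives an early, disk-level signal of a structure wipe, independent of whatever driver the wiper used to perform it.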
HermeticRansom is written in the Go language, and it has been reported that the HermeticRansom and HermeticWiper campaigns commenced in Ukraine at about the same time. Researchers at ESET mentioned that HermeticRansom is used to hide the execution of HermeticWiper on the targeted system. Upon successful execution, the ransom note shown below is displayed to victims.
IsaacWiper is another wiper malware observed in the Ukrainian government network that wipes out the MBR. It is dropped as either a DLL or an EXE file and executed from the %programdata% or system32 location. The IsaacWiper file was compiled on October 19, 2021, indicating that the malware may have been used in earlier attacks. Similar to HermeticWiper, IsaacWiper enumerates the physical drives and wipes out the MBR to make the system inaccessible.
Mass Phishing Attacks
On February 25, 2022, the Twitter account of the State Service Communications and Information Protection of Ukraine (SSSCIP) warned of a mass phishing attack targeting Ukrainians through emails containing attachments of uncertain nature. A screenshot of the phishing email was also shared by the SSSCIP, as shown in Figure 5.
In another event, CERT-UA shared a Facebook post warning of mass phishing emails targeting the private accounts of Ukrainian military personnel and related individuals.
The phishing emails were observed to carry a macro-embedded malicious Excel file as the attachment. Upon execution, the macro code downloads an MSI package from the command-and-control (C2) server and executes it. The final MSI installer payload exfiltrates system data to the C2 server and executes commands received from it.
In addition to the disruptive cyberattacks against organizations in Ukraine, the country is also being targeted by the Russian Advanced Persistent Threat (APT) group Sandworm. The group has been active since May 2017 and has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455.
The Sandworm APT group has been using the VPNFilter framework to carry out operations against Ukrainian targets. This framework exploits network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.
In a recent advisory, CISA warned about a new malware named Cyclops Blink added to the arsenal of the Sandworm APT group. Cyclops Blink is a modular malware framework that targets network devices. Though the primary target of Cyclops Blink has been WatchGuard devices, we believe that the Sandworm group has the ability to compile the malware for targeting other devices as well.
DDoS Attacks on Russian State and Private Websites
Researchers at Cyble identified a website offering a range of tools and techniques to perform DDoS attacks against Russian websites. The website appears to be driven by the ongoing geopolitical tension and also encourages mass reporting of pro-Russian social media accounts.
The website provides Python scripts to perform DDoS attacks on target websites from Windows, Linux, and macOS platforms. Users can modify the script to change the targets, thereby enabling these scripts to be used against other targets in the future. Figure 6 shows the homepage of the website.
Amid the intensifying tensions, another hacktivist group, GhostSec (Ghost Security), declared its support for Ukraine and announced that it had flooded Russian military websites with DDoS attacks.
Industrial Control Systems Attacks
The Industrial Control Systems (ICS) of both Russia and Ukraine are being heavily targeted by cyberattacks, as each country attempts to cripple the industrial cyberinfrastructure of the other.
Supervisory Control and Data Acquisition (SCADA) is the largest subgroup of ICS. SCADA systems are the central systems used to monitor and control plant operations. A single successful cyberattack on SCADA can bring the operations of a plant to a standstill. As SCADA is mostly deployed inside industrial environments, a malfunction in this system can also result in tremendous damage, ranging from loss of life to physical damage to the plant.
On March 2, the hacktivist group Anonymous claimed to have compromised the Dubna Bypass Module to gain access to the monitoring system of a nuclear reactor managed by the Joint Institute for Nuclear Research (JINR) in Russia.
There is little doubt that sophisticated cyber weapons are key tools in the arsenal of a modern military. Nation-states and sympathetic hacktivists are targeting government assets, critical infrastructure, and private sector organizations. Operational technology, banking, financial services and insurance (BFSI), and media sectors are highly lucrative targets for attackers. With Russia and Ukraine being targeted by a barrage of cyberattacks, it has become even more evident that targeted cyber warfare will continue to be deployed as global tensions intensify.
Our researchers are continuously gathering more information on the latest cyberattacks, and we will keep updating this space as and when we have more information.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Resource Development | T1588.002 | Obtain Capabilities: Tool |
| Resource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates |
| Initial Access | T1078.002 | Valid Accounts: Domain Accounts |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1106 | Native API |
| Execution | T1569.002 | System Services: Service Execution |
| Execution | T1047 | Windows Management Instrumentation |
| Discovery | T1018 | Remote System Discovery |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Lateral Movement | T1021.003 | Remote Services: Distributed Component Object Model |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe |
| Impact | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
Indicators Of Compromise (IOCs)
Recommendations
- Keep the operating system and installed software on systems and servers updated.
- Minimize network exposure for all serial devices using network segmentation and the placement of serial devices behind network firewalls to ensure that they are not accessible via the Internet.
- Conduct regular backup practices and maintain backups offline or in a separate network.
- Use security solutions available for Linux and IoT devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Create and save your passwords with password managers.
- Change all internet-connected devices’ default passwords.