With geopolitical tensions at an all-time high, the ongoing crisis has spawned a series of targeted cyberattacks between the two countries and the rest of the world. Security researchers at Cyble Research Labs have compiled a list of critical incidents in the escalating Russia-Ukraine conflict. Following are some of the emerging cyber threats affecting both nations.
Hermetic Malware
In a joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation warned organizations about two destructive malware types attacking Ukrainian organizations. The first one, WhisperGate Wiper, was identified by Microsoft in January of 2022. Refer to Cyble Research Lab’s analysis of the malware for more details. In February, researchers at ESET, a Slovakia-based internet security company, found a new wiper malware variant going by the names HermeticWizard, HermeticWiper, and HermeticRansom. The Hermetic malware family was discovered shortly after Russia attacked Ukraine on February 24, 2022. The digital certificate used by the malware is issued to Hermetica Digital Limited, as shown below in Figure1.
HermeticWizard
HermeticWizard is a dropper containing three different files embedded into its resource section. The first embedded file is the HermeticWiper executable. The remaining two are Dynamic Link Library (DLL) files used for spreading the wiper malware. The HermeticWizard malware strain spreads with the help of Windows Management Instrumentation (WMI) and Server Message Block (SMB) and is executed with the help of rundll32.exe/regsvr32.exe. The malware drops and runs the HermeticWiper on the victim machine upon successful infection.
HermeticWiper
The main objective of HermeticWiper is to make the victim system inaccessible by overwriting the Master Boot Record (MBR). Our analysis showed that the HermeticWiper has compressed driver files embedded in the resource section.
Based on the Operating System version, one of the above drivers is decompressed and installed in the machine by the malware before the system reboots. The driver is then deployed in the compromised machine to interact with the file system without using Windows API and successfully corrupting the physical drive. In this attack, the attackers were seen to be abusing a benign driver file, empntdrv.sys.
Finally, the malware enumerates the physical drive from 0-100 and corrupts the MBR for every physical drive it encounters. The figure below shows the boot manager screen after corrupting the MBR.
HermeticRansom
HermeticRansom is written in the Go Language, and it has been reported that the HermeticRansom and HermeticWiper campaigns commenced in Ukraine at about the same time. Researchers at ESET mentioned that the HermeticRansom is used to hide the execution of the HermeticWiper in the targeted system. Upon successful execution, the ransom note shown below is displayed to victims.
IsaacWiper
IsaacWiper is another wiper malware observed in the Ukrainian government network that wipes out the MBR. It can either be a DLL or an EXE file dropped and executed in the %programdata% or system32 location. The IsaacWiper file was compiled on October 19, 2021, indicating that the malware may have been used in earlier attacks. Similar to the HermeticWiper, the IssacWiper enumerates the physical drive and wipes out the MBR to make the system inaccessible.
Mass Phishing Attacks
On February 25, 2022, the Twitter account, State Service Communications and Information Protection of Ukraine (SSSCIP) warned of a mass phishing attack targeting Ukrainians through emails containing attachments of uncertain nature. A screenshot of the Phishing email was also shared by the SSSCIP, as shown in Figure 5.
In another event, the CERT-UA shared a Facebook post informing about mass phishing emails targeting the private accounts of Ukrainian military personnel and related individuals.
The phishing emails were observed to contain a macro-embedded malicious excel file in the attachment. Upon execution, the macro code downloads a MSI package from the command-and-control (C2) server and executes it. The final MSI installer payload exfiltrates system data to the C2 server and executes commands received from the C2 server.
Sandworm APT
In addition to the disruptive cyberattacks against organizations in Ukraine, the country’s cyber operations are also being targeted by the Russian Advanced Persistent Threat (APT) group, Sandworm. The group has been active since May 2017 and can be attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.
The Sandworm APT group has been using the VPNFilter framework to carry out operations against the Ukrainian targets. This framework exploits network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.
In a recent advisory, CISA warned about a new malware named Cyclops Blink added to the arsenal by the Sandworm APT group. It leverages a modular malware framework for targeting network devices. Though the primary target of the Cyclops Blink has been WatchGuard Devices, we believe that the Sandworm group has the ability to compile the malware for targeting other devices as well.
DDoS Attacks on Russian State and Private Websites
Researchers at Cyble identified a website offering a range of tools and techniques to perform DDoS attacks against Russian websites. The website appears to be driven by the ongoing geopolitical tension and also encourages mass reporting of pro-Russian social media accounts.
The website provides python scripts to perform DDoS attacks on target websites using Windows, Linux, and MacOS platforms. Users can modify the script to change the targets, thereby enabling these scripts to be used against other targets in the future. Figure 6 shows the homepage of the website.
Amid the intensifying tensions, another hacktivist group named GhostSec (Ghost Security), declared its support to Ukraine and announced that it had flooded Russian military websites with DDoS attacks.
Industrial Control Systems Attacks
The Industrial Control Systems (ICS) of both Russia and Ukraine are being heavily targeted by cyberattacks, as each country attempts to cripple the industrial cyberinfrastructure of the other.
Supervisory Control and Data Acquisition (SCADA) is the largest subgroup of ICS. SCADA systems are the central systems that help in monitoring and operating plant operations. A single successful cyberattack on SCADA can bring operations of the plant to a standstill. As SCADA is mostly deployed inside industrial environments, a malfunction in this system can also result in tremendous damage, ranging from the loss of life to physical damage to the plant.
On March 2, the hacktivist group, Anonymous, claimed to have compromised the Dubna Bypass Module to gain access to the monitoring system of a nuclear reactor managed by the Joint Institute for Nuclear Research (JINR) Russia.
Conclusion
There is little doubt that sophisticated cyber weapons are key tools in the arsenal of a modern military. Nation-states and sympathetic hacktivists are targeting government assets, critical infrastructure, and private sector organizations. Operational technologies, Banking, financial services and insurance (BFSI), and media sectors are highly lucrative targets for attackers. With Russia and Ukraine being targeted by a barrage of cyberattacks, it has become even more evident that targeted cyber warfare will only continue to be deployed as the global tensions continue to intensify.
Our researchers are continuously gathering more information on the latest cyberattacks, and we will keep updating this space as and when we have more information.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Resource Development | T1588.002 T1588.003 | Obtain Capabilities: Tool Obtain Capabilities: Code Signing Certificates |
| Initial Access | T1078.002 T1059.003 | Valid Accounts: Domain Accounts Command and Scripting Interpreter: Windows Command |
| Execution | T1106 T1569.002 T1047 | Native API System Services: Service Execution Windows Management Instrumentation |
| Discovery | T1018 | Remote System Discovery |
| Lateral Movement | T1021.002 T1021.003 | Remote Services: SMB/Windows Admin Shares Remote Services: Distributed Component Object Model |
| Impact | T1561.002 T1561.001 T1485 T1499.002 | Disk Wipe: Disk Structure Wipe Disk Wipe: Disk Content Wipe Data Destruction Endpoint Denial of Service: Service Exhaustion Flood |
Indicators Of Compromise (IOCs)
| Indicators | Indicator type | Description |
| 84ba0197920fd3e2b7dfa719fee09d2f 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da | MD5 SHA1 SHA256 | HermeticWiper |
| 382fc1a3c5225fceb672eea13f572a38 d9a3596af0463797df4ff25b7999184946e3bfa2 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf | MD5 SHA1 SHA256 | HermeticWiper |
| decc2726599edcae8d1d1d0ca99d83a6 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 | MD5 SHA1 SHA256 | HermeticWiper |
| 3f4a16b29f2f0532b7ce3e7656799125 61b25d11392172e587d8da3045812a66c3385451 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 | MD5 SHA1 SHA256 | HermeticWiper |
| 5d1122d01501e65a718e565178b301a8 5ba988916d175d5887fb200b8c15a7e76e1fbd20 4aa186b5fdcc8248a9672bf21241f77dd395872ec4876c90af5d27ae565e4cb7 | MD5 SHA1 SHA256 | HermeticWiper |
| f1a33b2be4c6215a1c39b45e391a3e85 9518e4ae0862ae871cf9fb634b50b07c66a2c379 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 | MD5 SHA1 SHA256 | HermeticWiper |
| D5d2c4ac6c724cd63b69ca054713e278 F32d791ec9e6385a91b45942c230f52aff1626df 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 | MD5 SHA1 SHA256 | HermeticRansom |
| ecce8845921a91854ab34bff2623151e 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 | MD5 SHA1 SHA256 | IsaacWiper |
| 6c10466ad7c153e7f949fa3c6600b6ac 5d009f79383a81622eefd8b183efb23fbf96a62f 7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0 | MD5 SHA1 SHA256 | IsaacWiper |
| 6983f7001de10f4d19fc2d794c3eb534 23873bf2670cf64c2440058130548d4e4da412dd 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 | MD5 SHA1 SHA256 | RemCom remote access tool |
| 100.43.220[.]234 | IPv4 address | Sandworm C2 server IP address |
| 96.80.68[.]193 | IPv4 address | Sandworm C2 server IP address |
| 188.152.254[.]170 | IPv4 address | Sandworm C2 server IP address |
| 208.81.37[.]50 | IPv4 address | Sandworm C2 server IP address |
| 70.62.153[.]174 | IPv4 address | Sandworm C2 server IP address |
| 2.230.110[.]137 | IPv4 address | Sandworm C2 server IP address |
| 90.63.245[.]175 | IPv4 address | Sandworm C2 server IP address |
| 212.103.208[.]182 | IPv4 address | Sandworm C2 server IP address |
| 50.255.126[.]65 | IPv4 address | Sandworm C2 server IP address |
| 78.134.89[.]167 | IPv4 address | Sandworm C2 server IP address |
| 81.4.177[.]118 | IPv4 address | Sandworm C2 server IP address |
| 24.199.247[.]222 | IPv4 address | Sandworm C2 server IP address |
| 37.99.163[.]162 | IPv4 address | Sandworm C2 server IP address |
| 37.71.147[.]186 | IPv4 address | Sandworm C2 server IP address |
| 105.159.248[.]137 | IPv4 address | Sandworm C2 server IP address |
| 80.155.38[.]210 | IPv4 address | Sandworm C2 server IP address |
| 217.57.80[.]18 | IPv4 address | Sandworm C2 server IP address |
| 151.0.169[.]250 | IPv4 address | Sandworm C2 server IP address |
| 212.202.147[.]10 | IPv4 address | Sandworm C2 server IP address |
| 212.234.179[.]113 | IPv4 address | Sandworm C2 server IP address |
| 185.82.169[.]99 | IPv4 address | Sandworm C2 server IP address |
| 93.51.177[.]66 | IPv4 address | Sandworm C2 server IP address |
| 80.15.113[.]188 | IPv4 address | Sandworm C2 server IP address |
| 80.153.75[.]103 | IPv4 address | Sandworm C2 server IP address |
| 109.192.30[.]125 | IPv4 address | Sandworm C2 server IP address |
Our Recommendations
- Keep the operating system and installed software in the system and server updated.
- Minimize network exposure for all serial devices using network segmentation and the placement of serial devices behind network firewalls to ensure that they are not accessible via the Internet.
- Conduct regular backup practices and maintain backups offline or in a separate network.
- Use security solutions available for Linux and IoT devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Create and save your passwords with password managers.
- Change all internet-connected devices’ default passwords.
