Rising cyberattacks could also spill over unchecked
The modern Internet has significantly changed the landscape of threats. It has created a new dimension in which countries and individuals can influence, disrupt and destroy systems that are critical to everyday life. From the power plant to the bank, all systems are at risk.
The Orca Security Research Pod has actively tracked and continues to track the cyberattacks that took place in the run-up to the Russian invasion of Ukraine at the end of February. The cyberattacks have combined several threat vectors, including malware, distributed denial-of-service attacks, social engineering campaigns, and other coordinated techniques.
Bar Kaduri, security researcher at the Orca Security Research Pod, explains:
The Russian invasion of Ukraine physically began on February 24, 2022. However, the Russian cyber invasion of Ukraine started long ago, with many significant events over the years, such as the annexation of Crimea, during which many Ukrainian websites and the mobile network were shut down. After that, two major power outages caused by cyberattacks in 2015 and 2016 left hundreds of thousands of people in the dark. The NotPetya ransomware attack targeted the country’s financial sector on a Ukrainian national holiday, but from there it spread to many companies around the world, causing huge financial damage.
In November 2021, tensions between Ukraine and Russia flared up again with Russian troops on the borders. At that time, the Ukrainian intelligence service published technical information and intelligence about the Gamaredon Group, an APT group that had attacked the Ukrainian government for years and was connected with the Russian Federal Security Service.
In January 2022 – as talks between the US, NATO and Ukraine progressed – tensions between the two countries grew. As a result, a sharp increase in cyberattacks was noted, and on January 13, destructive malware from a dedicated campaign was discovered for the first time. The malware, named WhisperGate, is designed to look like a ransomware attack but offers no way to recover. It overwrote the MBR of Windows machines and downloaded a further payload that deleted all files under predefined paths. The files were not completely removed, which was probably intended by the attackers to cause psychological damage above all.
Ongoing cyberattacks leading up to the invasion
On January 14, 2022, over 70 Ukrainian websites were defaced. The content of the sites was replaced with the same phrase, “Be afraid and wait for the worst”, in three languages: Ukrainian, Russian and badly written Polish. On February 15, 2022, a large-scale DDoS attack was observed that paralyzed two of Ukraine’s largest banks and several government sites. This attack has been called the largest DDoS attack ever to take place in Ukraine.
Hermetic malware precedes the invasion in February
Just one day before the physical invasion, two major cyberattacks took place. The first was a major DDoS attack that crippled many government sites and banks. During this attack, a second piece of data-wiping malware was discovered at several Ukrainian organizations in the financial, government, aviation and IT sectors. The malware, called “Hermetic”, consisted of three different malicious programs:
- Wiper: Deletes the data in the system
- Assistant: Responsible for propagation across the network
- Ransomware: Used to disguise the wiper’s actions.
Isaac malware also spotted in the wild
The third wiper attack took place on the day of the invasion. The malware, called Isaac Wiper, is reportedly far less sophisticated than the two previous wiper variants used in the attacks.
Social engineering campaign combined with SunSeed malware
In recent days, Orca Security has learned of a new social engineering campaign called Asylum Ambuscade, targeting employees of European immigration authorities. The campaign aims to collect information about refugees using malware discovered by Proofpoint and named SunSeed.
Hacktivism and ongoing cyber activities
Russia is not the only party conducting cyberattacks in this conflict. Hacktivist groups use the Internet and related cyber techniques to engage in civil disobedience for a particular cause. Many of these groups have announced that they are now focusing their efforts on harming Russia and disrupting its IT operations. For example, the hacker collective Anonymous has declared cyberwar on the Russian government. In addition, the Ukrainian Deputy Prime Minister tweeted that he wants to build an IT army of volunteers to defend Ukrainian IT infrastructure.
Another interesting development occurred when the source code of the Conti ransomware and the group’s internal chats were published after the group expressed its support for Russia. Conti was one of the most effective ransomware families of 2021. The leak led to the takedown of its C&C infrastructure, as a result of which the ransomware operation was compromised.
The cybersecurity and security research community, including the Orca Security Research Pod, continues to monitor and track cyberattacks as part of this ongoing conflict. Since more complex attacks have been attributed to Russia and its hacktivists in the past, further events within the framework of this conflict may occur in the near future. As developments progress and further groups or research emerge, Orca Security will report on them promptly.
Data and recommendations from Orca Security
Meanwhile, many security vendors have reported a significant increase in cyberattacks of all kinds, from phishing to DDoS and more. Spillover from this conflict has already occurred in the past (for example, with NotPetya) and may occur again. Orca Security has seen an increase of over 60 percent in the average number of SSH brute force attacks per customer on cloud infrastructure in the United States. This anonymized dataset from real cloud environments compares data from the weeks of February 24 and March 2 with the weeks of the previous month.
This may point to two developments thought to be under way on the cyber war scene at the moment. First, Russian hackers are looking for computers that can be “zombified” and used for Russian DDoS attacks on Ukrainian targets. Orca has already observed such tools in the wild. For example, the Hermetic Wiper, which Microsoft reported under the name FoxBlade, is capable of turning PCs into DDoS zombies. Secondly, Russian hackers could try to gain a foothold in key Western facilities to carry out attacks such as data erasure or data exfiltration that would harm and embarrass Ukraine’s allies.
How can companies and institutions protect themselves?
- Reduce the attack surface: Installations reachable from the Internet represent a possible attack surface. It is important to expose as few systems as possible, not to grant sensitive accounts high privileges, and not to store confidential data unencrypted.
- Close security gaps and keep systems up to date: Unpatched computers can be exploited by a malicious actor. If companies keep their systems up to date, they can reduce the risk of remote exploitation.
- Use MFA and complex passwords: Multi-factor authentication (MFA) makes unauthorized access difficult. Systems with complex passwords are harder to crack.
- Use logging services: Logging services are now offered by all major cloud providers and help monitor account activity.
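The SSH brute force increase reported above is the kind of signal the logging recommendation is meant to surface. The following is an added example, not Orca Security's code, that detects brute force sources in constructed sshd log lines (sample data, not real) and computes the week-over-week change in a per-customer average; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (sample data, not a real capture).
SAMPLE_LOG = """\
Mar  2 10:00:01 web1 sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  2 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  2 10:00:04 web1 sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  2 10:00:06 web1 sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 51055 ssh2
Mar  2 10:00:09 web1 sshd[1209]: Failed password for root from 198.51.100.7 port 51060 ssh2
Mar  2 10:00:12 web1 sshd[1211]: Failed password for invalid user test from 198.51.100.7 port 51071 ssh2
Mar  2 10:05:00 web1 sshd[1300]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar  2 10:05:20 web1 sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(text, year=2022):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for sources that reach `threshold` failures
    inside any sliding time window of length `window` (assumed tuning values)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def percent_change(baseline_avg, current_avg):
    """Change of a per-customer average between two periods, in percent."""
    return (current_avg - baseline_avg) * 100.0 / baseline_avg
```

The single failed login from 203.0.113.9 followed by a successful key login is ordinary user behaviour and is not flagged; only the rapid sequence from 198.51.100.7 crosses the threshold.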