While the world follows the course of the war in Ukraine, cyber security experts are watching the situation at the highest level of alert. Together with industry and governments, they are closely tracking the use of cyber threats and preparing for possible attacks by Russian hackers.
Adam Meyers, Senior Vice President of Intelligence at CrowdStrike
However, the threat is not new. Russia has conducted several cyber operations against Ukraine in the past; they first became clearly visible during the Euromaidan protests at the end of 2013. The adversary VOODOO BEAR, also known as Unit 74455 of the Russian military intelligence service GRU, is one of the main actors responsible for these attacks. The group's aim is to weaken, delegitimize or reduce public confidence in Ukraine's state institutions and industry.
VOODOO BEAR is also responsible for disruptions of Ukrainian critical infrastructure that led to power outages in December 2015 and again in December 2016. The group's operations caused international concern in June 2017, when an attack on a Ukrainian software supply chain led to the worldwide spread of NotPetya. NotPetya caused an estimated $10 billion in total damage and affected businesses and public services around the world. Other Russian groups, such as PRIMITIVE BEAR, also took part in the asymmetric campaigns against Ukraine.
The Cyber Front
With the deployment of Russian forces on the Ukrainian border, the number of cyber attacks on the country also increased. In mid-January 2022 a whole series of attacks occurred: defacement of government websites, data theft and a wiper attack that the security industry calls WhisperGate. The data theft and the website attacks took place immediately after several meetings between the US and Russia at which the troop movements near the Ukrainian border were discussed. In connection with these attacks, personas associated with the Russian threat actor EMBER BEAR appeared on the Dark Web, offering data stolen in the wiper attack for sale.
In mid-February, Ukrainian banking and government websites were targeted by Russian military intelligence in a large distributed denial of service (DDoS) attack. It affected the websites of the Ukrainian Ministry of Defense and the Armed Forces, the State Savings Bank (Oschadbank) and the mobile application of PrivatBank, the largest Ukrainian commercial bank. At the same time, bank customers received SMS messages falsely claiming that ATMs were out of service, and bomb threats were made against several bank branches.
On February 23, 2022, a second wiper was identified, DriveSlayer, which was technically more sophisticated than the WhisperGate/EMBER BEAR activity in January. DriveSlayer's characteristics are more consistent with the activity of VOODOO BEAR.
On February 24, 2022, various Ukrainian government websites displayed a message and then stopped responding. The message was almost identical to the one used in the defacement of similar targets on January 14, 2022.
Shortly after the DriveSlayer wiper attack and the website defacements, Russian troops invaded Ukraine. In the weeks since the start of the invasion, further wiper attacks, disinformation and espionage activity against Ukraine have been observed.
We have also identified two further activities related to this conflict. The first is destructive attacks on Ukrainian satellite communications. The second is (dis)information or psychological operations, probably including amplification through personas and dissemination via social media.
eCrime gets involved
The Ukraine war also involves the eCrime ecosystem. This is notable because Russia has long tolerated eCrime actors on its territory, potentially so as to use them for political purposes. These actors could support Russian state goals, for example by acting as irregular forces and carrying out disruptive attacks around the world, and especially in the United States.
Immediately after the invasion of Ukraine, eCrime groups that otherwise conduct financially motivated operations began to react to the conflict. Some actors, such as WIZARD SPIDER, declared their support for Russian state goals directly. This group first attracted attention with its TrickBot malware in 2016 and has since been involved in ransomware operations with Ryuk and Conti. It reaffirmed its full support for the Russian government and announced its readiness to strike back at Russia's enemies. Other eCrime groups have recently directed DDoS attacks at Ukrainian targets, which is atypical of their previous activity.
Ready or not
Long before the Ukraine war, security agencies and analysts in the cybersecurity industry expressed concern, given Russia's capabilities and intentions, that critical infrastructure in Germany could also be attacked. Regular intrusions by Russia-aligned actors show that in times of geopolitical tension this infrastructure could be endangered and possibly attacked, impaired or even destroyed. The longer the war in Ukraine drags on without Russia achieving its political goals, and the tighter sanctions become, the greater the risk of attacks in Germany.
Critical infrastructure operators are increasingly adapting to these threats. But even with heightened awareness, resources and support, they must keep their own cyber security in view. This "last mile" problem cannot be solved by political initiatives alone. Companies should pay attention to the following points:
- Establish relationships with law enforcement agencies or internal security personnel who can help in the event of an attack.
- Draw on the know-how of specialists or support staff. This includes, for example, an incident response plan and, in many cases, a contract with a BSI-qualified incident response service provider.
- Take measures to improve the overall security posture. Among other things, this includes modern IT security tools and concepts such as multi-factor authentication (MFA), endpoint detection and response (EDR), comprehensive logging, migration to cloud/software-as-a-service (SaaS) applications, implementation of zero trust architectures and proactively searching one's own networks for attackers (threat hunting).
- Where necessary, use the special tools and resources required to secure operational technology (OT).
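As an added illustration of the logging and threat-hunting items above (example code written for this edit, not part of the original article or of CrowdStrike's tooling): a small Python hunt over constructed endpoint telemetry. The record schema, the hypothetical process paths and the allow-list are assumptions. The three behaviours it flags are generic signs of destructive activity that comprehensive endpoint logging would expose: a process opening a raw physical disk device (needed by any wiper that overwrites the MBR or partition table), deletion of volume shadow copies, and a burst of file overwrites by a single process.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record. The schema is an assumption for this
    example and does not correspond to any specific EDR product."""
    ts: int        # seconds since epoch (constructed values below)
    host: str
    image: str     # full path of the process image
    action: str    # "open" (device/file handle), "write" (file write), "exec" (process start)
    target: str    # device or file path for open/write, command line for exec


# Raw disk device names on Windows: \\.\PhysicalDrive0 or a volume such as \\.\C:.
# A wiper that overwrites the MBR or partition table needs a handle like this.
RAW_DISK_RE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Z]:)$", re.IGNORECASE)

# Deleting volume shadow copies removes the host's own recovery points.
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

# Assumed allow-list (hypothetical paths): tools expected to touch raw disk devices here.
RAW_DISK_ALLOWLIST = {
    r"c:\windows\system32\diskpart.exe",
    r"c:\program files\backupvendor\agent.exe",
}


def hunt(events, window=60, overwrite_threshold=50):
    """Return a list of (finding, host, image, detail) tuples."""
    findings = []
    write_times = defaultdict(list)  # (host, image) -> timestamps of file writes

    for e in events:
        if (e.action == "open" and RAW_DISK_RE.match(e.target)
                and e.image.lower() not in RAW_DISK_ALLOWLIST):
            findings.append(("raw_disk_access", e.host, e.image, e.target))
        elif e.action == "exec" and SHADOW_DELETE_RE.search(e.target):
            findings.append(("shadow_copy_deletion", e.host, e.image, e.target))
        elif e.action == "write":
            write_times[(e.host, e.image)].append(e.ts)

    # Sliding window: flag a process that writes >= threshold files within `window` seconds.
    for (host, image), times in write_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= overwrite_threshold:
                findings.append(("mass_overwrite", host, image,
                                 f"{hi - lo + 1} file writes within {window}s"))
                break
    return findings


def sample_events():
    """Constructed telemetry: one suspicious process and two benign ones."""
    mal = r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"   # hypothetical name
    events = [
        Event(1000, "ws01", mal, "open", r"\\.\PhysicalDrive0"),
        Event(1001, "ws01", mal, "exec", "vssadmin.exe delete shadows /all /quiet"),
        # benign: diskpart opening the disk is allow-listed
        Event(1000, "ws02", r"C:\Windows\System32\diskpart.exe", "open", r"\\.\PhysicalDrive0"),
    ]
    # the suspicious process rewrites 60 documents within a minute
    events += [Event(1002 + i, "ws01", mal, "write", rf"C:\Users\jdoe\Documents\report{i}.docx")
               for i in range(60)]
    # benign: the backup agent writes only a handful of files
    events += [Event(2000 + i, "ws02", r"C:\Program Files\BackupVendor\agent.exe", "write",
                     rf"D:\backup\chunk{i}.bin") for i in range(10)]
    return events


if __name__ == "__main__":
    for finding in hunt(sample_events()):
        print(finding)
```

Run against the constructed data, the hunt reports three findings, all for the `updater.exe` process on `ws01`; the allow-listed diskpart run and the backup agent's writes on `ws02` stay silent. In practice the thresholds and the allow-list are tuned per environment, and a single finding is a lead for an analyst, not an automatic verdict.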
Small and medium-sized companies, with fewer than six or eight dedicated cybersecurity employees, have benefited in recent years from managed security service providers (MSSP) or managed detection and response (MDR) providers. Given the current threat situation and the challenges ahead, this is a trend to be welcomed.
Although there were initial fears about Russian cyber activity outside the Ukraine conflict, the situation has remained calmer than expected. That can change quickly, however. There are signs that Russia may become more aggressive towards companies and individuals in the countries supporting Ukraine, as a countermeasure to that support and to the significant sanctions. Operators of critical infrastructure must therefore remain attentive. Given the extensive media coverage and the government actions and warnings described above, private sector companies appear to be becoming increasingly vigilant.