Russia/Ukraine Update - February 2023

March 2, 2023

The Russia-Ukraine war has lasted for a full year at the time of this update, with no indication of ending in the near future. Cybercriminals have continued to show their support for both sides of the war, targeting organizations and government agencies to obtain sensitive data, disrupt operations, and wreak havoc. Destructive cyberattacks were a large portion of Russia’s strategy during the invasion. However, Russia has continued to move their focus beyond Ukraine. Countries offering financial, military, and cyber defensive support of Ukraine have also become targets for cybercriminals and state-sponsored groups aligned with Russia. This war has caused a rippling effect of destruction and disruption across the world, including the cybercriminal landscape. During the first half of the war, groups split, turned on each other, and announced support for one country or the other. To date, groups have still launched attacks in support of Russia or Ukraine and have continued to move cybercriminal activity into a political arena.

Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29 and December 20. This update will provide information on the events of the previous 90 days and what we can expect looking forward.

Russia

Russia continued to launch cyberattacks against Ukraine and supporting countries. From additional wiper attacks to ransomware to DDoS attacks, Russia-linked threat actors have relentlessly launched attacks to show support for their government. The most active groups during this period were Sandworm and Gamaredon APT groups. Additionally, Killnet continued their onslaught of DDoS attacks, which were inconvenient rather than truly disruptive. Lastly, a new threat group, NoName057(16), made headlines for launching attacks in support of Russia.

Sandworm

Sandworm (aka IRON VIKING, BlackEnergy, Voodoo Bear) is an APT group that is attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. The group has been one of the most active groups in targeting Ukraine since at least 2012. However, the use of wiper malware increased significantly since the invasion of Ukraine in February 2022. In January 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a destructive malware attack targeting Ukraine’s national news agency (Ukrinform). The attackers launched the CaddyWiper malware on the news agency’s systems using a Windows group policy (GPO), indicating the group had breached the target’s network prior to launching the wiper malware. Ukrinform was able to prevent the wiper malware from having a significant impact on the organization. This attack was linked to Sandworm based on the group’s tactics and Sandworm’s use of CaddyWiper in a previously failed cyberattack targeting a Ukrainian energy organization.

On January 27, 2023, CERT-UA released an advisory that a post related to the targeting of Ukrinform was added to the Telegram channel, “CyberArmyofRussia_Reborn”. CERT-UA identified five samples of wiper malware, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The investigation revealed that the attackers obtained access to the network in December 2022 and launched the final payload on January 17, 2023, which was only partially successful. This post was Likely related to the January targeting using CaddyWiper and has been attributed to the Sandworm APT group.

On January 25, 2023, Sandworm deployed a new wiper, dubbed SwiftSlicer, using Group Policy of Active Directory. SwiftSlicer is a Golang-based malware that deletes shadow copies, recursively overwrites files, and reboots the computer. Although additional details related to the attack and the malware are limited at the time of writing, Sandworm has a proven history of the use of wiper malware targeting Ukraine. Over the next 12 months, it is Likely that Sandworm will continue to develop new wiper malware variants, as well as continue to use older variants.

Gamaredon

Gamaredon (aka IRON TILDEN, Primitive Bear, Shuckworm, UAC-0010) is a cyber espionage group attributed to Russia’s Federal Security Service (FSB) Center 18. Gamaredon has been observed targeting Ukrainian organizations since at least 2013 and has been observed providing services to other APT actors. Gamaredon has notoriously used phishing emails for malware distribution and provides the access to compromised networks and intelligence to other threat actors. According to researchers with Palo Alto Networks’ Unit 42, Gamaredon is one of the most intrusive, continuously active APTs targeting Ukraine. The group has been observed using phishing lures in the Ukrainian and English languages, Likely to target both Ukrainian and NATO members. Although the group has used similar tactics and malware variants for the last 10+ years and has experienced multiple failed attacks, it is the group’s persistence and dedication make them a credible threat to organizations.

In January 2023, the group was observed leveraging the Telegram messaging app to target military and law enforcement agencies in Ukraine. The group reportedly used Telegram accounts for victim profiling and confirmation of geographic location before leading the victim to the next-stage server for the final payload. Telegram has grown in popularity over the past 12 months for multiple reasons. If both parties engaged in a communication exchange are online simultaneously, Telegram offers near-real-time encrypted communications. Law enforcement often monitors underground forums in certain geographic locations, such as China. But by using an anonymous chat platform that offers encrypted channels and little to no monitoring, threat actors can remain undetected for longer periods. This is Likely the reason for the shift to Telegram for communications.

In February 2023, the State Cyber Protection Centre (SCPC) of Ukraine linked Gamaredon to cyberattacks targeting public authorities and critical information infrastructure in the country. The SCPC reported that Gamaredon had launched attacks deploying GammaLoad and GammaSteel spyware in their campaigns. GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that is capable of conducting reconnaissance and executing additional commands.

The GammaLoad and GammaSteel spyware variants were deployed via spearphishing emails with a .RAR attachment that contained a .LNK file. According to the alert published by the SCPC, “the current activity of the UAC-0010 group is characterized by an approach to the multi-stage loading and execution of payloads of WPS, which is used to maintain control over infected hosts.”

Cold River

Cold River (aka Calisto, Callisto) is an APT group attributed to Russia. The Security Service of Ukraine (SBU) has previously associated Cold River with the Gamaredon group and the Russian FSB – however, this has not been confirmed. Cold River has been observed targeting military and strategic research verticals, such as NATO entities and a Ukraine-based defense contractor. Additionally, the group has been observed targeting former intelligence officials, experts in Russian matters, and Russian citizens abroad.

In January 2023, reports emerged that Cold River had targeted three nuclear research laboratories in the United States in the summer of 2022. Between August and September 2022, there were multiple reports of Russian President Putin claiming that he would be willing to use nuclear weapons to defend its territory. Cold River was identified as the threat group behind cyberattacks targeting the Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The attackers reportedly created fake login pages for each institution and sent phishing emails to nuclear scientists in an attempt to harvest credentials.

In December 2022, security researchers with Sekoia reported that Cold River targeted six private companies based in the U.S. and Eastern Europe and four non-governmental organizations (NGO), all involved in Ukraine support. Cold River reportedly sent phishing emails containing a malicious PDF attachment. The emails reportedly appeared to come from a trusted source and did not contain the malicious attachment in the first email. Rather, the attacker waited for a reply and then sent the malicious attachment in a subsequent email. Cold River has not been named as one of the more prominent threat groups active in the Russia-Ukraine war. However, these reports indicate that the group may be collecting data from organizations indirectly related to supporting Ukraine. Additionally, the targeting of NGOs, including the Commission for International Justice and Accountability, indicates the group is Likely collecting intelligence related to war actions and international procedures that could give Russia an insight into emerging news and activities of Ukrainian and Western countries.

Killnet

Killnet is a pro-Russian hacktivist group that emerged during the ongoing Russian invasion of Ukraine. The group has been active since at least January 2022, largely executing attacks in response to pro-Ukrainian and pro-Western hacktivism. Killnet uses botnets to perform DDoS attacks. While more than 100 threat groups have deployed cyberattacks during the war, Killnet is the most vocal and active group.

Killnet uses Telegram to claim responsibility for attacks and announce future attacks. The group lists potential future targets and calls for action against certain countries that refuse to stop supporting Ukraine. The group uses Telegram to boast their disdain for countries that refuse to stop supporting Ukraine. These are all Russian-language messages, and they often include aggressive and/or obscene comments.

Killnet is reportedly comprised of smaller, lesser-known groups that are in support of Russia’s actions. The group is most known for its use of DDoS attacks, but also has been observed spreading propaganda and disinformation. Although Killnet is not considered highly sophisticated or well-organized, the group can still cause service outages for hours or even days, which could have a significant impact on health care and critical infrastructure organizations.

In January 2023, Killnet posted an alleged attack list for hospitals and medical organizations in several countries. The list included 15 URLs and called for action against the U.S. government and health-care organizations. This threat was Likely in response to President Biden’s promise to provide dozens of military tanks to Ukraine. On January 30, 2023, several of the listed organizations reported disruptions on their public-facing webpages.

In February 2023, Killnet announced via their Telegram channel that they were “carrying out strikes on NATO”. NATO’s Special Operations Headquarters and Strategic Airlift Capability were among NATO organizations disrupted by the Killnet attacks. These organizations were involved in humanitarian aid to victims of the Turkish-Syrian earthquake. The attacks limited communications between SAC and a C-17 aircraft in flight, which was able to land safely despite the attack. The group’s attacks did not result in network breaches, but they were successful in disrupting aid missions and NATO countries operations.

Image

Figure 1: Killnet Telegram Channel

Other Notable Groups

In December 2022, the CERT-UA disclosed that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense. CERT-UA attributed the attacks to a threat cluster tracked as UAC-0142, with the goal of deploying FateGrab and StealDeal data-stealing malware. Delta is a cloud-based operational situation display system developed by Aerorozvidka that allows real-time monitoring of troops on the battlefield, making it a lucrative target for threat actors. The phishing emails used lures with fake warning to update root certificates in the Delta software, included malicious PDF documents containing links to archive files hosted on a fraudulent Delta domain, and dropped the malware on compromised systems.

FateGrab is designed to exfiltrate flies with specific extensions through FTP, and StealData targets web browsers to steal passwords and other sensitive information. The attack targeting users of the Delta program was launched just days after Ukraine presented the system to the NATO Consultation, Command, and Control Organizations (NC3O).

In January 2023, security researchers with Mandiant reported that the Russia-linked APT group, Turla, was observed targeting Ukrainian systems by using run-of-the-mill commodity malware and piggybacking on infrastructure used in earlier criminal operations. Turla has been active since at least 2004 and has previously been observed targeting government and military-related organizations. Turla is known for conducting watering hole and spearphishing campaigns and has been linked to Russia. This indicates Turla Likely acts at the direction of, and/or to fulfill the intelligence requirements of, the Russian government. Its objective is Likely to gather intelligence.

Turla’s cyberattacks targeting Ukrainian systems began with the insertion of an infected USB stick into a Ukrainian system in December 2021. The USB contained a 2013 version of the Andromeda malware that began sending beacons to Turla’s C2 infrastructure. Interestingly, Turla appeared to have re-registered domains—including expired ones—used in an earlier criminal campaign. In September 2022, the threat actors then downloaded and executed a WinRAR Self-Extracting Archive containing KOPILUWAK, which was run seven times between September 6 and September 8. Each time, the malware attempted to transfer significant amounts of data to the C2. On September 8, 2022, the threat actors downloaded QUIETCANARY to a host that was used to gather and exfiltrate data from the victim.

Turla has not been a significant threat actor active in the targeting of Ukraine during the Russia-Ukraine war. However, the identification of a campaign taking advantage of another threat actor’s C2 and malware indicates that Turla could still select victims of strategic interest, while removing themselves from the responsibility of spreading malware singlehandedly.

In January 2023, security researchers with SentinelLabs reported that the Pro-Russian hacking group, NoName057(16) (aka NoName05716, 05716nnm or Nnm05716), was observed conducting a campaign of DDoS attacks on Ukraine and NATO organizations. This campaign began shortly after the start of the war. The group has been reportedly conducting DDoS attacks in support of Russia since March 2022 alongside Killnet. However, the group remains relatively underreported – Likely due to DDoS attacks causing minimal disruption to organizations. The group is reportedly focused on disrupting websites relevant to nations that are critical of Russia’s invasion of Ukraine. Early attacks reportedly targeted Ukrainian media organizations and later shifted to NATO-associated targets.

NoName057(16), similar to Killnet, reportedly operates through Telegram to claim responsibility for their attacks, mock their targets, and make additional threats. Posts on the group’s channel indicate the group considers themselves more prominent and important than they actually are. The group has been observed utilizing GitHub to host their DDoS tool website and the latest version of their tools that are advertised in the Telegram channel. NoName057(16) victims include the Polish government in December 2022, after the Sejm of the Republic of Poland recognized Russia as a state sponsor of terrorism; Lithuanian organizations in the Transportation vertical in January 2023; and 2023 Czech presidential election candidates in January 2023. Tools utilized by the group include the Bobik botnet and two variants of the DDOSIA tool (aka Dosia, Go Stresser). Over the next 12 months, it is Likely that NoName057(16) will continue to target organizations in Ukraine and Western countries that publicly scrutinize Russian actions.

In February 2023, security researchers with the Symantec Threat Hunter Team reported that the Russia-linked threat actor, Nodaria (aka UAC-0056, DEV-0586, UNC2589, TA471), deployed a new information-stealing malware, Graphiron, targeting Ukraine. Graphiron is a two-stage malware consisting of a download and a payload. The downloader is configured to run once, meaning if it fails to download and install the payload, it will not attempt to do it again. The payload, similar to previously observed malware variants, GraphSteel and GrimPlant, can carry out various tasks, including:

The Nodaria threat group has previously remained under the radar. However, their activity over the previous 12 months indicates the group has become a key part of Russia’s ongoing cyber campaigns targeting Ukraine and Western-supporting countries.

In February 2023, CERT-UA warned of phishing attacks targeting state authorities that were deploying the legitimate remote access software, Remcos. The phishing emails contained a .RAR attachment that claimed to be a court letter including information related to a debt. The phishing emails featured the subject, “Court claim against your personal accounts # 7192206443063763 dated: 06.02.2023”. The .RAR archive contained two documents: a .txt file with a “personal access code” and a password-protected RAR-archive that contained the executable. CERT-UA attributed this campaign to UAC-0050, which has been active since at least 2020—previously targeting Ukrainian state authorities. It is Likely that this group is actively conducting espionage campaigns to gather information related to Ukraine’s government actions. If successful, the installation of Remcos would provide threat actors complete access to the compromised device.

In February 2023, Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian government was evaluating whether to avoid punishing hackers acting in the interests of Moscow. The Russian government reportedly recognizes the importance of the cybercriminal groups and hacktivists’ contribution to the defense of its interests. Russia has a reputation as a cybercriminal safe haven, including for ransomware operations creating malware to avoid victims in Russia or the Commonwealth of Independent States (CIS) regions. However, the current Russian law framework currently punishes criminals charged with creating, using, and distributing malware with up to seven years in jail. The Russian Parliament announced that they would discuss the proposal in more detail in the coming months, with the intent to better formulate the initiative.

Ukraine

In January 2023, Ukrainian air defense forces shot down a total of 45 drones, most of which were supplied by Iran. As a result of Iran purportedly supporting Russia’s actions, pro-Ukrainian hacktivists claimed they launched DDoS attacks against Iranian websites. Affected websites included those of Iranian supreme leader Ali Khamenei and the National Iranian Oil Company. Multiple pro-Ukrainian hackers turned to Telegram channels to voice their disdain for Iran’s involvement in the war. No specific threat group has been attributed to the attacks. But multiple hacking group’s Twitter and Telegram accounts host messages related to DDoS attacks, including ones launched by Anonymous and a hacker by the Twitter username “rootkit_sec” (aka “rootkitsecurity”).

Image

Figure 2: rootkitsecurity Twitter post related to Iranian DDoS attacks

DDoS attacks conducted during the Russia-Ukraine war have not created as big of an impact as the wiper or ransomware attacks conducted over the previous 12 months. Most of the DDoS attacks lasted only minutes or hours, with some lasting a few days. However, Ukrainian hacktivists do not appear to be deterred, claiming via Telegram channels that they will continue to launch attacks until Iran stops supplying Russia with drones.

In February 2022, the hacking group, Anonymous, pushed the #OpRussia tag to prioritize attacks against Russia interests in cyberspace after the invasion of Ukraine. A year later, news relating to cyberattacks has largely waned. Most headlines now cover new attacks launched by Russian-based threat actors against Ukraine and Western-supporting countries. However, #OpRussia is still active. There are 150,000 to 400,000 active subscribers to various Telegram channels, as well as 200,000 Discord channel subscribers. These active members include multiple hacking groups, including Anonymous and IT Army of Ukraine. But they also include individual volunteers and pro-Ukrainian outfits, such as Network Battalion 65. Some of the known activity is listed below:

During the first six months of the war, Russia was suffering a data breach every three days on average. However, after August 2022, a majority of the groups had gone quiet. Most of the current activity remains with Disbalancer, with their rotating target list, and with the IT Army of Ukraine, who reportedly targeted two Russian organizations in January 2023.

Unfortunately, as attention and interest in the Russia-Ukraine war wanes, it is Likely that fewer Russian victims will be disclosed. Additionally, as most of the groups targeting victims on behalf of Ukraine are volunteer based or hacktivist groups, most of these members have Likely moved on to other targets. Additionally, as Russia-linked groups continue to deploy information-stealing malware, backdoors, ransomware, and wiper malware, these attacks are Likely to make headlines before hacktivist groups launch DDoS attacks. It is Likely that Russian organizations have been targeted more often than what has been publicly reported.

As Russia has continued to launch attacks targeting Ukraine, Yurii Shchyhol, the head of Ukraine’s State Service of Special Communications and Information Protection, has reportedly called for a “Cyber United Nations”. The goal is to establish a single global organization uniting nations in cyberspace to share threat information and prepare for future attacks. There is little information on global support for the idea; there is an Even Chance that NATO countries’ sharing cyberattack information would help to detect and mitigate known cyberattacks more quickly.

Other Countries

Russia has increasingly targeted other countries that either support Ukraine or publicly reprimand Russia’s actions in the war. Moldovan Prime Minister Natalia Gavrilița accused Russia of trying to destabilize the country by sponsoring protests and carrying out cyberattacks. A few of the attacks targeting Moldova from 2022-2023 include Killnet’s announcement of a week-long hacking campaign against the nation of Moldova in August 2022. Moreover, an unknown attacker targeted 80 Moldovan state computer systems with DDoS attacks in October 2022. Not long after, in November 2022, a hacker leaked purported private Telegram conversations between Moldovan political figures (chats that the Moldovan President’s office claimed were fake). And in January 2023, a phishing campaign lured Moldovan government victims to a fake payment page to renew the alleged expiration of the .md government domain. Moldova is also connected to Ukraine’s power grid, and therefore Russia’s missile strikes on Ukraine have caused internet and power disruptions in Moldova.

Outlook

Dating back to 2014, Russia-linked and Russia-supporting threat groups have launched hundreds of attempted cyberattacks, including ransomware, wiper, and information stealers against Ukrainian organizations. Since the invasion of Ukraine in February 2022, Russia-linked and Russia-supporting groups have conducted cyberattacks and spread disinformation in an attempt to gather information and show their support for Russia. However, the larger strikes that would have crippled Ukrainian critical infrastructure, such as its electrical grid, have not been as successful as expected. Ukraine has recovered quickly from successful attacks, restoring systems and communications.

Russia’s cyber capabilities have previously proven to be significant, based off previous cyberattacks reportedly linked to Russia-linked and Russia-supporting threat groups. However, many state-sponsored and state-supported groups are linked to military organizations. With the military organizations focused on physical war, it is Likely resources typically allocated to cyber capabilities are currently dedicated to the physical war. Additionally, the U.S. and other NATO countries, as well as companies, such as Microsoft and Google, have offered their support to Ukrainian experts. This support has included hands-on recovery efforts, communication devices and critical infrastructure operators, and financial and technical help to improve cyber resilience against cyberattacks. Ukraine’s analysis in January 2023 stated that “cyberattacks are entirely consistent with Russia’s overall military strategy” and Russian cyberattacks targeting Ukraine have tripled over 2022. It is Very Likely that Russia will continue targeting Ukraine and supporting countries over the next 12 months.

Despite reports that Russia-linked groups have not been as successful as expected, it is Likely that these groups will continue launching attacks against Ukraine and Western-supporting countries over the next 12 months. This is Likely to encompass critical infrastructure verticals, such as Energy, Government, Manufacturing, and Transportation in destructive cyberattacks that include wiper or ransomware malware. There is an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military action sees setbacks, including reshuffling of military leaders and high turnover.

It is Likely that the U.S. and other countries that provide support and offer alliances to Ukraine, as well as publicly criticize Russia’s actions, will remain attractive targets for Russia-linked and supporting threat groups. It is Likely that these countries will be targeted in cyberattacks conducted by Russia-linked or Russia-supporting threat actors, including DDoS attacks, wiper malware, information stealing, and ransomware attacks. Iran’s purported involvement in supporting Russia will Likely include Iran-linked threat groups targeting Ukraine and Western-supporting countries. Countries like China and India also have a history of state-sponsored and/or APT attacks that have indirectly aligned or maintained suspicious neutrality toward Russia. This could also pose additional risks or proxies for cyberattacks. While China has ultimately avoided physical involvement in the war, they have suspended business when threats to Chinese interests called for it, continued business and trading when they could, and parroted Russian narratives when they aligned with China’s criticism of the U.S. While China-linked threat groups have a proven history of targeting U.S. and other Western countries in espionage campaigns related to China’s strategic interests, there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.

As Russia continues to launch cyberattacks against Ukraine, it is Likely that the impact of those will affect other countries as well. Similar to the internet availability issues faced by Moldova, attacks targeting Ukraine’s critical infrastructure verticals are Likely to impact the citizens of nearby countries that have interwoven systems, networks, and grids. Additionally, as South Korea and Japan have joined the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and Ukraine has singed the Treaty of Amity and Cooperation (TAC) with ASEAN, it is Likely that Asia-Pacific countries will also experience cyberattacks at the hands of both China-linked and Russia-linked threat groups over the next 12 months.

It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools, and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ year-old) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and the utilization of minimal resources by reusing open-source and commercially available tools, software, and malware.

In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:

It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.

Table 1: MITRE ATT&CK techniques associated with groups mentioned