Russia/Ukraine Update - June 2022

June 30, 2022

On February 23, 2022, Russia invaded Ukraine, despite numerous promises by the Russian President Vladimir Putin that troop movements were simply due to military exercises and Russia had no intent to invade. Prior to the physical invasion of Ukraine, Ukrainian companies and government organizations had suffered several cyber-attacks that had been attributed to Russian state sponsored actors. In January 2022, a destructive malware campaign, WhisperGate, targeted several Ukrainian public and private organizations. The attack was disguised as a ransomware attack, but evidence suggests the attack was destructive in nature rather than financially motivated. The week of February 21, 2022 was also characterized by additional wiper malware and Denial of Service (DoS) campaigns against institutions in Ukraine. Additionally, Psychological Operations (PSYOPs) and perception management operations were reported to be carried out by Russian and Ukrainian-separatist groups on social media – seeking to recruit fighters, fund separatist activities, and justify Russia’s military action. On February 28, 2022, a Ukrainian cyber security researcher leaked 393 JSON files that included 60,964 internal messages for the Conti ransomware group. This was a result of the group announcing their support of Russia and warning that any group that targets Russia would be targeted by the Conti group.

 

Since the military invasion of Ukraine, both Russia and Ukraine have continued to conduct cyber-attacks as a means to gain information, cause disruption, and create a climate of intimidation. Additionally, many threat actors and groups have announced their support of one country or the other, groups have split, and others have turned on each other due to the conflict. As tensions have escalated, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian military actions and estimated cyber-related implications in Advisories and Optiv Source Zero blog posts of February 4, February 22, and February 24. In this blog, we will cover some of the cyber-attacks that have occurred and provide an update on the current situation.

 

 

Ukraine

On March 4, 2022, it was reported that Ukraine had been accepted as a contributing participant to the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Centre of Excellence (CCDCOE). Members in the CCDCOE use it for research, training, and exercises covering areas such as technology, strategy, operations, and law. Ukraine was not accepted as a fully-fledged member. President Putin strongly opposed Ukraine’s entry into NATO, alleging that threats to Russia’s security would significantly increase if Ukraine were permitted to be a member of NATO.

 

In March 2022, the CERT-UA announced that the threat actors tracked as “UAC-0026” and “UAC-0088” had launched new cyberattacks against Ukraine. UAC-0026 was observed distributing executable files purporting to contain documents related to the Russia-Ukraine war. Running the file would execute the “HeaderTip” malicious program. UAC-0088 reportedly attempted to conduct network intrusion targeting the information systems of Ukrainian organizations.

 

Also in March 2022, a malware variant, CaddyWiper, was discovered. CaddyWiper is a data-destroying malware that was observed targeting Ukrainian organizations and deleting data across systems on the compromised networks. The malware used the DsRoleGetPrimaryDomainInformation() function to check if the device was a domain controller, if it was, the data was not deleted. This was Likely done to maintain access inside the victim network, while still dealing a devastating blow to operations by deleting the data. CaddyWiper was not found to share code with any other known malware variant. CaddyWiper was the fourth data wiping malware variant used to target Ukrainian organizations since the start of 2022, following HermeticWiper, IsaacWiper, and WhisperGate. Unlike the 2017 NotPetya attacks that were indiscriminately distributed, these wiper attacks were targeted, which indicates they were Likely specifically used for hybrid warfare purposes.

 

In April 2022, the Russian state-sponsored hacking group, Sandworm, tried to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware. This incident was not the first time Russia has targeted the Ukrainian energy sector. Ukraine has been a target of Russia for many years, including the NotPetya attacks in 2017. This time, the energy provider was able to prevent the attack from being carried out as intended.

 

Threat actors are also impersonating Ukrainian government organizations to distribute Cobalt Strike and other malware variants. Phishing emails were sent with lures including such topics as offering ways to increase network security and advise recipients to download “critical security updates”.

 

Image
russia_ukraine_update1.png

Figure 1: Phishing Email urging the download of a fake AV updater (Source: Bleeping Computer)

 

When a victim downloaded and ran the fake update, the users were prompted to install a “Windows Update Package”; however, the update actually downloaded and installed the “one.exe” file from the Discord CDN, which is a Cobalt Strike beacon. Eventually, the GraphSteel backdoor and GrimPlant backdoor were installed on the victim network. These attacks were also attributed to a Russian-based Advanced Persistent Threat (APT) group.

 

Ukraine has gotten support from cyber-criminal groups, such as Anonymous – who has declared digital war against the Kremlin. Anonymous has conducted multiple attacks against Russia, bringing down websites of Russian government sites. While the intent of Anonymous is to help support Ukraine, the group is using vulnerabilities to access websites and company infrastructure that could be useful for information gathering for intelligence. Russian organizations are then able to patch the vulnerabilities, which closes the opportunity for intelligence teams to gain access that could be helpful during the war.

 

 

Russia

In March 2022, the press service of the Russian Ministry of Economic Development reported that some of its federal agencies’ websites were compromised in a supply chain attack after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies. The affected sites included the websites of the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and others. Hackers were able to publish content on the pages of the websites. The sites were brought back within an hour of the incident.

 

While the majority of threat actors targeting Ukraine are Russian-based groups, the war has caused countries all over the world to feel the need to gain insight about global events, political issues, and motivations. This has led to other countries deploying malware in Russia. In March 2022, Chinese-sponsored threat group, BRONZE PRESIDENT, attempted to deploy advanced malware to computer systems of Russian officials. The threat actors distributed a PDF document that appeared to be related to Russian military operations. The campaign is similar to other campaigns that have been conducted to deploy the PlugX payload. BRONZE PRESIDENT has previously conducted campaigns against Southeast Asia; the change in targeting suggests that world events and the current Russia-Ukraine war has changed China’s intelligence interests and has shifted focus to Russia.

 

In March 2022, the developer behind the popular “node-ipc” NPM package shipped a new tampered version to condemn Russia’s invasion of Ukraine. The affected versions include 10.1.1 and 10.1.2 of the library and targeted users that are located in either Russia or Belarus and wiped arbitrary file contents and replaced them with a heart emoji. The library has roughly 1.1 million downloads, indicating there was a potential for a large target audience. The destructive modifications were removed, and another major update was released, which imported another dependency called “peacenotwar” as a form of “non-violent protest against Russia’s aggression”. The module added a message of peace on the users’ desktops.

 

In March, Russia’s telecommunications regulator, Roskomnadzor, banning Alphabet’s new aggregator service, Google news, and blocked access to the news.google.com domain. Google provided numerous publications that Russia claimed contained unreliable, publicly significant information about the course of the special military operation in Ukraine. Russian President Putin also signed new legislation making it illegal to spread “knowingly fake news” about the Russian army’s operations in Ukraine. In response to placing restrictions on state-owned media, Russia blocked access to Facebook and Twitter in the country. Roskomnadzor claimed the social network had violated the “rights and freedoms of Russian nationals” and added that there had been 26 cases of “discrimination” against Russian media from Facebook since October 2020. Google was asked to stop ad campaigns spreading misinformation regarding Russia’s invasion of Ukraine on YouTube’s video. In response, Google took action against such disinformation campaigns and blocked YouTube channels belonging to Russia Today (RT) and Sputnik in Europe at the request of the European Union.

 

Amidst the continuously rising tensions, the REvil ransomware group returned and began targeting organizations again. The group returned with new infrastructure and a modified encryptor allowing for more targeted attacks. The REvil ransomware group shut down after a law enforcement operation hijacked their Tor servers and members were arrested by Russian law enforcement. However, when the US began placing sanctions on Russia after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.

 

Additionally, in June 2022, the Russian government warned the US and its allies that continued cyber-attacks on its infrastructure risks a “direct military clash”. This came after Russia’s Ministry of Construction, Housing and Utilities websites had been hacked and replaced with a message stating “Glory to Ukraine” on its homepage. A foreign ministry statement blamed the US and Ukraine for increasing attacks on state institutions and critical infrastructure. DDoS attacks have escalated since the start of the invasion and President Putin was forced to publicly recognize the scale of the impact of the attacks in May 2022. President Putin has called for reduced reliance on foreign-made software and hardware as well as enhanced cyber-defenses.

 

 

Looking forward

Cyber-attacks have become a part of the modern warfare; along with heavy fighting in Ukraine between armies, cyberspace is a secondary battlefield between the countries. Ukraine and Russia have both recruited and mobilized IT experts and cybercriminals to fight their cyber war. It is Likely that both countries will continue to expand their cyber-attacks in an attempt to collect intelligence and disrupt operations. However, it is Likely that Russia cybercriminals will conduct disinformation campaigns as an attempt to gain support for the war.

 

Along with the physical conflict, with Russia’s invasion of Ukraine, it is Likely that cyber adversaries, regardless of attribution will continue to leverage and employ techniques, tools, and vulnerabilities used in previous cyber-attacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software, and malware.

 

In addition to multiple vulnerabilities, it is Likely that cyber criminals will use common software and malware in the coming months, such as:

 

  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware vCenter, ESXi, vSphere, vAccess
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Content Management System (CMS) platforms
  • WordPress – Joomla!, Drupal, Magento, Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho MangeEngine
  • LogMeIn
  • TeamViewer

 

 

Tactics and Techniques:

 

Tactic Technique Procedure
Reconnaissance T1593 Search Open Websites/Domains
T1595.002 Active Scanning: Vulnerability Scanning
Resource Development T1587.003 Digital Certificates
T1586 Compromise Accounts
T1584.005 Compromise Infrastructure: Botnet
Initial Access T1133 External Remote Services
T1190 Exploit Public Facing Application
T1566 Phishing
T1078 Valid Accounts
T1199 Trusted Relationship
Execution T1072 Software Development Tools
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
T1204 User Execution
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File
Persistence T1053 Scheduled Task/Job
T1098 Account Manipulation
Privilege Escalation T1611 Escape to Host/Exploitation for Privilege Escalation
T1078.001 Valid Accounts: Default Accounts
T1078.002 Valid Accounts: Domain Accounts
Defense Evasion T1127 Trusted Developer Utilities Proxy Execution
T1497 Virtualization/Sandbox Evasion
T1562.001 Impair Defenses: Disable or Modify Tools
T1562.002 Impair Defenses: Disable Windows Event Logging
T1055.001 Process Injection: Dynamic0link Library Injection
Credential Access T1212 Exploitation for Credential Access
T1003 OS Credential Dumping
T1110 Brute Force
Discovery T1120 Peripheral Device Discovery
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1518 Software Discovery
Lateral Movement T1210 Exploitation of Remote Services
T1570 Lateral Tool Transfer
Collection T1213 Data from Information Repositories
Exfiltration T1041 Exfiltration over C2 Channel
Impact T1485 Data Destruction
T1486 Data Encrypted for Impact
T1489 Service Stop
T1489.001 Network Denial of Service – Direct Network Flood
T1531 Account Access Removal

 

Western countries imposed several sanctions against Russia when they invaded Ukraine, and it is Likely that if the United States imposes harsher and broader sanctions and embargos on Russia, the fallout would Likely result in nearly all ransomware groups being placed under severe restrictions through the US Treasury’s Office of Foreign Asset Control (OFAC). This would result in the inability of ransomware victims in the US to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems.

 

When Russia invaded Ukraine, US-based organizations began pulling their business from Russia. Russia has always posed a risk to US-based organizations. Multiple ransomware groups, including REvil, Conti, and LockBit 2.0, are based in Russia and they target multiple US-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks, and nation-state groups – such as APT28, APT29, and Sandworm – highlight the ability Russia has to create severe disruption and chaos in the US. It is Likely that as US companies continue to pull out of Russia and additional sanctions are put in place, Russian government-sponsored cyber-attacks against US organizations will still remain limited to strategic organizations in key verticals. There is an Even Chance that these attacks will include destructive and wiper malware, ransomware, backdoors, and information stealing malware over the next 12 months. The overall threat landscape across all US-based organizations and verticals remains largely unchanged, and cyber-attacks directly related to the war will remain concentrated in the Ukraine, Russia, and Eastern Europe. The overall risk from any state-sponsored attack across all verticals remains low and restricted to a small portion of organizations in key verticals, while the threat of cyber-criminal activity, regardless of attribution, still remains high. These include commodity malware, ransomware, cryptocurrency miners, and data exfiltration/leaks.

 

 

Recommendations

Optiv’s gTIC emphasizes that all organizations continue to remain vigilant of cyber threats beyond activity attributed to, or estimated to be carried out by, the Russian government. Cyber-criminal, commodity malware, business email compromise (BEC), and ransomware remain the most relevant and Very Likely most dangerous threats to all organizations. Although the overall threat of a targeted state-sponsored attack is Unlikely, organizations in the previously mentioned industry verticals remain at higher risk due to the critical nature of operations. All organizations are encouraged to practice defense-in-depth and defensive strategies to mitigate the threat from all adversary types.

 

Optiv’s gTIC makes the following recommendations on mitigation for the threats highlighted in this report:

 

  • Ensure that all remote access to organizations’ network and administrative access requires MFA.
  • Ensure that a vulnerability management program is in place that prioritizes patching based on the severity of a vulnerability, the number of systems and devices affected, and how widely known the vulnerability is.
  • Ensure all ports and protocols that are not essential are disabled and not Internet-facing.
  • Implement network monitoring tools to monitor for traffic indicative of Command and Control (C2) activity, lateral movement, and similar activity.
  • Deploy endpoint security controls to monitor for behavioral indicators of compromise and deny unwanted code execution.
  • Ensure that all vendors and partners in the supply chain are held to the same security standards and affected organizations’ traffic is isolated and closely reviewed.
  • Create and implement an incident response plan that includes a designated incident response team.
  • Conduct penetration testing to identify points of weakness; combine with tabletop exercises to ensure the incident response plan is effective and all members of the incident response team understand their roles in the event of a cyber-attack.
  • Ensure offline backups are available, they are updated, and they can effectively be used in the event of an incident.

 

 

References

 

https://www.bleepingcomputer.com/news/security/russian-government-sites-hacked-in-supply-chain-attack/
https://www.washingtonpost.com/national-security/2022/03/24/russian-military-behind-hack-satellite-communication-devices-ukraine-wars-outset-us-officials-say/
https://www.bleepingcomputer.com/news/security/malware-disguised-as-security-tool-targets-ukraines-it-army/launch
https://cert.gov.ua/article/38088
https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/launch
https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/launch
https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/
https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx
https://thehackernews.com/2022/03/popular-npm-package-updated-to-wipe.html
https://www.bleepingcomputer.com/news/technology/russia-bans-google-news-for-unreliable-info-on-war-in-ukraine/launch
https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/

Jamie Hart
Jamie Hart has over three years of experience in Threat Intelligence. Hart began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Hart’s research focuses on ransomware groups and their tactics. Prior to joining Optiv, Hart was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk.
Hart earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.