June 30, 2022
On February 23, 2022, Russia invaded Ukraine, despite numerous promises by Russian President Vladimir Putin that troop movements were simply due to military exercises and that Russia had no intent to invade. Prior to the physical invasion of Ukraine, Ukrainian companies and government organizations had suffered several cyber-attacks that had been attributed to Russian state-sponsored actors. In January 2022, a destructive malware campaign, WhisperGate, targeted several Ukrainian public and private organizations. The attack was disguised as a ransomware attack, but evidence suggests it was destructive in nature rather than financially motivated. The week of February 21, 2022 was also characterized by additional wiper malware and Denial of Service (DoS) campaigns against institutions in Ukraine. Additionally, Psychological Operations (PSYOPs) and perception management operations were reported to be carried out by Russian and Ukrainian-separatist groups on social media – seeking to recruit fighters, fund separatist activities, and justify Russia’s military action. On February 28, 2022, a Ukrainian cyber security researcher leaked 393 JSON files that included 60,964 internal messages of the Conti ransomware group. This was a result of the group announcing its support of Russia and warning that any group that targeted Russia would be targeted by Conti.
Since the military invasion of Ukraine, both Russia and Ukraine have continued to conduct cyber-attacks as a means to gain information, cause disruption, and create a climate of intimidation. Additionally, many threat actors and groups have announced their support of one country or the other, groups have split, and others have turned on each other due to the conflict. As tensions have escalated, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian military actions and estimated cyber-related implications in Advisories and Optiv Source Zero blog posts of February 4, February 22, and February 24. In this blog, we will cover some of the cyber-attacks that have occurred and provide an update on the current situation.
On March 4, 2022, it was reported that Ukraine had been accepted as a contributing participant to the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Centre of Excellence (CCDCOE). Members in the CCDCOE use it for research, training, and exercises covering areas such as technology, strategy, operations, and law. Ukraine was not accepted as a fully-fledged member. President Putin strongly opposed Ukraine’s entry into NATO, alleging that threats to Russia’s security would significantly increase if Ukraine were permitted to be a member of NATO.
In March 2022, CERT-UA announced that the threat actors tracked as “UAC-0026” and “UAC-0088” had launched new cyberattacks against Ukraine. UAC-0026 was observed distributing executable files purporting to contain documents related to the Russia-Ukraine war. Running the file would execute the “HeaderTip” malicious program. UAC-0088 reportedly attempted to conduct network intrusions targeting the information systems of Ukrainian organizations.
Also in March 2022, a malware variant, CaddyWiper, was discovered. CaddyWiper is a data-destroying malware that was observed targeting Ukrainian organizations and deleting data across systems on the compromised networks. The malware used the DsRoleGetPrimaryDomainInformation() function to check whether the device was a domain controller; if it was, the data was not deleted. This was Likely done to maintain access inside the victim network, while still dealing a devastating blow to operations by deleting the data. CaddyWiper was not found to share code with any other known malware variant. CaddyWiper was the fourth data-wiping malware variant used to target Ukrainian organizations since the start of 2022, following HermeticWiper, IsaacWiper, and WhisperGate. Unlike the 2017 NotPetya attacks, which were indiscriminately distributed, these wiper attacks were targeted, which indicates they were Likely used specifically for hybrid warfare purposes.
In April 2022, the Russian state-sponsored hacking group, Sandworm, tried to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware. This incident was not the first time Russia has targeted the Ukrainian energy sector. Ukraine has been a target of Russia for many years, including the NotPetya attacks in 2017. This time, the energy provider was able to prevent the attack from being carried out as intended.
Threat actors are also impersonating Ukrainian government organizations to distribute Cobalt Strike and other malware variants. Phishing emails were sent with lures such as offering ways to increase network security and advising recipients to download “critical security updates”.
When a victim downloaded and ran the fake update, they were prompted to install a “Windows Update Package”; however, the update actually downloaded and installed the “one.exe” file from the Discord CDN, which is a Cobalt Strike beacon. Eventually, the GraphSteel and GrimPlant backdoors were installed on the victim network. These attacks were also attributed to a Russia-based Advanced Persistent Threat (APT) group.
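The download stage of the chain described above is visible in web-proxy telemetry. The following is an added example written for this post, not Optiv's or any vendor's tooling; it assumes a simple constructed proxy log format and that the “Discord CDN” corresponds to the cdn.discordapp.com host, and it flags executable fetches from that host, weighting the one.exe file name reported above higher than a generic executable.

```python
import re
from urllib.parse import urlsplit

# Host assumed for the "Discord CDN" named in the post; one.exe is the file name the
# post reports. Both are indicators that warrant triage, not proof of compromise.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi")
KNOWN_LURE_FILENAMES = {"one.exe"}

# Constructed log layout: timestamp, source IP, method, URL, HTTP status, content type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

def classify(line):
    """Return (severity, reason) for one proxy log line, or None when nothing stands out."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.hostname not in DISCORD_CDN_HOSTS:
        return None
    fname = url.path.rsplit("/", 1)[-1].lower()
    if fname in KNOWN_LURE_FILENAMES:
        return ("high", f"known lure file {fname} fetched from Discord CDN by {m['src']}")
    if fname.endswith(EXECUTABLE_SUFFIXES) or m["ctype"] == "application/x-msdownload":
        return ("medium", f"executable {fname} fetched from Discord CDN by {m['src']}")
    return None

def scan(lines):
    """Run classify() over every line and keep the hits together with the raw line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((verdict, line))
    return hits

# Constructed sample log lines (fictional hosts and addresses, not captured traffic)
SAMPLE_LOG = """
2022-03-15T10:02:11Z 10.0.5.23 GET https://cdn.discordapp.com/attachments/111/222/one.exe 200 application/x-msdownload
2022-03-15T10:02:30Z 10.0.5.23 GET https://cdn.discordapp.com/attachments/111/333/meeting.png 200 image/png
2022-03-15T10:03:01Z 10.0.5.40 GET https://cdn.discordapp.com/attachments/444/555/setup.exe 200 application/octet-stream
2022-03-15T10:03:05Z 10.0.5.40 GET https://update.example.net/patch.exe 200 application/octet-stream
""".strip().splitlines()

if __name__ == "__main__":
    for (severity, reason), _ in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```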
Ukraine has received support from hacktivist groups such as Anonymous, which has declared digital war against the Kremlin. Anonymous has conducted multiple attacks against Russia, bringing down Russian government websites. While the intent of Anonymous is to support Ukraine, the group is using vulnerabilities to access websites and company infrastructure that could have been useful for intelligence gathering. Russian organizations are then able to patch the vulnerabilities, which closes the opportunity for intelligence teams to gain access that could be helpful during the war.
In March 2022, the press service of the Russian Ministry of Economic Development reported that some federal agencies’ websites were compromised in a supply chain attack after unknown attackers compromised the visitor-statistics widget used by multiple government agencies. The affected sites included the websites of the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and others. The attackers were able to publish content on the pages of the websites. The sites were restored within an hour of the incident.
While the majority of threat actors targeting Ukraine are Russia-based groups, the war has caused countries all over the world to seek insight into global events, political issues, and motivations. This has led to other countries deploying malware in Russia. In March 2022, the Chinese state-sponsored threat group BRONZE PRESIDENT attempted to deploy advanced malware to computer systems of Russian officials. The threat actors distributed a PDF document that appeared to be related to Russian military operations. The campaign is similar to other campaigns the group has conducted to deploy the PlugX payload. BRONZE PRESIDENT has previously conducted campaigns against Southeast Asia; the change in targeting suggests that world events and the current Russia-Ukraine war have changed China’s intelligence interests and shifted its focus to Russia.
In March 2022, the developer behind the popular “node-ipc” NPM package shipped a tampered version to condemn Russia’s invasion of Ukraine. The affected versions, 10.1.1 and 10.1.2, targeted users located in either Russia or Belarus, wiping arbitrary file contents and replacing them with a heart emoji. The library has roughly 1.1 million weekly downloads, indicating the potential for a large target audience. The destructive modifications were removed, and another major update was released, which imported a further dependency called “peacenotwar” as a form of “non-violent protest against Russia’s aggression”. The module adds a message of peace to the users’ desktops.
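A defender's check for the affected releases named above, as an added example written for this post rather than Optiv's or the node-ipc project's code: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat packages map of versions 2 and 3) and reports node-ipc 10.1.1 or 10.1.2 anywhere in the tree, plus the peacenotwar dependency. The sample lockfile and the plugin name in it are constructed.

```python
import json

# Versions of node-ipc that the post identifies as carrying the file-wiping payload,
# and the protest dependency that was imported afterwards.
AFFECTED_NODE_IPC = {"10.1.1", "10.1.2"}
PROTEST_DEP = "peacenotwar"

def _check(name, version, path, findings):
    """Record a finding when a package name/version matches one of the indicators."""
    if name == "node-ipc" and version in AFFECTED_NODE_IPC:
        findings.append(("destructive-node-ipc", "/".join(path), version))
    elif name == PROTEST_DEP:
        findings.append(("protestware-dependency", "/".join(path), version))

def _walk_v1(deps, path, findings):
    """Recurse through the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, info in (deps or {}).items():
        full = path + [name]
        _check(name, info.get("version", ""), full, findings)
        _walk_v1(info.get("dependencies"), full, findings)

def audit_lockfile(lock_text):
    """Return (kind, location, version) findings for a package-lock.json string."""
    lock = json.loads(lock_text)
    findings = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by node_modules path; "" is the root project
        for pkg_path, info in lock["packages"].items():
            if not pkg_path:
                continue
            name = pkg_path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            _check(name, info.get("version", ""), [pkg_path], findings)
    else:
        _walk_v1(lock.get("dependencies"), [], findings)
    return findings

# Constructed sample lockfile (not from any real project): a fictional plugin pins the
# destructive node-ipc release while the top-level copy is an unaffected version.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-plugin": {"version": "4.5.0"},
        "node_modules/example-plugin/node_modules/node-ipc": {"version": "10.1.2"},
        "node_modules/node-ipc": {"version": "9.2.1"},
        "node_modules/peacenotwar": {"version": "1.0.0"},
    },
})

if __name__ == "__main__":
    for kind, location, version in audit_lockfile(SAMPLE_LOCK):
        print(f"{kind}: {location} ({version})")
```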
In March, Russia’s telecommunications regulator, Roskomnadzor, banned Alphabet’s news aggregator service, Google News, and blocked access to the news.google.com domain. Google had provided access to numerous publications that Russia claimed contained unreliable, publicly significant information about the course of the “special military operation” in Ukraine. Russian President Putin also signed new legislation making it illegal to spread “knowingly fake news” about the Russian army’s operations in Ukraine. In response to the platforms placing restrictions on state-owned media, Russia blocked access to Facebook and Twitter in the country. Roskomnadzor claimed the social network had violated the “rights and freedoms of Russian nationals” and added that there had been 26 cases of “discrimination” against Russian media by Facebook since October 2020. Google was asked to stop ad campaigns spreading misinformation regarding Russia’s invasion of Ukraine on YouTube videos. In response, Google took action against such disinformation campaigns and blocked YouTube channels belonging to Russia Today (RT) and Sputnik in Europe at the request of the European Union.
Amidst the continuously rising tensions, the REvil ransomware group returned and began targeting organizations again. The group returned with new infrastructure and a modified encryptor allowing for more targeted attacks. The group had previously shut down after a law enforcement operation hijacked its Tor servers and members were arrested by Russian law enforcement. However, when the US began placing sanctions on Russia after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communication channels.
Additionally, in June 2022, the Russian government warned the US and its allies that continued cyber-attacks on its infrastructure risk a “direct military clash”. This came after the website of Russia’s Ministry of Construction, Housing and Utilities had been hacked and its homepage replaced with a message stating “Glory to Ukraine”. A foreign ministry statement blamed the US and Ukraine for increasing attacks on state institutions and critical infrastructure. DDoS attacks have escalated since the start of the invasion, and President Putin was forced to publicly recognize the scale of their impact in May 2022. President Putin has called for reduced reliance on foreign-made software and hardware as well as enhanced cyber-defenses.
Cyber-attacks have become part of modern warfare; alongside the heavy fighting between armies in Ukraine, cyberspace is a secondary battlefield between the two countries. Ukraine and Russia have both recruited and mobilized IT experts and cybercriminals to fight their cyber war. It is Likely that both countries will continue to expand their cyber-attacks in an attempt to collect intelligence and disrupt operations. It is also Likely that Russian cybercriminals will conduct disinformation campaigns in an attempt to gain support for the war.
Alongside the physical conflict resulting from Russia’s invasion of Ukraine, it is Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools, and vulnerabilities used in previous cyber-attacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities in widely used software and services, to gain access to victim networks. This is Likely because the same techniques continue to succeed while requiring minimal resources, as open-source and commercially available tools, software, and malware can be reused.
In addition to multiple vulnerabilities, it is Likely that cyber criminals will use common software and malware in the coming months, such as:
Western countries imposed several sanctions against Russia when it invaded Ukraine, and it is Likely that if the United States imposes harsher and broader sanctions and embargoes on Russia, nearly all ransomware groups would be placed under severe restrictions through the US Treasury’s Office of Foreign Assets Control (OFAC). This would leave ransomware victims in the US unable to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems.
When Russia invaded Ukraine, US-based organizations began pulling their business from Russia. Russia has always posed a risk to US-based organizations. Multiple ransomware groups, including REvil, Conti, and LockBit 2.0, are based in Russia and target multiple US-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks, and nation-state groups – such as APT28, APT29, and Sandworm – highlight Russia’s ability to create severe disruption and chaos in the US. It is Likely that as US companies continue to pull out of Russia and additional sanctions are put in place, Russian government-sponsored cyber-attacks against US organizations will remain limited to strategic organizations in key verticals. There is an Even Chance that these attacks will include destructive and wiper malware, ransomware, backdoors, and information-stealing malware over the next 12 months. The overall threat landscape across all US-based organizations and verticals remains largely unchanged, and cyber-attacks directly related to the war will remain concentrated in Ukraine, Russia, and Eastern Europe. The overall risk from any state-sponsored attack across all verticals remains low and restricted to a small portion of organizations in key verticals, while the threat of cyber-criminal activity, regardless of attribution, remains high. These threats include commodity malware, ransomware, cryptocurrency miners, and data exfiltration/leaks.
Optiv’s gTIC emphasizes that all organizations should remain vigilant of cyber threats beyond activity attributed to, or estimated to be carried out by, the Russian government. Cyber-criminal activity, commodity malware, business email compromise (BEC), and ransomware remain the most relevant and Very Likely the most dangerous threats to all organizations. Although the overall threat of a targeted state-sponsored attack is Unlikely, organizations in the previously mentioned industry verticals remain at higher risk due to the critical nature of their operations. All organizations are encouraged to practice defense-in-depth and other defensive strategies to mitigate the threat from all adversary types.
Optiv’s gTIC makes the following recommendations on mitigation for the threats highlighted in this report: