Russia/Ukraine Update - May 2023

May 30, 2023

The Russia/Ukraine war has now been actively occurring for 15 months, with both physical and cyber warfare ensuing. Ukraine has continued to launch defensive strategies, while cybercriminal groups in support of Ukraine launch DDoS attacks and information theft campaigns. Moving their focus beyond Ukraine, Russia has focused their cyberattacks on countries supporting Ukraine, whether financially, militarily, or cyber defensively. This war has caused a rippling effect of destruction and disruption across the world, including the cybercriminal landscape.

Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29, December 20, and March 02, 2023. This update will provide information on the events of the previous 90 days and what we can expect looking forward.

Russia

Russia has continued to launch cyberattacks against Ukraine and supporting countries. From wiper malware attacks to ransomware to DDoS attacks, Russia-linked threat actors have relentlessly launched attacks to show support for Russia. Active groups so far in 2023 include Sandworm, DEV-0586, Anonymous Sudan, CommonMagic, APT29, and more.

In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that Russia-linked threat actors, purportedly DEV-0586 (aka UAC-0056, unc2589, Nodaria, or Lorec53), had breached multiple government websites. CERT-UA identified a previously known encrypted web shell on one of the websites. The web shell was used to modify the content of the main page of the web resource. Additionally, the threat actors deployed multiple backdoors, including CredPump, HoaxPen, and HoaxApe, to achieve remote access and log the usernames and passwords. DEV-0586 has been active since March 2021 and focuses most of their activities on Ukraine; other attacks have targeted Kyrgyzstan and Georgia.

In February 2023, a group of Russian hacktivists that call themselves “Anonymous Sudan” were observed conducting a series of DDoS attacks that shut down nine Danish hospitals’ websites for a few hours. The attacks did not have any life-threatening impact on the medical centers’ operations or digital infrastructure. Anonymous Sudan claimed responsibility for the attacks on its Telegram page. The group reportedly claimed to have conducted the attacks because Rasmus Paludan – a far-right Swedish-Danish politician – burned a Quran in front of a mosque in Denmark. However, security researchers have reported that Anonymous Sudan are Likely Russian or located in former Soviet Union countries with ties to Killnet. In support of Killnet, Anonymous Sudan also conducted a series of DDoS attacks against the websites of the German foreign intelligence service and the Cabinet of Germany.

In March 2023, Microsoft’s Digital Threat Analysis Center released a report indicating that Russia was readying another destructive cyberattack against Ukraine. The researchers reported that Sandworm, an APT group linked to Russian military intelligence agency GRU, was preparing to follow Foxblade and Caddywiper efforts from last year with new wiper malware. The researchers asserted that in 2023, Russia targeted organizations in at least 17 European nations, mostly government agencies, with cyber espionage attacks, while wiper attacks continued to target Ukraine. At the time of writing, there is no evidence that Sandworm has successfully conducted another wiper attack against Ukraine. However, there is an Even Chance that Russian threat actors will conduct additional wiper malware and other destructive attacks over the next 12 months.

Along with destructive and information stealing cyberattacks, Russia has been observed conducting influence operations as well. Russia reportedly took aim at Ukrainian refugee populations across Europe, attempting to convince them that they could be deported and enlisted into the Ukrainian military. Additionally, Russian influence operations took aim at Moldova when the Russian media promoted protests supported by a pro-Russia political party encouraging citizens to demand that the government pay for winter energy bills. Another campaign, dubbed “Moldova Leaks,” published alleged leaks from Moldovan politicians aimed at creating a lack of trust between citizens and their governments.

In March 2023, security researchers with Kaspersky reported that the APT group, CommonMagic, was observed targeting administrative organizations in the Russo-Ukrainian conflict zone. The initial access vector was not known. However, the group commonly uses phishing attacks to deliver malicious attachments. The group used a PowerShell-based backdoor, PowerMagic, and a malicious framework, CommonMagic. The backdoor receives and executes commands from the attacker’s C2, and the framework is capable of stealing files from devices and taking screenshots. CommonMagic has been active since September 2021 and has targeted administrative, agricultural, and transportation organizations across Donetsk, Luhansk, and Crimea.

In April 2023, the Polish Military Counterintelligence Service and the CERT team in Poland issued an alert warning of an espionage campaign allegedly conducted by the Russia-linked APT group, APT29 (aka Nobelium, Cozy Bear, The Dukes, Cloaked Ursa). The attacks began with a spearphishing email that purportedly impersonated embassies of European countries and was sent to selected personnel at diplomatic posts. The email message directed the recipient to click on a link or download a PDF to access the ambassador’s calendar or meeting details. The attacks used the HTML-smuggling technique – where a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim’s device. Once a victim was compromised, the group used modified versions of the Snowyamber downloader, Halfrig, and Quarterrig. Snowyamber and Quarterrig were used for reconnaissance to help the attackers evaluate each target’s relevance and to determine if the group compromised honeypots or VMs used for malware analysis. Halfrig acts as a loader and automatically deployed the Cobalt Strike payload. In addition to Poland’s warning, Canada’s Prime Minister Justin Trudeau made a public statement related to Russia-linked cyberattacks aimed at Canadian infrastructure, including DDoS attacks.

In April 2023, the Russian FSB accused the U.S. and other NATO countries of launching more than 5,000 cyberattacks against critical infrastructure organizations in Russia since the start of 2022. The FSB claimed that these attacks originated from Ukrainian territories, which were reportedly used to mask the true origin of the attacks. The FSB stated that despite many of the attacks were presented as activities by the “IT Army of Ukraine,” a hacking group created in support of Ukraine during the war. The FSB claims to have identified other groups involved, including Anonymous, Sailens, Goast Clan, Ji-En-Ji, SquadZOZ, and more. The FSB released this statement just one day after the Poland alert related to attacks conducted by Russia-linked groups.

Rostelecom, a digital services provider in Russia, released a report about cyberattacks targeting Russia between March 2022 - March 2023. Rostelecom claimed that 20% of all detected attacks targeting Russia could be attributed to APT groups, while 38% were cases of hacktivism and another 38% were ransomware attacks.

Image

Figure 1: Attack types targeting Russian organizations (Source: Rostelecom)

Additionally, Rostelecom reported that the most significant activity targeting Russian organizations during the reported period was conducted by APT27, APT41, APT10, and Lazarus Group – which are all China and North Korea-linked threat groups. This report contradicts the statement made by FSB regarding a massive number of attacks originating from Western countries that support Ukraine.

In April 2023, Google’s Threat Analysis Group (TAG) released a blog related to Russia’s continued activity during the Russia/Ukraine war. TAG researchers stated that Russian government-backed phishing campaigns targeted users in Ukraine most often, with 60% of attacks in Q1 2023 aimed at Ukraine. Sandworm (aka FROZENBARENTS) remains one of the Russia-linked threat groups focused on Ukraine during the war. Sandworm targeted critical infrastructure organizations and exploited EXIM mail servers globally to use as part of their operational network, which has been a tactic of the group since 2019.

Another active group in the targeting of Ukraine is APT28 (aka FROZENLAKE, Sofacy, Iron Twilight, Fightin Ursa, Fancy Bear). APT28 has conducted large phishing campaigns targeting hundreds of users in Ukraine and Eastern Europe. Beginning in February 2023, the group was observed using XSS on multiple Ukrainian government websites to redirect users to phishing pages.

Over the past 90 days, Russia has continued to leverage information operations to shape the public perception of the war in Ukraine. In the first quarter of 2023, Google’s TAG observed a coordinated information operations (IO) campaign from actors affiliated with the Internet Research Agency (IRA) creating content on platforms like YouTube. The group has focused on narratives supportive of Russia. One of the promotions included a movie that positively portrays the Wagner Group, a Russian paramilitary group.

In addition to APT activity, cybercriminal groups, including the Cuba ransomware operators, have been observed targeting Ukraine and Western-supporting countries over the past 90 days. The group reportedly used phishing URLs with spoofed domain names related to ChatGPT and OpenAI to target government and military officials in Ukraine. However, rather than the typical encryption-based attacks, Cuban ransomware operators stole data that was more in line with intelligence gathering operations.

Ukraine

In February 2023, pro-Ukrainian hackers, CH01, reportedly defaced at least 32 Russian websites in protest of the one-year anniversary of Russia’s invasion of Ukraine. Anonymous, a global hacking group, reported the attacks via their Twitter account and attributed the actions to #OpRussia – a collective operation of Anonymous and affiliate hacking groups targeting Russia organizations in protest to the war. CH01 is a known affiliate that joined the Anonymous collective after the group’s call to arms against Russia due to the invasion of Ukraine.

Image

Figure 2: Anonymous Collective tweet related to targeting of Russian websites (Source: Twitter)

The hackers reportedly uploaded a video of the Kremlin burning on the defaced websites. Additionally, in February 2023, Anonymous reported that they had successfully hacked into several radio stations across Russia, including Yumor FM, Relax FM, Comedy Radio, Humor FM, and Avatoradio. The group had a female voice render fake air raid alerts warning listeners to seek shelter quickly. While these attacks do not have a significant impact on organizations, like ransomware or wiper malware attacks, the breach of websites and radio/TV streams has previously been used in influence operations and to build distrust between organizations and their customer base.

In March 2023, Ukrainian and Czech Republic police disrupted a phishing group that claimed to have made more than 160 million hryvnias ($4.3 million USD) from victims across the Czech Republic, Poland, France, Spain, Portugal, and other European countries. The group reportedly created over 100 phishing sites offering discounted goods to lure victims into purchasing them. The group then used the harvested payment data to conduct fraud. Additionally, the group hired scammers in two different call centers to convince victims to complete their purchases on the fraudulent websites. While this operation is not a direct connection to the Russia/Ukraine war, it is Likely that this type of group created phishing sites that could be used to target displaced Ukrainian citizens. Ukrainian police have disrupted two phishing groups over the past 12 months of the Russia/Ukraine war, including one in 2022 that was suspected of creating phishing sites offering financial support from the EU to affected Ukrainian citizens.

A pro-Ukrainian hacking group, Cyber Resistance UA, claimed responsibility for multiple hacks in 2023. Cyber Resistance claimed to have hacked into Z-volunteer Mikhail Luchin’s AliExpress account, which included a linked card containing donation funds to purchase an unmanned aerial vehicle (UAV). The hackers claimed to have used the entire $25,000 to order sex toys to be sent to Russian military members. Luchin reportedly released a public post where he admitted to the hack and claimed that he would be able to return the money and the goods to recoup the money used during the hack.

Image

Figure 3: Cyber Resistance UA's Telegram post related to Mikhail Luchin

In April 2023, Cyber Resistance claimed to have hacked into the emails of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army (GRU), leader of the Russian hacker group APT 28. Cyber Resistance reportedly shared the details of the hack with InformNapalm, a volunteer intelligence community. The pro-Ukrainian hacker group obtained both personal and service information related to Morgachev. This included a 2018 email from Apple requesting his account data from the U.S. FBI in connection with the 2018 indictment he was named in related to the 2016 hack of the servers of the Democratic National Committee (DNC) and attempted election interference.

Other Information

In March 2023, Russia’s internet watchdog agency Roskomnadzor warned about laws banning the use of many foreign private messaging applications in Russian government and state agencies. The law established a ban for a number of Russian organizations on the use of foreign messaging platforms to exchange messages exclusively between their users. These platforms included Discord, Microsoft Teams, Skype for Business, Snapchat, Telegram, Threema, Viber, WhatsApp, and WeChat. While the law was reportedly designed to prevent leaks of sensitive information to foreign entities, there have been speculations that the law is an attempt to prevent the influx of foreign information that could shape the opinion of the local population. Other bans have included VPN products and Russia-introduced “domestic software” incentives that promote using Russian Linux-based operating systems like Astra Linux, ALT OS, and Red OS in government and public service organizations.

In March 2023, reports emerged that an unidentified whistleblower had provided several media organizations with access to leaked documents from NTC Vulkan, a Mosco IT constulancy. These reports allegedly show how the firm supports Russia’s military and intelligence agencies with cyber warfare tools. The whistleblower reportedly leaked the documents due to anger over Russia’s invasion of Ukraine and a desire to reveal what is going on within Russia. The reports purportedly described Russian hacking tools used in various attacks – including a reported blackout in Ukraine, the disruption of the Olympics in South Korea, and the creation of the NotPetya malware. The documents detailed project requirements contracted with the Sandworm threat group. Additionally, the leaked files linked NTC Vulkan to the APT29 threat group. Tools described included:

These leaked reports provide insight into the investment of Russian intelligence services in developing capabilities, which has been previously hidden from public view. A tool like Scan-V can indicate how Russia-linked APT groups appear to streamline their targeting of vulnerable software and services. The documents also help the public understand Russia’s targeting. The reports highlight Russia’s interest in targeting critical infrastructure organizations, including those in the energy, utilities, and transportation fields.

Other Countries

In February 2023, the Foreign Policy Research Institution (FPRI) reported dramatic shifts in the U.S. strategy toward Russian relations. The U.S. has prioritized cooperation with Russia for the better part of the previous 30 years, as Russia is considered a “great power” competitor of the U.S. A cooperative relationship between the U.S. and Russia would be economically beneficial for both countries. However, according to the FPRI, the U.S. no longer seeks to prioritize cooperation with Russia and no longer expects to forestall greater Russia-China cooperation; support for Ukraine has become a critical part of the overall U.S. strategy, designed to degrade Russian capabilities.

In February 2023, Secretary of State Anthony Blinken released a statement warning that China is “strongly considering” providing Russia with “lethal assistance” in its war with Ukraine. China has been observed publicly striving to achieve peace between Russia and Ukraine. However, throughout 2022, China-linked APT groups have been observed targeting Ukrainian organizations. In November 2022, Earth Longzhi, a sub-group of APT41, was observed targeting Ukraine. While this is not new information, as China-linked groups have targeted Ukraine since at least 2020, there is an Even Chance that information gathered by China-linked groups could provide Russia with a strategic advantage in the war with Ukraine.

In March 2023, Polish counterintelligence reportedly dismantled a Russia-linked spy group that gathered information on military equipment deliveries to Ukraine. Nine individuals were reportedly arrested in connection with the spy group, and they were suspected of working for the Russian secret service. The individuals have reportedly conducted espionage activities against Poland and preparing acts of sabotage on behalf of Russian intelligence services. Poland officials reported that the entire ring of threat actors was dismantled. However, it is Likely that other threat actors, including Russia-linked APT groups, will continue to target military-related information from Western-supporting countries over the next 12 months.

In April 2023, PUSHCHA, a Belarusian threat actor, was attributed to the consistent targeting of users in Ukraine and neighboring countries during the war. The group has been observed targeting regional webmail providers with phishing attacks that are targeted and focused on a small number of users in Ukraine.

In April 2023, The U.K. government formally confirmed that its National Cyber Force (NCF) agency is active and has conducted real-world offensive operations. Established in 2020, the NCF is a joint agency between the U.K.’s Ministry of Defence and its main intelligence agency, GCHQ. The NCF operates in and through cyberspace and the work is labeled as “covert”. Although the agency’s work is meant to help the U.K. and counter sophisticated, stealthy, and continuous cyber threats to the U.K., the agency has also reportedly been actively aiding Ukraine in defending against Russia’s cyberattacks. However, the exact actions taken and the support provided were not disclosed. The U.K. NCF joined other organizations and agencies in helping Ukraine defend against attacks, including Google and Microsoft.

In May 2023, researchers reported that the U.S. IRS criminal investigative division donated 15 licenses for the Chainalysis Reactor platform to a team of Ukrainian investigators. This act was part of the ongoing effort to identify and take down the financial networks used by Russian cybercriminals to avoid international sanctions. The donation was made as personnel from the IRS Criminal Investigations unit and Chainalysis kicked off a week of training for 20 Ukrainian investigators. The trainings are meant to help Ukrainian law enforcement and investigators hone their digital investigative skills to trace the source of blockchain funds and unmask cryptocurrency transactions. While the support during investigations can be helpful, donations and trainings like this can help Ukrainian investigation units in their long-term goals of taking down cybercriminal financial infrastructures and preventing future attacks.

In May 2023, the U.S. Justice Department announced the completion of a court-authorized operation, dubbed MEDUSA, to disrupt a global network of computers compromised by sophisticated malware “Snake” attributed to a unit of the FSB of the Russian Federation. The unit, Turla, has used versions of the Snake malware for nearly 20 years to steal sensitive documents from hundreds of computer systems across 50 countries. Turla is known for targeting NATO member governments, journalists, and other targets of interest to the Russian government. Operation MEDUSA used an FBI-created tool named PERSEUS to disable the Snake malware on compromised computers by issuing commands that caused the Snake malware to overwrite its own vital components. Multiple law enforcement takedowns and arrests over the last year have highlighted the resilience of cybercriminals. They have demonstrated that even when arrests are made and threat groups are seemingly dismantled, they can continue attacks. It is Likely that Turla will continue to utilize its Snake tool in other countries and develop other malware to pursue U.S. targets.

Impact

Over a full year into Russia’s war with Ukraine, Russia has conducted many failed cyberattacks against Ukraine. According to the Middle East Institute (MEI), Russia’s errors have complicated their ability to influence developments across the Middle East. Russia has historically had a reputation for using its power and perceived strength to influence operations and erode Western influence across the Middle East. In 2022, Russia created a food crisis by limiting Ukrainian grain exports to multiple Middle Eastern countries to influence these countries to Russia’s will. Multiple errors have contributed to the degradation of Russia’s perceived power in both the physical and cybercriminal landscapes. These errors include failures to physically take control of Ukrainian territories; failed cyberattacks targeting Ukrainian critical infrastructure and Western countries; and the leak of Russia’s internal cyber tools, actions, and bespoke malware used by APT groups. It is Likely that Russia’s overall power throughout the Middle East and Western-supporting countries will remain limited over the next 12 months.

Ukraine has been relatively successful in defending against Russian cyberattacks, including successfully preventing multiple wiper malware attacks on their Energy vertical organizations in 2022. Russia’s cyberattacks increased 250% in 2022 against Ukraine and 300% against NATO countries. These attacks, while considered sophisticated in the first months of the war, have slowed down and appear less coordinated after the initial wave of attacks. With the technical assistance of Western allies, Ukraine has significantly boosted its continuous security monitoring capabilities, which has aided in detecting and preventing multiple Russian cyberattacks. It is Likely that Ukraine will continue to improve their security posture over the next 12 months. Additionally, it is Likely that Russia will continue to launch cyberattacks against both Ukraine and NATO countries over the next 12 months.

Security researchers have observed multiple changes in the cybersecurity landscape since the invasion of Ukraine in February 2022, including groups splitting and turning on each other, as well as leaking source code, chats, and builders. However, researchers have noted a decrease in activity on Russian-language dark web and special-access forums, as well as decreases in the number of new posts and threats in general since September 2022. Multiple factors have Likely contributed to the decrease, including cybercriminals that have fled both Ukraine and Russia during the war to avoid being recruited and/or due to dangerous environments. The drafting of young men into the physical war has also decreased the number of active participants on cybercriminal forums.

There has historically been a high level of solidarity between Russia-linked threat groups, which has contributed to the groups’ sophistication and capabilities. However, the disagreements over support for the war, the leaks, and the splits have Likely evaporated that belief throughout the world. It is therefore Likely that more threat actors will target Russia-based organizations over the next 12 months to steal sensitive information – PII and IP information – and malware-based attacks – ransomware, wiper, backdoor, etc. Although Russia-linked groups have lost some of their respect as sophisticated and “untouchable” groups, it is Likely that Russia-linked groups will still successfully conduct cyberattacks over the next 12 months. Rumors of Russia absolving Russian cybercriminals of their crimes have circulated, which would Likely supply Russia with more cybercriminals to support their cyber efforts against Ukraine and NATO countries. There is an Even Chance that threat actors will shift to more English-language forums, shops, and marketplaces over the next 12 months as the war continues and cybercriminals are no longer willing to work together with others from Commonwealth of Independent States (CIS) countries.

Outlook

Russia-linked and Russia-supporting threat groups have launched hundreds to thousands of attempted cyberattacks against Ukraine and NATO countries over the previous 12 months, including ransomware and wiper attacks, as well as information stealers. Such attacks have occurred since at least 2014. But larger strikes, which the world expected would have crippled Ukrainian critical infrastructure, have been mostly unsuccessful. In the attacks that have been considered successful, Ukraine has been able to recover quickly, restoring systems and communications within a reasonable timeframe.

Despite reports that Russia-linked threat groups have not been as successful as expected, it is Likely that these groups will continue launching attacks against Ukraine and NATO countries over the next 12 months. This is Likely to include critical infrastructure verticals – Energy, Government, Manufacturing, and Transportation – in destructive cyberattacks that include wiper and ransomware malware. There is an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military actions face setbacks, including the reshuffling of military leaders, high turnover, and Ukrainian advancements.

Other countries with a history of state-sponsored and/or APT attacks that have indirectly aligned or maintained suspicious neutrality towards Russia include China and India, which could also pose additional risks or proxies for cyberattacks. While China has ultimately avoided physical involvement in the war, they have suspended business when threats to Chinese interests called for it, continued business and trading when they could, and parroted Russian narratives when they aligned with China’s criticism of the U.S. While China-linked threat groups have a proven history of targeting U.S. and other Western countries in espionage campaigns related to China’s strategic interests, there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.

It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software, and malware.

In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:

It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.

Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related incidents notated above