Russia/Ukraine Update - September 2022

September 29, 2022

As the Russian and Ukrainian war continues, cybercriminals in support of both sides continue to target organizations to obtain sensitive data, disrupt operations and wreak havoc. What’s more, Russia has used the conflict to move their targeting beyond Ukraine.

This war has had a rippling effect across the world, including a cybercriminal landscape that’s also been affected as groups split, turn sides and announce support for one country or the other. Since the invasion began, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian military actions and estimated cyber-related implications in advisories and blog posts on February 4, February 22, February 24, June 30 and August 25. In this update, we’ll provide information on the events of the previous 30 days and what to expect looking forward.

Russia

Russia has consistently targeted Ukraine in cyberattacks since well before the physical invasion in February 2022. One infamous attack targeted Ukraine’s power grid on December 23, 2015. Attackers were able to take control of the facilities’ SCADA systems. During the attack, malicious actors opened breakers at 30 distribution substations causing more than 200,000 consumers to lose power.¹ Since the invasion of Ukraine, Russia’s cyberattacks against Ukraine have increased significantly, as have Russian supporters, including both state-supported and cybercriminal groups that have pledged their allegiance to the Kremlin.

In August 2022, The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the ongoing cyberespionage campaign conducted by the Russia-linked Gamaredon APT group (aka Shuckworm, Primitive Bear, Armageddon). The group has been observed targeting Ukrainian entities with a PowerShell info-stealer malware dubbed GammaLoad. This campaign is reported to have started on July 15, and was detected as recently as August 8, 2022. The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser. Then the attackers used mshta.exe to download an XML file, which was likely masquerading as an HTML application file (See Table 1 below). Following the downloading of the XML file onto victim networks, the attackers executed a PowerShell stealer. In some of the cases, the attackers also delivered two backdoors named Giddome and Pterodo, which are known to be used by the Gamaredon group.²

In August 2022, the Microsoft Threat Intelligence Center (MSTIC) observed and took actions to disrupt campaigns launched by the Russia-linked APT group SEABORGIUM. SEABORGIUM is a highly persistent threat actor that targets the same organizations over long periods of time using constant impersonation, rapport building and phishing to slowly deepen their intrusion. SEABORGIUM intrusions have been linked to hacking and leak campaigns where stolen and leaked data is used to shape narratives in targeted countries. Since the beginning of 2022, MSTIC has observed SEABORGIUM campaigns targeting over 30 organizations in NATO countries, particularly the U.S., U.K. and the government sector of Ukraine. SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental and intergovernmental organizations, think tanks and higher education.

SEABORGIUM conducts reconnaissance on their target individuals before beginning a campaign and focuses on identifying legitimate contacts in the target’s social network. The threat actors Likely leverage social media platforms, personal directories and open-source intelligence (OSINT) to identify targets’ contacts that can be used for impersonation. Once the group has a contact, they create an email address that matches the contact and sends a phishing email. If the target is a personal or consumer target, the threat actor typically begins with a benign email that includes pleasantries, Likely to establish rapport and avoid suspicion. When the victim is an organization, the emails appear to have a more authoritative approach. The goal of these campaigns is to steal sensitive information and harvest credentials.

Image

Figure 1: Phishing email observed in SEABORGIUM campaign, August 2022 (Source: Microsoft)

In August 2022, Mandiant reported that the Russia-linked group APT29 (aka Cozy Bear) has been vigorously targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information. Victims have included accounts that APT29 compromised months or even years before. APT29 used multiple new techniques during these attacks:

In August 2022, Latvia’s Computer Emergency Response Team (CERT.LV) reported that their website was suffering a massive DDoS attack. Latvia attributed the attack to the Russia-linked hacker group Killnet, after Latvia’s parliament announced Russia as a “state sponsor of terrorism.” In May 2022, Killnet declared war against any country that allied with Ukraine during the war, which has included the U.S., the U.K., Germany, Italy, Latvia, Romania, Lithuania, Estonia and Poland. These countries have been targeted each time they announce support for Ukraine, with Latvia and Lithuania targeted the most often. Latvia’s head of CERT.LV stated that Latvia is attacked by hackers almost on a daily basis with around 1,000 targets on some days.⁵ Finland’s parliament was also targeted by Russia-linked hackers, a group called NoName057(16), in August 2022. The hackers stated on their Telegram channel that they “punished” Finland for its aspiration to join NATO. The cyberattack on Finland’s parliament occurred on the same day U.S. President Joe Biden announced his support for Finland and Sweden to join NATO.⁶

Ukraine

There are multiple threat groups, including the IT Army of Ukraine and Anonymous, that have pledged their allegiance to helping Ukraine in the cyberwar that has ensued. These groups are comprised of threat actors from all areas of the world that have come together to support the country. The IT Army of Ukraine was created on February 26, 2022, after the ground invasion of Ukraine and is comprised of more than 1,000 Ukrainian and foreign volunteers. Additionally, after the invasion of Ukraine, the Anonymous hacking group posted on their Twitter for hackers around the world to target Russia, effectively declaring war on Russia in an operation dubbed #OpRussia.

Anonymous/IT Army of Ukraine

In August 2022, Ukrainian hackers hacked the TV shown in Russian-occupied Crimea and broadcasted an address by President Volodymyr Zelenskyy. The address was broadcast on Russia’s Pervyi Kanal (Channel One).⁷

Image

Figure 2: Announcement on Strategic Communications Department of the Armed Forces of Ukraine on Telegram (Source: Ukrainska Pravda)

In August 2022, the Anonymous hacking group announced via Twitter that two Russian video conferencing services were under attack. The group announced that all services were down. The first, Webinar Group, is used for meetings, online events, training and webinars throughout Russia. The second, Videomost, is another of the top video conferencing apps used throughout Russia for meetings, trainings and online events.

On September 06, 2022, Anonymous TV (@YourAnonTV) posted on their Twitter that the IT Army of Ukraine successfully targeted the third largest bank in the Russian Federation, GazpromBank, with a purported DDoS attack. The post stated that the website was down for four hours, making it impossible to send payments and transfers and blocking access to personal accounts and mobile banking. The post included two screenshots that showed the application as unavailable.⁸

Image

Figure 3: Screenshot included in Anonymous TV Twitter Post (Source: Twitter)

In September 2022, the IT Army of Ukraine targeted the Yandex Taxi app causing a major traffic back up in Moscow. The group ordered all available taxis to the same location in Moscow, creating a traffic jam that took place in the center of the Russian city on September 01, 2022. Due to the hack, one of the main streets of Moscow was completely blocked for more than two hours. The Yandex-owned company stated that the security department immediately blocked the intruder and halted the fake taxi requests.⁹ This incident highlights how even high-level (low-complexity, simple) cyberattacks can result in real-world economic and social disruptions and impact.

Other Activity

In August 2022, the Russian streaming company, START, confirmed that the personal information of its customers was leaked during a cyberattack. The company did not disclose how many customers were affected, but the incident was listed on the Russian Telegram channel, Information Leaks, which stated the information included 72GB of data for 44 million customers. The leaked information included usernames, email addresses, hashed passwords, IP addresses, country of registration, subscription start and end date and the last login to the service. The breach purportedly affects viewers from Russia, Kazakhstan, China and Ukraine. The hacking group announced that the data came from an exposed MongoDB database program. START announced they fixed the vulnerability that allowed the data breach to occur.¹⁰

In August 2022, a forum specializing in cyberattacks against Russia and Belarus, DUMPS, appeared and was observed advertising DDoS attacks starting at $80 per hour. The forum only targets organizations in Russia and Belarus and does not offer any services for other countries. The activity centers around data leaks, advertising DDoS attack services, forged and stolen identity documents, and anonymous and bulletproof hosting services. The data-leaks section of the forum appears to be the largest, where users shared data stolen from Russia-based government and private institutions. DUMPS offers prices based on the power of the DDoS attack on offer, with a lower level “layer four” assault lasting one day priced at $500 and a higher “level seven” attack over one day priced at $600. Shorter attacks are offered by the hour. DUMPS appears to support their Ukrainian users while attracting Russian users that are willing to take up cyber-arms against their own country. The site has yet to gain much notoriety, with just 100 users; but could grow significantly if the site gains attention.

In September 2022, unknown hackers reportedly started flooding Cobalt Strike servers operated by former members of the Conti ransomware group with anti-Russian messages to disrupt their activity. Although the Conti ransomware group turned off their internal infrastructure in May 2022, their members shifted to other ransomware groups, such as Quantum, Hive and Alphv. The former Conti members have continued to use the same Cobalt Strike infrastructure to conduct new attacks under the other ransomware operations. The threat actor flooding the servers are using the username “Stop Putin!” on multiple computers and changing their computer names to various messages – “Stop the war!”, “15000+ dead Russian soldiers!”, and “Be a Russian patriot!”. The messages are flooding the servers at a rate or about two every second. The messages cause the TeamServer’s Java application to be overloaded and the activity was disrupted similar to a DoS condition. The threat actors are unknown, however, they have been observed resuming the flooding each time a new server believed to be connected to the former Conti members is identified.¹¹

In September 2022, the Cyber Department of the Ukrainian Security Service (SSU) dismantled two bot farms that spread Russian disinformation on social networks and messaging platforms via thousands of fake accounts. The bot army was comprised of nearly 7,000 accounts and was used to push content discrediting the defense forces of Ukraine, justify Russia’s armed aggression and destabilize Ukraine’s social and political situation. One of the farms was operated by a 24-year-old native living in the Kyiv region and was used by “representatives of the PR departments of political parties and Russian citizens promoting destructive and provocative material in Ukrainian information space.” The second farm was operated by a user from Odessa and spread panic in the region by pushing disinformation and fake news from the front, selling its services to Russian “clients.” Ukraine has dismantled farms comprising of more than one million bots since the beginning of the war in February 2022.¹²

Looking Forward

In September 2022, it was reported that the Ukrainian military made advances which led to Russia Likely ordering the withdrawal of its troops of occupied Kharkiv Oblast west of the Oskil River. Additionally, it was reported that in the south, near Kherson, Russia was Likely struggling to bring sufficient reserves forward across the Dnipro River to the front line. The Ukrainian success reported over the previous 30 days will Likely have significant implications for Russia’s overall operations on the ground. Due to this factor, it is Likely that Russia-based and supporting threat groups will increase their attacks on Ukrainian government and military organizations, as well as those of countries in support of Russia over the next 30 days.¹³

Along with the physical conflict in Russia’s invasion of Ukraine, it’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and utilizing minimal resources by reusing open-source and commercially available tools, software and malware.

In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:

Table 1: Commonly observed MITRE ATT&CK tactics

It’s Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for financial gain and espionage attacks. It’s Likely that if the United States imposes harsher and broader sanctions and embargos on Russia, the fallout will result in nearly all ransomware groups being placed under severe restrictions through the U.S. Treasury’s Office of Foreign Asset Control (OFAC). This would result in the inability of ransomware victims in the U.S. to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems. Other countries that have a history of state-sponsored and/or APT attacks which have indirectly aligned or maintained suspicious neutrality towards Russia include China and India, which could also pose additional risks or proxies for cyberattacks.

When Russia invaded Ukraine, U.S.-based organizations began pulling their businesses from Russia. Multiple ransomware groups, including REvil, Conti and LockBit 2.0/3.0, are based in Russia and target multiple U.S.-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks and nation-state groups – such as APT28, APT29 and Sandworm – highlight Russia’s ability to create severe disruption and chaos in the United States. U.S.-based organizations are a historically attractive target and it’s Likely that U.S. companies will continue to be targeted, whether by threat actors based in Russia or those in support of the Kremlin’s invasion of Ukraine.

References