Cyber Operations Augmenting Russian Military Operations

Updated 2/22/2022 advisory available. See the latest here.

 

Executive Summary

In mid-January, a destructive malware campaign targeted several Ukrainian public and private organizations. The attack was disguised as a ransomware attack, but evidence suggests the attack was destructive in nature rather than financially motivated. The attack came as Russian troops continue to mass forces along Ukraine’s border.

 

Days after the Ukrainian attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an “Insights” document warning all organizations in the U.S. about potential critical risks and cyber attacks. The document includes mitigation techniques and identification methods. Russian kinetic and shaping military operations have frequently been supplemented with cyber operations by Russian state-sponsored actors, as witnessed in numerous historical attacks.

 

Optiv’s Global Threat Intelligence Center (gTIC) assesses with high confidence that Russian state-sponsored actors will continue utilizing cyber attacks in conjunction with military shaping operations over the next 30 to 90 days for espionage and destabilization to achieve political aims, as witnessed in the most recent attacks on Ukrainian civilian and state organizations in January 2022.

 

In response to the heightened risk for cyber attacks, Optiv’s gTIC recommends organizations implement multi-factor authentication (MFA), implement a patching program, disable all non-essential ports and protocols, create an incident response plan and ensure backups are in place and can be effectively used in the event of an incident.

 

 

Recommendations and Findings

 

Mitigation Recommendations

Optiv gTIC makes the following mitigation recommendations for the threats highlighted in this report:

 

  • Ensure that all remote access to the organization’s network, and all administrative access, requires MFA.
  • Ensure that a vulnerability management program is in place that prioritizes patching based on the severity of a vulnerability, the number of systems and devices affected and how widely known the vulnerability is.
  • Ensure all ports and protocols that are not essential are disabled and not internet-facing.
  • Implement network monitoring tools to monitor for traffic indicative of command and control (C2) activity, lateral movement and similar activity.
  • Deploy endpoint security controls to monitor for behavioral indicators of compromise and deny unwanted code execution.
  • Ensure that all vendors and partners in the supply chain are held to the same security standards and affected organizations’ traffic is isolated and closely reviewed.
  • Create and implement an incident response plan that includes a designated incident response team.
  • Conduct penetration testing to identify points of weakness; combine with tabletop exercises to ensure the incident response plan is effective and all members of the incident response team understand their roles in the event of a cyber attack.
  • Ensure offline backups are available and updated, and they can effectively be used in the event of an incident.
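
To illustrate the recommendation above that non-essential ports be disabled and not internet-facing, the following added example (not part of Optiv’s advisory) audits the listening sockets reported by `ss -H -tuln` on a Linux host against an allowlist. The sample output and the allowlist are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (Linux iproute2); not from the advisory.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      5                  *:3389            *:*
tcp   LISTEN 0      128             [::]:23           [::]:*
tcp   LISTEN 0      128            [::1]:6379         [::]:*
"""

# Assumed policy for this host: only these (protocol, port) pairs are essential.
ESSENTIAL = {("tcp", 22), ("tcp", 443)}


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port), handling [v6] brackets and %iface scopes."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def is_loopback_only(host):
    """True when the socket is bound to a loopback address and unreachable off-host."""
    if host == "*":  # wildcard bind: every interface, IPv4 and IPv6
        return False
    return ipaddress.ip_address(host).is_loopback


def audit_listeners(ss_output, essential):
    """Return sorted (proto, port, bind_addr) for reachable, non-essential listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        host, port = split_endpoint(local)
        if is_loopback_only(host):
            continue  # not exposed beyond the host itself
        if (proto, port) not in essential:
            findings.append((proto, port, host))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, host in audit_listeners(SAMPLE_SS_OUTPUT, ESSENTIAL):
        print(f"non-essential listener: {proto}/{port} bound to {host}")
```

A listener flagged here is only reachable from the internet if perimeter filtering also allows it, so the findings should be compared against firewall and security-group rules before a service is disabled.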

 

Key Findings

 

  • In October of 2021, Russia began massing troops along the border with Ukraine and currently has approximately 100,000 troops stationed there.
  • On January 13, approximately 80 Ukrainian websites, including several government sites, were attacked by destructive malware.
  • Russia has demonstrated its ability to conduct coordinated cyber attacks in conjunction with kinetic military operations and military shaping operations numerous times previously.
  • Over the last five years, Russian threat groups have attempted to influence and undermine Western countries through election manipulation and tampering, particularly by pushing the balance towards far right or nationalist parties.

 

Optiv gTIC Analysis and Comments

Ukraine and Russia have had a tumultuous relationship since the dissolution of the Soviet Union in 1991; however, open conflict did not ensue until the pro-Russian president of Ukraine, Viktor Yanukovych, was toppled in the Revolution of Dignity in February 2014. Immediately following this revolution, Russia invaded and annexed the Crimean Peninsula. Shortly after, in April 2014, a series of military clashes began that would continue intermittently until the present day; these conflicts are responsible for the deaths of approximately 13,000 people. In addition to traditional military operations, Russia and several of its intelligence organizations have used cyber operations both as a tool of their own accord for purposes of espionage and destabilization and to supplement kinetic military attacks against several nations in their geo-political landscape.

 

In October of 2021, Russia began massing troops along the border with Ukraine and currently has approximately 100,000 troops stationed there. Russia has denied all accusations that they intend to invade Ukraine and states that they are mobilizing troops only in reaction to Ukraine procuring foreign weaponry and aspiring to join NATO. Naturally, discussions between Russian and U.S. diplomats have been ongoing, including talks in Geneva on January 10 and January 21, 2022. Integral to Russia’s demands has been a permanent exclusion of Ukraine and Georgia from NATO. The U.S. has denied willingness to discuss any restrictions to NATO’s membership policies but has expressed willingness to discuss arms control and military exercises as a means of compromise to maintain diplomacy.

 

On January 11, CISA, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) issued a Joint Cybersecurity Advisory discussing the capabilities of Russian state-sponsored actors, including their tactics, techniques and procedures (TTPs) and a list of recommendations for detection, response and mitigation.

 

Starting two days later on January 13, approximately 80 Ukrainian websites, including several government sites, were attacked by destructive malware. The malware used in the cyber attacks targeting Ukraine on January 13 and 14 was dubbed “WhisperGate.” Approximately 80 total websites were affected, including the Ukrainian Foreign Ministry, the Ministry of Education and Science and several state services. According to security researchers, WhisperGate malware uses two wipers in order to destroy the master boot record and to eradicate any recovery options. The attack was delivered disguised as ransomware; however, it is evident that it is not an actual ransom attempt as there is no recovery mechanism for victims to pay the ransom. Researchers believe that the actors likely gained initial access through the use of stolen credentials and had access for several months prior to the actual attack. Reports also suggest evidence of the malware being deployed to victims as early as October 2021, aligning with the initial influx of troops from Russia to the Ukrainian border. The lengthy reconnaissance period indicates that the threat actor that conducted these attacks is highly sophisticated.

 

Three attack vectors for this campaign resulted in either webpage defacement, installation of the wiper or credential theft. The attack vector of defacements was a direct exploitation of a vulnerability in the content management system (CMS) platform, OctoberCMS. Based on investigative findings, an authentication bypass vulnerability from August 2021 was likely exploited and leveraged to gain full access to the websites hosted on vulnerable instances of OctoberCMS.

 

A Ukrainian IT managed service provider (MSP) named Kitsoft was compromised through an employee’s account and was likely a vector for the WhisperGate installation. Kitsoft provides IT services to multiple Ukrainian government entities. Based on the techniques described for this attack vector, Optiv’s gTIC considers this to be a supply-chain attack (i.e., a third-party vendor or supplier was compromised to attack its customers).

 

Additionally, the Log4Shell vulnerability in Log4j (CVE-2021-44228) was reported as an attack vector. It is likely Log4Shell was leveraged to deliver WhisperGate as well, as other adversary groups have exploited this vulnerability to deliver ransomware and other malware since it was first disclosed in December 2021.

 

During this time, Russia has continued to send troops and military equipment, including ballistic missiles and air defense systems, to the border of Ukraine, particularly through Belarus. In response, a group of activists in Belarus, called the Belarusian Cyber-Partisans, encrypted the railway system to prevent Russia from being able to move through easily. They are refusing to decrypt the railroad system until 50 political prisoners have been released and Russian troops stop moving through Belarus.

 

At this time, geo-political discussions and posturing are ongoing. The U.S. has announced that some military personnel will be sent to Eastern Europe, but no details were released on this mission yet.

 

 

EIM Intelligence Comments:

Most Likely Course of Action: Optiv’s gTIC assesses with high confidence that Russian threat actors will continue targeting political, military and critical infrastructure objectives over the next 12 months. It is very likely that Russian state-sponsored actors will continue utilizing cyber attacks in conjunction with military shaping operations over the next 30 to 90 days for espionage and destabilization to achieve political aims, as witnessed in the most recent attacks on Ukrainian civilian and state organizations in January 2022. Additionally, it is very likely that Russian threat actors will utilize cyber attacks to destabilize Ukrainian political systems, as witnessed in numerous examples of election tampering over the last five years throughout Europe and the U.S.

 

Most Dangerous Course of Action: Optiv’s gTIC assesses with moderate confidence that Russian state-sponsored actors will increase the use of destructive malware in conjunction with kinetic military operations as part of their campaigns over the next 30 to 90 days as witnessed in the Russo-Georgian War in 2008 and the annexation of Crimea in 2014. It is very likely that Russian advanced persistent threats (APTs) will target Government, Utilities, Energy and Telecommunications sectors, as these are the sectors that have been targeted in the past and have the greatest impact on social and political stability.

 

Historical Examples of Russia Supplementing Kinetic Military Operations With Cyber Attacks

As mentioned previously, Russia has demonstrated its ability to conduct coordinated cyber attacks in conjunction with kinetic military operations and military shaping operations numerous times. Several notable examples of cyber attacks supporting kinetic military operations spring to mind in relation to the most recent attacks on private and public Ukrainian businesses.

 

Russo-Georgian War

The earliest notable example of a Russian cyber attack in conjunction with a kinetic military action took place in the Russo-Georgian War in 2008. To understand this conflict, it is important to understand some of the ethnic and political tensions at play at that time. Within the borders of the modern-day state of Georgia are two ethnic enclaves known as Abkhazia and South Ossetia. The central Georgian government is unable to directly assert their control over these regions. In fact, the Russian government not only recognizes them as independent, but has Russian soldiers stationed in both locations as peacekeeping forces.

When Georgian forces clashed with South Ossetian forces in 2008, the Russians reacted in support of their Ossetian allies. What resulted was a rout of the Georgian army within the borders of Georgia itself. Preceding this military action was a cyber attack against Georgian government and public websites. The cyber attack was allegedly carried out by “patriotic Russian hackers.” The fact that the attack immediately preceded a kinetic military action, and degraded the digital capabilities of the Georgian government, aligns with Russian goals. The fact that the attacks were carried out by non-state actors gives the Russian government plausible deniability.

 

Crimea

Crimea was the second time that cyber operations occurred in concert with kinetic military operations. Russian military forces occupied the Crimean Peninsula and instigated ethnically Russian Ukrainian rebels to take up arms against the government in Kyiv. All this was caused by the fall and exile of the pro-Russian president of Ukraine, Viktor Yanukovych. As Russian forces entered the Crimean Peninsula in March 2014 to annex it from Ukraine, Russian cyber actors likely associated with the Russian Military Intelligence group, or GRU, had already conducted a distributed denial-of-service (DDoS) attack against Ukraine’s (and particularly the Crimean Peninsula’s) telecommunications sector, many major websites and the cell phones of key Ukrainian officials. This cyber attack isolated the Crimean Peninsula and Ukraine as a whole, preventing a coordinated response or request for support from outside nations.

 

Russia’s control of Crimea’s communications sector also allowed them to broadcast messages of fear and persecution to the ethnically Russian citizens of the Crimean Peninsula. These messages inculcated fear against the Ukrainian government and, therefore, made Russian movement through the region easier.

 

Historical Examples of Russia Supplementing Military Shaping Operations With Cyber Attacks

Russia has a long history of utilizing cyber attacks to achieve political gains, but the majority of those are for the purposes of espionage and disruption and not tangible military gain. However, the attacks in Georgia and during the annexation of Crimea occurred directly in concert with kinetic military activities. Several other attacks occurred in coordination with military operations, if not directly supporting military movements.

 

As discussed previously, an ongoing series of clashes between Russia and Ukraine has occurred surrounding the Donbas region since the Spring of 2014. In December 2015, approximately one-and-a-half years after the annexation of Crimea, Russian threat actors remotely accessed the control centers of three Ukrainian electricity distribution companies, causing power outages for approximately 200,000 consumers. A similar attack disrupted a power distribution station in northern Kyiv in December 2016. These attacks represent some of the largest and most disruptive attacks on critical infrastructure systems ever seen globally. It is very likely that Russian threat actors will continue to implement cyber attacks on critical infrastructure systems in Eastern European countries to destabilize those countries and demonstrate their power while creating plausible deniability for the Russian government.

 


Figure 2: Locations of Major Attacks on Ukrainian Electrical Grid

 

Many experts are comparing the most recent Russian attacks using WhisperGate malware to the NotPetya attack of 2017. The NotPetya attack of 2017 has been described as the worst cyber attack ever, and it earned this title due to both its severity and extremely wide distribution. Like WhisperGate, NotPetya disguised itself as ransomware while aiming to encrypt the hard drives of infected computers. The attack was attributed to Russian state-sponsored actors targeting Ukraine; however, the malware affected far more than just Ukrainian companies. NotPetya spread so destructively that it affected companies worldwide, including Russian oil company Rosneft. According to Tom Bossert, a senior cybersecurity advisor to President Trump, the attack resulted in more than $10 billion in damages. It is likely that the effects of these attacks in Ukraine resulted in destabilization that allowed Russia to maintain an upper hand in the ongoing skirmishes and attacks occurring along the Donbas region and preventing Ukraine from focusing its attention on efforts to join NATO.

 

Historical Examples of Russian Influence Operations on Political Elections and Campaigns

Over the last five years, Russian threat groups have attempted to influence and undermine Western countries through election manipulation and tampering, particularly by pushing the balance towards far right or nationalist parties. Some of the most notable examples of cyber attacks impacting elections that have been attributed to Russian-backed state-sponsored threat groups were the European Union Referendum, otherwise known as Brexit, and the 2016 U.S. presidential elections.

 

In what the American Department of Homeland Security and FBI are calling “GRIZZLY STEPPE,” suspected Russian threat actors broke into email servers belonging to the Democratic National Committee prior to the 2016 U.S. presidential elections. The emails they exfiltrated were filtered through an online persona called “Guccifer 2.0,” a name which invokes an earlier cybercriminal who called himself “Guccifer,” which publicly released the copied emails of prominent personalities. Guccifer 2.0 was likely a fake construct, masking sophisticated intelligence operations. Multiple reports around the GRIZZLY STEPPE activities of 2016 implicate the Russian GRU and Russian civilian and military intelligence services (RIS). Attribution to specific named APT groups has been convoluted, but reports suggest GRIZZLY STEPPE should be attributed to “EnergeticBear” and “Dragonfly.” The efforts around GRIZZLY STEPPE are assessed with moderate confidence to overlap with the activities of two other distinct named Russian cyber APT groups, APT28 (aka Fancy Bear, Sofacy) and APT29 (aka Cozy Bear).

 

The graphic below illustrates the Optiv EIM Intelligence Threat Actor Metric calculated for the GRIZZLY STEPPE cyber adversary group. See Appendix B: Assessments and Probability Statements for an explanation of the Threat Actor Metric.

 


Figure 3: Threat Actor Metric Score for GRIZZLY STEPPE


 

Another notable example of a cyber attack that has been attributed to Russia with high confidence was the collapse of the British government’s voter registration website on June 7, 2016, less than two hours before the deadline to register to vote in the referendum on European Union membership. The attack was determined to be a DDoS attack and was linked to historical examples of Russian approaches to cyber attacks. In addition to the possible direct attack on the voter registration site, U.K. researchers identified over 400 Twitter accounts connected to the Russian Internet Research Agency (IRA) attempting to influence U.K. politics regarding the Brexit vote. Although not a typical example of a cyber attack, the use of media to spread disinformation is very likely to be evidenced in the current situation in Ukraine, as Russia has utilized this technique in the past (including in the Russo-Georgian war discussed earlier).

 

Several other examples of Russian impact on elections can be seen in the table below. This list is not exhaustive but covers notable elections with strong attribution to Russian threat groups. These examples show evidence of Russia’s penchant for sowing discord and disruption through election and campaign tampering. Optiv’s gTIC assesses with high confidence that Russia will attempt to impact Ukrainian political systems through espionage and disinformation in the next 3-12 months to destabilize Ukraine and sway the balance towards pro-Russian beliefs and far-right policies.

 

Date       | Location       | Election
-----------|----------------|--------------------------------------------------
June 2016  | United Kingdom | European Union membership referendum (“Brexit”)
Nov. 2016  | United States  | Presidential election
May 2017   | France         | Presidential election
Sept. 2017 | Germany        | Federal elections
Oct. 2017  | Spain          | Catalan independence referendum
Sept. 2021 | Germany        | Federal elections

 

Table 1: Elections with Possible Russian Influence Operations

 

 

Conclusions

Over the last 15 years, Russia has exhibited sophisticated cyber threat capabilities, of which only a handful are discussed in this report. Russian state-sponsored actors have used many different types of cyber campaigns to achieve political objectives while maintaining plausible deniability. The Russian government continues to assert that it does not use cyber or hybrid warfare despite evidence from recent incidents and campaigns that pointed to Russia-linked involvement. The latest example of Russia utilizing destructive malware against many Ukrainian websites earlier in January 2022 demonstrates Russia’s commitment to the use of hybrid warfare against its enemies. As the situation in Eastern Europe unfolds, it is very likely that Russia will continue to use cyber attacks for the purpose of espionage and disruption. If an escalation in tensions were to occur, it is probable that Russia would demonstrate its capability to execute DDoS attacks on Ukraine’s critical infrastructure. It is very likely that Russia will continue to use cyber attacks in conjunction with military shaping operations and kinetic military action in Eastern Europe to prevent the encroachment of Western ideology to Russia’s borders, particularly by preventing Eastern European countries from joining NATO, and preventing important regional energy resources from moving further out of Russia’s grasp.

 

 


Appendix B – Assessments and Probability Statements:

The Threat Actor Metric is a multi-faceted, qualitative approach developed by Optiv EIM Intelligence to determine an adversary’s or campaign’s potential risk to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.

 

Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Most Dangerous Course of Action (MDCOA) – Tactics, techniques or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – Optiv EIM Intelligence employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, Optiv EIM Intelligence leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

 

[Image: chart of probability statements and degree-of-likelihood terms]

 

Confidence statements, as defined by Optiv EIM Intelligence, apply to reliability and relevance of information reported and are as follows:

 

Confidence Level | Optiv EIM Definition | Factors | Quantitative Relevance
-----------------|----------------------|---------|-----------------------
High Confidence | Information and/or intelligence is assessed to be of high reliability and value to drive operations and decision. | Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation. | 75%+
Moderate Confidence | Information and/or intelligence is reasonable and warrants consideration or action or response where applicable. | Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”). | 45-65% (+/- 10%)
Low Confidence | Information and/or intelligence is unreliable or less relevant and provided as situational awareness. | Lack of established history or observations, unreliable or circumstantial evidence. | < 35%

 

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.
