It’s been 100 days since Russia invaded Ukraine, and we look back at the various cyber attacks associated with the conflict.
January 14M This year, a crackdown by Russian law enforcement authorities Has made headlines Around the world, 14 members of the infamous Sodinokibi / REVIL ransomware gang have been arrested. The crackdown comes after a series of talks between US and Russian officials, including Geneva in June Meeting Between President Biden and Putin. Russia’s foreign intelligence service has denied the allegations in a statement issued Friday stating “Similar, baseless allegations concerning Russia’s intelligence have been made more than once.
At a time when there was a real possibility of Russian aggression in Ukraine, Something He described the development as “a huge setback” Others even It is called “Russian ransomware diplomacy” is a kind of message to the United States about the willingness of Russia to exchange light sanctions for future attacks on Ukraine.
The night before (January 13)MOn the eve of the Orthodox New Year), a number of Ukrainian government agencies, NGOs and IT companies were targeted. Whispergate, Destructive malware that, according to Microsoft, was “designed to look like ransomware but lacked a ransom recovery system”. This type of misleading ransomware, as ESET researchers have also classified it, has the ultimate goal of disabling targeted devices, thus advising them to connect with national-state actors rather than cybercrime gangs.
January 14MThere were websites of several Ukrainian ministries and government agencies Distorted for display Anti-Ukraine image and read a message, “Fear and fear is the worst”. Both government and non-government organizations Target set In the days leading up to the attack, including a series of distributed denial-of-service (DDoS) attacks that ripped through several important Ukrainian websites. At the same time, clients of a major Ukrainian bank were at the end of an SMS campaign warning of a fake disruption to their bank’s ATM network.
Just one hour before the attack, a major cyber attack on Viasat’s satellite KA-SAT Disrupted broadband internet service For thousands of Ukrainians as well as other European customers, leaving thousands of bricked modems. Both United States And EU Condemned the attack and blamed Russia, which believed it was intended to undermine Ukrainian command communications during the first hours of the attack.
The first hour
The attack did not stop there either. In contrast, the cyber-attacks in January and early February are just the beginning of what is to come. On the evening of 23 FebruaryrdAfter the DDoS attack that brought several important Ukrainian websites offline, ESET Detected New data-wiping malware – HermeticWiper – on hundreds of machines from various organizations in Ukraine. Meanwhile, Viper’s time stamp shows that the malware was compiled on December 28M2021, suggesting that the attack has been working for some time.
The next day, as the military invasion of Ukraine was unfolding, ESET researchers found more data-wiping malware in the Ukrainian system. IssacWiper was much less sophisticated than that, and had no code matching with HermeticWiper and was ultimately less successful in deleting data on the target machine.
In many smaller installations, ESET researchers have also observed hermetic ransoms used at the same time as hermetic wipers. HermeticRansom was the first Report Early 24 FebruaryM And the wrong is ransomware. In other words, it had no financial purpose and was deployed as a decoy when the wiper was damaged.
Figure 1. Redemption note on HermeticWiper, complete with apparent reference to US election
The next 99 days
ESET researchers believe that those involved in various data deletion attacks CadywiperWhich was discovered March 14M, Were intended to target specific organizations in order to weaken their ability to respond adequately to attacks. The ESET has identified victims in the financial, media and public sectors, and has blamed both HermeticWiper and CaddyWiper for the sandworm, which has been identified by the United States as part of Russia’s GRU military intelligence agency.
The same notorious group was also responsible for attempting to deploy Industroyer2 against a high-voltage electrical substation in Ukraine, thanks to a timely discovery. Collaboration Between ESET and CERT-UA. The malware is a new version of Industroyer, the dangerous malware used to attack the Ukrainian electric power grid in 2016, leaving thousands without power.
Several Others The campaign continues with DDoS attacks, malware-compromising media networks, NGOs and telecom providers and government agencies. The Russian invasion of Ukraine had a profound effect not only on Ukraine but also on the ransomware landscape.
Figure 2. Attacks detected by ESET researchers before and after the Russian invasion of Ukraine
Taste your own medicine
In the first few months of 2022, according to ESET Telemetry, Russia was the top target country for all ransomware attacks, with 12% of total detection. This development is in stark contrast to the situation before the invasion, when Russia and some members of the Commonwealth of Independent States (CIS) avoided many ransomware attacks, probably because of criminals living in those countries or for fear of Russian retaliation.
Some of the attacks were carried out by Russian companies, including the space agency Roscosmos and the state-owned TV and radio network VGTRK. The attacks on Roscosmos and VGTRK were carried out by the NB65 hacking group, which took advantage of Leaked The code that led to the split of the County Hacker group came after disagreements among members over the gang’s promised support for Russia.
Russia targeted 40% of all screen-locking ransomware incidents (11% in Ukraine). Not surprisingly, as we have seen with the Hermetic Ransom display of political messages, some of these Russian attacks included the Ukrainian national salute, “Slava Ukrainian” (“Pride of Ukraine”).
Exploiting fear and solidarity
Not only are the countries involved in the war that have seen a spike in spam detection, with a total increase of 5.8% between February 24 and April. Shortly after the war began, ESET warned the scammers of danger Shamelessly Utilizing the global movement in support of Ukraine through fictitious charities and false appeals for grants.
And as a result of the war, Ukrainians were worried about accessing their money, or Russians were not able to use their bank cards abroad, ESET has found that cryptocurrency platforms are increasingly targeted and crypto-related malware is spreading.
Conclusion
The latest ESET threat report, published last Thursday, sheds light on the threat landscape in the first four months of this year. Above all, however, the described attacks show the destructive potential of cyber warfare in parallel with a conventional, dynamic warfare. At the same time, the growing cyber threat facing Ukraine since January is also a warning sign that future conflicts could escalate.
As ESET Senior Detection Engineer Eger Kabina observes, “We expect that attacks on a particular party will continue in the coming months and even ideology and war propaganda will become the central driving force for their spread.”
