Nixu Threat Intelligence Bulletin #1–2: Russia's War in Ukraine
This blog is based on the bulletins by Nixu Threat Intelligence Team. The blog will be updated as the situation in Ukraine develops.
Threat Intelligence Bulletin #2, 28-02-2022
Russia's war of aggression continues in Ukraine with the situation fluctuating every hour. The cyber threat landscape is also experiencing changes of its own.
Cyberattacks against Ukraine have thus far been more limited than expected. This contradicts what many came to expect from a Russian kinetic invasion. To date, we have not made any observations that would cause us to fear the type of damage that resulted from NotPetya in 2017.
Ransomware
Ransomware activity has been present since the beginning of the war. It is now suspected of being used as a decoy to cover for destructive wiper malware released simultaneously against Ukrainian targets. While notable, this is not the first time ransomware has been used as a decoy: there are parallels to the earlier WhisperGate wiper attacks against Ukraine.
Malware
The most notable form of cyberattack thus far has been a new wiper malware, dubbed Hermetic Wiper. The malware first appeared hours before Russia invaded Ukraine and targeted financial institutions and government contractors. Early analysis of the malware shows that it renders the system disk inoperable. Thus far the malware has been found on hundreds of systems in Ukraine, but also on systems in Latvia and Lithuania where two companies doing contractor work for the Ukrainian government were impacted.
Threat Actors
Cybercriminal groups have openly chosen sides in the war. The Conti ransomware group has threatened strikes against the critical infrastructure of any nation that attacks Russia, and Minsk-based UNC1151 has stated its intent to compromise the personal email accounts of Ukrainian military personnel, which it is attempting through password-stealing phishing emails. Other groups that have stated a pro-Russian stance include Cooming Project, The Red Bandits, and Sandworm.
Interestingly, there are signs of infighting among the groups expected to support the Russian cause. A member of the Conti ransomware group objected to the group's pro-Russian stance and released a large set of the group's internal data online. The LockBit 2.0 gang, which has been prolific across all sectors over recent quarters and is suspected of operating from Russia, has conversely distanced itself, saying it would "...not take part in cyberattacks on critical infrastructures...or engage in any international conflicts."
On the Ukrainian side, the government has openly canvassed cyber groups and individuals with relevant experience to join Ukraine on the cyber front. It has even released a list of the targets it wants to see attacked on the official Telegram channel of the "IT ARMY of Ukraine".
The number of participating threat actors and cybercriminal groups is expected to grow by the hour.
Hacktivism
We reported on Friday that Anonymous had declared itself at war with Putin's regime, and the group has already claimed responsibility for multiple attacks. Anonymous is believed to have used DDoS attacks to bring down Russian government websites, including that of the Kremlin. Anonymous has said that it has hacked the databases of both the Russian and Belarusian Ministries of Defence; the Russian database appears to contain officials' phone numbers, emails, and account credentials. Anonymous has also claimed to be behind the defacement of several Russian news websites, where it posted Russian war casualty figures and asked Russians to end the war.
Other hacktivist groups are also believed to be playing a role, including a Belarusian group called Cyber-Partisans, which seems to have had some success in compromising railway systems to hinder Russian troop movements in Belarus.
It is important to note that the situation is highly fluid with multiple cyber groups active and playing a role in the war. It is difficult to confirm at this time if the claims made by all groups are accurate. This may become clearer at a later stage.
Assessment
Of the attack types seen thus far, we believe that ransomware attacks are the most likely risk to our customers. Ransomware groups could target critical infrastructure or private organizations if they believe doing so could weaken a nation's willingness to support or assist a participant in the war.
At this stage, however, we assess with low confidence that cyberattacks are likely to take place only against Ukrainian, Russian, and Belarusian organizations. Nonetheless, collateral damage outside these nations cannot be excluded.
Recommended actions for organizations
All organizations are urged to ensure that their cyber defenses are running at optimum and that actionable intelligence and advice are being acted upon.
- Ensure that your layered cybersecurity defenses are in place and that adequate staff is available to action everything from alerts to patches. This does not necessarily mean changing your existing practices, but it is a reminder to consider how a cyber incident could impact the rest of your business.
- Practice breach or compromise scenarios with all relevant stakeholders within the organization, including public relations or communications teams.
- Ensure that your cybersecurity providers have updated communication lists and the most up-to-date listing of your assets. The higher the quality of the asset information you provide, the better the service they can deliver.
- If you have operations within the impacted regions, review how your organization could be affected if relevant infrastructure or financial services were down. It is recommended to have a backup plan ready for keeping relevant business processes running in case of a prolonged attack.
- The majority of suspected Russian attacks to date have been DoS and/or destructive (wiper) in nature. Organizations should ensure that they possess offline backups and that disaster recovery plans are in place. Follow CISA's latest advice on practical steps to safeguard your organization from destructive malware; this includes network segmentation, MFA, and security log monitoring.
Threat Intelligence Bulletin #1, 25-02-2022
Europe has found itself at war, and the cyber arena is more involved than ever before. The fifth domain has experienced a series of attacks with Russia, Ukraine, and other neighboring countries impacted. While these are still early days, Russian cyberattacks have taken down Ukrainian government and media websites with DDoS attacks. Wiper malware attacks have also been observed; they can be used to destroy critical information on computer disks, rendering them unusable. These attacks have caused undetermined damage to Ukraine's systems along with collateral damage to Latvian and Lithuanian companies performing contractor work for the Ukrainian government.
Although not verified in all cases, Russian threat actors are also highly suspected of having conducted similar attacks on prominent online journalists, reporters, and activists, such as those providing news to the Ukrainian people or documenting Russian troop movements.
On the side of the invader, Russian government websites have been impacted, including the Kremlin's webpage. Information is too limited at this time to make a judgment on the actor, whether external or internal, or on the reason behind these incidents. Ukraine, though, is fighting back, not just on the streets but also in the cyber domain: the Ukrainian government has issued a general call to its people, not just for fighters but also for cyber defenders.
While we cannot yet say whether Western governments have conducted retaliatory cyber strikes against Russian websites or infrastructure, we believe this is likely to occur. The Russian invasion has also drawn in outside actors, the most notable thus far being the hacktivist group Anonymous, which announced that it was declaring itself at war with Russia.
We believe it is likely that the level of activity seen so far in the cyber domain is only the beginning, and that there will be more actions to come from all sides involved. It is particularly concerning and unpredictable what a major state-level cyber conflict could mean for uninvolved parties and countries. The risk of spillover into the civilian landscape could be high, especially as amateurs and other non-state-affiliated cyber actors get involved.