Customer Advisory | Cyber Attacks in Ukraine: What You Need to Know
Published January 28, 2022 | Updated February 22, 2022
Prepared by Deepwatch Threat Intel Team
On February 22, the Associated Press reported that Russian President Vladimir Putin requested parliament’s permission to use military force outside the country, a step that might foreshadow a larger attack on Ukraine after the US said an invasion had already begun.
Prior to Tuesday’s request, significant DDoS attacks occurred on February 15, when threat actors attacked Ukraine’s armed forces, defense ministry, public radio, and the country’s two main national banks, taking certain services offline for two hours and informing some Privatbank customers that the bank’s ATMs were not operating. The DDoS assaults have rendered certain essential services unavailable to Ukrainians, causing confusion and concern as Russian soldiers continue to mass on the Ukrainian border. The SMS messages were not sent by Privatbank, and Ukrainian cyber police stated that “it was an information attack.” Since then, there has been more DDoS activity, including an attempted targeted attack on Ukraine’s Government Services Portal, which had little effect on the website, according to reports.
Based on prior Russian APT campaigns that were likely intended to target just Ukraine but expanded far beyond, the Deepwatch Threat Intel Team believes that, in connection with a Russian military invasion of Ukraine, Russian state-sponsored cyberattacks could be undertaken against groups outside of Ukraine. Furthermore, it’s probable, but less likely, that Russia might try to divert attention away from the invasion of Ukraine by launching cyberattacks against NATO members.
Furthermore, it is very likely that cyber-offensive activities against Ukraine would most likely be in the form of DDoS attacks and website defacements aimed at the Ukrainian government and media institutions, internet infrastructure, and e-services utilized by Ukrainian residents, such as digital banking. In addition, it is likely that Russian state-sponsored threat actors would use wiper/encrypting malware in preparation for an invasion of Ukraine.
The Deepwatch Threat Intel Outlook:
In light of these events, the Deepwatch Threat Intel Team recommends following the guidance from CISA on vulnerability management for the updates on the latest CVEs and Significant Cyber Events. For more information on prevention strategies, read the original “Threat Intel Outlook” section below.
- On January 13, several Ukrainian government websites were vandalized or taken offline as tension with Russia escalated. The SBU, Ukraine’s security service, indicated that these attacks were associated with “hacker groups linked to Russia’s intelligence services.”
- A new malware family known as WhisperGate, used in the attacks against Ukraine, is a file wiper class that disables Windows Defender Threat Protection and is intended to destroy data. It has been discovered on the various Ukrainian government, non-profit, and information technology organizations systems.
- Researchers with Cisco’s Talos threat intelligence said the malware that wiped dozens of government computer systems in Ukraine has some strategic similarities to the NotPetya wiper that was used to attack Ukraine in 2017 and caused nearly $10 billion in damages worldwide.
- Deepwatch Threat Intel Team assesses with moderate confidence that as the Russia – Ukraine conflict escalates, more cyber attacks within that region will likely occur that could potentially impact organizations that have business partners or affiliations in that region due to collateral damage of these escalating attacks. Therefore, it is recommended that customers take proactive steps to harden their networks against potential threats stemming from these events in Ukraine.
According to numerous reports, a wave of cyberattacks against multiple Ukrainian government websites began on January 13. According to these reports, several government websites were vandalized or taken offline due to these attacks. As a result, the Ukrainian government formally accused Russia of orchestrating the assaults on their websites.
In an article published by the Associated Press, they state that the SBU, Ukraine’s security service, claimed that their preliminary investigation suggested the involvement of “hacker groups linked to Russia’s intelligence services,” adding that most of the websites had reopened and that no personal data had been compromised. Instead, according to the SBU, the perpetrators “hacked the infrastructure of a commercial company that had access, with administrator privileges, to websites affected by the attack.”
On January 15, Microsoft revealed a new malware family known as WhisperGate, first discovered on January 13, 2022. This malware is a file wiper class that disables Windows Defender Threat Protection and is intended to destroy data. It has been found in the various Ukrainian government, non-profit, and information technology organizations. According to Microsoft, the usage of this unique malware family has been officially traced to a threat actor they track as DEV-0586.
On January 21, researchers with Cisco’s Talos threat intelligence said the malware that wiped dozens of government computer systems in Ukraine starting on January 13 has some strategic similarities to the NotPetya wiper. It was used to attack Ukraine in 2017, causing nearly $10 billion in damages worldwide. Additionally, Cisco stated that any organization with connections to Ukraine should “carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage.”
Through their analysis, they “assess that attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.”
Mandiant stated on January 20 that they “have been anticipating this activity, and we are concerned that, unlike the recent defacements and destructive attacks, future activity will not be restricted to Ukrainian targets or the public sector.” They go on to assess that they “are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine.”
In light of the growing escalations in Ukraine, the CISA Insights that was published (PDF) on January 18 and covered in Deepwatch’s Threat Intel Team’s Cyber Intel Brief released on January 24, The Insights provides organizations with steps and guidance to mitigate threats posed by the cyber incidents in Ukraine.
The most recent developments in the Ukraine-Russia conflict revolve around hacktivist attacks. On January 25, the Guardian reported that Belarusian Cyber Partisans, an anti-Belarusian government hacktivist group, hacked the computer system of Russia’s state-run railway, threatening to halt trains carrying Russian soldiers and weaponry to the nation in preparation for a possible invasion of Ukraine.
According to a member of the Cyber Partisans, the hacktivist group has encrypted or damaged internal databases used by Belarusian railroads to handle traffic, customs, and stations, causing delays for commercial and non-commercial trains as well as “indirectly affect [sic] Russia troops movement.”
In light of these recent developments, the Deepwatch Threat Intel Team continues to monitor the ongoing cyber conflicts in Ukraine and inform customers of any new outcomes. In addition, the Threat Intel Team will notify customers of any steps customers need to take to mitigate the potential risk associated with these events.
Deepwatch Threat Intelligence Outlook
Deepwatch Threat Intel Team assesses with moderate confidence that as the Russia – Ukraine conflict escalates, more cyber attacks within that region will likely occur that could potentially impact organizations that have business partners or affiliations in that region due to collateral damage of these escalating attacks. Past destructive malware such as NotPetya and now WhisperGate shows that threat actors are masquerading as ransomware to encrypt files on the system with no way to decrypt them thus making these systems inoperable. Therefore, customers are recommended to take proactive steps to harden their networks against potential threats stemming from these events in Ukraine. Deepwatch recommends customers follow guidance from CISA as well as the publication by Mandiant titled “Proactive Preparation and Hardening to Protect Against Destructive Attacks.”