
What Does the Ukraine Invasion Mean for Cyber Warfare?

Cyber warfare is here to stay. The Russia/Ukraine conflict underscores the long-held fear that kinetic warfare can and will be combined with organized, sustained cyber warfare, used asymmetrically against a militarized adversary and its country’s critical infrastructure.

Ukraine’s History of Russian Cyberattacks

Looking back, it is relatively easy to determine that the Russian invasion of Ukraine started long before Russian troops crossed into sovereign Ukrainian territory last week. Dating back to 2014 and 2015, Russian state-sponsored threat actors, or groups operating with the tacit approval of the Russian Federation, have been testing their capabilities against Ukraine’s government, critical infrastructure and the Ukrainian people.

Following economic sanctions against Russia for the first invasion of eastern Ukraine and the annexation of Crimea in 2014, a Russian-sponsored advanced persistent threat (APT) group known as Sandworm (aka VOODOO BEAR) successfully took down portions of the Ukrainian power grid for up to six hours in several locations in 2015 & 2016.

In 2017, several governments, including the US, Canada, the United Kingdom, Australia and New Zealand, among others, attributed NotPetya, destructive malware masquerading as ransomware, to the Russian military’s GRU for an attack that targeted Ukraine’s power grid, financial sector and government institutions. NotPetya’s indiscriminate design allowed it to spread further into European, Russian and US businesses.

In addition to directed attacks targeting Ukraine, Russian botnets and disinformation/misinformation campaigns have been targeting global elections and high-profile events for years, especially in Ukraine.


Present Day Russian Aggression

Fast forward to the current Russian invasion of Ukraine and it is quite clear that Russia has identified a strategic advantage to coupling cyber warfare with kinetic warfare to varying degrees of success. Cyberattacks targeting Ukraine have continued unabated against financial and state institutions, culminating in 135 attacks in December 2021 and more than 260 registered in January 2022.

In the immediate run-up to Russian ground forces invading Ukraine in 2022, large-scale distributed denial-of-service (DDoS) attacks targeted the Ukrainian Armed Forces, the Defense Ministry, Public Radio and Ukraine’s two largest banks, Privatbank and Oschadbank, taking them offline for hours to days. In addition to the deliberate targeting of critical infrastructure with relatively unsophisticated tactics (DDoS), at least two different types of destructive wiper malware masquerading as ransomware were found in circulation.

Incident analysis indicates that in January 2022, Russian state-sponsored actors were using the WhisperGate wiper, reminiscent of Sandworm’s NotPetya malware. As early as November 2021, traces of HermeticWiper, also attributed to Sandworm, appeared to use the same ransomware-masquerading technique, combined with PartyTicket, to distract responders from recognizing that data was being wiped rather than encrypted.

Information attacks on civilian financial institutions were conducted alongside targeted critical infrastructure attacks and destructive malware intended to disable or impair Ukrainian response capabilities. In one such attack, Russian bots used SMS messaging to impersonate Ukraine’s largest bank, Privatbank, informing customers that ATMs would be offline. The information attacks are believed to have been designed to sow chaos and potentially trigger a run on Ukrainian banks, adversely affecting Ukraine’s financial system.

Ukraine also experienced significant website defacements and more than 18,000 social media bot accounts heralding a Russian propaganda campaign that claimed Russian military activities were necessary to rid Ukraine of Neo-Nazis and to liberate Russians from the grips of the Ukrainian government.

Security researchers and threat intelligence practitioners have indicated that, in addition to state-sponsored threat actors, many cybercriminal gangs are permitted to operate within the borders of the Russian Federation with the tacit approval of the Russian military, intelligence services, law enforcement and the Kremlin. Indicators of this coordination began appearing on the dark web, where advertisements for large datasets specific to Ukrainian military service members and government agencies were seen as early as January 2021.

Where state-sponsored threat actors tend to operate, there are also scores of ‘Hacktivists’ and affiliate groups that have begun choosing sides in the conflict. For instance, UNC1151, known to be affiliated with the Belarusian government, expressed its support by engaging in mass phishing emails targeting Ukrainian military members with ‘i.ua’ and ‘meta.ua’ email addresses.

To date, several APTs and threat actor groups not affiliated with the Russian Federation have publicly expressed support for Russia’s actions, lending their services and capabilities:

  • UNC1151
  • Conti Ransomware Group (over 700 known ransomware attacks, globally)
  • The Red Bandits
  • Cooming Project

On the other side, groups are also lining up behind Ukraine in the war, notably ‘Anonymous’ and ‘GhostSec’. Recent Twitter posts indicate that ‘Anonymous’ appears to be taking the fight directly to military forces and government agencies in both Russia and Belarus, targeting critical infrastructure and logistics capabilities, while ‘GhostSec’ has launched DDoS attacks “in support of the people of Ukraine” against Russia.


Threats to NATO-Allied Countries

At this point, no direct threats have been made against countries outside Ukraine as a result of the Russian invasion. However, Vladimir Putin has threatened retaliation against anyone who interferes with his invasion of Ukraine, with “consequences you have never seen.”

Global governments are weighing the credibility of that threat and whether it extends to nuclear warfare. It is almost certain that any “consequences” would include cyberattacks against NATO-allied countries, should they get involved.

Does this mean it is time for the rest of the world to get serious about protecting critical infrastructure and economic systems from attacks related to not only Russian threat actors, but other nation-state actors that are quietly observing the global response to Russia — namely China, Iran and North Korea?

Specifically, the US Cybersecurity and Infrastructure Security Agency (CISA) advised on February 24, 2022, that Iranian government-sponsored threat actors were actively conducting cyber operations against governments and commercial networks worldwide and should be actively monitored.


Impacts, GoSecure Guidance and Conclusions

Russian cyber activities appeared to be rather limited in scope and capability immediately preceding the ground invasion of Ukraine. Analysts are unsure whether threat actors no longer had access to take down power grids or inflict severe damage on the Ukrainian critical infrastructure, or if those capabilities were being held back for a later campaign.

GoSecure is keeping a very close eye on the current situation in Ukraine and any potential impacts it might have on our customers. We are diligently monitoring current threat intelligence to ensure that we have the most up-to-date information on exploits and attack vectors being utilized by APTs or other threat groups associated with current geopolitical events. The GoSecure Titan Labs team is actively working to develop new detection signatures as more information becomes available.

Additionally, our analysts remain vigilant in monitoring client assets, particularly for clients in industries such as utilities that are at greater risk of being targeted. We believe the following industries are at greater risk:

  • Energy
  • Government/Mass Transit
  • Defense
  • Finance/Insurance
  • Healthcare
  • Technology
  • Media

As noted above, no direct cyber threats have been made towards NATO-allied countries supporting Ukraine’s fight against the Russian invasion. However, we are actively tracking multiple Russian state-sponsored and/or affiliated threat actors that have expressed material support for the Russian Federation. GoSecure Titan Labs has also ensured we have detection for the tactics, techniques, and procedures (TTPs) related to the recent Ukraine wiper malware, including PowerShell execution bypasses, LSASS minidumps, suspicious Discord CDN traffic and more.

Understanding the tactics, techniques, and procedures (TTPs) of the following threat actors will better prepare organizations to defend against emerging threats:

  • Berserk Bear aka Dragonfly 2.0
  • Cozy Bear aka APT29
  • Fancy Bear aka APT28
  • Primitive Bear aka Gamaredon Group
  • Venomous Bear aka Turla
  • VOODOO Bear aka Sandworm
  • UNC1151 (Belarus)
  • Conti (Ransomware Group)
  • The Red Bandits
  • Cooming Project

We also recommend the following cybersecurity activities to all organizations that want to elevate their security awareness and posture:

  • Ensure visibility and increased auditing of logs, network, and endpoint assets
  • Immediately remediate any at-risk or exposed vulnerabilities known to be actively exploited
  • Test or confirm Incident Response Plans
  • Test/validate offline backups and Disaster Recovery Plans
  • Ensure ongoing monitoring for common threat actor tactics:
    • Phishing and Disinformation Campaigns
    • Living off the Land (LotL)
      • PowerShell Execution Bypass
      • LSASS Minidumps
    • Lateral Movement
    • Malware
    • Disruption of Industrial Control Systems (ICS)
    • Distributed Denial of Service (DDoS) Attacks
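As an added example (not GoSecure Titan Labs’ own signatures), the following Python script shows what a first-pass detection for three of the TTPs listed above might look like when run over constructed sample telemetry: PowerShell execution-policy bypasses or encoded commands, unexpected handle access to lsass.exe (the precursor to an LSASS minidump), and downloads from the Discord CDN by a non-browser user agent. The JSON field names, the sample events, the regexes and the process allowlist are assumptions modelled loosely on Sysmon/EDR and web-proxy exports, and would need tuning against real data.

```python
"""Toy detection pass for three TTPs from the recommendations above.
Added example; the event schema and allowlist are assumptions, not a vendor's."""
import json
import re

# Constructed sample telemetry (not real customer data). Each line is one JSON
# event: a process creation, a cross-process handle open, or a proxy request.
# The encoded command is a placeholder (UTF-16LE "ABC123"), not a real payload.
SAMPLE_LOG = r"""
{"event_type": "process", "host": "WS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMAMQAyADMA"}
{"event_type": "process", "host": "WS02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"}
{"event_type": "process_access", "host": "WS01", "source_image": "C:\\Windows\\System32\\rundll32.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"}
{"event_type": "process_access", "host": "WS02", "source_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"}
{"event_type": "proxy", "host": "WS01", "dest": "cdn.discordapp.com", "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"}
{"event_type": "proxy", "host": "WS03", "dest": "cdn.discordapp.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/98.0.4758.102 Safari/537.36"}
"""

# Rule 1: PowerShell launched with an execution-policy override or an encoded command.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
EP_BYPASS = re.compile(r"(?i)(?:^|\s)[-/](?:ep|exec|executionpolicy)\s+(?:bypass|unrestricted)\b")
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")

# Rule 2: a process other than a known legitimate reader opens lsass.exe with
# PROCESS_VM_READ (0x0010) in the granted access mask. Allowlist is an assumption
# and must be tuned per environment (AV/EDR agents differ).
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
PROCESS_VM_READ = 0x0010

# Rule 3: Discord CDN fetch without a browser-looking user agent.
DISCORD_CDN_HOSTS = ("cdn.discordapp.com",)
BROWSER_TOKENS = ("Chrome/", "Firefox/", "Edg/", "Safari/")


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def alert(rule: str, ev: dict, evidence: str) -> dict:
    return {"rule": rule, "host": ev.get("host", "?"), "evidence": evidence}


def check_powershell(ev: dict) -> list:
    if basename(ev.get("image", "")) not in POWERSHELL_IMAGES:
        return []
    cmd = ev.get("command_line", "")
    hits = [name for name, rx in (("execution_policy", EP_BYPASS), ("encoded", ENCODED_CMD)) if rx.search(cmd)]
    return [alert("powershell_execution_bypass", ev, ",".join(hits))] if hits else []


def check_lsass(ev: dict) -> list:
    if basename(ev.get("target_image", "")) != "lsass.exe":
        return []
    src = basename(ev.get("source_image", ""))
    access = int(ev.get("granted_access", "0x0"), 16)
    if src in LSASS_READER_ALLOWLIST or not (access & PROCESS_VM_READ):
        return []
    return [alert("lsass_access", ev, f"{src} granted {hex(access)}")]


def check_discord_cdn(ev: dict) -> list:
    dest = ev.get("dest", "").lower()
    if not dest.endswith(DISCORD_CDN_HOSTS):
        return []
    ua = ev.get("user_agent", "")
    if any(tok in ua for tok in BROWSER_TOKENS) and "PowerShell" not in ua:
        return []
    return [alert("discord_cdn_non_browser", ev, f"{dest} ua={ua!r}")]


DISPATCH = {"process": check_powershell, "process_access": check_lsass, "proxy": check_discord_cdn}


def scan(log_text: str) -> list:
    """Run every rule over JSON-lines telemetry and return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        handler = DISPATCH.get(ev.get("event_type"))
        if handler:
            alerts.extend(handler(ev))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['rule']}] host={a['host']} {a['evidence']}")
```

On the constructed sample this raises exactly three alerts, all for WS01, while the scheduled inventory script on WS02, the antivirus engine reading lsass.exe, and the Chrome download on WS03 stay quiet. In production the same three checks would typically live as Sigma rules or SIEM searches rather than a script, but the logic (image name plus command-line pattern, target process plus access mask plus allowlist, destination plus user-agent) carries over directly.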

Be sure to check in on the GoSecure blog as the threat intelligence experts at GoSecure Titan Labs continue to monitor events and investigate risks, so that GoSecure customers, and the cybersecurity community in general, are aware of the latest updates. As always, if you have any questions or concerns related to this matter, please don’t hesitate to reach out to the security experts at GoSecure for more information.
