By Kathy Gibson – The very visible war between Russia and Ukraine is taking place on the ground, but a fierce battle is also taking place in the cyber environment.
And there’s a danger that these attacks – which vary widely in terms of complexity and sophistication – may spill over to organisations in other countries.
In fact, Ukraine has always been a hotspot for cyberattacks, says Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky.
Between 2019 and 2022 there has been a spike in Gamaredon (also tracked as Armageddon) operations. These followed the 2018 Hades cyberespionage campaign, and before that the 2017 BadRabbit attack, the FlowerDandy framework and the NotPetya supply chain attack of the same year.
Ukraine was first heavily targeted in 2014, with the BlackEnergy APT's router compromises around the elections, and with the CyberBerkut leaks and DDoS attacks against the Ukrainian Central Election Commission.
Ukraine also suffered a power grid attack in December 2015 using BlackEnergy3 and KillDisk, followed in December 2016 by the Industroyer attack, which targeted ICS functionality directly.
Indeed, a number of long-standing Russian-language threat actors are currently active in Ukraine, Raiu adds.
The situation today is a complex mix of different threats targeting the country, including known APT activity such as Gamaredon as well as previously unseen tooling wielded by ransomware actors, cybercriminals and hacktivists.
An interesting trend is the use of commodity malware, possibly in an attempt to prevent attribution.
“We are also seeing a pretty intense information war, including misinformation, disinformation, fake leaks, real leaks – the picture is quite complex,” Raiu says.
“At the same time, the most intense activity is probably still to come and we are on the lookout for more sophisticated cyberattacks.”
Some of the malware deployed in January and February, including WhisperGate, HermeticWiper and IsaacWiper, was first seen in December 2021, indicating that it was prepared well before the invasion.
At the network level, Kaspersky has seen 23 000 unique new attacking IP addresses over the last three to four weeks, with 11 000 of these on sensors located in Ukraine.
Currently, attacks in Ukraine appear to be coming mainly from devices in China, the US and the Russian Federation – although this could simply be because there are a lot of infected devices in those geographies.
Interestingly, the network attacks appear to be quite focused rather than indiscriminate.
Raiu points out that any one of these attacks could let a threat actor gain a foothold in the victim's network and then use it as a launch point for further attacks.
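The sensor figures above (unique new attacking IPs, the share seen on Ukrainian sensors, and the caveat that source countries may simply reflect where the most infected devices are) are easier to reason about with the aggregation written out. The following is an added example and not Kaspersky's code: the log lines, the CIDR-to-country map standing in for a GeoIP lookup, the previous-window baseline and the per-country infected-device estimates are all constructed for illustration. It counts unique source IPs rather than events, treats an IP as "new" only if it was not seen in the previous window, and normalises per-country counts by the assumed infected-device population to show that the raw ranking and the normalised ranking can disagree.

```python
"""Aggregate attacking source IPs from network-sensor logs.

Added example, not Kaspersky's tooling. Every input below (log lines,
CIDR-to-country map, previous-window baseline, infected-device estimates)
is constructed for illustration.
"""
from collections import Counter
import ipaddress
import re

# Constructed sensor log: timestamp, sensor location, source IP, target port, event.
SENSOR_LOG = """\
2022-03-01T00:01:02Z sensor=UA src=203.0.113.10 dport=445 event=smb_probe
2022-03-01T00:01:05Z sensor=UA src=203.0.113.10 dport=445 event=smb_probe
2022-03-01T00:01:40Z sensor=UA src=203.0.113.11 dport=445 event=smb_probe
2022-03-01T00:02:08Z sensor=DE src=203.0.113.12 dport=22 event=ssh_bruteforce
2022-03-01T00:02:11Z sensor=UA src=198.51.100.7 dport=22 event=ssh_bruteforce
2022-03-01T00:03:40Z sensor=DE src=198.51.100.7 dport=22 event=ssh_bruteforce
2022-03-01T00:04:02Z sensor=UA src=198.51.100.200 dport=3389 event=rdp_bruteforce
2022-03-01T00:05:19Z sensor=UA src=192.0.2.44 dport=3389 event=rdp_bruteforce
2022-03-01T00:06:33Z sensor=PL src=203.0.113.99 dport=80 event=web_scan
2022-03-01T00:07:00Z sensor=UA src=203.0.113.99 dport=80 event=web_scan
"""

# Constructed stand-in for a GeoIP database (documentation prefixes only).
GEO = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US", "192.0.2.0/24": "RU"}

# Constructed baseline: source IPs already seen attacking in the previous window.
PREVIOUS_WINDOW = {"203.0.113.99"}

# Constructed estimate of known-infected devices per country, used to normalise.
INFECTED_DEVICES = {"CN": 5000, "US": 4000, "RU": 500}

LINE_RE = re.compile(r"sensor=(?P<sensor>\w+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)")


def country_of(ip: str) -> str:
    """Map a source IP to a country code via the constructed CIDR table."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"


def parse(log: str) -> list[tuple[str, str]]:
    """Return (sensor, src_ip) pairs; lines that do not match are skipped."""
    return [(m["sensor"], m["src"]) for m in map(LINE_RE.search, log.splitlines()) if m]


def summarise(log: str = SENSOR_LOG, previous: set[str] = PREVIOUS_WINDOW,
              population: dict[str, int] = INFECTED_DEVICES) -> dict:
    """Count unique and new attacking IPs, split by sensor location and country."""
    events = parse(log)
    all_ips = {src for _, src in events}                  # dedupe: one IP, many events
    new_ips = all_ips - previous                           # "new" = not in the prior window
    new_on_ua = {src for sensor, src in events if sensor == "UA"} - previous
    by_country = Counter(country_of(ip) for ip in new_ips)
    # Attacks per 10 000 assumed-infected devices: the raw count alone says
    # little about where an operation is run from, only where bots are plentiful.
    per_10k = {cc: round(n / population[cc] * 10_000, 1)
               for cc, n in by_country.items() if cc in population}
    return {
        "unique_attacking_ips": len(all_ips),
        "new_attacking_ips": len(new_ips),
        "new_on_ukraine_sensors": len(new_on_ua),
        "new_by_country": dict(by_country),
        "new_per_10k_infected": per_10k,
        "raw_ranking": [cc for cc, _ in by_country.most_common()],
        "normalised_ranking": sorted(per_10k, key=per_10k.get, reverse=True),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

On the constructed input the raw ranking puts CN first simply because three distinct CN addresses appeared, while the normalised ranking puts RU first; which view is appropriate depends on whether the question is "where are the bots" or "who is unusually active", which is the distinction Raiu's caveat draws.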
On the APT front, there has been a significant uptick in Gamaredon activity in Ukraine during the last three or four weeks.
“This group is not very sophisticated, but there has been a massive increase in command and control attacks which might be considered as a sign that something is going to happen, that attacks are going to increase,” Raiu says.
A number of other threats highlighted by international monitoring groups could be related to the Gamaredon activity, he adds.
Pandora RAT, or PandoraBlade, spear phishing campaigns have been seen in Ukraine as well. This is commercially available malware, and Raiu suggests it could be employed to hinder attribution efforts.
The MicroBackdoor tool, created by the same person responsible for the original BlackEnergy malware, has been used with some success in Ukraine as well.
A number of destructive wipers, some posing as ransomware, have been identified over the last weeks, including WhisperGate, HermeticWiper, IsaacWiper and HermeticRansom.
The fake-ransomware variants present a ransom note as if the data could be recovered, but instead of encrypting it for ransom they destroy it. The tools range in sophistication and complexity; HermeticWiper is not only the most sophisticated but also the most high-profile wiper seen so far.
One of the high-profile attacks that has hit Ukraine in the last couple of weeks was against Viasat satellite modems, causing the network to lose 20% of its capacity on 24 February.
While most of the affected terminals were in Ukraine, it also interrupted services in other parts of Europe, including the loss of remote monitoring for close to 6 000 wind turbines in Germany.
“I believe the timing of this makes it unlikely to be a random occurrence,” Raiu says, adding that the most likely cause was a remote hack or zero-day operation via satellite link.
“In scope this kind of attack extends well beyond Ukraine. While many attacks are in Ukraine, this one did affect devices throughout Europe.”
Meanwhile there has been an uptick in hacktivist and cybercriminal activity, with groups and forums springing up in support of either Ukraine or Russia. There are also groups that “just want to make money, not take sides”, as Raiu puts it.
“When we have these projects targeting each other there is a risk regular businesses will be affected, including those outside Ukraine and Russia,” he adds.
“We expect that cyberattacks in Ukraine will increase, and the risk of conflict spilling into the West is medium-high,” Raiu warns. “As operations escalate there is a risk of more reckless attacks that could affect other businesses.”
He cautions that organisations should take measures against DDoS attacks and network connectivity issues, ransomware, destructive malware, phishing, targeted attacks, supply chain attacks and firmware attacks.