Massive cyberattack on websites in Ukraine & Wiper malware (Feb. 23, 2022)

Sicherheit (Pexels, allgemeine Nutzung)[German]The armed conflict with which Russia is threatening Ukraine is also spreading to the Internet. After websites in Ukraine were already attacked in mid-February 2022, a massive attack on various government sites in Ukraine, banks, etc. has been taking place since February 23, 2022. In addition, a destructive malware (wiper) is circulating in Ukraine's computer systems. Here is a brief overview of what is known.


Advertising

Cyberattack on Ukraine (02/23/2022)

German blog reader Bolko has  already touched on it in this comment – pro-Russian cyber groups have been driving massive cyberattack on Ukraine state websites since 14:00 UTC. Bolko has indicated the following websites here:

Cyberangriff auf Webseiten der Ukraine

On the wholeserv.com website there is a notice that the EU has activated a rapid cyber response team (CRRT) with 12 experts from Estonia, Lithuania, Poland, Croatia, Romania and the Netherlands to support Ukraine. Currently (23:28, CET), the websites are accessible again, but NetBlocks clearly shows the attack on Twitter.

Ukraine: Cyber attack Feb. 23, 2022

The attacks seem to have been massive, so that even sites protected by Cloudflare were no longer accessible. The news site Forbes.com has published this article about it.


Advertising

DDoS attack on Ukraine

The colleagues from Bleeping Computer have collected some details in this article. On Twitter I read statements that they have not seen such a massive DDoS cyberattack before.

Cyberattack on Ukraine (15.02.2022)

Already on Feb 15, 2022 there was a massive cyberattack on websites in Ukraine (Reuters reported on it here) – Bolko pointed it out in his comment above. CERT-UA addressed it in this article. The White House (US) and the UK accuse Russian intelligence (GRU) hackers of having carried out these attacks – details can be read by colleagues here. I have received the following statement from security vendor Vectra AI:

Russia has considerable resources in terms of offensive cyber capabilities. The attack on 70 Ukrainian government websites in January of this year served as a warning of what could happen in a future conflict between the two countries. It is also worth recalling that in 2015, Russia proved it was capable of taking control of parts of Ukraine's power grid by knocking out substations at will, causing blackouts for some 230,000 residents.

If relations deteriorate further, attacks on critical national infrastructure in Ukraine, particularly in the telecommunications and energy sectors, can be expected-perhaps even before an invasion. This would serve to disrupt Ukraine's ability to organize, protect itself, and also inhibit the flow of information within the country and to the outside world, which would support any propaganda campaign.

This assessment has since been overtaken by reality. Cybersecurity analysts from Palo Alto Networks' Unit42 team identified the state-backed Russian hacker group Gamaredon (Primitive Bear APT) as responsible for the cyberattacks on Ukraine back in early February. This is a hacking group led by 5 Russian FSB officials – this is reported by Ukrainian domestic intelligence (SSU, Sluschba bespeky Ukrajiny – Ukrainian), see this article from Bleeping Computer. From Palo Alto Networks, I have the following assessment from an analysis by Team Unit42: 

Since 2013, shortly before Russia's annexation of the Crimean Peninsula, the Gamaredon group has targeted its cyber campaigns primarily against Ukrainian government officials and organizations. In 2017, Unit 42 published its first study documenting Gamaredon's evolving toolkit and giving the group a name, and over the years several researchers have found that the group's operations and targeting activities are consistent with Russian interests.

This link was recently confirmed on November 4, 2021, when the Security Service of Ukraine (SSU) publicly attributed the group's leadership to five Russian Federal Security Service (FSB) officials assigned to posts in Crimea. At the same time, the SSU also released an updated technical report documenting the tools and craftsmanship used by this group.

Unit 42 security analysts found evidence that Gamaredon targeted the Ukrainian government and other organizations, and even a Western government agency in Ukraine over the past 3 months, as part of widespread attacks. The security researchers identified:

  • 700 dangerous domains
  • 100 malware patterns
  • 215 dangerous IP addresses

that could be attributed to this APT. The complete analysis was updated with new findings as of February 16, 2022. Thus, the total number of indicators of compromise (IOCs) has increased to about 1,200. Here is an excerpt of compromised domains. 

Domains associated with Gamredon APT

While monitoring these APT group activities, Unit 42 observed an attempt to attack a Western government agency in Ukraine on January 19, 2022. In this attempt, instead of emailing a downloader directly to their target, the attackers instead used an internal job search and placement service in Ukraine. In doing so, the attackers searched for an active job posting, uploaded a Word document marked as a resume, and submitted it to a Western government agency through the job search platform. Given the steps and precise malware delivery associated with this campaign, this appears to have been a targeted, deliberate attempt by Gamaredon to target this Western government organization in Ukraine.

ESET discovers Wiper

In a series of tweets, security vendor ESET points out a newly discovered Wiper malware currently circulating in Ukraine. The company receives information about its virus scanner telemetry data. The Wiper is installed on hundreds of machines, with the operation having been prepared for months (first samples date back to December 28, 2021).

Wiping Trojan in Ukraine

The wiper was signed with a Hermetica Digital Ltd certificate and abuses legitimate drivers of EaseUS Partition Master software to corrupt data. As a final step, the wiper reboots the computer. In one of the affected companies, the wiper was delivered via the default GPO (domain policy). This means that the attackers likely took control of the Active Directory server.

Similar articles:
axis.com (IP security camera vendor) is down (Feb. 21, 2022)


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).