Debriefing Russia's Cyber Attacks Against Ukraine

As news continues to break about the ongoing crisis in Western Europe, Cyber Security professionals have been busy making sense of the role that presumably planned cyber-attacks have played in the conflict between Russia and Ukraine. A number of Russian cyber-attacks have served as a prelude to a physical invasion of Ukraine. There is a lot of information from the past two months to unpack and new events are continuing to be reported.

A quick review of the cyber events leading up to boots on the ground in Ukraine include Wiper Malware attacks, Distributed Denial-of-Service (DDoS) attacks, and website defacement attacks. After Russia established a physical presence in Ukrainian territory the cyber attacks continued to occur. Overall three different wiper malware samples have been used throughout the conflict.

WhisperGate, a destructive malware discovered by Microsoft was identified in attacks targeting organizations in Ukraine. The malware was observed 13 January 2022 and is considered a computer network attack (CNA) malware. The WhisperGate malware is like ransomware in the sense that it makes the system inoperable, however, the information cannot be decrypted or recovered once it is corrupted.

WhisperGate works in two stages, the first uses ransomware tactics to overwrite the master boot record and posts a note stating that the hard drive of the target machine has been corrupted. The second stage uses a beaconing implant to download a JPG file over an HTTPS connection to Discord’s content delivery network (CDN).[1] The malware makes use of an in-memory Microsoft Intermediate Language (MSIL) payload using Living Off the Land Binaries (LOLBINs). WhisperGate also evades detection by failing to detonate if certain monitoring tools are present in the system.

Unlike ransomware, the WhisperGate data wiper is not being deployed for financial gain, the sole purpose of this malware is to destroy data and disrupt the dissemination of information. Russian Advanced Persistent Threat (APT) actors have previously targeted operational technology (OT) and industrial control systems (ICS) making it likely that these attacks were carried out by Russian state-sponsored actors.[2]

The WhisperGate wiper malware was used to target government, non-profit and Information Technology organizations in the Ukraine. Attackers have used the malware to target Windows machines, however the Ukrainian government reported there could be a Linux variant of the malware.

Shortly after the discovery of the WhisperGate malware, on 14 January 2022, over 70 Ukrainian government websites were defaced. The sites displayed political statements written in Russian, Ukrainian, and Polish, along with political images. Typically, website defacement attacks are low-impact and high visibility attacks that can be quickly resolved.

What makes the defacement attacks interesting is the fact that the image displayed on the website has meta-data recorded in the image. Typically, meta-data from pictures will include the camera manufacturer and model, lens information, image sizing information and GPS coordinates. The image used to deface the website was not taken with a camera, but rather it was generated, so there would be no need for much of the metadata information. Polish investigators found that even though the image was generated, the attacker manually added GPS coordinates to the image. The coordinates lead to the location of the Warsaw School of Economics. Polish responders believe this to be an attempt at a false flag cyber-attack.[3]

Following the defacement attacks, Ukrainian banking, government, and military websites experienced the largest DDoS the country has seen to date. Similar to the web defacement, the DDoS was a high visibility attack, used to cause panic and unrest in the citizens of the Ukraine. This attack took place between the 15-16 of February 2022, with most of the affected sites recovering within a few hours. The DDoS attacks were compounded by the spread of false information through a widespread SMS campaign that took place 15 February 2022.

The following week on 23 February 2022 another round of DDoS attacks occurred. The targets for this round included Ukrainian banks and government departments including the Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Security Service (SBU) and Cabinet of Ministers. The websites were back up in running within a few hours. Two notable targets include Ukraine’s largest banks, PrivatBank and Oschadbank. Speculation about whether this round of DDoS attacks was a distraction for a new wiper malware to be distributed are still being investigated.

Following the DDoS attacks Russian troops entered Ukraine on 24 January 2022 minutes after a speech by Russian President, Vladimir Putin, declaring war against Ukraine. On the same day a new wiper malware, titled the HermeticWiper, was used to delete data from Government and Banking. The HermeticWiper malware was discovered by security experts at ESET and Symantic, and has a creation timestamp for 28 December 2021, implying that the use of this strain of malware had been planned months in advance.[4]

The use of DDoS and wiper malware were used to spread panic and confusion among Ukrainian citizens while Russian troops moved in for a physical invasion. The new HermeticWiper has targeted financial, defense, aviation and IT organizations throughout Ukraine and neighboring countries Latvia and Lithuania.[5]

The new HermeticWiper malware makes use of legitimate signed drivers and is detected as Win32/KillDisk.NCV.[6] The malware is delivered through the benign EaseUS partition management driver and corrupts the first 512 bytes on the disk making the Master Boot Record inoperable. The malware then shuts the target machine down. With a corrupt Master Boot Record the machine is effectively bricked.[7]

Adding to the chaos, independent hacking collectives including Anonymous and the Conti Ransomware group have thrown their hat into the fight. Anonymous declared they are officially in cyber war against the Russian government through a tweet on 25 February 2022. The group declared the campaign #OpRussia and claimed to have taken down three hundred Russian government, state media, and bank sites as of 27 February 2022. This can be very dangerous for either foe, as it will cause additional confusion on who to retaliate against. Caution is urged to hacking groups bent on helping on side or another.

The Conti Ransomware gang declared their support for the Russian Government, which caused an internal stir among the members. The gang is made up of members from both Russia and the Ukraine. The turmoil of the gang and their differing opinions of geopolitical support led to data leaks beginning with internal chats and ultimately leading to the dissemination of the ransomware source code. The leaks also include the code for BazarBackdoor which has taken the place of the TrickBot Trojan. From a security standpoint the now public source code is both useful and a significant problem. Now that the code is available security analysts can develop ways to mitigate attacks using the code, however, new criminal groups can build custom ransomware using the Conti source code base which poses a significant problem. The visual to the right was taken from the Cyber Threat Analysis Center (CTAC) tool by Red Sky Alliance. It shows the dispersion of data collected from ransomware families in the past thirty days, note that nearly 50% of the data collected in this time frame was from the Conti ransomware family. Conti ransomware had been rapidly rising through the ranks in 2021 and early in 2022 so it will be particularly interesting to see how this influence their future campaigns.

As the hybrid war in Eastern Europe continues, security experts are keeping a weary eye on events occurring in the Pacific. The events between China and Taiwan are showing a parallel with the cyber events between Russia and Ukraine leading up to the invasion.

During the November 2021 attacks targeting Taiwanese supply chains have been attributed to APT 10, also called Stone Panda, and the MenuPass Group. Initially the attacks were thought to be cause by poor password management, but recent events and an investigation by CyCraft revealed that the attacks were not the result of credential stuffing, rather the exploitation of a zero-day supply chain attack targeting specific financial software.[8]

Operation Cache Panda exploits a vulnerability in the web management interface of a securities software with an 80% market share in Taiwan. Threat actors are using this vulnerability to implant a Remote Access Trojan (RAT) to steal sensitive information. The operation employs the Quasar RAT which is an open-source RAT written in .NET. Quasar RAT is capable of taking screenshots, recording with the webcam (if applicable), keylogging, credential stealing, and editing registries. Motivation for the attacks does not seem to be financial gain, rather the theft of brokerage information and personally identifiable information. Which will damage the reputation of financial institutions and influence the growing economy.

China’s cyber-attacks against Taiwan have not reached the level of the attacks from Russia on the Ukraine, as tensions have not yet boiled over. China could very well be the current blind opponent on the World stage. It is vital to understand the role that cyber-attacks play in terms of escalating tensions between nations. Looking to the future it is inevitable that cyber attacks will play a huge role in physical invasions and wars.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: