Digital attacks in Ukraine: A Timeline | News item

Timeline

Expand overview

1. November 2022

   1. Around 16.20 a DDoS attack rendered the website of the European Parliament temporarily unavailable. According to the European Parliament President Roberta Metsola, a pro-Russian hackers’ collective claimed responsibility for the cyberattack.

   2. ESET tweeted that it had detected digital attacks on various Ukrainian organisations involving the use of RandomBoggs ransomware. According to ESET, the observed characteristics are in line with previous cyberattacks by the Russian actor Sandworm.

   3. The Belarusian Cyber Partisans, an activist group, claimed on Twitter to have access to the network of the Russian General Frequency Control Center (GRFC). They claimed to have encrypted the systems and obtained sensitive information.

   4. At the Aspen Cyber Summit, Mieke Eoyang (Deputy Assistant Secretary of Defence for Cyber Policy) said that Russian cyber staff are under-performing. Part of the reason for this is that Moscow was ‘not prepared for the fact that this conflict would last as long as it has,’ Eoyang remarked. 

   5. The Microsoft Threat Intelligence Center (MSTIC) attributed the cyberattacks using ‘Prestige’ ransomware to the Russian actor IRIDIUM. The observed activity, as described on 14 October in this timeline, has overlapping characteristics with cyberattacks carried out by IRIDIUM, also known as Sandworm.

   6. The FBI published security recommendations warning about activist, pro-Russian DDoS attacks. This guidance was issued following various observed DDoS attacks on vital infrastructure in the US. Although these attacks often have a limited impact, the FBI nevertheless recommend taking mitigating measures to reduce the likelihood that such attacks can occur.

      The NCSC website contains more in-depth information (in Dutch) on how to ensure that online services are not rendered inaccessible by DDoS attack:

      – Factsheet on ensuring the continuity of online services

      – Factsheet on technical measures to ensure the continuity of online services

      – Anti-DDoS coalition

   7. Shortly after the Russian invasion, the British government announced that it had made a cyber support package of £6.35 million available to help Ukraine protect its critical infrastructure. This cyber support package came in the wake of an increased number of Russian cyber activities against Ukraine a day after the invasion.

2. October 2022

   1. CERT-UA observed that there are fraudulent emails in circulation claiming to be from the press office of the General Staff of the Ukraine’s armed forces. The email contains a link to an external website, which instructs the user to perform a software update. This user interaction then launches the download of an executable file. When the file is run, the system will become infected with RomCom malware. Partly on account of the use of this particular type of malware, CERT-UA believes it is possible to attribute the activity to the actor behind the Cuba ransomware.

   2. Microsoft Threat Intelligence Center (MSTIC) flagged a new ransomware campaign which targets transport and logistics organisations in Ukraine and Poland. The type of ransomware being used was referred to as ‘Prestige’ ransomware.

      According to MSTIC there are a number of striking aspects to this campaign that distinguish it from other ransomware campaigns being monitored by Microsoft:

      – There is a certain degree of overlap with the victims of the HermeticWiper malware.

      – MSTIC could find no links between the characteristics of this new ransomware campaign and the 94 ransomware groups being actively monitored by Microsoft.

      – Company-wide deployment of ransomware is not common in Ukraine.

   3. FortiGuard Labs published a technical analysis of the spread of a Cobalt Strike beacon malware. The malware is deployed by means of an Excel file designed to look like a tool for calculating the salaries of Ukrainian military personnel. This malware campaign shows how malicious parties are using the war in Ukraine to carry out cyberattacks.

   4. The websites of several American airports, including Atlanta (ATL), Los Angeles (LAX), Chicago (ORD) and Orlando (MCO), were hit by a DDoS attacks.As a result they were temporarily inaccessible. The attacks, which have been attributed to the hackers’ group Killnet, apparently had no effect on flights to or from the airports.

   5. The hackers group Killnet claimed to have taken a number of US state government website offline (Colorado, Mississippi and Kentucky). The group had previously announced on Telegram that it was targeting US government sites. Most of the affected sites were back online the same day.

   6. According to Kyiv Post, a Ukrainian news platform, Russian hackers from the National Republican Army (NRA) carried out a ransomware attack on the Russian company Unisoftware. The platform claimed that customers’ personal data was stolen. The Kyiv Post writes that the Russian government is also a client of Unisoftware. The mobilisation of Russian citizens was allegedly the motivation for the digital attack.

3. September 2022

   1. The Finnish security and intelligence service SUPO warned of a possible increase in Russian cyber espionage activities in the upcoming winter. This warning was presumably rooted in Russia’s lack of human intelligence (humint), due to the expulsion of many Russian diplomats from Western countries. Western sanctions may be another push factor, motivating Russia to gather intelligence about developments in the realm of high tech, the agency reports. In light of this, SUPO will be keeping an extra close eye on industrial espionage from Russia.

   2. The Ukraine Ministry of Defence warned of large-scale Russian cyberattacks on critical infrastructure in Ukraine and on its allies. According to the Ministry, Russia is also seeking to ramp up the intensity of its DDoS attacks. These attacks are reportedly mainly targeting Poland and the Baltic States.

   3. Hackers from the Ukrainian army reportedly hacked the website of the Wagner Group, a Russian mercenary organisation. According to the Ukrainian Minister of Digital Transformation, the hackers were able to steal the personal data of all mercenaries affiliated with the organisation.

   4. Recorded Future published an analysis about the actor UAC-0113, which may have links to the Russian APT Sandworm. The actor poses as a Ukrainian telecom organisation and uses HTML smuggling to spread malware. According to Recorded Future the cyberattacks are probably aimed at targets in Ukraine.

   5. Cisco Talos warned of a campaign by the Russian APT Gamaredon. In this campaign the actor is deploying information-stealing malware. The malware, which targets Ukrainians, is spread by means of phishing emails about the war.

   6. In a blog post Google stated that it was seeing an increasing number of financially motivated hackers groups specifically targeting organisations in Ukraine. One of these groups, UAC-0098, which previously specialised in ransomware attacks (as an initial access broker), is now targeting Ukrainian organisations, including government bodies, and European non-profits. This actor has carried out various phishing attacks, posing as the Ukrainian National Cyber Police, Microsoft and Starlink.

   7. The hackers’ collective Anonymous claimed to have hacked the largest taxi service in Russia, Yandex Taxi. A number of traffic jams were caused in Moscow by sending multiple taxis to the same location.

4. August 2022

   1. Ukrainian nuclear agency Energoatom reports a Russian cyberattack against its website. According to the agency, the People’s Cyber Army hacker group used 7.25 million bots to take down the website. Energoatom says the attack had no impact on the functioning of the website.

   2. Microsoft warns of phishing attacks by Russian hacker group SEABORGIUM. According to Microsoft, espionage is the likely motive behind the attacks. SEABORGIUM primarily targets NATO member states, Scandinavia and Eastern Europe, including Ukraine. This group is also using the war in Ukraine as a subject in its phishing emails.

      Symantec publishes a blog about the activities of the Russian APT Gamaredon group. According to Symantec, between 15 July and 8 August Gamaredon launched cyberattacks on Ukrainian organisations with ‘info stealer’ malware. The blog follows a warning from CERT-UA about phishing emails from Gamaredon (see update of 26 July).

   3. The pro-Russian hacker group Killnet claims to have launched a DDoS attack on defence corporation Lockheed Martin. The group is also said to have stolen staff’s personal data during a cyberattack and has threatened to publish this information.

   4. Latvia’s national CERT, CERT.LV, reports on Twitter that a DDoS attack was carried out against the Latvian parliament, the Saeima. The cyberattack took place after the Saeima adopted a statement designating Russia as a state sponsor of terrorism. According to CERT.LV, the work of the Saeima was not affected.

   5. CERT-UA recorded 203 cyberattacks in July. The Ukrainian CERT reports that the number of attacks on representatives of the Ukrainian state and financial institutions increased in July. The two most widely hacked sectors were national and local government, targeted by 56 cyberattacks in July, and the security and defence sector.

   6. Finnish public broadcaster Yle reports that the website of the Finnish parliament was hit by a DDoS attack. A Russian hacker group calling itself NoName057(16) claimed on its Telegram channel to be behind the attack. The attack started around 14.30 on Thursday 9 August. The website was accessible again at 22.00.

      The Telegraph reports that the British authorities are investigating cyberattacks against the British cryptocurrency platform Currency.com. According to The Telegraph, since April hackers have been conducting daily cyberattacks on the company following its withdrawal from Russia because of the war.

   7. In its annual Global Incident Response Threat Report VMWare mentions a rise in cyberattacks since the start of the war in Ukraine. Sixty-five per cent of the cybersecurity professionals surveyed had observed more cyberattacks since the Russian invasion.

   8. Meta publishes its Quarterly Adversarial Threat Report (Q2 2022). Meta states in the report that in April it shut down a troll factory in St Petersburg. The troll factory was purportedly supplying pro-Russian commentary on the war on social media.

   9. On its website the Security Service of Ukraine (SSU), reports that it has dismantled a bot farm. The bot farm was distributing disinformation in order to destabilise the sociopolitical situation in Ukraine. The disinformation related to activities of Ukraine’s most senior military and political leaders. According to the SSU, the bot farm operators used more than a million fake online accounts and social media groups with more than 400,000 users.

5. July 2022

   1. CERT-UA warns of phishing emails, sent in the name of the Red Cross, asking for donations for Ukrainian refugees. The messages contain a link to a phishing website that mimics that of a Ukrainian bank. Login details entered on this website then fall into the hands of the attackers.

   2. CERT-UA warns of cyberattacks by the Gamaredon hacker group. The perpetrators deploy phishing emails with a malicious attachment. Interacting with this attachment results in GammaLoad.PS1_v2-malware being downloaded and installed.

   3. According to the Ukrainian State Service of Special Communication and Information Protection, SSSCIP, a cyberattack was carried out against the TAVR media group. Nine major Ukrainian radio stations belong to this media group. On the radio the perpetrators spread disinformation about the state of President Volodymyr Zelenskyy’s health.

   4. Following a rise in cyberattacks connected to the war between Russia and Ukraine, the European Council warns about unacceptable risks of spillover effects, misinterpretation and possible escalation. The most recent DDoS attacks on various EU member states and EU partners (responsibility for which was claimed by pro-Russian hacker groups) are an example of the heightened and tense cyber threat landscape. The EU calls on member states to raise awareness of cyber threats and take preventive measures to protect critical infrastructure.

      In conjunction with the Ukrainian security service, the U.S. Cyber Command shared indicators (IOCs) on malware observed in Ukraine. Mandiant also published a blog post on this topic, with additional details.

   5. Following Microsoft and Mandiant , Palo Alto Networks’ Unit 42 also warns of spear phishing attacks by APT29, a Russian-based threat actor. The phishing emails are sent in the name of an organisation and contain a malicious HTML file or a link to an HTML file in a cloud storage service such as Dropbox or Google Drive. Interacting with this HTML file executes a JavaScript code that installs an ISO file or IMG file on the system. A shortcut is visible in the IMG or ISO file. Other files, such as EXE and DLL files, are rendered invisible. Opening the shortcut ultimately infects the system with Cobalt Strike Beacon malware.

      In a blog post Google reports that it has observed cyber activity by various threat actors in relation to the war in Ukraine.

      According to Google, the Russian-based threat actors APT28 and Sandworm carried out several phishing attacks, exploiting vulnerability CVE-2022-30190 (Follina). In a security advisory, the National Cyber Security Centre, NCSC, warned about this vulnerability.

      The organisation observed activity from the Russian-based threat actor COLDRIVER. According to Google, the actor had allegedly made phishing attempts against various targets, including government staff, politicians, NGOs and journalists.

      The Russian-based actor TURLA temporarily offered a fake ‘anti-ddos’ app, posing as the Ukrainian Azov Regiment.

      Finally, Google reports that the Belarusian threat actor Ghostwriter actively launched phishing attacks aimed at Polish nationals.

   6. Ukraine’s Computer Emergency Response Team, CERT-UA, warns of cyberattacks against Ukrainian government authorities using emails with malicious attachments. The attachment is an XLS file containing a macro. Activating the macro executes the ‘baseupd.exe’ file. This ultimately infects the system with Cobalt Strike Beacon malware.

   7. Latvia State Radio and Television Center, LVRTC, reports that it sustained a prolonged distributed denial-of-service attack (DDoS). To limit the attack, LVRTC temporarily restricted access to certain services, rendering them unavailable.

   8. NCSC UK warned organisations to prepare for a heightened cyberthreat over an extended period, on account of the Russia-Ukraine conflict. In the view of the NCSC the cyberthreat to the UK will continue to rise as a result of the conflict. Organisations are urged to keep their guard up and to have their cybersecurity experts prepare for longer-term resilience .

6. June 2022

   1. A disinformation campaign was used to spread a rumour that male Ukrainian refugees in Poland would be identified and sent back to Ukraine for military service. Researchers from cybersecurity firm Mandiant have attributed this to the Belarusian-linked threat actor GhostWriter.

      According to the Ukrainian state service SSSCIP the intensity of cyberattacks on Ukrainian targets continues unabated. There have been almost 800 cyberattacks since the beginning of the war on 24 February 2022.

   2. CERT-UA warned of cyberattacks using emails with a malicious attachment targeting telecom companies in Ukraine. The emails contain a password-protected RAR file as an attachment with an Excel file and macro. When the file is opened, a PowerShell command is launched, resulting in the download and execution of an EXE file. The system is then infected with DarkCrystal malware.

   3. After Lithuania banned the rail transportation of Russian goods (with the exception of foodstuffs and people) to Kaliningrad, various activist groups used platforms such as Telegram to urge cyberattacks on Lithuania’s critical infrastructure.

      Cert-UA warned of cyberattacks against Russian research institutions, technical organisations and government bodies by Chinese-linked actors. The attackers use phishing emails with malicious attachments, which, if opened by the user, will eventually result in infection by Bisonal malware.

      Microsoft published a report entitled ‘Defending Ukraine: Early Lessons from the Cyber War’, offering five conclusions after the first four months of the conflict between Russia and Ukraine.

   4. Cert-UA warned of two types of attack. One involves delivery of a malicious xxx.doc file, the other an xxx.rtf file. Both attacks prompt t hedownload of an HTML file and exploitation of the CVE-2022-30190 vulnerability. In the case of the .doc file, Cobalt Strike malware is used, and in the case of the .rtf file, CredoMap malware is deployed. The NCSC recently published an advisory warning about the CVE-2022-30190 vulnerability.

   5. Threat actor Killnet appealed on Telegram to various ransomware actors, such as Conti and Revil, to launch cyberattacks on joint organisations in the United States, Italy and Poland. According to a Kremlin spokesman, a DDoS attack on Friday delayed President Putin’s speech at the International Economic Forum in St Petersburg by an hour.

   6. Hacktivist collective Belarusian Cyber-Partisans claimed to have gained access to wiretapped conversations, including some from the Russian embassy in Belarus. The recordings are said to have been made between 2020 and 2021.

   7. Hacking group Anonymous claimed to have hacked a Russian drone manufacturer. They also published images of some of the information obtained.

   8. Following a cyberattack, the web address for the Ministry of Construction, Housing and Utilities of the Russian Federation was redirected to a pro-Ukrainian message: ‘Glory to Ukraine’. The hackers also demanded a ransom in order to prevent the leaking of site users’ personal data. According to RIA, a Russian state news outlet, a ministry representative confirmed that the site was offline but that user data had not been compromised.

   9. The broadcasting of the World Cup qualifier between Wales and Ukraine was interrupted by a cyberattack in Ukraine directed at OLL.TV. According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), hackers had gained access to a content delivery network (CDN) and had then managed to reroute traffic. As a result, various Ukrainian broadcasters displayed Russian propaganda. OLL.TV confirmed the attack on Facebook.

   10. CERT-UA warned of cyberattacks using malicious email attachments targeting various Ukrainian government organisations. The emails deliver a document containing a malicious URL redirecting unsuspecting victims to the HTML file with a JavaScript code embedded. If executed, CVE-2021-40444 and CVE-2022-30190 vulnerabilities are exploited to launch a PowerShell command, download an EXE file and infect the targeted system with Cobalt Strike Beacon malware. The National Cybersecurity Centre (NCSC) has published an advisory regarding the CVE-2022-30190 vulnerability.

   11. In an interview with Sky News, US General Paul Nakasone confirmed that the United States had conducted offensive cyber operations in support of Ukraine.

7. May 2022

   1. Hacking group Anonymous claimed to have attacked Belarusian government websites in retaliation for Belarus’s alleged support for the Russian invasion.

   2. Researchers at security company SEKOIA.IO have observed cyber reconnaissance activities by Russian threat actor Turla. This observation is based on previous findings by Google’s Threat Analysis Group (TAG) (see also the entry for 3 May 2022 on this timeline). The activities targeted the Baltic Defence College, the Austrian Economic Chamber and NATO’s e-Learning platform known as JADL. The Austrian Economic Chamber was involved in the imposition of sanctions against Russia.

   3. Pro-Russian hackers launched cyberattacks on various Italian government organisations. On Friday 20 May, the Italian embassy in London tweeted that access to the website of the Italian Ministry of Foreign Affairs and its embassies was limited as a result of cyberattacks.

   4. The Italian authorities managed to thwart DDoS attacks by the actor Killnet. These attacks were launched during the Eurovision Song Festival’s live performances and voting rounds. In response to this failed attack, the actor declared its intention to launch cyberattacks on websites of organisations in the United States, the United Kingdom, Germany, Latvia, Romania, Estonia, Poland, Ukraine, Lithuania and Italy.

   5. Threat actor Killnet directed DDoS attacks against various Italian government and commercial websites.

      The same day, CERT-UA warned about emails with the subject ‘Щодо проведення акції помсти у Херсоні!’ (‘Re: retaliatory action in Kherson!’) which contain an HTM file. Once the file is clicked on, GammaLoad.PS1_v2 malware is downloaded and executed on the victim’s computer. CERT-UA has attributed this attack to the Russian threat actor UAC-0010 (Gamaredon).

   6. The European Union and its international partners strongly condemned the cyberattack on the satellite KA-SAT network. The attack was attributed to the Russian Federation. It took place shortly before the Russian invasion of Ukraine on 24 February 2022 and had a significant impact on various public authorities, businesses and citizens in Ukraine. Spill-over effects were also felt by several members of the European Union.

   7. Several media outlets reported that as a result of a cyberattack, Russian satellite TV menus had shown various anti-war slogans just before the Victory Day parade in Moscow.

   8. CERT-UA warned of emails with the subject ‘хімічної атаки’ (chemical attack). The emails contain a link to an XLS document with a macro. When the macro is activated, it downloads and executes a piece of malware. The victim’s computer is then infected with the malicious programme JesterStealer, which steals sensitive information and transmits it to the attacker.

   9. Google reported in a blog post that it had observed cyber activities by various actors in relation to the war in Ukraine:

      • The Russian-based actor APT28 (aka Fancy Bear) has been targeting users in Ukraine with a new malware variant, which is distributed via email attachments inside password-protected zip files.
      • The organisation has again observed activity by the Russian-based threat actor COLDRIVER (see update of 31 March in this timeline). According to Google, phishing emails have been sent to targets including government officials, politicians, NGOs and journalists.
      • The Chinese-based actor Curious Gorge is continuing its long-running campaigns against multiple government, manufacturing, military and logistics organisations in Russia and Ukraine.
      • Google has observed cyberattacks by the Russian-linked actor Turla, which targets the Baltic states and attempts to compromise defence and cybersecurity organisations in the region.
      • Lastly, Google reported that the Belarusian threat actor GhostWriter was still active and was targeting Ukrainian citizens with its phishing attacks.

   10. The UK’s Foreign, Commonwealth & Development Office (FCDO) claimed on the basis of government-funded research that Russian disinformation about the war in Ukraine was being spread by means of a troll factory. According to the FCDO, the accounts of various politicians and specific audiences in the UK, India and South Africa are being targeted. According to the UK experts, the research shows how the Kremlin’s large-scale disinformation campaign is designed to manipulate international public opinion of the war in Ukraine.

8. April 2022

   1. In collaboration with the Computer Security Incident Response Team of the National Bank of Ukraine (CSIRT-NBU), Ukraine’s Computer Emergency Response Team (Cert-UA) has observed distributed denial-of-service (DDoS) attacks on various Ukrainian government and other organisations. Compromised websites have been used for this purpose. The websites are compromised by inserting malicious JavaScript code (BrownFlood) into the site structure. As a result, website visitors generate large numbers of requests to specific targets, in this case various Ukrainian government and other organisations.

   2. Microsoft issued a report containing details about Russian cyberattacks observed during the war between Russia and Ukraine. Since the Russian invasion, Microsoft has observed over 200 cyberattacks against Ukrainian organisations and individuals. A number of these attacks appeared to be coordinated with kinetic military operations, according to Microsoft. The report, which includes a detailed timeline of the Russian cyberattacks, was released in order to help boost the resilience of organisations including critical providers and central government.

   3. After introducing a new postage stamp, Ukraine’s national postal service, Ukrposhta, was hit by a DDoS attack. The stamp shows a Ukrainian soldier making an offensive gesture to the Russian warship Moskva, which has since sunk.

   4. On the CISA website, the United States, Australia, New Zealand, Canada and the United Kingdom posted a joint warning regarding cyber activity by Russian criminal and state actors aimed at critical infrastructure. This activity may be a form of retaliation for the sanctions imposed on Russia and the material support provided to Ukraine by the Western allies and partners.

   5. Shuckworm (aka Gamaredon and Armageddon), a malicious actor linked to Russia, continues to target organisations in Ukraine. For this purpose it uses various versions of the malware Backdoor.Pterodo. The frequency of the attacks means that it remains one of the main cyber threats facing organisations in the region.

   6. CERT-UA issued a warning about phishing emails that claim to originate from them, with the subject heading ‘Srochno!’ (urgent). The emails, which target Ukrainian organisations, include an .xls attachment which contains a macro. When the macro is activated, it downloads and runs a file that infects the computer with Cobalt Strike Beacon malware.

   7. The activist hacker group KillNet carried out DDoS attacks on various websites belonging to airports, government bodies and transport organisations in Europe. These attacks rendered the sites of some organisations temporarily unavailable.

   8. Analysing an attack on a Ukrainian energy company, cybersecurity firm ESET and the Ukrainian CERT-UA discover new malware, Industroyer2, which targets industrial control systems (ICS). Other pieces of malware, including various wipers, were also used in the attack. For more details about this malware, you can visit the ESET and CERT-UA websites. According to ESET and CERT-UA, the attack was successfully averted.

   9. A denial-of-service attack rendered the websites of the Finnish ministries of Defence and Foreign Affairs temporarily unavailable. The attack started around noon, as Ukraine’s President Zelenskyy was addressing the Finnish parliament.

   10. Microsoft announces that it has been able to disrupt cyberattacks targeting Ukraine. These attacks were launched by Strontium, a Russian state actor with ties to the intelligence service GRU. Strontium was attempting to compromise Ukrainian government institutions and media organisations and was also targeting EU and US government agencies and foreign policy think tanks. In order to gain access to the victims, Strontium used seven malicious internet domains.

   11. CERT-UA reports the discovery of various malicious files that could be used in a spear-phishing attack. The files had English names and were targeting a government organisation in Latvia. CERT-UA has attributed this attack to UAC-0010 (Armageddon).

       The same day, CERT-UA also reports that Ukrainian government organisations have been targeted by Armageddon, once again via a spear-phishing attack. Targets received malicious files that purported to contain personal details of suspected war criminals.

9. March 2022

   1. Google publishes a blog post about the Russian-based threat actor COLDRIVER, alleged to have launched phishing campaigns against various targets, including a NATO department. Google has no evidence that these attempts were successful. The group has been active since 2015 and has in the past attacked various targets such as ministries, NGOs and journalists.  

   2. Due to a major distributed denial-of-service (DDoS) attack on the Ukrainian internet service provider Ukrtelecom, services are temporarily unavailable to its clients.

   3. A Russian internet provider launches a brief BGP hijack of Twitter’s address space. The BGP announcement had little effect in the end because Twitter’s BGP announcements are RPKI-protected.

   4. Three Russian spies spent five years targeting energy infrastructure in 135 countries, in an effort to enable the Russian government to gain remote control of power plants, the US Department of Justice alleged in an indictment unsealed on Thursday.

      On Twitter hacking group Anonymous calls upon businesses to withdraw from Russia, giving them 48 hours to do so, otherwise they will be targeted by Anonymous. The group has previously published details of Russian companies.

   5. CERT-UA reports new wiper malware known as Double Zero, which is spread through .zip files.

   6. American president Joe Biden warns businesses in his country about potential Russian cyberattacks, including as a response to sanctions imposed by the West against Russia.

   7. CERT-UA warns of attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon.

   8. Hacking group Anonymous warns Western companies to sever ties with Russia and threatens targeted actions.

   9. Security Affairs posts about a destructive Node-IPC package (malware attack) targeting organisations in Russia and Belarus.

   10. Ukraine’s Computer Emergency Response Team (CERT-UA) reports a phishing campaign in which mass mailings are sent out in the name of the Ukrainian government. The attacks are being launched with the use of Cobalt Strike, GrimPlant and GraphSteel.

       ESET researchers in Ukraine have also discovered new wiper malware with the name Caddywiper. Wiper malware presents itself as ransomware, but the affected systems or files cannot be recovered.

   11. Anonymous leaks 20 terabytes of data following a cyberattack on the German subsidiary of the Russian oil company, Rosneft. In response, the German intelligence service, BSI, has issued a warning to vital sectors.

   12. Der Spiegel reports that Germany’s Federal Office for Information Security (BSI), a division of the German Federal Ministry of the Interior and Community, is warning of a cyberattack, which is expected to target critical infrastructure. This is in retaliation for the help offered to Ukraine by Germany since the beginning of the war.

   13. The Security Service of Ukraine, SSU, reports that hackers have posted messages of surrender on local government websites. The SSU announces on Twitter that this is disinformation and urges people to ignore the messages. The Ukrainian ambassador to the United Kingdom also tweets that the official website and email were not working because of cyberattacks.

   14. The Ukrainian government urges tech companies to sever their business ties to Russia. Various tech companies stop providing some or all services to Russia. Cybersecurity firm Proofpoint reports a spear-phishing campaign by various state actors targeting European government organisations. The campaign appears to be an attempt by threat actors to obtain information regarding the reception and migration of Ukrainian refugees.

   15. Wordfence researchers report hacks of numerous Ukrainian university websites coinciding with the start of the invasion. Wordfence attributes the attacks to a group known as ‘theMxOnday’. The group has openly expressed support Russia in its conflict with Ukraine.

10. February 2022

    1. The Belarussian Cyber-Partisans claimed that they conducted a cyber attack on the railways in Belarus, to obstruct the Russian transfer of troops. A recent overview of cyber groups that have mingled in the war, including state actors such as Sandworm, can be found here.

       Taking the latest developments into consideration, the NCSC has published a perspective for action and threat-specific measures.

       At this moment, there have been no observations of digital attacks on the Netherlands or its interests.

    2. Ransomware rival Lockbit, in contrast,reported that it remains neutral in the war and is exclusively motivated by financial purposes.

    3. The Ukrainian minister of Digital Transformation called for hackers worldwide to align with an “Ukrainian IT army”.

    4. Ransomware-group Conti declared in a public statement to align itself with Russia. To support Russia, Conti threatens with attacks on critical infrastructure of countries opposing Russia.

    5. After the invasion of Russian troops in Ukraine various non-state actors have mingled in the conflict. Already on the same evening, hackers-collective Anonymous declared the war on Russia. Volunteers connected to this collective then claimed to have taken down various Russian government- and media websites through DDoS-attacks. It was also claimed that sensitive data from the Russian Ministry of Defense was obtained. These claims cannot always be verified, which could cause uncertainty and confusion.

    6. Various parties reported a new wiper malware that they had observed in Ukrainian systems. Among others, ESET, Symantec and SentielOne published their analyses. The malware has been called HermeticWiper. There are functional similarities with the earlier observed WhisperGate wiper campaign of January 13th and 14th. The goal of the new wiper is to corrupt new documents and to prevent the startup of computer systems. This new malware seems to operate more thoroughly than the wiper malware used in the previous campaign. Thus far, there have been no indications that this new wiper has any functionality that could lead to a worm through which the network-coupled systems could be infected.

    7. The Ukrainian CERT-UA published a website report on malicious activities that they related to the actor Buhtrap. The malware campaigns would have been intended to acquire a position in the computer network of the victim. On February 23rd, severe DDoS-attacks were carried out on Ukrainian targets. Various government websites have been temporarily limited or fully unavailable. Among others, the websites of various ministries targeted. Simultaneously, multiple phishing campaigns were reported.

    8. Various cyber-attacks were conducted on different targets in Ukraine. Among others, DDoS-attacks (Distributed Denial of Service) were reported that target the capacity of online services or the supporting servers and network equipment. The Ministry of Defense and two national banks in Ukraine were hit.

       Another texting-campaign took place, that reported that ATMs were having a technical malfunction. Official authorities in Ukraine reported that this was disinformation. There would have been no existence of such malfunctions. At this moment, the NSCS has no concrete clues that targeted attacks on organizations in the Netherlands are related to the current situation in Ukraine.

11. January 2022

    1. CERT Ukraine (CERT UA) published part of the research on both the defacements as well as the attack with malware. In this research, large similarities were detected between the Whispergate-malware and WhiteBlackCrypt ransomware. These similarities would indicate that it was the intention of the attacker to prevent that Ukraine itself was behind the cyber-attacks.

    2. Microsoft published a blog on the Whisptergate-malware (also called Whisperkill) that had been deployed against various (governmental)organizations in Ukraine. Whispergate is a wiperware that pretends to be ransomware, but lacks any possibility to recover affected systems or documents, which means that documents are effectively erased or that the operating system becomes out of commission. In contrast to the NotPetya-wiper, that had a worldwide impact in 2017, the Whispergate-malware does not consist of the possibility to spread itself without a human intermediary. As a result, the observed Whispergate-malware forms a significantly lower risk for the Netherlands.

    3. The Ukrainian security service SSU published a statement about an attack on the websites of various governmental actors. The messages that were published on the websites reported in threatening language in Polish, Ukrainian and Russian that personal data of Ukrainian citizens had been stolen and that citizens should “prepare for the worst”. These kind of attacks where a website is being daubed are also called ‘defacements’. In a subsequent statement by the SSU, it became evident that there had most likely been a supply chain attack on the supplier who maintained the websites, possibly in combination with a vulnerability in OctoberrCMS (CVE-2021-32648) and Log4j. The supplier had elevated permissions in the environment so that websites could be modified.

       After the large attacks the national CERT of Ukraine issued multiple warnings for other campaigns that target governmental agencies. Moreover, several cybersecurity companies published a research following the cyber-attacks in Ukraine. For instance, Palo Alto Networks Unit42, Symantec and Microsoft conducted a research on the activities of Gamaredon, also known as ACTINIUM. Thus far, the activities of Gamaredon have not been related to the cyber-attacks of January the 14th. Gamaredon is a well-known actor that thus far has focused on Ukrainian targets.

Expand overview