Cyberattacks in Ukraine: Could It Lead to a First World Cyberwar?
When the US needed a place to test its Cold War atomic weapons, it used an isolated atoll named “Bikini” in the Marshall Islands of the Pacific. The 25 mile long ring-shaped coral atoll witnessed more than 20 tests from 1946 into the 1960s. Today several foreign actors could be using the war in Ukraine as a test site for their cyber warfare techniques, tactics and procedures (TTPs). Cyberattacks can quickly cross borders, so it’s critical that governments and corporations have the proper defenses in place for these evolving threats.
Ukraine’s infrastructure is similar to Western Europe, Canada and the US and though its cyber defenses are more limited than that of the Five Eyes (FVEY) intelligence alliance (Australia, Canada, New Zealand, UK and US). This makes it an attractive target for countries such as Iran, N. Korea and China to test their own cyber capabilities.
What form have the cyberattacks in Ukraine taken so far? The first attacks seemed pro-Russian. They took down government websites with the message “Be afraid and expect the worse.” This useful advice was then followed by false claims that “All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered.” though the country’s State Bureau of Investigations – similar to US FBI – denied that any data was actually stolen. At one point Ukraine’s deputy secretary of their National Security and Defense Council attributed the attacks to a hacker group linked to the Belarusian intelligence service.
In mid-January Microsoft reported wiper malware disguised as ransomware (tracked as DEV-0586) on several Ukrainian governmental agencies and organizations systems. Activation of the wiper malware would have killed the systems. Had it been placed in anticipation of the Russian invasion, like land mines waiting to be remotely activated?
The US Dept. of Homeland Security (DHS) shortly thereafter issued an intelligence bulletin to critical US infrastructure operators and state and local governments warning of a possible Russian counter cyberattack if Moscow believed the US or NATO response to a potential invasion of Ukraine “threatened [Russia’s] long-term national security.”
February brought a distributed denial of service (DDOS) attack on the Ukrainian defense ministry, military sites and two banks. There was evidence of Russian penetration of their military, energy and other critical networks to collect information needed to support the imminent invasion.
In late February, researchers from ESET and Symantec reported new malware called HermeticWiper spreading across Ukraine, Lithuania and Latvia. The Canadian Centre for Cyber Security issued its Alert regarding this malware on February 23rd referencing the following articles:
- HermeticWiper – New Destructive Malware Used In Cyber Attacks on Ukraine
- HermeticWiper – New data‑wiping malware hits Ukraine
- Hermetic Wiper & resurgence of targeted attacks on Ukraine
- Ukraine – Disk-wiping Attacks Precede Russian Invasion
One of the more visible attacks was against Viasat, the world’s largest commercial satellite company. In late February, Sky News reported the multifaceted cyberattack against its KA-SAT network interrupted service to several thousand broadband customers in Ukraine and tens of thousands across Europe. Ukraine’s response included a program that signed up 184,000 civilian developers and hackers for its IT Army of Ukraine. This new group significantly increased the Ukrainian anti-cyberattack resources.
Evidence that the Ukrainians and their allies were not purely defensive in the ongoing cyberwarfare was seen in early March when Russia’s National Computer Incident Response & Coordination Center published a massive list of IP addresses and domain names it claimed were involved in ongoing nationwide DDOS attacks on Russian systems.
When Russia finally invaded Eastern Ukraine, a group of purportedly vigilante hackers compromised a website associated with Russia’s Space Research Institute to post vulgar anti-Russian messages.
Another hacktivist collective known as Anonymous claimed credit for taking down Russia’s Federal Security Service (FSB) and 2,500 websites in Russia and Belarus in support of Ukraine. They also hacked into Russian broadband streaming services Wink, Ivi, and TV channels Russia 24, Channel One, and Moscow 24 to broadcast alleged war footage.
Google’s Threat Analysis Group reported widespread phishing attacks by someone in Belarus against Polish military personnel and Ukrainian officials. A hacktivist crew “International Information Technology Battalion 300” (ILIT300) was particularly creative in its use of phone bombing software developed by Ukrainian hacktivists to bypass Russian TV censors and send messages directly to Russian citizens in hopes that they would speak out against the conflict. Telegraph Moscow correspondent Nataliya Vasilyeva confirmed receipt of one of these calls.
Russia was again on the receiving end of a malware attack that compromised several of its federal agency websites in a supply chain attack. The malware hacked the stats widget used to track visitor numbers and used it to publish invalid content. The affected websites included the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and other Russian state agencies.
Unsurprisingly, cyber criminals were discovered by Cisco Talos researchers to be trying to exploit the war and Ukrainian sympathizers by selling them supposedly offensive cyber tools that were in fact malware designed to steal credentials and cryptocurrency-related information back to the gangs. The criminals have also collected money from well-meaning donors under the pretext of supporting refugees when in fact the money was going into their own coffers.
In late March, Sberbank – Russia’s largest bank – warned users against updating their banking software due to the threat of “Protestware”; open source projects whose authors modified their code to protest the Ukraine invasion with antiwar messages and in one case, wiper code. Such protestware against Russia and Belorussia was reported by Ars Technica on March 18th.
Finally, Google’s Threat Analysis Group reported in late March that government-backed actors from China, Iran, North Korea and Russia, plus various unaffiliated groups, were using Ukraine war-related themes to get targeted users to activate malicious emails or links.
Bottom line: The cyber tactics and tools being used today in Ukraine will likely show up closer to home in the near future and any company that believes itself immune won’t be properly prepared to respond. The attack could entail any of the following:
- Temporary denial-of-service (DOS)
- Crippling ransomware
- Wiper malware
- Deliberate sabotage of operational software causing permanent damage by overloading systems to destruction or by altering the function of cooling pumps or centrifuges (think Iranian Stuxnet incident)
If it can be imagined, it will eventually happen. You need someone on your side who knows what to look for and not coincidentally, that’s why Ardent-Security exists. We have the experience, training and certifications needed to prepare your company for whatever comes next.
Call Ardent Security today.
We can help.