Threats of Russia Cyber Attacks Following Invasion of Ukraine

This blog was originally published by BlueVoyant here.

In the wake of Russia’s invasion of Ukraine, cyber experts predicted a surge in cyber activity. While BlueVoyant has observed an increase in reported adversarial activity associated with Russia-based threat actors, cyber attacks to date are mostly contained within the geographical borders of the conflict area. The expected advanced persistent threat (APT) groups have proven worthy of their reputations; however, there has been little-to-no escalation of reported attacks outside of those involving Ukraine, Russia, and their allies. Moreover, even though previously unseen malware has surfaced as a result of the conflict, the tool types and the tactics used thus far are not uncommon for the actors involved.

The Conflict has Yielded Fodder for Phishing Campaigns

As phishing has generally trended downward lately, the noted “increase” of war-related phishing campaigns directly related to the Ukrainian conflict may be a result of increased cyber community scrutiny following the invasion. That is to say, there are more cyber analysts reporting on events rather than an actual notable increase in activity. It has been clear for some time that Russian threat actors have been highly active in phishing campaigns in Ukraine for at least the past year.

That notwithstanding, the conflict has given threat actors new subject matter to use as lures, such as the credential harvesting campaign mimicking related messages from UKR.Net, and known Russian and Belarussian APT campaigns using cybersecurity lures to deploy back door and stealer malware against Ukrainian targets.

New Malware Names/Same Results

New wiper malware and pseudo ransomware identification in the conflict area is on the rise; however, these types of tools are not new and are, in fact, well within the standard toolset of the threat groups attributed to the observed attack campaigns.

Wiper malware may masquerade as ransomware, even including a ransom note in some cases, but actually deletes computer data. Some versions wipe the master boot record rendering the device unusable; other variants look for disk drives or removable media to destroy the data within.

Similarly, pseudo ransomware is a form of malware that follows all the nuances of standard ransomware, but there is no actual ransom. The malware encrypts the victims’ data with no form of recovery. In one example, a pro-Ukraine operative created a pseudo ransomware variant, dubbed AntiWar, which insists on an end to the war, rather than a monetary demand. But even in this example, there is no method of decryption even if the war were to end tomorrow.

Pick a Side, Any Side

Some criminal hacking organizations have chosen sides in the conflict and others have chosen to remain apolitical. Wizard Spider, the APT behind the infamous Conti ransomware, originally proclaimed their allegiance to Russia and later walked back that statement. The group reissued a statement indicating they remained apolitical; however, they would use their arsenal of tools to fight back against “western warmongering.”

Days later, an individual who claimed to be a security researcher currently within the borders of Ukraine released more than 60K internal messages from Conti’s operations team. The data contained various information about the gang’s activities, including previously unreported victims, private data leak URLs, bitcoin addresses, and discussions about their operations. On March 20, the same individual released a more recent version of the Conti ransomware source code, subsequently providing links to the data on VirusTotal and on Twitter.

Supply Chain a Potential Concern Outside Conflict Borders

Supply chain attacks have also been observed – another common attack vector among the APTs known to be actively involved in the conflict. As companies’ internal networks become better defended, their supply chain is often the weak link or the way they get attacked. Nearly all organizations these days have third-party vendors on which they rely. If one of the vendors in a supply chain falls victim to a cyber attack, organizations that rely on that vendor may also find themselves compromised. This was clearly evidenced by the Russian APT breach of SolarWinds in early 2020. Even companies with no ties to Russia should be on alert for this type of activity.

Additionally, last week, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued an alert on Russian state-sponsored cyber actors attacking a Non-Governmental Organization (NGO) through multi-factor authentication protocols and a critical Windows Print Spooler vulnerability known as “PrintNightmare.”

Hacktivists on Both Sides Get in on the Action

The conflict has brought unity to high numbers of hacktivists on both sides of the conflict. Anonymous, Cyber Partisans, The IT Army, FreeCivilian, and many others have publicly joined the fray, mostly in the form of DDoS attacks, data theft, defacement, and disruption campaigns. An Anonymous-associated group calling themselves “Squad303” has even created a short message service (SMS) spam application to send anti-war messages to Russian phone numbers.

How Companies Should Protect Themselves

Companies everywhere should remain on high alert and ensure they’ve bolstered their cyber defense operations. Most likely, traditional criminal groups are working harder than ever to gain a foothold into target infrastructure – possibly even benefiting from the hyper focus on Russia and Ukraine. Others may simply be pausing normal operations while shifting tactics to the war effort, or until global anxiety regarding the conflict in Ukraine retreats and they can resume business as usual.

The possibility also exists that the new malware strains that have arisen as a result of the conflict could later be reworked (if necessary) and used against more traditional targets as the attention on the war fades.

Companies should also be aware of the third parties and vendors on which they rely. Security leaders must understand that partner assets in the area of potential hostilities may fall victim to degradation, either from targeted cyber activity or physical destruction of carrier equipment. Understanding your own capacity, and that of the partners you rely on, is critical to ensuring business continuity.

Organizations should regularly check recently-published advisories by CISA and the National Cyber Security Centre (NCSC) for guidance on how to prepare your organization for cyber attack. In addition, you should ensure endpoint solutions are up to date, work to rapidly identify any critical alerts, and implement new detection efforts. Organizations should anticipate increased cyber activity in the form of malware or other destructive attacks as geopolitical events evolve. Preparation is key. Reviewing and testing incident response as well as backup and recovery plans is crucial to ensure continuity of operations.

Lessons for the Future

President Biden recently disclosed that the government has “evolving intelligence that the Russian Government is exploring options for potential cyber attacks.” Biden emphasized the previous warning that Russia may employ cyber attacks against the U.S. specifically. No one can predict exactly what the future holds, but organizations anywhere in any industry should keep their guard up. Cyber attackers could be using the current geopolitical situation to change their tactics, or retooling to conduct more advanced operations.

In addition, organizations should consider better prioritization of their third-party security. This continues to be an area with which organizations struggle. It is imperative that organizations also look externally when creating cyber defense plans.