CybelAngel Analyst Bulletin: Tensions in Eastern Europe’s Cyberspace
In advance of the physical build-up of Russian military forces just outside of Ukraine, a number of cyber attacks have been launched in Eastern Europe.
Around 70 Ukrainian government websites were defaced, alongside ransomware attacks by unknown hackers, at the beginning of 2022. The first attacks took place during the night from the 13th to the 14th of January. The pages of multiple ministries were replaced with the following message:
“Ukranian! All your personal data was uploaded on the Internet. All the data of this computer is destroyed, it is impossible to restore it. All the information about you became public, be afraid and wait for the worst. This is for your past, present and future. For Volhynia, OUN UPA, for Galicia, for Polesia and historical territories.”
A message published by hackers on victim’s computers – Image credit: Valentyn Ogirenko/Reuters
On January 18th 2022, CISA issued a warning to organizations regarding the situation in Ukraine. The note was issued in response to the malicious cyber incidents in Ukraine and advised organizations to be particularly attentive to potential intrusions that companies and institutions might suffer.
The political situation and current tensions in the relationship between the Russian and Ukrainian governments are the suspected motivation for the destabilizing attacks. Much of the world watches in anticipation that Russia might attack Ukrainian borders in the near future.
Intel on the Malware
The distributed ransomware, first detected in Ukraine on the 13th of January, has a final goal of wiping data off the machines. It is not clear whether data was exfiltrated, but according to the Ukrainian government “no confidential or personal information was stolen”. The actors are still unknown to this day, although some experts believe they could be related to pro-Russian groups.
According to the Ukrainian government, the attack could have been made possible through the prior hack of a “commercial company that had access to administrator rights of the affected web resources”.
According to Microsoft researchers, this distributed malware is not true ransomware: it offers no recovery option for files even if the ransom is paid. Moreover, the “ransomware gang” used a single bitcoin address, which is not the modus operandi of the usual threat actor groups, who tend to create multiple addresses (one for each payment).
The malware belongs to the “WhisperGate” family, which destroys data and by its technical nature does not allow any repair. Security researchers at the Ukrainian CERT indicate that the attackers used vulnerability CVE-2021-32648, discovered in August 2021. This vulnerability affects the OctoberCMS content management system used by the government agencies to update their websites, and allows unauthorized access using the Password Recovery Exploitation attack pattern.
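Since the bulletin names abuse of the password-recovery flow as the initial access pattern, a defender's first question is whether such abuse is visible in web server logs. The following added example (not from the bulletin, and not CybelAngel's or OctoberCMS's own code) flags source IPs that hit the backend password-recovery endpoints in bursts. The log lines are constructed, and the backend path prefix `/backend/backend/auth/` (the `restore` and `reset` routes) is an assumption about a default OctoberCMS install that should be adjusted to the deployment's actual backend URI; the window and threshold are illustrative.

```python
"""Flag bursts of password-recovery requests in OctoberCMS backend access logs.

Added example: the log entries, the threshold and the backend path prefix
are constructed/assumed for illustration, not taken from the bulletin.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed recovery routes of a default OctoberCMS backend:
#   restore = request a reset link, reset/<id>/<code> = consume a reset code.
RECOVERY_PATTERN = re.compile(r"^/backend/backend/auth/(restore|reset)(/|$)")

# Constructed sample log: one noisy source, two ordinary ones.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2022:01:02:03 +0200] "GET /backend/backend/auth/signin HTTP/1.1" 200 512
203.0.113.7 - - [14/Jan/2022:01:02:10 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0
203.0.113.7 - - [14/Jan/2022:01:02:12 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0
203.0.113.7 - - [14/Jan/2022:01:02:20 +0200] "GET /backend/backend/auth/reset/1/aaaa HTTP/1.1" 200 900
203.0.113.7 - - [14/Jan/2022:01:02:21 +0200] "GET /backend/backend/auth/reset/1/aaab HTTP/1.1" 200 900
203.0.113.7 - - [14/Jan/2022:01:02:22 +0200] "GET /backend/backend/auth/reset/2/aaaa HTTP/1.1" 200 900
203.0.113.7 - - [14/Jan/2022:01:02:25 +0200] "GET /backend/backend/auth/reset/2/aaab HTTP/1.1" 200 900
198.51.100.4 - - [14/Jan/2022:01:30:00 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0
192.0.2.9 - - [14/Jan/2022:02:00:00 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0
192.0.2.9 - - [14/Jan/2022:02:15:00 +0200] "GET /backend/backend/auth/reset/3/bbbb HTTP/1.1" 200 900
"""


def recovery_events(log_text):
    """Map each client IP to the sorted timestamps of its recovery-route requests."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not RECOVERY_PATTERN.match(m["path"]):
            continue  # unparseable line or unrelated route
        events[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    for times in events.values():
        times.sort()
    return events


def find_recovery_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: max hits inside any `window`} for IPs reaching `threshold`.

    A sliding window over each IP's sorted timestamps finds the densest run
    of recovery requests; an IP is flagged when that run meets the threshold.
    """
    flagged = {}
    for ip, times in recovery_events(log_text).items():
        start = best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, hits in find_recovery_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {hits} password-recovery requests within 5 minutes")
```

The threshold should be tuned against the site's real baseline of reset requests; a legitimate user rarely requests more than one or two resets in a few minutes, so even a modest threshold separates ordinary traffic (198.51.100.4, 192.0.2.9) from the noisy source above. Pair the alert with patching OctoberCMS to a build that fixes CVE-2021-32648 and with restricting backend access to trusted networks.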
- No other ransomware attacks from famous ransomware gangs on Ukrainian firms were made in the last few days. That might confirm the hypothesis that this attack was not conducted by traditional ransomware groups but by more sophisticated hackers or an APT.
- On Russian-speaking dark web forums, topics related to CIS countries have long been forbidden, due to the historical events tying these countries to the USSR and the fact that they still share broadly the same language and culture, which fosters mutual respect. Although Ukraine was officially removed from the CIS in 2018 following tensions with Russia, dark web forums still do not encourage sharing or selling data from this country, so discussions are very limited.
- CybelAngel has not noticed any significant drop or increase in unprotected connected storage protocols located in the Eastern Europe region.
- However, CybelAngel experts believe that port scanning might increase in the coming weeks, especially on file-sharing protocols, as they remain low-hanging fruit for threat actors.
“As tensions increase in the region due to the increased presence of Russian forces along the border and NATO deployments in support of Ukraine, we believe the same is happening in cyberspace. Any further escalations resulting in physical engagement will be responded to by multiple actors in support of either side of the conflict in cyberspace. We anticipate a massive disruption in communications and availability of the internet during this, resulting in impact to commerce, supply chain, and transportation in the region.” – Todd Carroll, Vice President of Cyber Operations, CybelAngel, Retired FBI Deputy Special Agent in Charge