
Cyber implications of the conflict against Ukraine

By CybelAngel, Fri Feb 25, 2022

Update – 25th April 2022

As the second month of the conflict in Ukraine comes to a close, CybelAngel is releasing our latest analysis of cyber activity in the conflict. As part of our responsibility as a cybersecurity company, we are taking action to prevent the conflict from spreading into a broader cyber war that could have global consequences. Interested parties can learn more here.

CybelAngel insights

  • Hacker groups are becoming more and more organized on both sides. In response to pro-Ukraine groups such as the IT Army of Ukraine, Anonymous or NB65, groups such as Killnet and Xaknet Team have been shifting from generic cybercrime activities to supporting Russia.
  • People around the world are influencing this war by protesting, boycotting, hacking and showing their support for one side or the other.
  • Ukraine is heavily supported by non-governmental groups and individuals across the world.
  • Pro-Russia groups claim to have no links with the Russian government.
  • The conflict reveals the weakness of certain areas of Russia’s cybersecurity. In the last two months, large Russian corporations and governmental entities suffered attacks which led to the leak of several dozen terabytes of data.
  • The risk for companies with activities in Russia, Ukraine, Estonia, and Poland remains high.

Pro-Russian activities

  • Ukrtelecom, Ukraine’s national internet provider, suffered an attack from Russia that reduced its services to 13% of pre-war levels.
  • According to preliminary data, on the night of the invasion a cyber-sabotage operation was carried out by the Russian special services and specialized hacker groups (APT28, APT29, Sandworm, BerserkBear, Gamaredon, Vermin, etc.) to take down Ukraine’s entire cybersecurity infrastructure.
  • Armageddon conducted phishing attacks against the EU and Ukrainian institutions.
  • UAC-0094 targets Telegram users via SMS phishing, stealing session data, contact lists and conversation history.
  • Killnet, a leading group of pro-Russian hacktivists, has been seen targeting infrastructure in Ukraine, Poland and Estonia (for NATO’s CCDCOE), mostly through DDoS attacks.

Pro-Ukrainian activities

  • In collaboration with ESET, CERT-UA successfully thwarted a massive cyber-attack on Ukraine’s electricity grid by the Russian state-sponsored group Sandworm. Had it succeeded, it would have been the biggest blackout caused by a cyber attack in history, potentially affecting 2 million people.
  • Ukraine has taken down 5 bot farms amounting to more than 100,000 fake accounts spreading misinformation and panic among citizens.
  • The hacker group BlackRabbit, associated with #OpRussia, allegedly broke into the Kremlin CCTV system.
  • Microsoft took down the infrastructure of Strontium, a nation-state Russian group, used to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy.
  • Since the beginning of the conflict, the journalist non-profit collective DDoSecrets has released 27 Russian datasets amounting to a total of 5.8TB of information. Various groups and individuals such as NB65 (which used Conti’s infrastructure against Russia) and Porteur provided these datasets. Most of the victims are energy companies, financial services and government institutions.

Neutral/Miscellaneous

  • The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.
  • The Yale list is a publicly available list of foreign enterprises doing business in Russia. It is divided into multiple categories depending on the involvement of these companies and their status regarding the war. It serves as a basis to identify and launch boycott campaigns against those brands.
  • Several boycott groups are active, especially on Telegram, and are distributing assets such as slogans, verbatim text, and individual targets for users to boycott or harass the brands.
  • The impact on these brands may be significant. Several brands announced they would “stop” or “limit” their activities in Russia, at least temporarily, following public discontent.


Update – 18th March 2022

Pro-Russian activities

  • CERT-UA warns against mass phishing campaigns against Ukrainians.
  • DDoS attacks continue, with a peak of 100 Gbps.
  • FancyBear (APT28) conducted several large credential phishing campaigns targeting ukr.net users.
  • Ghostwriter (UNC1151) conducted phishing attacks against the Polish and Ukrainian military.
  • The XakNet hacking team targets Ukrainian websites (defacing bank websites).
  • A third wiper, CaddyWiper, was deployed in Ukraine.

Pro-Ukrainian activities

  • A new wiper malware, dubbed RURansom, targets Russia.
  • Activists have started attacking companies from the Western world that are still doing business in Russia. A list shared by Yale is being used as a target list by pro-Ukrainian actors.
  • Ukraine’s Security Service arrested a hacker routing phone calls for Russian troops.
  • The Twitter account trickleaks started publishing doxes of alleged Trickbot members.

Neutral/Miscellaneous

  • Russia is urging government entities to move to sovereign IT infrastructure (DNS, hosting, domains…).
  • The electricity grids of Ukraine & Moldova have been successfully synchronized with the Continental European Grid.

Key takeaways

  1. Cyber operations are slowly ramping up on both sides.
  2. Targets of pro-Ukrainian actors are shifting from “strictly Russian” to “cooperating with Russia”. To the pro-Ukrainian actors, that means companies or organizations continuing or not reducing their operations in Russia.
  3. Russia is trying to make its cyber infrastructure as autonomous as possible.

Update – 4th March 2022

Pro-Russian activities

Pro-Ukrainian activities

  • Pro-Ukraine hackers attack the JINR (Joint Institute for Nuclear Research).
  • Hackers have compromised a website connected to Russia’s Space Research Institute (IKI), which designs and builds scientific instruments for space experiments, according to screenshots and archived data.
  • Ukraine’s ‘IT army’ continues directing DDoS and naming targets.
  • “Anonymous” is believed to have hacked the websites of three major news agencies in Russia and replaced their homepages with anti-war messages accusing Putin of lying about his war.
  • AgainstTheWest claims to have hacked the Belarusian broadcaster CTV and is slowly leaking the documents.
  • Lone hackers claim that they are helping Ukrainian companies to fix their vulnerabilities.

Neutral/Miscellaneous

  • The French media outlet reflets.info managed to access thousands of unsecured Ukrainian security cameras belonging to the police. The access was closed 4 hours after they reported it to the Ukrainian Embassy in France.
  • @RedBanditsRU had affirmed its support for Russia, but has since released a more detailed statement indicating that it does not support the war and refuses to act against innocent people, as it sees Ukrainians as its brothers.
  • Russia is cracking down on its local media, pushing more and more censorship; few independent Russia-based media remain today.
  • The Moscow Stock Exchange has been closed all week.
  • Opportunistic actors set up fake donation pages for supporting Ukraine.

Key takeaways

  1. Ten days after the conflict began, the cyber field is more about resistance and guerrilla actions than a “cyber war”.
  2. Both sides are starting to target ICS (Industrial Control Systems).
  3. As the war goes on, tensions increase along with the likelihood of Russian actors targeting foreign countries supporting Ukraine too.

Update – 28th February 2022

Non-exhaustive list of the most debated actions of the past few days.

Pro-Russian activities:

  • The Conti ransomware group showed explicit support for Russia, stating full support for the Russian government, but withdrew its statement after criticism from its affiliates. Following this statement, an unknown security researcher released the chat logs of the last 13 months from the Conti group and its affiliates. In an updated statement, Conti says it condemns the ongoing war and does not take sides, but will take action if Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.
  • The Russian APT “Actinium” seems to be targeting Ukrainian infrastructure, although no further details can be found.
  • Disinformation seems to be spreading on social media, but it is not clear whether it comes from an organized operation.

Pro-Ukrainian activities

  • Mykhailo Fedorov, Vice Prime Minister of Ukraine, is setting up a Telegram group to enroll an “IT army for Ukraine”. When this note was written, the group counted more than 200,000 users.
  • Anonymous claims to have taken down major Belarusian banks, along with the Russian SberBank.
  • Hackers from various countries and continents share vulnerable Russian assets, including video surveillance of sensitive premises, and attack the websites of Russian institutions and companies.
  • AgainstTheWest, a European group known for attacking Chinese infrastructure and for allegedly discovering the Log4j exploit, is using a “wiper malware” to destroy Russian servers. Claimed victims include the Russian Space Forces, the Ministry of Transport of Russia, the Federal Service for Labor and Employment, and the Central Bank of Russia.
  • The Belarusian Cyber Partisans keep supporting Ukraine by attacking Belarus’s railway system.
  • Several Threat Intelligence companies have opened their services free of charge for Ukrainian officials.

Neutral/Miscellaneous

  • Some hackers, without being pro-Russian, have started attacking US infrastructure for “not sending troops to Ukraine”.
  • Lockbit, which is thought to be Russia-based, announced that it would stay neutral.

Key takeaways

  1. Malicious actors and hacktivists are taking cyber actions, on both sides.
  2. So far, it doesn’t seem to have a major impact on the evolution of the conflict.
  3. While actors around the world focus on Russian assets, we could expect repercussions from pro-Russian hackers against targeted countries.

This note may be updated with additional information, depending on the evolution of the crisis.

Foreword

On February 24th, 2022, Russia invaded Ukraine. This move followed weeks of tensions between the two countries, which were also reflected in the cyber world, although at a limited scale. CybelAngel analysts follow the conflict in cyberspace, with a focus on dark web communities.

“While we haven’t seen a large cyber offensive in conjunction with the invasion of Ukraine, we must remain vigilant. Putin sees cyber warfare as a tool to use in a new Cold War with the West. When he says the West will face repercussions if they act against the invasion, he will use cyber weapons to strike back at the West, NATO, and other countries who do not outright support Russian efforts.

Remember the intelligence collected from Snowden and the attacks on NSA tools? I expect those TTPs and cyber weapons, hoarded by the Russian Federation and groups under their influence, to be used in efforts to retaliate against the West. Russia has shown its abilities and willingness to attack cyber assets for intelligence, use social media platforms to spread disinformation and amplify messaging in their favor, and use others to do their dirty work.

Cyber disruptions, attacks, and outages will come when our guard is down… holidays and weekends. We need to make sure we are prepared and more aware now than ever of the potential events that may escalate as a result of this invasion by the Russians.

We are dealing with a cold and calculating leader and state. They have prepared for this rainy day and it is pouring outside. Are you ready?”

– Todd Carroll, Vice President of Cyber Operations, CybelAngel, Retired FBI Deputy Special Agent in Charge

Key takeaways

  • A lot of threat actors are expressly showing their support for Ukraine, while Russian-speaking users remain silent.
  • Attacks against Ukraine, launched by unknown groups, have mostly targeted banks and the government.
  • Pro-Ukrainian groups, with actors from around the world, have started attacking Russian government websites.
  • It is too soon to tell whether the targets will go beyond national Russian/Ukrainian infrastructures.

Facts

  • Distributed Denial of Service (DDoS) attacks against Ukrainian banks and government websites have been reported, both before and after the invasion.
  • A new destructive malware dubbed HermeticWiper was detected by the antivirus company ESET, and indicators of compromise (IOCs) have been shared by multiple companies. This malware directly follows WhisperGate, the malware identified in January which posed as ransomware but aimed at paralyzing systems, and has the same effect.
  • An unknown group going by the name FreeCivilian continues its operation of leaking personally identifiable information (PII) related to Ukrainian government websites. FreeCivilian was first spotted by CybelAngel analysts in mid-January 2022.

A cropped view of FreeCivilian’s Tor website

On hacking/cybercrime communities

  • The popular cybercrime forum Raidforums is taking action against Russian users, claiming that users connecting from Russia would be instantly banned. Probably in connection with this announcement, moderators have banned the user FreeCivilian.
  • Russian-speaking communities haven’t elaborated much on the topic. The conflict is not likely to be of interest to Russian cybercriminals, who rarely attack Ukraine even though it is no longer a CIS country.
  • The official Twitter account of the Anonymous group claimed that it would take sides with Ukraine, and appears to have already taken action against several Russian websites.
  • The FSB (Federal Security Service of the Russian Federation) warned Russian companies against cyberattacks coming from pro-Ukrainian groups.
  • We’ve seen several actors sharing both sensitive Russian military data in retaliation for the invasion of Ukraine, and sensitive US military data in retaliation for US support of Ukraine.


A Raidforums moderator’s warning against Russian users