More sophisticated cyberattacks against Ukraine to come, says Russian company


Russia’s offensives against Ukraine took over the digital medium even before Vladimir Putin’s troops advanced on the neighboring country’s territory. The cyberattacks seen so far, however, do not bring all the sophistication seen in Russian hackers during the last few years.

With the beginning of the wave of cyberattacks on Ukrainians in January, the fear of experts in the sector and authorities was of disruption to essential services and impact to other countries, intentional or not.

Russia is considered one of the most powerful countries for cyberattacks, alongside the US and China. The current state of alert is based mainly on campaigns that happened in the past.

Commonly cited are the offensives of the Sandworm hacker group, which in 2015 left thousands of people without power and, in 2017, released the NotPetya virus, which went out of control and caused damage in several countries, estimated by the White House at billions of dollars.

In the cybersecurity world, these sophisticated hacking groups like Sandworm are called APT (Advanced Persistent Threats). The Russian government has already been accused of covering up, and even recruiting, such groups operating in the country.

So far, the attacks seen in this series are reminiscent of some of those from the past, but far from the same level of destruction. The yellow light, however, should keep flashing because, in recent days, threats of greater complexity have been found.

“We’ve never seen anything like this in the history of cyberattacks, but at the same time, more sophisticated activity is yet to come,” says Costin Raiu, director of research at Russian cybersecurity firm Kaspersky. He participated in an online seminar this Thursday (10) to analyze the threats found in Ukrainian virtual space.

In the US and Europe, there is concern about Putin’s reactions after trade sanctions on Russia and expectations of new waves of attacks, possibly targeting the West.

The US government continues to update “Shields Up”, a statement urging companies to pay attention to cyberattacks and guiding their defenses.

“We’ve been talking with some alarm for weeks, maybe months, about the Russian threat and the fatigue is real. The sense of normalization in [hacker] activities is real,” Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency, told the Washington Post.

Several fronts

According to Kaspersky’s Costin Raiu, the mix of different components makes the cyberwar scenario between Ukraine and Russia unique.

In addition to the offensives of known groups, there are threats coming from unknown APTs, as well as hacktivism (digital hacker activism) and cybercriminals taking advantage of the situation.

“And, at the heart of all this, there is still an intense information war, including data leaks, some true and some false,” notes Raiu.

From least to most complex, most attacks seen so far fall into three categories: virtual graffiti, denial of service, and data destruction mechanisms.

A common step in these attacks is phishing: sending fake messages (such as emails) to try to steal information from users or infect their machines.

Virtual graffiti (known in technical circles as “defacing”) was among the first attacks seen in this wave, against Ukrainian government websites. In this mode, hackers take advantage of flaws in websites to change their appearance and, for example, display political messages instead of the expected content. There is not necessarily an invasion or theft of information.

Distributed denial of service (“DDoS”) attacks attempt to overload systems to make them slow or inoperable. In these cases, many machines connected to the internet contact a service at the same time so that it cannot handle the demand.

According to the Ukrainian government’s communications and information protection service, the country has been countering DDoS attacks from Russian sources “non-stop”.

Lastly, a number of different wiper-type viruses, which focus on erasing data, have been found on Ukrainian computers. One tactic that has become common among these viruses is to disguise themselves as ransomware.

Ransomware is the virus of the moment among cybercriminals: it blocks access to data and systems and charges a ransom to release them. By disguising themselves in this way, wipers try to make it look like the attack comes from a group trying to make money, not from another state looking to destroy services.

So far, at least three wipers have been found in operation in Ukraine. All of them had compilation dates (when a computer program is ready to run) within the last year—that is, they were ready in advance.

In how they operate, they resemble other viruses used by Russia in the past, including NotPetya, but with a smaller scope and a lower technical level.

According to Ivan Kwiatkowski, a senior researcher at Kaspersky, one of these wipers, however, stands out. Called HermeticWiper, it disguises itself as a legitimate program to avoid detection on the computer.

It “breaks” the saved data into several parts before erasing it, a process known as shredding. With this, recovering the files becomes even more difficult. “It’s a technique I’ve never seen before,” says Kwiatkowski.

HermeticWiper was detected in Ukrainian organizations shortly before the Russian invasion on February 24th. According to cybersecurity firm Symantec, the targets include organizations in the financial, defense, aviation and IT services sectors. The company says the virus was also found on machines in Lithuania.

On the same date, a cyberattack targeting the satellite network of the telecommunications company Viasat left some of its customers without internet. The impact was also felt in Germany, where wind turbines lost connectivity, according to the Reuters news agency. US, French and Ukrainian officials are investigating whether the outage was caused by Russian hackers.

In the last week, failures were recorded in at least two other Ukrainian internet providers, according to The Record website.

‘End of the world’ misspelled

According to Kaspersky’s analysis, the most active APT in Ukrainian cyberspace in recent weeks is the group known as Gamaredon or Armageddon, linked to Russia.

The group uses attacks that are far less technically powerful than those of Sandworm, which is linked to the Russian military and has appeared little in recent weeks.

Gamaredon has been active since at least 2013, already targeting Ukraine, according to a report by Trend Micro, an information security company. “It’s been ten years of activity using little [sophistication in] technology, but efficient,” says Kurt Baumgartner, a researcher at Kaspersky.

A report by Palo Alto Networks, also from the cybersecurity sector, mapped Gamaredon’s infrastructure. The group uses phishing (fake messages) to try to install viruses and thereby gain control of machines linked to the Ukrainian government.

The APT’s name comes from documents of the group that have been analyzed by experts. The Word files indicated that they were last edited by a user named “Armageddon” (or “end of the world”), but with a typo (one D, where the English spelling has two).

It’s common for APTs to have multiple names, so reading up on the subject can get a little confusing. This happens for a variety of reasons, such as the group itself choosing to change its name or cybersecurity companies adopting different terms. “Primitive Bear” and “Actinium” are two of several other ways of referring to Gamaredon. Sandworm also goes by “Hades”, “Telebots”, “Voodoo Bear”, “Unit 74455” and other names.

We just want money

Gamaredon joins a number of other APTs and hacktivist groups that have taken up virtual arms in the war between Russia and Ukraine. And support appears on both sides.

On the Ukrainian side, well-known hacktivist groups such as Anonymous have taken to attacking Russian entities. Onslaughts by these groups have ranged from DDoS attacks to breaking into organizations to leak data or disrupt operations. In addition, defacing attacks have brought messages of support for Ukraine to Russian screens.

On the Russian side, the cybercriminal group Conti (which specializes in ransomware attacks) was one of those that declared support for the invasion. The statement led to a rift in the gang, and some of its members even leaked internal documents exposing the team’s workings.

In the virtual underworld, the confusion is such that there was even a cybercriminal group declaring neutrality in the war. Lockbit, Conti’s competitor in ransomware, issued a statement saying it was apolitical because it had members of different nationalities. “For us, it’s all about money,” they declared.

This muddled scenario creates additional risk, experts reckon. Attacks from these groups can spill over to third parties such as companies. In addition, hacktivism can also interfere with intelligence activities by drawing attention to a vulnerable system that was being surreptitiously exploited by government hackers.

“Hacktivism, by nature, is always very noisy. And intelligence is very quiet. A hacktivist group can unintentionally lead to a thorough analysis of a system that was being quietly observed by an intelligence operation,” Jake Williams, a former NSA (US National Security Agency) hacker, told Wired magazine.
