A small recap of the cyber threats targeting Ukraine: Putin’s invasion of Ukraine has taken place both on and offline, blending physical devastation with escalating digital warfare. Since January, Ukraine’s cyberspace has been marked by:
- A significant web defacement effort targeting at least a dozen government websites.
- Two destructive wiper malware strains, ‘WhisperGate’ and ‘HermeticWiper’, aimed at government, non-profit, and I.T. organizations, mimicking the NotPetya attacks.
- Another trojan, dubbed ‘Cyclops Blink’, developed by the Russia-backed Sandworm APT group.
- DDoS attacks which took the Ukrainian defence ministry and two state-owned banks offline for several hours.
- Disinformation and “hybrid warfare” tactics including a bot farm that hosted 18,000 fake mobile accounts which were used to send fake bomb threats and spread online disinformation about mines being laid in public spaces.
Allegiance and positioning of cybercrime groups: Hacking groups have taken to social media to announce where their allegiance lies in the Ukrainian invasion.
- The Anonymous collective officially declared themselves in cyber war against the Russian government and conducted several DDoS attacks against Russian state websites and TV channels.
- Siding with Russia, several cybercrime groups threatened potential attacks against critical infrastructure: this is the case of the Conti ransomware group, which is highly sophisticated and known for being the first group to weaponize the Log4Shell vulnerability and operate a fully-developed attack chain. The domino effect of hacker announcements prompted Ukraine’s Defense Ministry to send a call to action to the Ukrainian underground hacker community.
Risks of spillover cyberattacks: Many countries, such as the US, the UK, Australia, Germany, and New Zealand, have warned their private sector about the risk of potential spillover from any cyberattack conducted by Russian hackers. Some countries have also taken into consideration the possibility that Russia may respond to any economic sanctions via destructive cyberattacks.
International cyber aid: the support of cyber infrastructure has been recognised as an important aspect of international aid. Six European Union countries (Lithuania, Netherlands, Poland, Estonia, Romania and Croatia) agreed to send cyber security experts to help Ukraine deal with these threats. Australia also committed to providing cyber security assistance to the Ukrainian government, through a bilateral Cyber Policy Dialogue. This will allow for exchanges of cyber threat perceptions, policies and strategies.
RIP TrickBot? The TrickBot malware operation, which has dominated the threat landscape since 2016, has shut down after its core developers moved to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families. Over the last year, Conti has become one of the most resilient and lucrative ransomware operations, responsible for numerous attacks on high-profile victims and amassing hundreds of millions of dollars in ransom payments.
AdvIntel explained last week that the shift in development is because the TrickBot trojan is too easily detected by security software, making it less lucrative.
A newly-discovered Iranian espionage malware: US and UK cybersecurity and law enforcement agencies identified new malware deployed by the Iranian-backed MuddyWater hacking group in attacks targeting critical infrastructure worldwide. The malware, dubbed Small Sieve, provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection. Last January, MuddyWater was officially linked to Iran’s Ministry of Intelligence and Security (MOIS).
A five-week-long Internet outage: The major submarine cable key to Tonga’s online access was recently repaired, restoring data access to many of its people five weeks after a volcanic eruption disconnected the Pacific island nation from the rest of the world.
Chinese hackers linked to months-long attack on Taiwanese financial sector: The APT10 hacking group affiliated with the Chinese government is believed to have carried out a months-long attack against Taiwan’s financial sector by leveraging a vulnerability in a security software solution used by roughly 80% of all local financial organizations. The operation was dubbed Cache Panda and leveraged the Quasar RAT malware, which allowed the attackers persistent remote access to the infected system.