As Ukraine reels from cyberattacks, Russian missile strikes overshadow them
Russian cyberattacks during the November 23 attack on Ukraine: SSSCIP officials lost their jobs in Ukraine and they will likely be shut down in the next few months
Russian troops burned cities to the ground, raped and tortured civilians, and committed scores of potential war crimes during Russia’s brutal war in Ukraine. European lawmakers called for ties with Russia to be reduced further after labeling the country a state sponsor of terrorism on November 23. The response to the declaration was instant: the European Parliament’s website was knocked offline by a DDoS attack.
By Monday, 40% of Kyiv residents were left without water, and widespread power outages were reported across the country. On Thursday, Ukrainian President Volodymyr Zelensky accused Russia of ‘energy terrorism’ and said that about 4.5 million Ukrainian consumers were temporarily disconnected from the power supply.
According to researchers at several firms, in a year’s time, Ukraine will see far more of the so-called “wiper” worm than any other country. That doesn’t necessarily mean Ukraine has been harder hit by Russian cyberattacks than in past years; in 2017 Russia’s military intelligence hackers, known as Sandworm, released the massively destructive NotPetya worm. But the growing volume of destructive code hints at a new kind of cyberwar that has accompanied Russia’s physical invasion of Ukraine, with a pace and diversity of cyberattacks that is unprecedented.
A senior US official said after the explosion on the bridge that Putin was trying to go for a big showy public response to the attack.
Ukrainian cybersecurity officials have for months had to avoid shelling while also doing their jobs: protecting government networks from Russia’s spy agencies and criminal hackers.
Four officials from one of Ukraine’s main cyber and communications agencies — the State Service of Special Communications and Information Protection (SSSCIP) — were killed October 10 in missile attacks, the agency said in a press release. The four officials did not have cybersecurity responsibilities, but their loss has weighed on the cybersecurity officials at the agency.
Russia wouldn’t measure success in cyberspace by a single attack but by the cumulative effect of trying to wear the Ukrainians down, according to a Western official.
The Justice Department and private investigators say that NotPetya was created by the Russian military intelligence agency as the war in eastern Ukraine went on, wiping out computers at companies around the world. The incident cost the global economy billions of dollars.
The operation involved infiltrating widely used Ukrainian software, injecting malicious code to weaponize it, and identifying it, according to the director of threat intelligence at Talos.
All of that was just as effective as the product, according to a team that has responded to cyber incidents for years. “And that takes time and it takes opportunities that sometimes you can’t just conjure.”
Turla’s Cybercriminal Malware Attacks and the Russian Cyber Security Arsenal: A Call to Strengthen the Security of Russia, Or Why We Don’t Want It
Zhora, the Ukrainian official who is a deputy chairman at SSSCIP, called for Western governments to tighten sanctions on Russia’s access to software tools that could feed its hacking arsenal.
“We should not discard the probability that [Russian government hacking] groups are working right now on some high-complexity attacks that we will observe later on,” Zhora told CNN. “It is highly unlikely that all Russian military hackers and government-controlled groups are on vacation or out of business.”
The ambassador-at-large for cyber affairs told CNN it is possible that the Russians would use a new wave of cyberattacks.
The main goal of Sepp is to get Russia isolated as much as possible, he said, adding that there have been no talks about cybersecurity issues in months.
Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla’s hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. Turla was able to take over the command-and-control server for that malware and sift through its victims to find those worthy of espionage targeting.
“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”
The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.
The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—knocked the Parliament’s website offline for several hours. The attack was claimed by the pro-Russian hacktivist group Killnet. The hacktivist group has targeted hundreds of organizations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It was one player in a bigger surge of hacktivism.
“I’m not going to say that hacktivism was dying, but it was definitely withering for some time,” says Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne. For the past four or five years hacktivism has seen low-level disruptions and more sophisticated attacks that may be used to cover for a nation-state’s hacking. A lot of players are in the space and there is a lot of middle ground between those two extremes.
There are some pro-Russian hacktivist groups on the other side of the conflict, according to the group manager at Check Point. Killnet, Noname 057, From Russia With Love, and Xak Net are among them. Killnet is probably the most active of these groups, Shykevich says. “Since April, they have targeted around 650 targets—only about 5 percent of them were Ukraine.” Its targets, like the European Parliament, have largely been countries that oppose Russia. The group, which mostly uses DDoS attacks, is proactive on Telegram, media friendly, and appeals to Russian speakers.
There’s still an outsize place for distributed denial of service attacks in hacktivism. An FBI notification, issued in early November, says those behind DDoS attacks have “minimal operational impact” on their victims. The FBI says that hacking targets are perceived to have a greater impact than the actual disruption of operations. In other words: the bark is often worse than the bite.
Rajan Menon, a director at the Defense Priorities think tank, says that if Russia messes with the system, it will put it out of whack. “It’s an enormous economic cost, and it’s not only an annoyance. It’s an effort to create pain for the civilian population, to show that the government can’t protect them adequately.”
Red flags for Mandiant when Andromeda was reregistered and it was a red flag for the use of wipers
When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. Turla was able to find subjects worthy of its espionage thanks to the various domains connected to hundreds of Andromeda infections.
Dating from 2013, Andromeda is a very common banking scam that has been used to steal victims’ credentials. On one of the machines, the Andromeda sample quietly downloaded two other pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.
The current use of wipers is the most intense in all of computer history, according to a senior security researcher from ESET.