From the Front Lines of the Cyberwar

The battle in cyberspace is so heated that this post can only capture some of the major developments. Most of the information given here is found on deep web sites, hacker forum sites, or sites dedicated to hacking and cybersecurity, most of which are not frequented by mainstream media. Most of the cyber attacks against Russian sites are orchestrated by individual hackers or hacker groups, while those against Ukraine and its allies are undertaken by both hacking groups and government-affiliated hackers. These, therefore, are often more devastating. According to the cybersecurity firm Check Point, cyberattacks on Ukraine increased 196% in February.

Russian Cyberattacks on Ukraine and Its Allies

Most of these attacks are by Russian government-affiliated hackers, but not all. Some are from hackers who have legitimate IT jobs by day but moonlight with other hackers to make extra money. Here is one such hacker who was interviewed by the BBC.

“Considering everyone is attacking Ukraine servers. I am thinking we should cause some disruption too?” He and his team of six hackers then took down a number of Ukrainian government websites with DDoS attacks. “If my employer found out I would not have a job,” he said. Well, maybe; it depends on the political stand of the employer. However, what is clear is that the group wasn’t that worried about getting in trouble. The hacker claims to have conducted numerous “DDoS attacks, emailed 20 bomb threats to schools, hacked into the live dashboard feeds of an unidentified Ukrainian ‘rapid response team’ and found a way to set up official emails using a Ukrainian government email service.”

Attacks on Ukrainian Universities

Another hacking group, known as theMx0nday, specialized in hacking Ukrainian universities to coincide with the military attack.

They apparently attacked and stole information from at least 30 universities. Of course, this information can form the basis for spearphishing and other attacks.

Phishing Attacks from Legitimate Ukrainian Military Members

According to Proofpoint, these spearphishing emails targeted individuals in European government agencies. The subject line read, “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022”. The emails carried a malicious attachment, “list of persons.xlsx”. This seemed to hint at names on a ‘kill list’ that was reportedly issued by the Russian government. It appears the sender accounts were legitimate but compromised. Here is the notice about this from the Ukrainian government.

The malicious attachment establishes a connection to the malware’s command and control (C2) server, which enables the perpetrators to surreptitiously load whatever additional malware they want onto the infected machine.

Wiper Attacks

As I reported in my last post, ESET security researchers discovered wiper malware that hit multiple sites hours before the physical invasion of Ukraine. This malware, named HermeticWiper, destroys a computer’s ability to reboot. A day later, another wiper malware appeared, which the researchers called IsaacWiper, and which targeted Ukrainian government sites. As can be seen in the following diagram, these wipers were already installed in the government networks well before they were actually deployed.

This seems to indicate that the invasion of Ukraine was being planned for a considerable time. That said, it is impossible to say with 100% certainty that Russia is behind the attack but…

Infrastructure Attacks?

Many experts predicted that a Russian invasion would be accompanied by infrastructure attacks. Russia has the capability to take out the power grid or disrupt water supplies. It was also believed that they would take out cell phone towers. However, they appear to have been quite circumspect in destroying the communication network, only taking out one TV tower. Others have wondered why there hasn’t been a more widespread air offensive. However, the answer to both of these questions may be the same.

According to many strategists, Putin expected to be welcomed in Ukraine, much as he was welcomed in Crimea. He would bathe in the sunshine of their gratitude. He expected a relatively straightforward advance on Kiev followed by the replacement of the current government with people more supportive of Russia. Most experts expected this to happen within a few days. In that scenario, they would need an intact infrastructure to form the new government. The last thing they would want to do would be to destroy the infrastructure and then undertake the huge expense of rebuilding it. After all, infrastructure is expensive. Putin may still be hoping for a non-infrastructure-destroying strategy, but if this fails, anything is possible. His self-image as the heroic, wise, and benevolent leader is on the line.

Ukraine Cyberattacks on Russia and Belarus

A Call to Arms

Ukraine was overwhelmed with cyberattacks and, at first, could offer little in terms of a counteroffensive. This, however, did not last, as worldwide sentiment was in their favor.

The call to arms came on Twitter on February 27th.

If you follow the links, you will be led to a Telegram site where you are encouraged to send a video or photo of the true situation in Ukraine to people in Russia and Belarus.

The rationale is that most Russians would be shocked if they learned the truth about what their countrymen and leaders were doing. For the time being, most Russians get their news from the state-controlled media, which is telling them that Ukrainians are participating in genocide against Russian speakers in Ukraine.

The call to arms stimulated an outpouring of support. There is now a list of companies and individuals who are offering their services for free to Ukraine.

The complete list can be found here.

According to a March 4th article from Reuters, over 400,000 people have volunteered to digitally disrupt the Russian government’s invasion efforts. In other words, the hearts and minds of the world are clearly on the side of Ukraine.

But not everyone supports Ukraine. Here is a list of hacking groups showing which side they are supporting. You can see that those supporting Ukraine are more than twice the number that support Russia, but quantity does not always supersede quality.

Somewhat amusingly, the DDoSecrets leak site lists itself as a hacking site. Yeah, that might be more information than you want to give out.

In order to be effective, Ukraine needs to organize its cyber supporters into divisions similar to an army’s divisions. Each division should have an offensive and defensive component as well as an assortment of cyber weaponry. The appropriate cyber weapons must be fine-tuned to the site or infrastructure that needs to be attacked. But maybe this is already being done. For the moment, the Russian attacks seem more clearly designed while the Ukrainian attacks seem more scattergun. They may be irritating, but they do not seem to be causing major damage. This could all change, especially if allied governments get involved. However, for the moment, there is no evidence that the U.S. or NATO has done anything on the cyber front. They may be afraid that Putin would consider such an attack an act of war that would result in retaliation, as if Putin needs any excuse.
