Numerous clashes have continued in the country over the past week, with Ukrainian armed forces resisting, while the Russian army officially seized the cities of Melitopol and Kherson, before announcing the expansion of its offensive against Ukraine despite a growing international outcry. On Sunday, February 27, Vladimir Putin ordered his army chiefs to put Russia’s nuclear deterrent on high alert, in response to what he said were aggressive statements by NATO and EU countries and economic sanctions against Moscow.
While the military conflict continues, the cyber one is intensifying. A new series of offensive and destructive cyberattacks against Ukraine’s infrastructure, as well as responses targeting Russian assets, are being observed.
Wiper payloads and DDoS attacks constitute major component of the conflict in the cyber sphere, with several spear-phishing campaigns and malware packages associated to these campaigns being newly identified and analyzed by security researchers. Various state, criminal and hacktivist actors are involved on both sides of the conflict, with coalitions being created.
Ukrainian and Russian targets are the first to be affected during this conflict, but allies on both sides – and by extension their assets – could be the next potential targets (as illustrated by a recently identified spear-phishing campaign targeting European government personnel assisting Ukrainian refugees).
- Russian-linked group Gamaredon launches several attacks on Ukrainian organizations.
- Ukrainian security service announces a wave of cyberattacks.
- Ukrainian defense agency and two banks are victims of DDOS.
- The White House and the British government attribute the DDOS attacks to the GRU.
- HermeticWiper campaign hits multiple Ukrainian organizations: Ministry of Defense, Ministry of Foreign Affairs and the Ministry of Internal Affairs. Large volume of telecom data is also stolen.
- IsaacWiper campaign targets Ukrainian governmental network.
- Several Russian government sites go offline due to the suspected hacktivists’ cyberattack.
- Massive spear-phishing campaign targets Ukrainian armed forces personnel and is linked to the Belarus cyberespionage group UNC1151.
- Ukrainian border is hit by a wiper cyberattack that slows the process for Ukrainian refugees to cross into Romania.
- The CISA issues an official alert on WhisperGate and HermeticWiper campaigns.
- Hacktivists get increasingly involved: Ukrainian universities hacked by pro-Russian hacktivists and Anonymous breaches over 300 Russia-affiliated targets.
- Ukraine recruits an army of cyber volunteers with the goal of attacking a specific list of Russian entities.
- First Conti leaks are published.
- New cyberattacks against Ukrainian targets detected: malware package traced as “FoxBlade” is identified.
- Facebook detects two attack campaigns against Ukrainian targets using its network, and promptly blocks the accounts associated.
- Satellite internet provider KA-SAT victim of a cyberattack, seemingly of Russian origin and affecting German wind farms and the French ISP NordNet.
- The Anonymous deface websites of several Russian state news agencies.
- New Conti leaks are published.
- Spear-phishing campaign “Asylum Ambuscade” targets European government personnel aiding Ukrainian refugees and is attributed to UNC1151.
- Large fraud campaign targets Microsoft users with the lure of “unusual sign-on activity from Russia”.
- New Conti leaks are published.
- New phishing campaigns appear: sanctions-themed-emails targeting cryptocurrency marketplace credentials, humanitarian-aid-themed scams and advance-fee frauds.
- “ID 5” threat actor launches a DDoS attack against the Ukrainian Ministry of Defense.
- Another hacktivist confrontation: the pro-Russian hacktivist group KillNet takes Anonymous’ servers offline.
- New Conti leaks are published.
Threat actors/Intrusion sets involved
|Threat Actor/Intrusion set
|Belarusian Cyber Partisans
|Low to medium
|IT Army of Ukraine
|KelvinSecurity Hacking Team
|Anon Liberland & PWN-BAR Hack Team
|Conti ransomware operators
|The Red Bandits
|Medium to High
|IT Army of Ukraine Psyops
|Stormous ransomware operators
|Digital Cobra Gang
|Unknown Threat Actors
Credits to Cyberknow for the regular update on all the threat actors involved : https://cyberknow.medium.com/update-7-2022-russia-ukraine-war-cyber-group-tracker-march-6-7a4e40baa748
- Banking institutions
- Government and administrations
- Defense industry
- Financial organizations
- Medias and audiovisual
- Nuclear power (civilian use)
- Rail transport
- Air transport
- Agriculture and agribusiness
- Internet Service providers
- Religious organizations
- Military personnel
DDoS and defacement
Risk level: low
Threat actors listed above, considered as “hacktivists”, are conducting reconnaissance phases on their targets before they deploy DDoS attacks. They often share publicly a list of targets through websites like Pastebin or AnonPaste. We have also identified some actors sharing pieces of code and scripts, inviting other members to conduct DDoS attacks on designated targets. Some groups even indicate their targets level of exposition by sharing Shodan information about vulnerable equipment. We have also identified actors sharing known tools like Reaper or GitHub hosted tools to help their community perform their own attacks. According to our observations, the level of sophistication and their capabilities to develop custom tools is quite low. Moreover, the impact of these attacks do not last long. Indeed, the “infrastructures” used to launch this kind of attacks are usually self-hosted and not sophisticated. Cybersecurity researchers consider small group’s DDoS attacks as “symbolic actions”.
We observed that hacktivist groups claiming successful DDoS attacks shows their targets names on Social Media (mostly on Twitter and Telegram). Links to “down websites” are published, sometimes with screenshots as “proofs” of compromission. For example threat actors from pro-Russian group called XakNet published a list of Ukrainian public “gov.ua” domains, claiming they manage to take them down (even though most of them remain up and running).
We must emphasize that we are aware that VIASAT has been recently « experiencing a partial network outage-impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network ». A partial network outage-impacting internet service for fixed broadband customers in Ukraine and elsewhere on KA-SAT network has been confirmed as a cyberattack against VIASAT (although unattributed for the moment). The hypothesis of a DDoS attack is being discarded, as the clues point rather to a firmware attack.
Why the risk for French entities is assessed as low?
Although these threat actors are mostly targeting institutional and critical infrastructures websites, the impact of their DDoS attacks don’t seem to be impactful. Based on the TTPs employed and the level of sophistication, we assess with moderate confidence, that the impact and the potential for lateral movement remain quite low.
However, some hacktivists combine DDoS with network intrusions and data exfiltration. For example, organized group such as GhostSec, AgainsTheWest or KelvinSecTeam seems to be capable of hitting large organizations. For example, organized team AgainsTheWest was observed on RaidForums, selling sensitive information such as RDP or VPN access. Today, the group claims to be in possession of the Ministry of Agriculture and Food of Belarus’s data.
Risk level: medium to high
Since the beginning of the war in Ukraine, we have identified several criminals and activist’s actors specialized in the leak of sensitive information such as RDP, VPN access and database. At the moment, the majority of the targets are Ukrainian and Russian government institutions.
For example, we have observed the activity of a threat actor called AgainsTheWest (ATW) in affiliation with BlueHornet (BH) group. Despite a name that could suggest a support for Russia, ATW targets in contrast countries that they perceive as a threat against western societies, such as Russia, Belarus and China.
On their Telegram channel, ATW claimed the compromise of several Russian and Belarus institutions like Russian Space Forces, the Ministry of Transport of Russia or the Russia Air. For a majority of successful hacks, ATW publishes a link to download the database. If ATW remains rather discreet about the techniques used to carry out their attacks, they still revealed on Telegram to use a “custom-made ransomware” and a “wiper malware to kill all network data and information stored on companies within the Russian federation”. According to an interview conducted by Cyberknow on Medium, ATW is a team of at least 6 who operate out of Western Europe and at least one member of the team of 6 are from France and seem to have plans to target North Korea, Belarus and Iran in the future.
In the same way, another group named KelvinSecurity seems to target Russian entities. Indeed, on Telegram, KelvinSecurityTeam also claims the compromise of Russian institutions or entities like the Federal Agency For State Property Management or the Joint Institute for Nuclear Research. As opposed to ATW, the KelvinSecurity team shares some tools on GitHub to his community in order to attack Russian companies.
Finally, other groups like TheRedBanditsRU support the Russian government and target Ukrainian entities. These groups echo the official narrative by stating that they see Ukraine citizens as family.
Why the risk for French entities is assessed as medium to high?
Although these threat actors are mostly targeting Russian and Ukrainian institutions or companies, we assess with moderate confidence that the impact remain quite medium/high.
Indeed, many Russian companies are linked to European companies either through subsidiaries or partnerships. Thus, some databases can contains data about European customers. Moreover, all countries that support the sanctions against Russia are now potential cyber targets. Therefore, there is a high risk that data leakage attacks will increase in NATO member countries.
Risk level: high
On February 25, the ransomware group Conti published a message threatening to target the critical infrastructures of states that would go against Russia. However, shortly after displaying its pro-Russian stance, the group was itself hacked: the Twitter account @ContiLeaks has begun to publish regular leaks containing highly sensitive data belonging to the gang. The political motivation behind this hack is clear, although it remains unconfirmed whether the author of the leak is an external threat actor or a pro-Ukrainian member of the gang itself.
These leaks include internal messages exchanged among the members of the gang (from jabber XMPP and RockerChat servers), raw data files, new TTPs and strategies of victim targeting, accesses to Conti storage servers, and, most notably, the ransomware source code itself (with a decryptor but that does not work for most recent versions).
While the incident illustrates the political divergence reigning within the ransomware gangs, it is to be noted that the loss of credibility of this scope, the Conti “brand” may result in some of its affiliates leaving for other ransomware groups in the following months.
For the moment, Conti remains the only group who had openly claimed its stance within the conflict, compared to the relative silence of other ransomware gangs, excluding the announcement of LockBit 2.0 who claimed to remain strictly apolitical in its activities.
Why the risk for French entities is assessed as high?
To be noted that whatever the political stance of the ransomware groups, this threat is not new and remains traditionally high for French entities, since the ransomware gangs represent sophisticated actors counting French companies among their victims. Although paralyzed, Conti specifically remains a major threat who, despite the leak, continues compromising and publishing on its website new victims.
N.B: As far as Hermeticransom is concerned (mimicking a ransomware behaviour while other systems are wipped) Crowdstrike found a vulnerability in the encryption mechanism and share this finding with other AV/EDR vendors, as such that Avast could quickly compile a more user friendly decryptor binary with a GUI.
Risk level: high
According to available information on Gamaredon group (aka Actinium or Shuckworm), this intrusion set is known to be active since at least 2013 and has been attributed to Russia. Gamaredon would have been involved in the conflict with Ukraine since potentially summer 2021. Analysis by Palo Alto, Microsoft and Symantec all point to cyber espionage activities conducted by the group for at least 6 months against Ukraine.
- The first malicious activities were observed from July 14, 2021 to August 18 by Symantec and Microsoft indicates that it has identified an activity since October 2021
- In each of the campaigns analysed, the initial access vector seems to be the same: the attackers use spearphishing emails. In some case, these emails embed a Word document that upon opening would execute a malicious VBS file. In other cases observed by Microsoft and Palo Alto, the emails downloads a document template remotely, which contains a macro that would then drop the malicious VBS script. The technique allows to bypass the defense systems that automatically scan attachments with macro. The emails in question impersonate legitimate organizations such as the World Health Organization in the case mentioned by Microsoft.
- Gamaredon would obtain persistence via scheduled tasks.
- The downloaded payloads would allow attackers to deploy tools known to be associated with the group such as the custom backdoor of the group named Pterodo (also known as Pteranodon). This would be used to deploy additional loads on the victim’s computer such as variants of the backdoor or a VNC client communicating directly with the command and control server controlled by the attackers. Microsoft analysts have also observed other malicious binaries downloaded by the attackers: DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch. Analysis conducted on Pterodo backdoor revealed that it contains a binary called QuietSieve used for exfiltration and monitoring. QuietSieve would indeed be used to enumerate files on the host, take screenshots every 5 minutes and would also serve as a loader for other payloads.
- Microsoft and Palo Alto also analysed the infrastructure of the group, which was described as particularly volatile. Indeed, several hundred domains and IP addresses could be associated with the modus operandi, suggesting particularly frequent changes in their infrastructure over a short period of time. DNS records also change approximately once a day. In addition, most of the IP addresses were registered with a Russian registrar: ASN 197695 – REG.RU (joint observation by Microsoft and Palo Alto). Blocking IP addresses to prevent Gamaredon is therefore not very relevant and it is more interesting to focus on the ASN (197695), physically located in Russia.
Microsoft and Symantec state that they have not detected any information indicating a link between Gamaredon’s activities and WhisperGate’s or wiping operations. Various analyses of the group’s recent campaigns suggest that the intrusion set targeted Ukrainian government entities, as well as NGOs and law enforcement. Palo Alto says it has detected evidence of targeting the Ukrainian migration service. The group is believed to be operating out of Crimea with objectives consistent with cyber espionage. More generally, it seems that the group’s objective was to target various critical actors that could intervene in an emergency context in Ukraine.
Sandworm Team is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009.
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. A report by the ANSSI, published on February 15, 2021, attribute a campaign targeting Centreon servers, to Sandworm Team.
On February 23, the NCSC, CISA, NSA and FBI have published a joint advisory, alerting that Sandworm is using a new malware, referred as Cyclops Blink. It is believed to be active since 2019, replacing their previous malware, VPNFilter, disrupted in 2018. According to NordVPN and Talos, this malware has been identified in cyberattacks against Ukrainian networks and devices, including MikroTik routers. While it is unclear if Sandworm Team is currently active in the conflict, there is a high risk that it will be in the near future.
Cyclops Blink (Sandworm)
Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture, associated with a large-scale botnet targeting WatchGuard Firewall appliances (Small Office/Home Office (SOHO) network devices).
The latter, being active since at least June 2019, is actually a variant version of the VPNFilter virus that had plagued 2018 Cyclops Blink and is primarily used by the APT Sandworm (aka Fancy Bear) group, known for its recent cyberattacks in Ukraine.
Cyclops Blink is generally deployed as part of a firmware ‘update’. This achieves persistence when the device is rebooted and makes remediation harder. Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.
At the end of the document is provided relevant references for detection tools, IOCs, TTPs and recommendations thanks to a joint work of FBI, CISA, DOJ and UK NCSC teams.
UNC1151, also known as GhostWriter, has been identified as a group orchestrating long-running campaign across various east European countries focused on compromising governments’ communications systems and gathering data that can be used in ongoing information warfare campaigns. The cybersecurity firm Mandiant first identified GhostWriter in 2020, and linked its activities to the Belarusian government in November 2021. In August 2020, FireEye uncovered a campaign active since March 2017, which aimed to discredit NATO, by spreading fake news content on compromised websites or via spoofed email accounts. This threat actor is also believed to be behind a defacement campaign, in January 2022, affecting tens of Ukrainian government websites.
On February 25, 2022, the CERT-UA alerted on an ongoing campaign attributed to this threat actor, targeting Ukrainian military personnel and civilians, as well as various Belarusian and Polish organizations, via phishing emails. Proofpoint detected, on February 24, 2022 another phishing campaign that uses compromised private Ukrainian military emails to target European governments personnel in an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and peoples within NATO member countries. While attribution for this last attack to UNC1151 is unclear, it is likely, as Ukrainian military personnel appear to have been compromised by UNC1151. This could then represent a second stage to this campaign. On February 28, 2022, Facebook announced that they have seen increased targeting of Ukrainian social media users by GhostWriter, and blocked some domains associated with phishing attacks leveraged by the threat actor.
The phishing campaign currently ongoing targets various Ukrainian government and military accounts in order to compromise them via a malicious URL. Some phishing emails can for example ask to provide information to avoid the permanent suspension of the email account. After a successful compromission, the attackers get access to all the victims’ message with the IMAP protocol. UNC1151 then uses the contact details from the address book to send other phishing emails and further enhance their campaign. The address mail responsible for sending the malicious emails uses the “.space” top-level domain (TLD), which shares a common registrant “Apolena Zorka”, primarily hosted behind Cloudflare infrastructure. According to SecureWorks, the “Apolena Zorka” cluster is a mix of generic email validation and domains spoofing popular Ukrainian information services, which suggests a specific creation for Ukrainian targets. Another cluster leveraging the “.space” TLD is named “Radka Dominika” and has similar generic email and spoofed domain, but with polish names, including the legitimate domain of the Polish Ministry of National Defense. These domains were continuously created between December 15, 2021 and February 26, 2022.
The phishing campaign targeting European government entity leverages themes pertaining to the Emergency Meeting of the NATO Security Council held on February 23, 2022. The day after this meeting and the publication of a news story about a Russian government “kill list” targeting Ukrainians, these phishing emails were sent with a macro enabled XLS file attached named “list of persons.xlsx” and a topic related to the NATO meeting. The sender address is linked to a Ukrainian military unit, which could suggest that it represents the second stage of the campaign compromising military personnel.
When the macro of the XLS attachment is enabled, it executes a VB macro named “Module1” which creates a Windows Installer (msiexec.exe) object invoking Windows Installer to call out to an actor-controlled staging IP and download a malicious MSI package. It also sets a Microsoft document UILevel equal to “2” which specifies a user interface level of “completely silent installation.” This hides all macro actions and network connections from the user. The actor accesses the delivery IP via the Microsoft Installer InstallProduct method which is intended to obtain an MSI install file from a URL, save it to a cached location, and finally begin installation of the MSI package. This MSI package can install a series of Lua-based dependencies, execute a malicious Lua script named SunSeed, and establish persistence via an LNK file installed for autorun at Windows Startup. Notably, the legitimate Windows Lua interpreter sppsvc.exe can be modified so it does not print any output to the Windows Console. The LNK file executes the malicious SunSeed Lua script “print.lua” that attempts to retrieve additional malicious Lua code from the actor command and control (C2) server. The SunSeed malware appears to be a simple downloader which obtains the C Drive partition serial number from the host, appends to a URL request via a Lua socket, consistently pings the C2 server for additional Lua code, and executes the code upon receiving it within a response.
Why the risk for French entities is assessed as high?
The risk for French entities is assessed as high, as these threat actors are active for several years and have launched various large scale campaigns with significant impact. With their implication in this conflict, they could potentially target enemies of Russia and States and organizations that support Ukraine. By rebound, they could impact European organizations by targeting direct support of Ukraine, such as refugee logistics, military organizations, political movement and enterprises that have activities or partners located in Ukraine or Russia.
In red are TTPs shared by more than 2 of the threat actors analysed in this report. In green are the TTPs used by the threat actors, but not shared with others.
|Active Scanning: Vulnerability Scanning
Gather Victim Network Information
Compromise Accounts : Email Accounts
Establish Accounts : Email Accounts
Code Signing Certificates
|External Remote Services
Spear phishing Link
Valid Accounts: Domain Accounts
|Command and Scripting Interpreter
Windows Command Shell
System Services: Service Execution
Windows Management Instrumentation
|Boot or Logon Auto start Execution: Registry Run Keys/Start-up Folder
Boot or Logon Initialization Scripts: RC Scripts
External Remote Services
Pre-OS Boot: System Firmware
|Hide Artifacts: Hidden Window
Impair Defense: Disable or Modify System Firewall
Masquerading: Match Legitimate Name or Location
Obfuscated Files or Information
|Account Discovery: Email Account
Remote System Discovery
System Information Discovery
SMB/Windows Admin Shares
Distributed Component Object Model
|Command and Control
|Application Layer Protocol: Web Protocols
Data Encoding: Non-Standard Encoding
Encrypted Channel: Asymmetric Cryptography
Ingress Tool Transfer
Remote Access Software
Data encrypted for impact
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service: Service Exhaustion Flood
Network Denial of Service
CVE known to be exploited by Russian state sponsored APT actors for initial access in past years
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMWare (0-day)
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange (often chained with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
CVEs known to be exploited by Conti ransomware
- CVE-2021-1675 (Windows Print Spooler RCE)
- CVE-2022-21882 (Win32k privesc)
- Cyclops Blink
IT Army of Ukraine
- Reaper (malware shared by IT Army of Ukraine to conduct DDoS attacks)
Against the West
- Wiper (suspected)
Unknown threat actors
- Tool shared on Raidforums2 to conduct DoS attacks: https://github.com/jseidl/GoldenEye/
- Tool shared by ITArmy to perform penetration : https://github.com/UkraineSecOps/PenTestingTutorials
- Tool shared by KelvinSecurityTeam to perform penetration :
How to pre-empt threats
• SHA256: fa74335c09c138eab6256c1fbb176aee9a8334aac65cff3bf9b602d9dc9dd554
• SHA1: 9f4b88c179ab1485f94bc13551d33aca4d80e18a
• MD5: 9e3b4a2ed171ea1c888d569c7d98b944
Stub.exe (AsyncRAT client likely dropped by previous webshell)
- MD5: E38BD39CCF08393442179FF40A504584
- SHA1: 3CA5E89AEDAD3E54200C4D4CD35C6315193679DD
- SHA256: 430578774AC0571E51F0903801185C232AB799178013BDD94F14DA2482453B44
Cyclops Blink, a sophisticated state-sponsored botnet
Threat Intell recommendations
- We recommend to conduct threat hunting campaigns (ideally from September 2021) while prioritizing cranking up defenses against pinpointed TTPs and CVEs.
- Phishing and spear-phishing is another important entry point often encountered since the beginning of the conflict and thus must be tackled by rising awareness to employees with custom sessions depending on employee’s roles into the company. We emphasize that attachments are sometimes mimicking the download of the ISO file, which we anticipate to become a more often leveraged technique since Microsoft introduced a default change for five office apps that will block VBA macros obtained from the internet.
- In accordance with the position of ANSSI, if your teams use a Russian antivirus (Kaspersky, Dr.Web, etc.), we recommend that, in the medium term, you consider a strategy of diversifying your cybersecurity solutions.
Detection & protection recommendations
- If you have not already done so, deploy Web Application Firewall (WAF) tools, use a Content Distribution Networks (CDNs) or load balancers.
- Strengthen perimeter filtering :
- Email attachment analysis with sandbox detonation;
- URL analysis with dynamic filtering and sandboxing;
- Set up filtering for equipment with and without VPN (SaaS proxy solution recommended).
- Regularly raise awareness among employees with network access
- With phishing awareness campaigns for example.
- In general, we recommend that you increase your vigilance with regard to your subsidiaries or supply-chain providers located in Ukraine or in regions bordering Russia, and that you identify all of the interconnections that you may have with them in order to limit the risks in the event of a compromise.
- As with every major event of this type, stay alert for potential cybercriminal exploits associated with this kind of event: disinformation campaign, phishing, fraud (fake fundraising campaign to support the country etc) or malware distribution.
- It is still too early to tell if ransomware operators known to avoid targeting the Commonwealth of Independent States will be mobilized alongside Russian forces, but regardless, we recommend that you maintain your current level of vigilance on the ransomware threat and maintain your detection efforts on the TTPs used by these threat actors.