Ukraine Cyberwarfare: Main Threat Actors and attacks.

I’ve read with keen interest this HBR article and I would like to add, from a Threat Intelligence point of view, a description of the main Threat Actors and their capabilities, so as to predict (in future posts) what the rest of us can expect, because Cyberwarfare knows no boundaries.

As you can clearly see, the Russian Federation’s cyberwar capabilities map directly onto its intelligence and military structure. These have been the most active Threat Actors so far:

GRU/MILINT

  • Sandworm: Destructive attacks capabilities since 2009
  • APT28 (“Fancy Bear”): data exfiltration and espionage capabilities since 2004

SVR/EXTINT

  • APT29 (“Cozy Bear”): data exfiltration and espionage capabilities since 2008

FSB/INTINT

  • APT Primitive Bear (Gamaredon): data exfiltration and espionage capabilities since 2013. Very active during Crimea annexation. Now operating from Crimea.

???/NEW

  • DEV-0856: A new activity cluster carrying out destructive wiper attacks masquerading as ransomware (HermeticWiper (Jan15), Whispergate (Feb22), IsaacWiper (Mar01)). It is interesting to note the cross-development of a technique, previously used in OT attacks, that abuses legitimate signed device drivers to evade Windows defenses. Even more worrying is the quick pace of retooling observed: in a few weeks, they have reused stolen certificates from Hermetica (now revoked) and EaseUS Partition Master. In this regard, the recent leak of NVIDIA certificates is not good news, because they will be weaponized soon.
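The driver-signing abuse described above is something a defender can hunt for on the endpoint. The following is an added example, not code from the original post or from any vendor's tooling: it parses driver-load records in the shape of Sysmon Event ID 6 (DriverLoad) fields (ImageLoaded, Signed, Signature, SignatureStatus) and flags loads whose signer matches a watchlist built from the names mentioned above (Hermetica, EaseUS, NVIDIA), whose signature status is not valid, or whose image sits outside the normal driver directories. The event lines, the watchlist statuses and the driver file names are constructed for illustration; a real watchlist has to come from your own intelligence feed.

```python
"""Triage Windows driver-load events for signers known to be stolen or revoked.

Added example, not from the original post. The records below are constructed
in the shape of Sysmon Event ID 6 (DriverLoad) fields; the watchlist holds the
signer names mentioned in the post. Driver file names are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed watchlist: substring of the signer name -> reported status.
# Populate this from your own CTI feed; the entries here mirror the post.
SIGNER_WATCHLIST: Dict[str, str] = {
    "hermetica": "revoked",  # stolen certificate, reported revoked
    "easeus": "stolen",      # EaseUS Partition Master signer reused by wipers
    "nvidia": "leaked",      # leaked certificates, expected to be abused
}

# Directories from which production drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# A 'Valid' SignatureStatus only says the signature verifies. Windows does not
# consult revocation lists when loading a signed driver, so a revoked but
# well-formed certificate still loads; that is why the watchlist check exists.


@dataclass
class Finding:
    image: str
    signer: str
    reasons: List[str] = field(default_factory=list)
    severity: str = "low"


# Key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=value Key="quoted value"' record into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def triage(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the driver load deserves analyst attention, else None."""
    image = event.get("ImageLoaded", "")
    signer = event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    finding = Finding(image=image, signer=signer)

    for needle, state in SIGNER_WATCHLIST.items():
        if needle in signer.lower():
            finding.reasons.append(f"signer on watchlist ({state})")
            finding.severity = "high"

    if status.lower() != "valid":
        finding.reasons.append(f"signature status is {status or 'missing'}")
        if finding.severity != "high":
            finding.severity = "medium"

    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        finding.reasons.append("driver loaded from outside the system driver directories")
        if finding.severity == "low":
            finding.severity = "medium"

    return finding if finding.reasons else None


def triage_all(lines: List[str]) -> List[Finding]:
    """Run triage over raw records, keeping only the flagged ones in order."""
    results = []
    for line in lines:
        finding = triage(parse_event(line))
        if finding is not None:
            results.append(finding)
    return results


# Constructed sample records (file names and signer strings are illustrative).
SAMPLE_EVENTS = [
    r'ImageLoaded=C:\Windows\System32\drivers\disk.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    r'ImageLoaded=C:\Windows\System32\drivers\partmgr_sample.sys Signed=true Signature="EaseUS" SignatureStatus=Valid',
    r'ImageLoaded=C:\Users\Public\wiper_drv.sys Signed=true Signature="Hermetica Digital Ltd" SignatureStatus=Valid',
    r'ImageLoaded=C:\Temp\unsigned_sample.sys Signed=false Signature="" SignatureStatus=Unavailable',
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.image} signed by '{f.signer or '-'}': {'; '.join(f.reasons)}")
```

The point of the three checks together is that a stolen certificate produces a perfectly valid signature, so signature status alone catches nothing; the signer watchlist and the load path are what separate the EaseUS-signed sample from the Microsoft-signed one.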

FIN threat turned into APT???/Cybercriminals

  • BuhTrap: Known since 2014 to target Russian banks and financial institutions (hence its classification as a FINancial threat), but now targeting Ukrainian interests. This points to an “unholy alliance” between State Actors, “hacktivists” and cybercriminal syndicates. We can only guess at the nature of their relationship (paid? conscripted? voluntary?), but it certainly adds a new dimension to Russian cyberwarfare capabilities.

DarkWeb/Hacktivists

  • “Free Civilian” site is offering huge dumps of data belonging to Ukrainian citizens for sale, claiming that it has already done so. The data is unconfirmed but seems to point to a joint effort to make Ukraine look weak and distract from other cyberattacks.
  • Conti Ransomware Gang: responsible for hundreds of ransomware attacks, the group expressed its support for Russia against “Western warmongering”. In a dramatic turn of events, shortly after the announcement, someone made public hundreds of files allegedly stolen from Conti and messages between its members. This gives an insight into their TTPs (Tactics, Techniques & Procedures: Emotet, Ryuk and the recently “acquired” Trickbot, infrastructure data, IPs used, etc.) and the scope of their operations, such as 200 bitcoin addresses holding more than 13M US$ in ransomware payments. It is not the first time that Conti gets hacked, so their resilience is already well established, as they have been able to continue their operations.

OT Related Attacks

Since 2015 Ukraine’s critical infrastructure has been targeted by sophisticated malware attacks that have caused 350MW worth of outages in its electric grid. Industroyer and Crash Override have been the main weapons in these highly coordinated and orchestrated attacks. Why? Leaving aside the geopolitical situation, Ukraine has a more western-like infrastructure than the rest of Russia’s neighbors, but not the cyber defense capabilities of other western countries, so it is a perfect ground for testing attack capabilities.

We can observe a refinement of the TTPs. The first attacks followed the traditional hacking method of gaining access, escalating privileges and performing the action (data wiping), and the outage was triggered by manual interaction using the technologies already installed on the target (“living off the land”). The later iterations of this malware use an autonomous and interoperable approach: they are able to recognize and categorize the technology of the infiltrated system and execute the commands needed to achieve the intended action accordingly, thus reducing the time to impact. It is a Swiss-army-knife approach, with numerous modules that can be deployed to carry out targeted attacks against additional organizations, so variants with added ICS protocols are likely to appear soon.

Other Attacks

· DDoS: PrivatBank, the largest private bank of Ukraine, and several governmental websites were attacked recently. DDoS is a classic attack to cause disruption, but nowadays it is also used to mask other types of attack, so it can serve as a predictor.

· Supply chain attacks: Kitsoft, an IT supplier for the Ukrainian administration, was targeted. Despite the company’s claims, it is not clear whether the attackers were able to access Kitsoft-supported websites by means of this infiltration.

· Web defacement: related to the previous attack and for propaganda purposes, exploiting unpatched versions of the open-source content management system “October CMS”, which was supported by Kitsoft and other IT companies.

· Sentiment campaigns, disinformation, false flag operations and SMShing against citizens: part of the propaganda effort and psy-ops, from rumors about the ATM network not working to characterizing the Donbass situation as a genocide.

Russia is a powerful cyber actor with long-term experience and a robust build-up of cyber capabilities since at least 1996. It uses a plethora of different TTPs in its attacks, and has organized a well-coordinated campaign combining cyber space and conventional military force to soften Ukraine’s resistance in the pursuit of its strategic objectives.

Luis Alfonso Rodríguez de Trío

Internal Audit Tech & Cybersec / Senior Cybersecurity Leadership / IT Director. MBA, CCISO, CISM, CEH, CHFI, ECIH, Security +, ECI.