22 August 2022

How Russia is harnessing cyber warfare in its conflict with Ukraine: State-sponsored attackers are using malware to steal data, spy on citizens and attack national infrastructure, study reveals

JONATHAN CHADWICK

A new report shows that Ukraine is fighting a battle with Russia in cyber space, as well as a physical war.

Russia has been using 'cyber warfare' on Ukraine since the physical invasion started in late February, says Chicago-based security firm Trustwave.

Malware has been used against organisations in Ukraine either to destroy or gain control over their online systems and 'damage targets far behind the frontlines'.

Malware – a catch-all term for any type of malicious software – has been used to steal data, spy on citizens and attack national infrastructure.



MALWARE AND SPYWARE

Malware is a catch-all term for any type of malicious software, regardless of how it works, its intent, or how it’s distributed.

The term includes adware, spyware, viruses, trojans and more.

Spyware is a specific type of malware that steals information from a computer and sends it to a third party, without the person's knowledge.

Spyware gathers your personal information and relays it to advertisers, data firms, or external users.


'Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy,' said Pawel Knapczyk, security research manager at SpiderLabs, Trustwave's investigative branch.

'While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyber space, offering the chance to infiltrate and damage targets far behind the frontlines.'

Perpetrators of the attacks include the Russian Foreign Intelligence Service, the Russian Federal Security Service and the General Staff of the Armed Forces of the Russian Federation, according to SpiderLabs.

The team lists the malware families used in Russia's cyber warfare effort, many of which go by colourful names such as 'AcidRain' and 'Industroyer2'.

HermeticWiper

This particular malware is referred to as a 'wiper' because its purpose is to erase, or 'wipe', the disk of the computer it infects, destroying the boot records and file system so that the machine can no longer start, rather than to steal data from it.

It was discovered on hundreds of Ukrainian computers, as well as computers in Lithuania and Latvia, on the evening of February 23, just hours before Russian troops rolled into Ukraine.

It was given the name 'HermeticWiper' because it was signed with a code-signing certificate issued to a company based in Cyprus called Hermetica Digital Ltd.

The company is run by Polis Trachonitis, a 24-year-old video game designer who operates the business from his home in a suburb of the capital city, Nicosia.

The malware had been signed using a certificate with Hermetica Digital's name on it, but Trachonitis said he had nothing to do with the attack.

'I don't even write the code – I write stories,' he told Reuters at the time. 'I'm just a Cypriot guy ... I have no link to Russia.'

Trustwave SpiderLabs said the certificate had been stolen. A code-signing certificate is not a password needed to carry out the attack: it lets the malware present itself as software signed by a legitimate company, so that signature checks in Windows and in security tools are less likely to block or flag the file.

RUSSIAN THREAT ACTORS

Trustwave SpiderLabs says there are notorious threat groups and Russian special services involved in cyberattacks on Ukraine:

- APT28, also known as Fancy Bear or Sofacy, was traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly the GRU) Unit 26165.

- APT29, also known as Cozy Bear or The Dukes, has ties to the Russian Foreign Intelligence Service (SVR).

- SANDWORM, the group behind the BlackEnergy malware, was tied to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly the GRU) Unit 74455.

- DRAGONFLY, also known as Energetic Bear or Crouching Yeti, was identified as the Russian Federal Security Service (FSB) Unit 71330.

- GAMAREDON, also known as Primitive Bear or Armageddon, was traced to the Russian Federal Security Service (FSB) in November 2021.

AcidRain

Another wiper, AcidRain, was used on February 24 to wipe the modems of US company Viasat's KA-SAT satellite broadband network, which serves customers in Ukraine.

It impacted several thousand customers located in Ukraine and tens of thousands of others across Europe.

AcidRain's functionality is 'relatively straightforward': it performs a recursive wipe of the device's file system and then overwrites every storage device it can find. 'After the wiping is done a device reboot is triggered,' SpiderLabs explains.

February's attack also led to an outage of 5,800 Enercon wind turbines in Germany. Remote monitoring and control of the turbines became unavailable, although the turbines themselves kept working.

Viasat had to ship nearly 30,000 modems to distributors to bring customers back online.

The name 'AcidRain' was given by another cybersecurity group, SentinelLabs, which says the malware is designed to wipe routers as well as modems.



Industroyer2

Industroyer2 is a 'sophisticated piece of malware' that was able to manipulate equipment in electrical substations, the switchgear that controls the flow of power.

According to SpiderLabs, it specifically abuses a set of standards used in electric power control systems (IEC 60870-5-104, the protocol through which control centres send switching commands to substation equipment), with the aim of causing a power blackout.

In April, at one targeted Ukrainian high-voltage substation, Industroyer2 was used to penetrate and disrupt part of its industrial control system.

Fortunately, the station's defenders were able to prevent electrical outages, Ukraine said.
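The standard in question is IEC 60870-5-104 (IEC-104), the TCP/IP-carried telecontrol protocol that Industroyer2 speaks directly to substation remote terminal units. As an added example, not code from the article or from Trustwave's report, the following Python decoder parses IEC-104 frames and pulls out the switching commands (single and double commands, type IDs 45 and 46) that would open or close a breaker, which is the traffic an OT network monitor needs to recognise. The frames are constructed for the example; the station address and information object address in them are arbitrary assumptions, and the function names are this example's own.

```python
"""Minimal IEC 60870-5-104 (IEC-104) APDU decoder that flags switching commands.

Added example, not from the article or Trustwave's report. Frame layout follows
the standard: 0x68 start byte, length, four control-field bytes, then (for
I-format frames) an ASDU of type id, variable structure qualifier, cause of
transmission, common address and information objects.
"""
from dataclasses import dataclass

# ASDU type identifiers (IEC 60870-5-101/104).
M_SP_NA_1 = 1    # single-point information (monitoring direction)
C_SC_NA_1 = 45   # single command (control direction)
C_DC_NA_1 = 46   # double command (control direction)
C_IC_NA_1 = 100  # interrogation command

COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             8: "deactivation", 10: "activation termination",
             20: "interrogated by station"}
DCS_NAMES = {0: "not permitted", 1: "OFF", 2: "ON", 3: "not permitted"}


@dataclass
class InfoObject:
    ioa: int          # information object address (24-bit)
    value: str        # decoded element
    select: bool = False  # S/E bit on commands: True = select, False = execute


@dataclass
class Asdu:
    type_id: int
    cot: int           # cause of transmission (low 6 bits)
    negative: bool     # P/N bit
    test: bool         # T bit
    originator: int    # originator address
    common_address: int
    objects: list


def _decode_element(type_id: int, raw: int):
    """Decode the one-byte element used by the ASDU types this example handles."""
    if type_id == C_SC_NA_1:      # SCO: bit0 SCS, bit7 S/E
        return ("ON" if raw & 0x01 else "OFF"), bool(raw & 0x80)
    if type_id == C_DC_NA_1:      # DCO: bits0-1 DCS, bit7 S/E
        return DCS_NAMES[raw & 0x03], bool(raw & 0x80)
    if type_id == C_IC_NA_1:      # QOI (20 = station interrogation)
        return f"QOI={raw}", False
    if type_id == M_SP_NA_1:      # SIQ: bit0 SPI
        return ("ON" if raw & 0x01 else "OFF"), False
    raise ValueError(f"unsupported ASDU type {type_id}")


def parse_apdu(buf: bytes):
    """Return ('I', Asdu) for information frames, ('S', None) or ('U', None) otherwise."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if buf[1] != len(buf) - 2:
        raise ValueError(f"length field {buf[1]} does not match {len(buf) - 2} bytes present")
    ctrl = buf[2:6]
    if ctrl[0] & 0x01:            # bit0 set: S-format (01) or U-format (11)
        return ("S", None) if ctrl[0] & 0x03 == 0x01 else ("U", None)
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    common_address = asdu[4] | (asdu[5] << 8)
    if vsq & 0x80:
        raise ValueError("SQ=1 (sequence of elements) not handled in this example")
    objects, pos = [], 6
    for _ in range(vsq & 0x7F):
        if pos + 4 > len(asdu):
            raise ValueError("information object truncated")
        ioa = asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16)
        value, select = _decode_element(type_id, asdu[pos + 3])
        objects.append(InfoObject(ioa, value, select))
        pos += 4
    return ("I", Asdu(type_id, cot_byte & 0x3F, bool(cot_byte & 0x40),
                      bool(cot_byte & 0x80), originator, common_address, objects))


def control_commands(frames):
    """Return (common address, IOA, state, select/execute, cause) for every switching command."""
    findings = []
    for buf in frames:
        kind, asdu = parse_apdu(buf)
        if kind != "I" or asdu.type_id not in (C_SC_NA_1, C_DC_NA_1):
            continue
        for obj in asdu.objects:
            findings.append((asdu.common_address, obj.ioa, obj.value,
                             "select" if obj.select else "execute",
                             COT_NAMES.get(asdu.cot, str(asdu.cot))))
    return findings


# Constructed sample traffic (not a real capture): a STARTDT activation, a
# select-before-execute double command turning IOA 10 at station 1 ON, an
# S-frame acknowledgement, and a spontaneous single-point report from the RTU.
STARTDT_ACT = bytes.fromhex("680407000000")
SELECT_ON = bytes.fromhex("680e000000002e01060001000a000082")
EXECUTE_ON = bytes.fromhex("680e020002002e01060001000a000002")
S_FRAME = bytes.fromhex("680401000400")
SPONTANEOUS = bytes.fromhex("680e040004000101030001000a000001")
SAMPLE_FRAMES = [STARTDT_ACT, SELECT_ON, EXECUTE_ON, S_FRAME, SPONTANEOUS]

if __name__ == "__main__":
    for finding in control_commands(SAMPLE_FRAMES):
        print("switching command:", finding)
```

In a real deployment the interesting signal is not the command itself but its source: a select/execute pair for a breaker arriving from an IP address that is not the SCADA master, or outside a maintenance window, is what an alert should key on, and the decoder above gives a monitor the fields to make that decision.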

CredoMap

CredoMap is described as a 'credential stealer' or 'information stealer' because it takes user credentials stored by web browsers.

It was used by the threat actor APT28 (Fancy Bear), which has been traced to Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly the GRU).

CredoMap steals cookies and stored passwords from Chrome, Edge and Firefox browsers.

Depending on the version, the stolen data is then exfiltrated either by email or by an HTTP POST request to an attacker-controlled web server.
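As an added illustration, not code from the article or from Trustwave's report, the following Python hunts file-access telemetry for the behaviour just described: a process other than the browser itself reading the browser's credential and cookie stores. The event lines are constructed for the example and their field names (`pid`, `image`, `path`, `op`) are assumptions about what an EDR or Windows object-access audit export would contain; the store locations are the real ones used by Chromium-based browsers (Chrome, Edge) and by Firefox, and the example goes slightly beyond the text in pairing the key file with the logins database, since a stealer needs both to decrypt anything.

```python
"""Hunt for browser credential-store reads by non-browser processes.

Added example, not from the article or Trustwave's report. Store paths are
the real ones: Chromium keeps saved logins in 'User Data\\<profile>\\Login Data'
and the AES key that protects them in 'User Data\\Local State'; Firefox keeps
logins in 'logins.json' and the key in 'key4.db' inside the profile directory.
The JSON event format below is constructed for this example.
"""
import json
import re
from pathlib import PureWindowsPath

CHROMIUM_STORE = re.compile(
    r"\\user data\\(?:local state|[^\\]+\\(?:login data|cookies|network\\cookies))$", re.I)
FIREFOX_STORE = re.compile(
    r"\\mozilla\\firefox\\profiles\\[^\\]+\\(?:logins\.json|key4\.db|cookies\.sqlite)$", re.I)

# Processes expected to read their own stores; anything else is a candidate.
LEGITIMATE_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify_store(path: str):
    """Return a store label for a credential/cookie file, or None for anything else."""
    leaf = path.rsplit("\\", 1)[-1].lower()
    if CHROMIUM_STORE.search(path):
        return {"local state": "chromium-key", "login data": "chromium-logins",
                "cookies": "chromium-cookies"}[leaf]
    if FIREFOX_STORE.search(path):
        return {"logins.json": "firefox-logins", "key4.db": "firefox-key",
                "cookies.sqlite": "firefox-cookies"}[leaf]
    return None


def find_stealer_candidates(jsonl: str):
    """Map (pid, process name) -> (confidence, sorted store labels) for suspect readers.

    Reading both the key material and the logins database is what decryption
    requires, so that pairing is rated 'high'; a single store read is 'medium'.
    """
    touched = {}
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        store = classify_store(ev["path"])
        if store is None or ev.get("op") != "read":
            continue
        proc = PureWindowsPath(ev["image"]).name.lower()
        if proc in LEGITIMATE_READERS:
            continue
        touched.setdefault((ev["pid"], proc), set()).add(store)
    verdicts = {}
    for key, stores in touched.items():
        high = ({"chromium-key", "chromium-logins"} <= stores
                or {"firefox-key", "firefox-logins"} <= stores)
        verdicts[key] = ("high" if high else "medium", sorted(stores))
    return verdicts


# Constructed sample telemetry (not real data). One legitimate Chrome read, one
# unknown binary in %TEMP% touching the Chrome key, Chrome logins and Firefox
# logins, plus two benign reads and one process reading only Edge cookies.
SAMPLE_EVENTS = r"""
{"ts":"2022-06-20T09:14:02Z","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","op":"read"}
{"ts":"2022-06-20T09:15:41Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State","op":"read"}
{"ts":"2022-06-20T09:15:41Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","op":"read"}
{"ts":"2022-06-20T09:15:42Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\logins.json","op":"read"}
{"ts":"2022-06-20T09:15:43Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","path":"C:\\Users\\alice\\Documents\\notes.txt","op":"read"}
{"ts":"2022-06-20T09:16:10Z","pid":2212,"image":"C:\\Windows\\explorer.exe","path":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Bookmarks","op":"read"}
{"ts":"2022-06-20T09:17:00Z","pid":5150,"image":"C:\\Windows\\System32\\backup.exe","path":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies","op":"read"}
"""

if __name__ == "__main__":
    for (pid, proc), (confidence, stores) in find_stealer_candidates(SAMPLE_EVENTS).items():
        print(f"{confidence}: pid {pid} {proc} read {', '.join(stores)}")
```

The allow-list of browser executables is deliberately by file name only; in production you would also check the image path and signer, because a stealer can simply call itself chrome.exe.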

To conclude, SpiderLabs points out that sophisticated cyber weapons are 'key tools in the arsenal of a modern military'.

'We can clearly see that government assets, critical infrastructure, media and private sector organisations are highly lucrative targets for attackers, and even legitimate penetration tools can be hijacked and used as weapons,' it says.

SpiderLabs has provided a full list of perpetrators and attack types in its report, available to download on the Trustwave website.
