The Russia-Ukraine Conflict in Cyberspace

The ongoing conflict between Russia and Ukraine was the main highlight of March 2022 and generated a significant increase in cyber activity. As most of the world united against the Russian aggression, multiple hacktivist groups targeted Belarusian and Russian institutions. This resulted in major data breaches of government and commercial organizations, alongside ongoing Distributed Denial of Service (DDoS) attacks and relentless information operations from both sides. Chinese threat actors also took part, with multiple cyber operations related to the conflict.

Attacks Against Belarusian and Russian Corporations

Following the Russian invasion of Ukraine, data breaches of Russian and Belarusian corporations increased significantly. The following breaches were published in February and March 2022:

  • On February 25th, 2022, over 200 gigabytes of emails from the Belarusian weapons manufacturer Tetraedr were leaked on the DDoSecrets website. The company was allegedly compromised by a group named “Anonymous Liberland and the Pwn-Bär Hack Team”;
  • On February 27th, a contact list of supposedly Russian VIPs and their respective companies’ contact information was distributed on pro-Ukrainian Telegram channels via Pastebin;
  • On March 1st, 2022, Ukrainian news outlet Ukrainska Pravda released the personal data of 120,000 Russian soldiers allegedly fighting in Ukraine. The data includes names, dates of birth, addresses, unit affiliations and passport numbers;
  • On March 10th, files and databases from the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) were released by DDoSecrets. The total leak, which includes files and database dumps, amounts to roughly 800 GB of stolen data;
  • On March 17th, DDoSecrets published around 79 gigabytes of emails from the OMEGA Company, the R&D department of Russia’s state-controlled pipeline company, Transneft.

Given the atmosphere of propaganda and misinformation surrounding the conflict, some actors are using the situation to publish fake data and leaks for unclear reasons. The group AgainstTheWest, A.K.A. ATW, has claimed to have leaked the source code of multiple Russian government entities, such as the Russian Space Forces and the Ministry of Transport of Russia. Upon further inspection, it is clear that the released data has nothing to do with the claimed targets. A second group – named NB65 – claimed to have leaked data from supposedly Russian satellite and telecom systems; however, the data contained in the archive appeared randomly generated. While the end goal of such releases is unclear, it is assessed that gaining clout in order to sell “private accesses” to forums or channels may be the goal, a tactic employed by ATW in the past. The current environment is conducive to large-scale attacks on Russian and Belarusian entities, producing a much higher rate of data breaches against such organizations.

Telegram as Command and Control

In the wake of the Russian invasion of Ukraine, Telegram emerged as the communication platform of choice for actors involved in the conflict. The verified accounts of Ukrainian officials saw a drastic increase in subscribers: Ukrainian president Zelensky’s official account had around 65,000 subscribers on February 23rd and more than 1 million by the 26th. Many Telegram groups were also created to share information of all kinds, such as the location of military assets, soldier “trophy” pictures, information operations and cyber operations.

In the immediate aftermath of the invasion, Ukrainian officials sought to recruit foreigners to conduct or assist in cyber operations. Multiple groups were created to recruit a volunteer “cyber army”, one of which reached over 305,000 subscribers after being promoted by the Ukrainian Vice Prime Minister. The owner of the group regularly rotates a set of key targets against which volunteers are asked to join Distributed Denial of Service (DDoS) attacks. The group also shares a GitHub repository containing links to various tools, instructions and references for volunteers with no technical background. The targets provided are mostly critical infrastructure such as telecom, utility, bank, military and government servers hosting websites or web-based APIs. The owner appears to monitor the status of these targets via third-party connectivity validation services (Figure 1). The channel also shares pro-Ukraine propaganda material for militants to spread on social media and in news outlets around the world, and provides instructions for disrupting Russian accounts on platforms like YouTube, Facebook and Twitter. Based on the results, the owner provides new targets and/or encourages volunteers to redirect their attacks towards targets that appear close to failing.

Figure 1. The owner of the “IT ARMY of Ukraine” channel on Telegram regularly posts target details and their current effectiveness.

Another group, with more than 60,000 subscribers, planned and executed a railway disruption campaign in the Belarusian cities of Minsk and Orsha, as well as in the town of Osipovichi. The attackers compromised the Belarusian Railway system’s routing and switching devices and rendered them inoperable by encrypting the data stored on them. Physical sabotage operations were also carried out, following instructions provided on the group’s channel. Back in January 2022, the same group had unleashed a ransomware attack that locked files on employees’ workstations and servers, demanding the release of 50 political prisoners and the removal of all Russian troops from Belarus in exchange for the decryption keys (Figure 2).

Figure 2. A post by the Belarusian Cyber-Partisans requesting the release of political prisoners for encryption keys to unlock the Belarusian railway network.

Information Operations

In line with known Russian Tactics, Techniques and Procedures (TTPs), social media is leveraged for propaganda and disinformation. Pro-Putin social media bots, fabricated news about humanitarian aid, fake capitulation announcements and doctored videos of Ukrainian president Zelensky are some examples of how invested the Russian government is in its disinformation campaign. In an attempt to counter the messaging of Ukrainian and Western governments, the Russian government has blocked or severely limited access to foreign social media platforms and may slowly be building a “Russian Internet”, somewhat similar to what the Chinese government accomplished domestically with its “Great Firewall”. In any case, Russian authorities are likely to continue their crackdown on the free flow of information in and out of the country, and their manipulation of it.

On February 27th, 2022, Meta reported taking down a pro-Russia network for violating its policy against coordinated inauthentic behaviour. The network ran websites posing as independent news entities and created fake personas across social media platforms including Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK. It relied on fake accounts, fictitious personas and brands to appear more authentic, in an apparent attempt to avoid detection and removal from the platforms. These fake accounts used profile pictures likely generated with artificial intelligence techniques such as generative adversarial networks (GANs). The network had fewer than 4,000 Facebook accounts following one or more of its Facebook pages and fewer than 500 accounts following one or more of its Instagram accounts. According to Meta, this operation has links to a previous one conducted in 2020 by individuals in Russia, the Donbas region of Ukraine and two media organizations in Crimea.

While some pro-Ukraine groups have formed to conduct offensive operations, others specialize in information operations. Telegram channels have recruited influencers, graphic designers, video editors and other multimedia specialists to generate pro-Ukrainian content and publish it on social media. The same organizers have also mobilized a group of volunteers to browse various social media platforms and report pro-Russian content to have it removed. They also actively encourage these users to repost content generated by other volunteers on their own accounts and share it across their networks.

Ukraine Cyber Attacks Timeline

In the lead-up to and during the invasion, Ukraine suffered multiple cyber-attacks that sought to disrupt the operations of the Ukrainian government and key institutions.

  • On February 23rd, 2022, the websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Security Service (SBU) and Cabinet of Ministers, became inaccessible following a large DDoS attack. Most sites came back online within two hours, but latency and outages continued into the following day for others. This attack has been attributed to Russia’s GRU;
  • On the same day, the British government warned that residual VPNFilter compromises – VPNFilter being a 2018 malware family affecting network devices – were being upgraded to a new malware dubbed Cyclops Blink. Previous VPNFilter activity was attributed to the Russian state-sponsored Sandworm threat actor;
  • On February 24th, 2022, a number of financial organizations and government contractors linked to Ukraine were hit by a cyber-attack involving a new data-wiping malware dubbed HermeticWiper, with effects similar to previously observed campaigns. The malware was probably designed to execute prior to the invasion to maximize disruption. Additional variants were subsequently released, introducing worm and ransomware capabilities. Samples of the malware were later released online;
  • On the same day, Microsoft detected a new round of unattributed offensive and destructive cyber-attacks directed against Ukraine’s digital infrastructure, involving malware it dubbed FoxBlade (Microsoft’s name for the HermeticWiper family). These include attacks on the financial and agriculture sectors, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises;
  • On February 24th, a phishing campaign was observed using a possibly compromised email account of a Ukrainian armed service member. The campaign targeted European government officials involved in humanitarian efforts, especially those responsible for transportation, financial and budget allocation, administration, and population movement within Europe. It delivered the SunSeed malware. Tentative attribution was made to the Belarus-linked APT group UNC1151;
  • On February 25th, 2022, two different cyber-attacks occurred. The first was an unattributed wiper attack against a Ukrainian border control station. The second targeted Ukrainian universities and resulted in at least 30 compromised websites; it was attributed to a Brazilian group known as theMx0nday;
  • On February 27th, 2022, Meta reported a surge in hacking attempts against Ukrainians. It identified a threat actor that had been trying to compromise the accounts of high-profile Ukrainians, including military officials and public figures, although it did not name any individuals. The threat actor typically targets people through email compromise and then uses that access to take over their social media accounts and post disinformation as if it were coming from the legitimate account owners. This campaign was attributed to the Belarus-linked APT group UNC1151;
  • Around March 1st, 2022, Russian tech giant Yandex suffered a breach resulting in the leak of personal data of roughly 58,000 customers of its food delivery service;
  • On March 4th, 2022, Amazon reported seeing several unattributed cases of malware specifically targeted at charities, NGOs and other aid organizations in order to spread confusion and cause disruption;
  • On March 5th, 2022, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of new phishing attacks aimed at its citizens. The unknown threat actors leveraged compromised email accounts belonging to three different Indian entities, with the goal of compromising the recipients’ inboxes and stealing sensitive information;
  • On March 7th, 2022, a threat actor conducted several large credential phishing campaigns targeting users of ukr.net, the webmail service of the Ukrainian media company UkrNet. In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. Google attributed this activity to the Russian state-sponsored group Fancy Bear;
  • On the same day, CERT-UA confirmed a phishing campaign targeting Ukrainian government agencies with the MicroBackdoor malware. CERT-UA assessed that the campaign bears similarities to the activities of the Belarusian threat actor UNC1151, which allegedly conducted credential phishing campaigns over the preceding week against Polish and Ukrainian government and military organizations;
  • On March 8th, 2022, Trend Micro published an article about a new wiper malware called RURansom, which targets Russian entities. The malware wipes all files if the operating system language is Russian. No official attribution was made, but the author left an anti-Putin message in the source code;
  • On March 9th, 2022, two known cyber-attacks against Ukraine occurred. The first involved the telecommunication service provider Triolan: three sources within the company and a former co-founder claimed internal computers had stopped working because the “attackers reset the settings to the factory level”. The second, unattributed, attack leveraged the Formbook information stealer against Ukrainians;
  • On March 14th, 2022, a new destructive data wiper dubbed CaddyWiper was used against a limited number of Ukrainian organizations. No code similarities to either HermeticWiper or IsaacWiper were identified;
  • Finally, on March 16th, 2022, television station Ukraine 24 falsely reported that the Ukrainian president had urged Ukrainians to stop fighting and give up their weapons. The program’s news ticker was hacked to display messages appearing to come from the president; the network confirmed that the ticker was hacked and the messages were false. On the same day, a Telegram channel reported that hackers had published to Ukrainian websites a deepfake video of the president repeating similar messages (Figure 3).

Figure 3. A poor-quality deepfake video of the Ukrainian president was generated to promote a demoralizing message.
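The March 7th credential phishing campaign described above (a freshly registered Blogspot page used as a landing page that redirects to a credential-harvesting page impersonating ukr.net) leaves a recognizable trace in web proxy logs: a user fetches a *.blogspot.com URL, receives a 3xx, and immediately follows the Location header to a non-Google host whose name mimics the targeted mail provider. The following script is an added example of how a detection engineer could triage such redirect chains; it is not code from the original report or from any of the vendors cited. The log format, host names, user names and the ukr.net allow-list are all constructed for illustration, and the "lookalike" test is a deliberately simple substring check that a real deployment would replace with a proper brand-impersonation heuristic.

```python
"""Redirect-chain triage for Blogspot-fronted credential phishing.

Added example (not code from the original report). Reconstructs HTTP
redirect chains per user from proxy log lines and flags chains that start
on a throwaway blog host and end on an off-platform login page whose host
name imitates a protected mail brand. Everything below is constructed for
illustration: log format, users, hosts and the allow-list.
"""
import re
from urllib.parse import urlparse

# Constructed proxy log: <timestamp> <user> <url> <status> <location-or-dash>
SAMPLE_LOG = """\
2022-03-07T09:12:01Z alice https://weekly-news-2203.blogspot.com/p/mail.html 302 https://ukr-net-login.example/auth
2022-03-07T09:12:02Z alice https://ukr-net-login.example/auth 200 -
2022-03-07T09:15:44Z bob https://docs.example.org/handbook 301 https://docs.example.org/handbook/
2022-03-07T09:15:45Z bob https://docs.example.org/handbook/ 200 -
2022-03-07T09:20:10Z carol https://travel-2203.blogspot.com/ 200 -
2022-03-07T09:31:03Z dave https://mail.ukr.net/ 200 -
"""

# Assumed allow-list for the protected brand and the tokens a lookalike
# host would typically reuse (both hypothetical tuning knobs).
LEGIT_MAIL_HOSTS = {"ukr.net", "mail.ukr.net"}
BRAND_TOKENS = ("ukr", "ukrnet")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Turn well-formed log lines into event dicts; skip anything malformed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, url, status, location = m.groups()
        events.append({"ts": ts, "user": user, "url": url,
                       "status": int(status),
                       "location": None if location == "-" else location})
    return events


def build_chains(events):
    """Group each user's requests into redirect chains (lists of URLs).

    A 3xx response with a Location header opens or extends a chain; the
    chain is closed when the same user requests exactly that Location and
    gets a non-redirect, or when the user requests something else instead.
    """
    chains = []
    pending = {}  # user -> {"urls": [...], "next": expected Location}
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        chain = pending.pop(ev["user"], None)
        if chain is not None and chain["next"] == ev["url"]:
            chain["urls"].append(ev["url"])
        else:
            if chain is not None:
                chains.append(chain["urls"])  # redirect that was never followed
            chain = {"urls": [ev["url"]], "next": None}
        if 300 <= ev["status"] < 400 and ev["location"]:
            chain["next"] = ev["location"]
            pending[ev["user"]] = chain
        else:
            chains.append(chain["urls"])
    chains.extend(c["urls"] for c in pending.values())
    return chains


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_throwaway_blog(host):
    """Free blog hosting reused as a landing page, as in the campaign above."""
    return host.endswith(".blogspot.com")


def looks_like_brand_lookalike(host):
    """Host reuses the brand's tokens but is not the brand's own domain."""
    if host in LEGIT_MAIL_HOSTS or host.endswith(".ukr.net"):
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def flag_chains(chains):
    """Return findings for chains: throwaway blog -> brand-lookalike host."""
    findings = []
    for chain in chains:
        if len(chain) < 2:
            continue
        first, last = host_of(chain[0]), host_of(chain[-1])
        if is_throwaway_blog(first) and looks_like_brand_lookalike(last):
            findings.append({"landing": chain[0], "phish": chain[-1],
                             "hops": len(chain) - 1})
    return findings


def triage(log_text):
    """End-to-end: parse, rebuild chains, flag suspicious ones."""
    return flag_chains(build_chains(parse_log(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"landing={f['landing']} -> phish={f['phish']} ({f['hops']} hop)")
```

Only alice's chain is flagged: the Blogspot landing page redirects to a host that borrows the "ukr" token but is not under ukr.net. Bob's same-site 301, carol's Blogspot visit without a redirect and dave's direct visit to mail.ukr.net all pass, which is the point of keying the rule on the full chain rather than on any single Blogspot hit.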

Recent events provide an excellent opportunity to study Russian TTPs in the conduct of cyber operations. Based on our observations, Russian threat actors may have leveraged prior access to Ukrainian networks and other foreign accesses to prepare pre-invasion offensive operations. Latent compromises of network appliances and other high-bandwidth devices held by pro-Russian groups may have been upgraded with more effective malware to conduct DDoS attacks against key IT infrastructure. Accesses to Ukrainian government networks may have harboured logic bombs set to activate wiper malware and generate disruption prior to the invasion. On the Ukrainian side, a major surge of hacktivism, mostly organized via Telegram, quickly materialized following Russia’s kinetic operations. These channels, often uncontrolled and created by unknown individuals, have quickly coordinated large numbers of mostly low-skilled actors into DDoS attacks against multiple Russian and Belarusian strategic targets. Smaller, higher-skilled groups have remained isolated and released a steady flow of data leaks, some of which were false and came from groups with suspicious motives. These events, combined with relentless propaganda efforts on social media, may provide valuable intelligence on the TTPs used by various threat actors on both sides in times of major conflict.

Chinese Threat Actors Target Ukrainian Targets

Known Chinese threat actors have allegedly been actively targeting European and American officials involved in the Ukrainian situation using well-established Tactics, Techniques and Procedures (TTPs). On February 28th, 2022, the threat actor Mustang Panda (aka TA416) was observed leveraging a compromised diplomatic account from a NATO partner to target an individual working in refugee and migrant services. The attack relied on basic spear-phishing tactics, using Portable Executable (PE) files and ZIP archives dropping the PlugX malware, which has been used by Chinese-speaking actors for many years. On March 22nd, 2022, Ukraine’s national CERT (CERT-UA) reported a spear-phishing campaign targeting Ukrainian officials using RAR archives bundling Office documents and batch scripts that drop the HeaderTip malware. At least one security company attributed the campaign to Chinese state-sponsored actors. These tactics are fairly basic and have long been part of Chinese TTPs for spear-phishing campaigns. Based on the few reports reviewed, China-based cyber threat actors appear interested in targeting individuals involved with the logistics and management of refugees, as well as U.S. government officials associated with the conflict.

Conclusion

The Russian invasion of Ukraine resulted in an uptick in hacktivist activity and a significant increase in data leaks from Russian organizations. The Cyber Partisans hacking group was able to disrupt logistical assets of the Belarusian Railway system, reportedly causing resupply issues for the Russian army. Chinese threat actors also conducted multiple spear-phishing campaigns aimed at key NATO, EU and Ukrainian officials.