Update: March 9: Additional phishing emails have been sighted by Trustwave SpiderLabs researchers targeting Ukrainian citizens with fake evacuation messages. Please see below for additional details.
The Russia-Ukraine conflict currently is ongoing and continues to escalate. Trustwave is on heightened alert, and we are actively monitoring malicious cyber activity associated with and adjacent to the conflict between Russia and Ukraine. In addition to monitoring for cyberattacks and malware use during this time, the elite Trustwave SpiderLabs team is actively monitoring for phishing, social engineering techniques and Dark Web chatter associated with these events to further enhance cyber detection and response for our clients.
Trustwave SpiderLabs researchers have recently observed a high volume of cyber activity on the Dark Web as supporters of Russia and, separately, Ukraine attempt to impact the outcome of the conflict in cyberspace.
We have identified some of the more evolved cyber tactics actioned that could impact geopolitical conflict and corporate cybersecurity in the long term.
What Makes These Cyber Activities Different
Trustwave SpiderLabs has noted a wide variety of attempts by Dark Web forum members to influence the conflict from the cyber side, including using social media and encrypted communication platforms to recruit actors to help conduct Distributed Denial of Service (DDoS) attacks against multiple Russian government and official sites.
Other hackers on the Dark Web are targeting Ukrainian government and military officials and spreading misinformation about what is truly taking place in Ukraine.
These calls to action differ from what has traditionally transpired during past geopolitical conflicts. Cyber activity tended to be less destructive and more for public perception, such as defacing websites with slogans or images.
Still, the majority of these new, more destructive and organized activities do not seem to be directly connected to either Russian or Ukrainian government efforts. These activities appear to be conducted by lone-wolf hackers or groups with a national loyalty who want to use their cyber skills to influence the conflict's outcome and the perception of what is taking place in Ukraine to those outside the region.
Organized Like Never Before: The Tactics Used By Hackers Supporting Ukraine
As of February 24, DDoS attacks were reported to be launched against Russian targets.
Multiple sources have used Facebook and other social media outlets to try and gather a force to conduct these attacks. Most notably, Yegor Aushev, co-founder of a cybersecurity company in Kyiv, told Reuters he wrote a post calling for underground cyber defenders at the request of a senior Ukrainian Defense Ministry official who contacted him.
Trustwave SpiderLabs has observed similar calls to cyber arms on the Dark Web. These include links to groups organizing to attack Russian entities, sites containing instructions on how to conduct a DDoS attack, and a recommended DDoS attack target list.
A description of how to DDoS and a list of targets
The suggested targets include Russian military, government and security websites.
"We did not want to kill anyone, but now we will show that we are brothers of the Cossack family. You can use your computer as a weapon by making DDOS attacks!" one Dark Web entry said.
For context, the Cossacks were much-feared cavalry historically from Ukraine and surrounding areas and are still considered heroes to Ukrainians.
"If you want to help Ukraine in the fight against Russia, but if you can't, help by opening a tab on the Internet," the posting above says.
Lone-Wolves Show Their Support For Russia, Dox Ukrainian Military Officials
Trustwave SpiderLabs has observed a lone threat actor that calls himself JokerDNR expressing support for Russia. DNR stands for the Donetsk People's Republic, one of the two Ukrainian regions Russia recognized as independent nations before its attack on February 24.
The bulk of JokerDNR's activity has been along two lines. First, JokerDNR has been issuing a string of posts for several weeks, generally attempting to embarrass Ukrainian officials, referring to them as clowns and mocking their abilities. However, on a much more serious note, JokerDNR has exposed what is claimed to be the real names, titles, addresses, and contact information of a number of Ukrainian government and military officers.
A sample of a post disclosing personal information of Ukrainian military officers for intimidation purposes.
If the information posted is accurate, it could pose a grave danger to those people or their families if Russian forces succeed in capturing the areas mentioned by JokerDNR. This type of doxing activity – releasing private information about an individual's family, location, etc. – could potentially deter some Ukrainian officials from being vocal or participating in the resistance to the Russian invasion.
JokerDNR also claimed to have hacked into a Western agency and exfiltrated satellite images of Ukrainian military bases. At this time, it is not possible to confirm whether the images are legitimate or whether these photos were obtained from any compromised device. Regardless, this threat actor is clearly trying to impact the psychology behind the conflict.
JokerDNR, a hacker on the Dark Web, has posted satellite images the actor claims are of Ukrainian military bases, exfiltrated from a western device, so claimed
In some posts, JokerDNR claimed to have prior knowledge that Russia was going to attack Ukraine based on the earlier malicious cyber activity.
Several cyber incidents did occur prior to the Russian invasion of Ukraine, with CISA posting on February 26 that the Microsoft Threat Intelligence Center (MSTIC) disclosed on January 15, 2022, that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable.
Additionally, CISA said that on February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure.
Hacker Groups On Both Sides of the Fight
The Anonymous hacking group has stated that it had joined the "cyber war" against the Russian government. Anonymous also claimed that it had hacked the Russian Ministry of Defense database, Russian state TV and more.
The Conti ransomware gang, according to Bleeping Computer, had declared itself ready to conduct attacks in support of the Russian government. Conti, formerly known as Ryuk, has been a very active ransomware gang. The Cybersecurity and Infrastructure Security Agency issued an alert in September 2021 on Conti after observing the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations.
Conti's pro-Russia stance, however, may have upset some of the group's affiliates and could result in its demise. Bleeping Computer reported that a Ukrainian security researcher has leaked over 60,000 internal messages and 393 JSON files belonging to the Conti ransomware operation after the gang sided with Russia over the invasion of Ukraine.
We see researchers still digging through the data dump, and there is a possibility this could be the end of Conti.
For a more in-depth look at the Conti data dump, follow Brian Krebs’ blog series.
Ukraine-Russia Conflict Related Email Scams
Fraudsters not directly related to Russia or Ukraine's nation-state forces are also attempting to take advantage of the conflict. Whether it's the Olympics, COVID or a natural disaster, threat actors use chaos to scam good-hearted people who just want to help. In many cases these scamsters are using phishing emails containing detailed stories.
In the example email below, a scammer is attempting to pose as a director of a Ukrainian charitable foundation that is focused on defending human rights. The email asks for donations via Bitcoin, Ethereum or Tetherus cryptocurrency.
Trustwave MailMarshal Secure Email Gateway can block these types of phishing and scam emails.
A sample of a scam email spotted by Trustwave SpiderLabs
Another phishing scam spotted by Trustwave SpiderLabs researchers is using a social engineering scheme designed to take advantage of the very real evacuations that are now taking place throughout Ukraine by passing along fake evacuation information.
Evacuation plan from: SBU
Security Service of Ukraine
Good afternoon, you need to get acquainted with the electronic evacuation plan from March 1, 2022, provide data on the number of staff, fill out the document on the form 198 \ 00-22 SBU-98.
To ensure the confidentiality of transmitted data, the password is set to the attachment: 2267903645
Translated text from a phishing email.
How These Cyber Tactics Could Impact Future Geopolitical Conflicts and Corporate Cyber Attacks
Much of the cyber activity that has taken place so far have not had a direct, significant impact on the physical battlefield. But with that said, we believe these tactics and activities will stand as an example of what we should expect in future geopolitical conflicts.
Lone-wolf and organized threats actors who possess the proper cyber skills may directly attack their nation's enemy or recruit others to join in a coordinated attack. These activities, coupled with specific malware use designed to "prep” the physical battlefield, could become a more widely used tactic to weaken a nation’s defensive capabilities, critical infrastructure or communication streams.
There is also a strong possibility that social media and forum tactics such as doxing may be used during a conventional cyberattack against civilian targets. For example, corporate officials could be threatened with exposure or blackmail if they do not cooperate with an attacker's demands.
Trustwave SpiderLabs will continue to monitor the situation as events unfold and map the potential long-term impact of these evolved cyber tactics on the corporate threat landscape.