Development of the Ukrainian Cyber Counter-Offensive

Overview

Russia’s military incursion against Ukraine began on February 24, 2022, with a massive ground attack supported by several cyber incidents. This activity set the stage for what would become an active hybrid war fought in two domains: cyber and ground warfare.

On Ukraine’s side, a loose cyber collective developed into the IT Army of Ukraine, launching DDoS attacks targeting Russian infrastructure, including airports, public transportation, government facilities, financial institutions, and private organizations. Cyber operations also targeted Moscow’s Stock Exchange website and the Russian Federal Tax Service. Even as recently as this week, the IT Army claimed to have breached the Central Bank of Russia, stealing thousands of internal documents and dumping 2.6 GB of data publicly.

In this post, we will cover the IT Army of Ukraine from its start at the very beginning of the war as a loose collective of cybersecurity experts and hackers, to a well-organized nation-state group of defensive and offensive actors with specific roles and purposes.

From Cyber Collective to IT Army

On February 24, 2022, Yegor Aushev, co-founder of a cybersecurity company located in Kyiv, posted a call to cyber arms on several hacker forums, enlisting the aid of those with a cybersecurity background and hacking skills. Volunteers and various hacktivists joined together to form Ukraine’s cyber counter-offensive collective, which developed into a more formalized group referred to as the ‘IT Army of Ukraine.’

The term ‘IT army’ was first introduced by Mykhailo Fedorov, the Minister of Digital Transformation of Ukraine, in a social media post on February 26, 2022, which marked the beginning of the IT Army’s operations.

Figure 1: https://twitter.com/FedorovMykhailo/status/1497642156076511233

In another call to arms, Yegor Aushev, co-founder of a cybersecurity company in Kyiv, posted "Ukrainian cybercommunity! It's time to get involved in the cyber defense of our country." In an interview with Reuters Aushev stated that he “wrote the post at the request of a senior defense ministry official who contacted him" that day.

Targeting Russia

Based on Aushev’s statements, the collective is believed to be composed of two groups: an open collective of hacktivists whose task is to target and launch DDoS attacks against Russian infrastructure, and an in-house team of cyber operatives who are tasked with launching more complex operations, such as those highlighted in Stefan Soesanto’s CSS Cyberdefense Report.

Figure 2: Russia-Ukraine War — Cyber Group Tracker. October 12, 2022. Cyberknow. The chart shows an almost equal number of threat actors supporting opposing parties in the war. Source: https://cyberknow.medium.com/update-19-2022-russia-ukraine-war-cyber-group-tracker-october-12-c684310ba654

IT Army of Ukraine Cyber Operations

After being formed, Ukraine’s IT Army almost immediately launched its first attack against Russian corporate and state entities. Information about this cyber operation, along with a call to use DDoS and other attack types against 31 Russian targets, was shared on a Telegram channel titled ‘itarmyofukraine2022.’

On February 28, 2022, the IT Army breached Moscow’s Stock Exchange website, rendering it inaccessible just five minutes after the attack was launched, according to a Telegram post. The IT Army also claims to have taken down the website of Sberbank, the largest bank in Russia. The attack interrupted payment system services and caused a small loss of funds, but had no major impact.

Also on February 28, the Russian media agency Interfax published a quote from Roskomnadzor stating, "A hybrid war is currently being waged against Russia that includes elements of disinformation, as well as traditional cyberwarfare." Roskomnadzor is the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, a federal executive body responsible for overseeing the media, including electronic media, mass communications, information technology, and telecommunications.

Figure 3: Telegram post with list of 31 initial targets

Translation 1:

You can use your computer as a weapon by making DDOS attacks!

Here are instructions on how to do it: …

Translation 2:

If you want to support Ukraine in combat with Russia, but do not have the ability – help by opening a tab in the browser. …

Figure 4: Example of Facebook advertisement calling users to join DDoS attacks against targets in Russia and a similar advertisement in a public Telegram channel

As the IT Army grew in number, it attracted members with diverse skillsets, adding to the group’s targeting capabilities.

The growth in size and mission scope created a need to support the IT Army’s members by furnishing them with scripts to run, and highlighted an opportunity to develop and introduce educational materials and hacking guidelines, which could be accessed and shared via an educational portal:

Translation:

HackYourMom: Community driven portal, lab, academy, and cyber army of hackers

Menu items: Education, Privacy, Services, Can you hack?, Communication, About us, Cyber war, Join the cyber army

Figure 5: The educational portal from the HackYourMom team.

The HackYourMom team published multiple educational articles, ranging from OSINT basics to reverse engineering, along with lessons on YouTube.

Figure 6: The educational portal from the HackYourMom team, Cyberwar section. OSINT-related articles in Ukrainian.

A variety of information can be found across various teams, groups, and channels, ranging from guides and books on launching attacks to advice on specific tactics for infecting a target’s network or devices.


Translation:

How to properly attack Android Phones of the Russian Military #training #software

SARA - Simple Android Ransomware Attack ( Root required )

Installation

apt update

apt upgrade

pkg install git

git clone …

CD SARA

launch

bash install.sh

Next, you will create an apk file that you need to send to the victim.

Figure 7: HackYourMom group teaches members how to deploy ransomware to the Russian soldier's Android phones.

Used in attacks against the Russian military’s Android cellphones, the Simple Android Ransomware Attack enables exfiltration of geolocation data and allows ongoing geolocation data point tracking from the infected device, all of which is extremely valuable battlefield intelligence.

Figure 8: Screenshot from SARA malware control panel.

The IT Army of Ukraine also provides its members with English language learning resources to help them acquire cybersecurity skills and knowledge.

Figure 9: OpSec informational portal.

As information about the IT Army’s mission was shared, organizations such as the Student Committee of Cybersecurity and Defense of Ukraine joined the cause. The group stated that it was beginning to attack Russian resources, with the target being Mosmetro, also known as the Moscow Metro, a metro system serving Moscow and neighboring cities.

Figure 10: Screenshots showing the Student Committee of Cybersecurity and Defense of Ukraine logo and new targets for its members.

The group also shares news about the Russian Federation as reported in the media and government sources.

Translation:

Results of IT Army of Ukraine for 2 weeks.

Figure 11: Student Committee of Cybersecurity and Defense of Ukraine shares the latest updates from “Minsifra” - the Ministry of Digital Transformation of Ukraine.

The IT Army’s operational methods have matured since the group’s inception, including using Telegram as the central communication point for the hundreds of thousands of hacktivists located around the world. In addition to tasking the IT Army with launching DDoS attacks against specified Russian targets, other attack types encouraged on Telegram’s ‘itarmyofukraine2022’ channel include reporting Russian YouTube propaganda channels, and signing petitions to block PayPal, GitHub, and similar services in Russia. New targets and operational methods continue to be posted in the ‘itarmyofukraine2022’ channel.

Figure 12: Telegram posts encouraging users to sign petitions to block PayPal and YouTube in Russia

Not long after creating the Telegram channel, the first automated scripts and guides, which included instructions on constructing VPNs, started to appear.

The first scripts facilitated DDoS attacks, targeting the Mir payment system in Russia, following a suspension of services in Russia from Mastercard, Visa, and American Express.

Automated tools, such as Death by 1000 needles, Liberator, and mhddos_proxy were created by the IT Army specifically for its members, which allowed them to automatically retrieve target lists and perform DDoS attacks with minimal effort.

On April 1, 2022, the IT Army launched an automated chatbot on Telegram that responds to questions and provides an instruction guide detailing how to execute DDoS attacks. Not long after the chatbot became active, the IT Army of Ukraine created a website sharing its target list, and details on how to launch a DDoS attack.

Figure 13: Official website of IT Army of Ukraine containing instructions on how to perform DoS attacks

In May, an attack automation function was introduced to the Telegram chatbot which allowed volunteers to grant the bot access to their cloud resources. This allowed a coordinated attack from all available servers, maximizing the scale of a DDoS attack. To prevent proactive fixes on the attacked resources, the IT Army made its mhddos_proxy tool closed-source, improving its operational security against abuse by hostile threat actors. The cyber collective also stopped publicly sharing its target list.

According to the information provided on the IT Army of Ukraine’s official website, the group has now become a well-organized operation with a coordinated team that includes experts from the following fields:

- Cybersecurity experts who identify a potential target’s vulnerabilities
- Economists who identify targets that will significantly impact the enemy's economy
- Attack solution developers who update the software, allowing for more effective strikes
- Moderators who assist the IT Army by reading messages and passing important information to other members of the cyber collective for analysis and involvement in future campaigns

Figure 14: The Evolution of IT Army DDoS Toolkit timeline. The dates represent the first time a particular topic or tool was introduced by the official IT Army account on Telegram.

On October 7, 2022, the IT Army of Ukraine’s members defaced the ODKB’s (Collective Security Treaty Organization) official websites. The URL in the screenshot below leads to the Internet archive service Wayback Machine:

Figure 15: Telegram post with link to Wayback Machine where ODKB website defacement was captured

The defacement text can be translated to: “IT-army of Ukraine is in touch. We would like to congratulate Putin on his last birthday and wish him a <comfortable> trip to The Hague!”

Since October 7, 2022, the IT Army of Ukraine has focused on Russian financial institutions and businesses such as Sberbank, Gazprombank, Credit Bank of Moscow, Wildberries, and others.

Figure 16: Telegram post dated Oct 7 with screenshots from Sberbank’s Vkontakte page where customers are talking about the outage.

On October 20, the IT Army of Ukraine launched a DDoS attack against Russia’s Federal Tax Service, blocking Russian taxpayers from submitting tax forms and retrieving documents, and interrupting communications with the Federal service.

Figure 17: Russian taxpayers complaining about being unable to submit tax forms

On October 22, the IT Army of Ukraine launched another attack against the Russian Federal Tax Service.

Figure 18: Thousands of angry comments in the chat of the Federal Tax Service of the Russian Federation.

In a surprising show of anti-war, anti-Russian sentiment, the NRA claims to have breached Technoserv – Russia’s largest systems integrator company. The NRA also claims to have uncovered a connection between Technoserv and Russia’s Federal Security Service.

Conclusions

While we've seen a great deal of coordinated nation-state and Russian-sympathetic attackers in this conflict from the Russian side, the "crowd-sourced" methodology of the IT Army of Ukraine is a somewhat unique technique. Its ability to coordinate resources on a massive scale is something that probably hasn't been seen since the early days of Anonymous vs. Scientology.
