
An Inside Look at Russian Cyber Weapons Used Against Ukraine

Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy. 

Reports from Trustwave and other security researchers show that Russian cyberattackers have maintained pressure on Ukraine throughout the conflict. This article covers malware that has been used against organizations in Ukraine either to destroy systems and data or to gain control over targeted systems for surveillance and data stealing. Since the full report from Trustwave SpiderLabs researcher Pawel Knapczyk is rather technical, I wanted to break down the essential elements without burdening readers with the complex details.

Early in the invasion, Russian cyberattackers focused a great deal of energy on destroying systems and data with "wipers." They are called that because that is exactly what the malware does: it wipes systems clean.

One of the earliest attacks, AcidRain, was timed to coincide with Russia's physical invasion of Ukraine in February 2022. AcidRain was a targeted attack against modems that reach the internet through the satellite network of Viasat, a satellite-based broadband service provider. The attackers gained access to Viasat's management network and used it to push the AcidRain malware to satellite modems, wiping the essential software the modems need to operate and connect to the internet.

The attack targeted internet service for customers in Ukraine, knocking out thousands of modems in the country. However, there was no way to target only modems in Ukraine. Service across Europe was knocked out for tens of thousands of customers, including an energy company in Germany that lost remote control of about 5,800 wind turbines.

The Sandworm crew employed two other wipers, a hacking operation tied to the FSB. HermeticWiper and IsaacWiper, functioned as destructive attacks, deleting data and filling up hard drive space on any infected Windows system. It's also interesting to note that the timestamp of the HermeticWiper malware was December 28, 2021, suggesting that the February attacks were in preparation since at least that time.

Another interesting piece of destructive malware used by Sandworm was Industroyer2. Sandworm built Industroyer2 explicitly to attack Ukraine's energy grid. The malware communicates directly with control equipment in electric substations and toggles circuit breakers. The intended result is widespread electrical outages. Interestingly, technical details about the targeted substations, such as IP addresses, were hardcoded directly into the malware. This suggests that Sandworm spent time conducting proper reconnaissance in order to aim the malware at specific targets.
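Industroyer2 is publicly documented (by ESET and CERT-UA) as speaking the IEC 60870-5-104 ("IEC-104") substation protocol to the devices whose addresses it carries hardcoded; the post above does not go into the protocol. The following is an added example, not code from the Trustwave report or from the malware, showing what a defender would extract from captured IEC-104 traffic to spot live breaker switching commands. The frames, addresses and the `detect_breaker_commands` helper are constructed for illustration; the field layout (start byte 0x68, length, four control bytes, then an ASDU with type ID, VSQ, cause of transmission, common address and 3-byte information object addresses) follows the IEC-104 standard.

```python
"""Flag IEC 60870-5-104 breaker control commands in captured APDUs.

Added example (not from the original Trustwave post or report). Sample
frames below are constructed; addresses are arbitrary.
"""
import struct

START = 0x68
C_SC_NA_1 = 45   # single command: one SCO qualifier byte per object
C_DC_NA_1 = 46   # double command: one DCO qualifier byte per object
COT_ACTIVATION = 6


def parse_apdu(data: bytes):
    """Parse one APDU. Returns None for S/U-format frames or malformed input,
    otherwise a dict with ASDU header fields and decoded control objects."""
    if len(data) < 6 or data[0] != START or data[1] != len(data) - 2:
        return None
    ctrl = data[2:6]
    if ctrl[0] & 0x01:          # S-format (01) or U-format (11): no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        return None
    type_id, vsq, cot_lo, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    n_objects = vsq & 0x7F
    sequence = bool(vsq & 0x80)   # SQ=1: one IOA given, the rest consecutive
    objects = []
    pos = 6
    if type_id in (C_SC_NA_1, C_DC_NA_1):
        ioa = None
        for i in range(n_objects):
            if not sequence or i == 0:
                if pos + 3 > len(asdu):
                    return None
                ioa = asdu[pos] | asdu[pos + 1] << 8 | asdu[pos + 2] << 16
                pos += 3
            else:
                ioa += 1
            if pos >= len(asdu):
                return None
            qual = asdu[pos]
            pos += 1
            if type_id == C_SC_NA_1:
                state = "ON" if qual & 0x01 else "OFF"
            else:
                state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
            # bit 7 of the qualifier is S/E: 1 = select, 0 = execute
            objects.append({"ioa": ioa, "state": state, "select": bool(qual & 0x80)})
    return {
        "type_id": type_id,
        "cause": cot_lo & 0x3F,
        "negative": bool(cot_lo & 0x40),
        "originator": originator,
        "common_addr": common_addr,
        "send_seq": (ctrl[0] >> 1) | (ctrl[1] << 7),
        "objects": objects,
    }


def detect_breaker_commands(frames):
    """One alert per executed (not merely selected) single/double command whose
    cause of transmission is 'activation', i.e. a live switching request."""
    alerts = []
    for data in frames:
        apdu = parse_apdu(data)
        if apdu is None or apdu["type_id"] not in (C_SC_NA_1, C_DC_NA_1):
            continue
        if apdu["cause"] != COT_ACTIVATION:
            continue
        for obj in apdu["objects"]:
            if obj["select"]:
                continue        # select phase; the execute arrives in a later frame
            alerts.append({"type_id": apdu["type_id"], "common_addr": apdu["common_addr"],
                           "ioa": obj["ioa"], "state": obj["state"]})
    return alerts


# Constructed sample frames (I-format, send/receive sequence numbers 0):
FRAME_SC_ON_EXEC = bytes.fromhex("680E00000000 2D0106000100 E90300 01")  # C_SC_NA_1, IOA 1001, ON, execute
FRAME_SC_ON_SEL = bytes.fromhex("680E00000000 2D0106000100 E90300 81")   # same, but select bit set
FRAME_DC_OFF_EXEC = bytes.fromhex("680E00000000 2E0106000100 EA0300 01") # C_DC_NA_1, IOA 1002, OFF, execute
FRAME_M_SP = bytes.fromhex("680E00000000 010103000100 E90300 01")        # M_SP_NA_1 status report, benign
FRAME_TESTFR = bytes.fromhex("6804 43000000")                             # U-format TESTFR act, no ASDU

SAMPLE_FRAMES = [FRAME_TESTFR, FRAME_M_SP, FRAME_SC_ON_SEL, FRAME_SC_ON_EXEC, FRAME_DC_OFF_EXEC]

if __name__ == "__main__":
    for a in detect_breaker_commands(SAMPLE_FRAMES):
        print(f"ALERT type={a['type_id']} CA={a['common_addr']} IOA={a['ioa']} -> {a['state']}")
```

In a real deployment the alert would be enriched with the TCP source address and compared against the small set of HMI or gateway hosts that are allowed to issue switching commands; a command from any other source, or to an information object address nobody has engineered, is the Industroyer2 pattern the post describes.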

After March, Russian operators appeared to rely less on destructive wipers than they had in the two months prior. Instead, they focused more energy on surveillance and stealing data.

One such piece of malware was CredoMap, deployed by APT28, also known as Fancy Bear. CredoMap has one primary function: stealing stored passwords and website cookies from the Chrome, Edge, and Firefox web browsers. The stolen credentials are then forwarded to the attackers over email or HTTP.

Additionally, the popular DarkCrystal RAT (DCRat) was used to target Ukrainian telecommunication operators and media organizations. A RAT is a Remote Access Trojan, and it does precisely that: it allows the attackers to access the infected computer remotely. It has many features, including the ability to take screenshots and turn on the webcam and microphone. It can also steal credentials, like CredoMap does, and grab anything stored on the computer's clipboard.

Briefing: Cyber Weapons Used in the Ukraine-Russia War – Overview and Lessons Learned

For a more technical breakdown of the malware being used by Russia and Ukraine during the conflict, please listen to this recent webinar hosted by Trustwave's Karl Sigler, Senior Security Research Manager, and Pawel Knapczyk, Security Research Manager.

Undoubtedly, sophisticated cyber weapons are key tools in the arsenal of a modern military. Compared to traditional warfare, cyber warfare is invisible to the naked eye, does not risk lives on the aggressor's side, and is cost-effective. We can also see in this conflict that the territorial constraints of conventional warfare do not bind cyber warfare: it offers the chance to infiltrate and damage targets far behind the front lines.

Sometimes the fallout from malware affects countries that are not even directly involved in the conflict. We saw this with AcidRain, which targeted Ukraine but affected tens of thousands of systems across Europe. Whether or not your business, industry, or country is involved in a conflict, preparing for these attacks is crucial. Ensure that your team patches known vulnerabilities as quickly as possible and that your organization runs an effective, ongoing security awareness program to help your users protect themselves against social engineering and phishing attacks.
