An Inside Look at Russian Cyber Weapons Used Against Ukraine

Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy. 

Reports from Trustwave and other security researchers show that Russian cyberattackers have maintained pressure on Ukraine throughout the conflict. This article covers malware that has been used against organizations in Ukraine to destroy systems and data or to gain control over targeted systems for surveillance and data stealing. Since the full report from Trustwave SpiderLabs researcher Pawel Knapczyk is rather technical, I wanted to break down the essential elements without boring readers with those complex details.

Early in the invasion, Russian cyberattackers focused quite a bit of energy on using malware to destroy systems and data through the use of "wipers." The name is literal: the malware wipes systems clean.

One of the earliest attacks, AcidRain, was timed for Russia's physical invasion of Ukraine in February. AcidRain was a targeted attack against modems accessing the internet through Viasat's satellite network. Viasat is a satellite-based broadband service provider. The attackers gained access to Viasat's management network. They then used it to push the AcidRain malware to satellite modems and wipe those modems of essential software needed to operate and connect to the internet properly.

The attack targeted internet service for customers in Ukraine, knocking out thousands of modems in the country. However, there was no way to only target modems in Ukraine. Service across Europe was wiped out for tens of thousands of customers, including an energy company in Germany that lost control of 5800 wind turbines.

Two other wipers, HermeticWiper and IsaacWiper, were employed by the Sandworm crew, a hacking operation tied to the FSB. Both functioned as destructive attacks, deleting data and filling up hard drive space on any infected Windows system. It's also interesting to note that the compile timestamp of the HermeticWiper malware was December 28, 2021, suggesting that the February attacks had been in preparation since at least that time.
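The December 2021 timestamp mentioned above is the kind of value an analyst pulls from the COFF header of a Windows executable. The following is an added example, not code from the Trustwave report, that reads that field from a PE image and builds a constructed (non-executable) header to run against; the sample build time is set to midnight UTC on December 28, 2021 purely for illustration, since the page does not give the real sample's time of day.

```python
"""Recover the build timestamp from a PE file's COFF header.

Added example, not from the Trustwave article. The bytes produced by
build_sample_pe() are a constructed header stub, not real malware.
"""
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Raises ValueError on anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    # so the timestamp sits 8 bytes past the PE signature.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_sample_pe(build_time: datetime) -> bytes:
    """Construct a minimal PE header stub carrying the given build time.

    This is only enough structure for pe_timestamp(); it is not loadable.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    ts = int(build_time.timestamp())
    # Machine=AMD64, 0 sections, TimeDateStamp, then zeroed remaining fields.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: midnight UTC, 28 Dec 2021 (illustrative value only).
SAMPLE_BUILD = datetime(2021, 12, 28, tzinfo=timezone.utc)
SAMPLE_PE = build_sample_pe(SAMPLE_BUILD)

if __name__ == "__main__":
    print("COFF TimeDateStamp:", pe_timestamp(SAMPLE_PE).isoformat())
```

The caveat a practitioner applies here is that the TimeDateStamp is a plain integer in the header and can be set to anything by the author, so a build time like this one is treated as a lead to corroborate against sandbox first-seen dates and other artifacts, not as proof on its own.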

Another interesting piece of destructive malware used by Sandworm, a hacking operation tied to a former GRU unit, was Industroyer2. The gang wrote Industroyer2 explicitly to attack Ukraine's energy grid. The malware replaces administrative software in a power plant and then disrupts circuit breakers in electric substations, causing widespread electric outages. Interestingly, technical information about the various substations, such as IP addresses, was written directly into the malware. This suggests that Sandworm spent time conducting proper reconnaissance in order to target the malware at specific systems.

After March, Russia seemingly gave up on using destructive wipers as much as they did in the two months prior. Instead, Russian cyberattackers focused more energy on surveillance and stealing data. 

One such piece of malware was CredoMap, deployed by APT28, aka Fancy Bear. CredoMap has one primary function: stealing stored passwords and website cookies from Chrome, Edge, and Firefox web browsers. These credentials are then forwarded to the attackers via email or web.

Additionally, the popular DarkCrystal RAT was used to target Ukrainian telecommunication operators and media organizations. A RAT is a Remote Access Tool that does precisely that, allowing the attackers to access the infected computer remotely. It has many features, such as the ability to take screenshots and to turn on the webcam and microphone. Like CredoMap, it can also steal credentials, and it can take anything stored on the computer's clipboard.

Briefing: Cyber Weapons Used in the Ukraine-Russia War – Overview and Lessons Learned

For a more technical breakdown of the malware being used by Russia and Ukraine during the conflict, please listen to this recent webinar hosted by Trustwave's Karl Sigler, Senior Security Research Manager, and Pawel Knapczyk, Security Research Manager.


Undoubtedly, sophisticated cyber weapons are key tools in the arsenal of a modern military. Compared to traditional warfare, cyber warfare is invisible to the naked eye, does not risk lives on the aggressor's side, and is cost-effective. We can also see in this current conflict that the territorial constraints of conventional warfare do not bind cyber warfare. It offers the chance to infiltrate and damage targets far behind the frontlines.

Sometimes the fallout from malware affects countries that are not even directly involved in the conflict. We saw this in the case of AcidRain, which targeted Ukraine but affected tens of thousands of systems across Europe. Whether or not your business, industry, or country is involved in any conflict, preparing for these attacks is crucial. Ensure that your team patches known vulnerabilities as quickly as possible and that your organization has an effective, ongoing security awareness program to help your users protect themselves against social engineering and phishing attacks.
