The conflict between Ukraine and Russia goes a long way back, but it took a dramatic turn after the 2014 Ukrainian revolution. Since then, the war in the Donbas region has resulted in a number of casualties as well as a constant feeling of insecurity among the population.
In recent months, Russia increased its pressure on Ukraine by placing more and more troops along its Eastern border. At the same time, a number of destructive cyber attacks against government websites and other organizations took place.
On February 24, Russia invaded Ukraine, turning the conflict into a full-scale war across the country. While the kinetic war is by far the most pressing issue, cyber threats against Ukraine and Western countries are increasing as well.
In this blog, we will review some of the threats that have primarily targeted Ukraine but could also spill over globally.
Constant APT attacks
The Russian APT group Gamaredon has been actively targeting Ukraine for a number of years. In recent months, however, that interest has reached a new level, visible in campaigns that use a variety of lures. We recently caught one such sample that displays a 40-page decoy PDF supposedly detailing Russian military physical training:
The Manual on Physical Training in the Armed Forces of the Russian Federation (Наставление по физической подготовке в Вооруженных Силах Российской Федерации) is intended for commanders (chiefs) at all levels and for physical training specialists, and contains instructions and requirements on the physical training of personnel.
The malicious archive contains not only the decoy but also a VNC server that gives the attacker remote access to the victim's computer. The command and control server, licensecheckout[.]com, is hosted on 45.139.186[.]190 (Russia). Both indicators are written defanged here.
In January, a new destructive malware dubbed WhisperGate was unleashed against Ukrainian targets. It was followed in February by HermeticWiper, a piece of malware meant to render a machine unusable by corrupting the Master Boot Record (MBR) so that the system can no longer boot.
Our Threat Intelligence team is currently analyzing this threat and will publish a technical report.
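Because a wiper that corrupts the MBR leaves a recognisable footprint in the first sector of the disk, a responder can triage a raw disk image by parsing that sector. The following is an added example (not code from this post or from Malwarebytes) that parses the documented MBR layout, classifies the sector, and runs against three constructed sectors: a healthy one, a zero-filled one and one overwritten with junk. It does not claim to reproduce what HermeticWiper specifically writes; the `check_disk_image` path argument and the sample sectors are assumptions for illustration.

```python
import struct

# Layout of a classic (non-GPT) MBR: 446 bytes of boot code, a 4-entry
# partition table at offset 446 (16 bytes each), and the 0x55AA signature
# at offset 510. These constants are the documented layout, not sample data.
MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte boot sector into its signature flag and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({
            "index": i,
            "boot_indicator": boot,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def mbr_health(sector: bytes):
    """Classify a boot sector as "ok", "suspicious" or "damaged", with reasons.

    "damaged" covers what an MBR wiper leaves behind: no boot signature, or a
    partition table that references no partition at all. A never-partitioned
    disk also reports "damaged", so compare against what the host should have."""
    if sector == bytes(MBR_SIZE):
        return "damaged", ["sector is entirely zero-filled"]
    info = parse_mbr(sector)
    reasons = []
    if not info["signature_ok"]:
        reasons.append("missing 0x55AA boot signature at offset 510")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        reasons.append("partition table references no partitions")
    for p in info["partitions"]:
        if p["boot_indicator"] not in (0x00, 0x80):
            reasons.append("entry %d: invalid boot indicator 0x%02x" % (p["index"], p["boot_indicator"]))
        if p["type"] != 0 and p["sectors"] == 0:
            reasons.append("entry %d: used partition with zero length" % p["index"])
    if not info["signature_ok"] or not used:
        return "damaged", reasons
    if reasons:
        return "suspicious", reasons
    return "ok", reasons


def check_disk_image(path: str):
    """Read the first sector of a raw disk image (assumed path) and classify it."""
    with open(path, "rb") as f:
        return mbr_health(f.read(MBR_SIZE))


# --- Constructed samples (not real captures) --------------------------------
def build_sample_mbr(ptype: int = 0x07, lba_start: int = 2048, sectors: int = 204800) -> bytes:
    """Build a minimal healthy MBR: a stub of boot code and one bootable NTFS-typed (0x07) partition."""
    sector = bytearray(MBR_SIZE)
    sector[0:2] = b"\x33\xc0"            # 'xor ax, ax' as a placeholder boot-code stub
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


HEALTHY_SECTOR = build_sample_mbr()
ZEROED_SECTOR = bytes(MBR_SIZE)                                        # overwritten with zeros
GARBAGE_SECTOR = bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))  # overwritten with junk

if __name__ == "__main__":
    for name, sec in [("healthy", HEALTHY_SECTOR), ("zeroed", ZEROED_SECTOR), ("garbage", GARBAGE_SECTOR)]:
        verdict, reasons = mbr_health(sec)
        print(name, verdict, reasons)
```

Run it against `dd if=/dev/sdX bs=512 count=1` output or the first 512 bytes of a forensic image; a "damaged" verdict on a host that was known to boot from that disk is a strong signal that the boot sector was overwritten, while "suspicious" usually means partial corruption and deserves a look at the partition table by hand.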
The infamous Conti ransomware group announced on February 25 that it would retaliate against any cyber (or physical) attack against Russia.
The Conti Team is officially announcing full support of the Russian government. If anybody decides to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy.
This was followed by another clarification:
If there ever was any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.
Since several countries have announced severe economic sanctions against Russia, we should expect retaliation via cyber means. Russia will perceive those sanctions as a direct attack against its economy, and they know how to respond in kind, not with sanctions but with cyber intrusions on critical infrastructure.
Organizations have already faced the global ransomware threat for a number of years, and in many ways the same security recommendations continue to apply. What might be different is the intensity of the attacks as well as the sheer determination of the adversary. For this reason, we recommend following the best practices outlined by CISA and your country's CERT.
More than ever, individuals and organizations should be extremely vigilant against phishing attempts and should preemptively hunt for possible threats within their environment. Remember not only to deploy but also to properly configure your endpoint detection and response (EDR) solution.
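The Gamaredon sample above gives two indicators to hunt for, and this section asks readers to hunt. The following added example (not code from this post or from Malwarebytes) refangs the two indicators exactly as published, then sweeps a constructed DNS/connection log for them. The log format, hostnames and the destination port 5900 (the VNC default; the post only says a VNC server is delivered) are assumptions made for the example. The domain match is label-aware, so a look-alike such as `licensecheckout.com.example.net` does not fire.

```python
import ipaddress
import re

# Indicators exactly as the post publishes them (defanged). These are the
# only real identifiers in this block.
DEFANGED_IOCS = ["licensecheckout[.]com", "45.139.186[.]190"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(defanged):
    """Split a list of defanged indicators into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value)
    return domains, ips


def domain_matches(name: str, domains) -> bool:
    """True when name equals an indicator domain or is a subdomain of one.

    A plain substring test would also fire on look-alikes such as
    licensecheckout.com.example.net, so the comparison is label-aware."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed sample log (not from the post). Format assumed here:
#   <timestamp> <hostname> dns A <queried name>
#   <timestamp> <hostname> conn <dest ipv4>:<dest port>
SAMPLE_LOG = """\
2022-02-26T10:01:03Z ws-017 dns A update.licensecheckout.com
2022-02-26T10:01:04Z ws-017 conn 45.139.186.190:5900
2022-02-26T10:01:09Z ws-022 dns A www.example.com
2022-02-26T10:02:15Z ws-017 conn 93.184.216.34:443
2022-02-26T10:03:41Z ws-031 dns A licensecheckout.com.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|conn)\s+(?:A\s+)?(?P<target>\S+)$")


def hunt(log_text: str, defanged=DEFANGED_IOCS):
    """Return (timestamp, host, indicator type, observed value) for every line that hits an IOC."""
    domains, ips = load_iocs(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrecognised line: skip rather than abort the hunt
        target = m["target"]
        if m["kind"] == "dns":
            if domain_matches(target, domains):
                hits.append((m["ts"], m["host"], "domain", target))
        else:
            ip_text = target.rsplit(":", 1)[0]   # IPv4 "addr:port" only in this sample format
            try:
                if ipaddress.ip_address(ip_text) in ips:
                    hits.append((m["ts"], m["host"], "ip", target))
            except ValueError:
                continue
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Swap `SAMPLE_LOG` for your resolver or proxy export and extend `DEFANGED_IOCS` as further indicators are published; keeping the indicators defanged in the source file avoids accidental clicks and resolutions, and the refang step is the only place they become live values.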
At Malwarebytes, we are tracking these cyber threats and ensuring that our customers continue to be protected. According to AV-Comparatives, the Malwarebytes Consumer and Enterprise versions were able to protect the system effectively against multiple variants of the HermeticWiper malware.