A new report reveals that Ukraine is fighting a battle with Russia in cyberspace as well as a physical war.
Russia has been deploying a “cyber war” against Ukraine since the physical invasion began in late February, says Chicago-based security firm Trustwave.
Malware has been used against organizations in Ukraine to either destroy or take control of their online systems and “damage targets far behind the front lines”.
Malware – a collective term for any type of malicious software – has been used to steal data, spy on citizens and attack national infrastructures.
Trustwave has listed a number of malware types used as part of its cyberwarfare efforts, many with colorful names like “AcidRain” and “Industroyer2”.
Russia has been using “cyber warfare” against Ukraine since the physical invasion began in late February, says SpiderLabs, Trustwave’s investigative arm. Pictured, Ukrainian soldiers sit on infantry fighting vehicles on a road in Ukraine’s Donetsk region on Aug. 18, 2022
MALWARE AND SPYWARE
Malware is a collective term for any type of malicious software, regardless of how it works, its intent, or how it is distributed.
The term includes adware, spyware, viruses, trojans and more.
Spyware is a specific type of malware that steals information from a computer and sends it to a third party without the person’s knowledge.
Spyware collects your personal information and forwards it to advertisers, data companies, or outside users.
Source: Norton Security
“By observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid warfare strategies,” said Pawel Knapczyk, security research manager at SpiderLabs, Trustwave’s investigative arm.
“While conventional warfare is fought on the battlefield and constrained by multiple factors, cyber warfare continues in cyberspace, offering the chance to infiltrate and damage targets far behind the front lines.”
According to SpiderLabs, the perpetrators of the attacks include the Russian foreign intelligence service, the Russian Federal Security Service and the General Staff of the Armed Forces of the Russian Federation.
The team has listed a number of malware types used as part of its cyberwarfare efforts, many with colorful names like “AcidRain” and “Industroyer2”.
HermeticWiper
This particular piece of malware is known as a “wiper” because it erases or “erases” the hard drive of the computer it infects.
It was discovered on hundreds of Ukrainian computers, as well as computers in Lithuania and Latvia, on the evening of February 23, just hours before Russian troops invaded Ukraine.
It was named “HermeticWiper” based on a digital certificate from a Cyprus-based company called Hermetica Digital Ltd.
The perpetrators of the attacks include the Russian foreign intelligence service, the Russian Federal Security Service and the General Staff of the Armed Forces of the Russian Federation
RUSSIAN THREAT ACTORS
Trustwave SpiderLabs says notorious threat groups and Russian special services are involved in cyber attacks on Ukraine:
– APT28, also known as Cozy Bear or The Dukes, has ties to the Russian Foreign Intelligence Service (SVR).
– APT29, also known as Fancy Bear or Sofacy, has been assigned to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly GRU) Unit 26165.
– SANDWORM, aka Black Energy, was associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly GRU) Unit 74455.
– Dragonfly, also known as Energetic Bear or Crouching Yeti, has been identified as Russian Federal Security Service (FSB) unit 71330.
– GAMAREDON, also known as Primitive Bear or Armageddon, was traced back to the Russian Federal Security Service (FSB) in November 2021.
The company is run by Polis Trachonitis, a 24-year-old video game designer who runs the business from his home in the suburbs of the capital Nicosia.
The malware had been signed with a digital certificate bearing the Hermetica Digital name, but Trachonitis said it had nothing to do with the attack.
“I don’t even write the code — I write stories,” he told Portal at the time. “I’m just a Cypriot … I have no connection with Russia.”
Trustwave SpiderLabs said the digital certificate – a type of electronic password needed to carry out the attack – was stolen.
acid rain
Another wiper malware, AcidRain, was used on February 24 to wipe US company Viasat’s modems in Ukraine.
It affected several thousand customers in Ukraine and tens of thousands others across Europe.
AcidRain’s functionality is “relatively simple” as it wipes a computer’s file system and all files on the storage device.
“After the deletion is complete, a restart of the device is triggered,” explains SpiderLabs.
The attack in February also resulted in the failure of 5,800 Enercon wind turbines in Germany. Remote monitoring and control of the turbines was no longer available, although the turbines themselves continued to function.
Viasat had to ship nearly 30,000 modems to distributors to get customers back online.
Another cybersecurity group, SentinelLabs, claims to have named this malware “AcidRain”. The malware is said to be designed to delete both routers and modems.
AcidRain’s functionality is “relatively simple” as it performs a recursive wipe of a computer’s file system and all storage device files.
industrialist2
Industroyer2 is a “sophisticated malware” that was able to manipulate devices in electric utility companies to control the flow of electricity.
According to SpiderLabs, it specifically abuses a set of standards used in electrical power control systems with the aim of causing a blackout.
In April, Industroyer2 was deployed at a targeted Ukrainian high-voltage power plant to penetrate and disrupt part of its industrial control system.
Fortunately, the station’s defenders were able to prevent power outages, Ukraine said.
CredoMap
CredoMap is known as a “credential stealer” or “information stealer” because it uses user credentials stored in browsers.
It was used by threat actor APT28, which has ties to the Russian Foreign Intelligence Service (SVR).
CredoMap steals cookies and saved passwords from Chrome, Edge and Firefox browsers.
Depending on the version, stolen data is then exfiltrated or extracted via email or POST – an HTTP supported request method used by the World Wide Web.
Finally, SpiderLabs points out that sophisticated cyber weapons are “key tools in the modern military’s arsenal”.
“We can clearly see that government assets, critical infrastructure, media and private sector organizations are extremely lucrative targets for attackers and even legitimate penetration tools can be hijacked and weaponized,” it said.
SpiderLabs has provided a full list of culprits and attack types in its report, which can be downloaded from the Trustwave website.
GOOGLE WARNS ABOUT SPYWARE USED BY FOREIGN GOVERNMENTS TO HACK APPLE AND ANDROID PHONES
Google has warned of spyware used by foreign governments to hack into Apple and Android phones and spy on users’ activities.
The obnoxious “spyware” – software that steals information from a device – was developed by Milan-based company RCS Lab and was uncovered by Google and security firm Lookout.
RCS Lab Spyware was allegedly used by the Italian and Kazakh governments to spy on private messages and contacts stored on their citizens’ smartphones.
However, the spyware may also be able to spy on a victim’s browser, camera, address book, clipboard, and chat apps.
RCS Lab is an example of a “lawful wiretapping company” that claims to only sell to customers who are lawfully used for surveillance purposes, such as: B. Secret services and law enforcement agencies.
But in reality, such tools have often been misused under the guise of national security to spy on businesspeople, human rights activists, journalists, academics and government officials, security experts say.
Continue reading