A NEW ERA OF CYBERWAR HAS BEGUN

On February 24, Russian forces launched a large-scale invasion of Ukraine that was preceded by a series of cyberattacks targeting critical Ukrainian government, banking, and communications infrastructure.

In response to the pre-invasion cyber-assault, Ukrainian Vice Prime Minister Mykhailo Fedorov took to Twitter to call for the creation of a global “IT army” to combat Russia’s formidable cyber forces. Within hours, posts in numerous hacking forums rallied for counterstrikes targeting Russian assets.

Combined with some of the most comprehensive economic sanctions ever imposed on a rogue nation, cyberattacks by and against Russian forces are already cascading beyond Russian and Ukrainian borders.

In fact, the conflict represents what Harvard Business Review calls the most acute cyber risk U.S. and western corporations have ever faced. The following assessment of cyberattacks observed in the earliest days of the conflict suggests organizations should prepare for varied and rapidly evolving cyberthreats in the coming weeks.

DDoS Attacks

Beginning February 23, DDoS attacks against Ukrainian government and infrastructure websites caused widespread disruption of web resources belonging to the Ukrainian Ministry of Defense, the Ministry of Foreign Affairs and the Verkhovna Rada, among others—prompting the Ukrainian Vice Prime Minister’s call to action.

The announcement sparked robust chatter in underground forums and groups, with most supporting Ukraine and its efforts to repel Russia’s cyber-assaults. And that chatter soon turned to action.

On February 26, the prominent hacker group known as “Anonymous” launched #OpRussia to unleash massive DDoS attacks against Russian domains, along with large-scale leaks of private Russian data. Within hours, the coordinated effort is believed to have succeeded in taking down the Kremlin’s official website along with those of Russian president Vladimir Putin, the Russian Ministry of Defense, and the Russian Parliament (aka the Duma). Nonetheless, Russia’s vast network of state-sponsored threat actors continues to launch new attacks.

Phishing Campaigns

On February 25th, Ukraine’s CERT reported “mass phishing emails” targeting the private “i.ua” and “meta.ua” accounts of Ukrainian military personnel and related individuals. After an account is infiltrated, the attackers gain access to all archived and incoming messages. Leveraging contact details from the victim’s address book, they can then send new phishing emails to laterally expand the network of compromised accounts. CERT UA identified the attackers as the Minsk-based group ‘UNC1151’. Its members are officers of the Ministry of Defense of the Republic of Belarus.
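The lateral-expansion step described above leaves a recognisable trace in outbound mail logs: a single account suddenly sends the same message to many distinct recipients, most of whom are in that account’s own address book. The following Python script is an added example (not code from the original post or from CERT UA) that flags that pattern in a constructed, hypothetical gateway log format; the log lines, address books and thresholds are all assumptions, and a mailing-list burst is included to show why the address-book overlap check matters.

```python
"""Heuristic detector for lateral phishing sent from a compromised webmail
account. Added example with constructed data; not from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-mail log in a hypothetical gateway format:
# "<ISO timestamp> <sender> -> <recipient> | <subject>"
SAMPLE_LOG = """\
2022-02-25T09:00:12 user.a@i.ua -> user.b@meta.ua | Weekend plans
2022-02-25T09:14:02 user.a@i.ua -> user.c@i.ua | Re: budget
2022-02-25T11:02:01 user.d@meta.ua -> c1@i.ua | Urgent: verify your account
2022-02-25T11:02:03 user.d@meta.ua -> c2@i.ua | Urgent: verify your account
2022-02-25T11:02:05 user.d@meta.ua -> c3@meta.ua | Urgent: verify your account
2022-02-25T11:02:08 user.d@meta.ua -> c4@i.ua | Urgent: verify your account
2022-02-25T11:02:10 user.d@meta.ua -> c5@meta.ua | Urgent: verify your account
2022-02-25T11:02:12 user.d@meta.ua -> c6@i.ua | Urgent: verify your account
2022-02-25T14:30:00 user.e@i.ua -> list1@i.ua | March newsletter
2022-02-25T14:30:01 user.e@i.ua -> list2@i.ua | March newsletter
2022-02-25T14:30:02 user.e@i.ua -> list3@i.ua | March newsletter
2022-02-25T14:30:03 user.e@i.ua -> list4@i.ua | March newsletter
2022-02-25T14:30:04 user.e@i.ua -> list5@i.ua | March newsletter
"""

# Constructed per-account address books (in practice, pulled from the
# webmail backend). user.e's newsletter recipients are a list, not contacts.
ADDRESS_BOOKS = {
    "user.a@i.ua": {"user.b@meta.ua", "user.c@i.ua"},
    "user.d@meta.ua": {"c1@i.ua", "c2@i.ua", "c3@meta.ua", "c4@i.ua",
                       "c5@meta.ua", "c6@i.ua", "manager@meta.ua"},
    "user.e@i.ua": {"friend@i.ua"},
}


def parse_log(text):
    """Parse the hypothetical log format into (ts, sender, recipient, subject)."""
    records = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        route, subject = rest.split(" | ", 1)
        sender, recipient = route.split(" -> ")
        records.append((datetime.fromisoformat(ts), sender, recipient, subject))
    return records


def detect_lateral_phishing(records, address_books, window=timedelta(minutes=15),
                            min_recipients=5, min_contact_ratio=0.8):
    """Flag (sender, subject) bursts: >= min_recipients distinct recipients
    inside `window`, of which >= min_contact_ratio are the sender's contacts."""
    bursts = defaultdict(list)
    for ts, sender, recipient, subject in records:
        bursts[(sender, subject)].append((ts, recipient))

    alerts = []
    for (sender, subject), msgs in bursts.items():
        msgs.sort()
        contacts = address_books.get(sender, set())
        for i, (start, _) in enumerate(msgs):
            # Sliding window: collect recipients reached within `window` of msgs[i].
            rcpts = {r for ts, r in msgs[i:] if ts - start <= window}
            if len(rcpts) < min_recipients:
                continue
            ratio = len(rcpts & contacts) / len(rcpts)
            if ratio >= min_contact_ratio:
                alerts.append({
                    "sender": sender,
                    "subject": subject,
                    "first_seen": start.isoformat(),
                    "recipients": len(rcpts),
                    "contact_ratio": ratio,
                })
                break  # one alert per burst is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_phishing(parse_log(SAMPLE_LOG), ADDRESS_BOOKS):
        print(alert)
```

On the constructed sample only user.d is flagged: user.e sends the same subject to five recipients in the same window, but none of them are contacts, so the address-book ratio separates a legitimate bulk mailing from an account being used to spread phishing through its own contact list. In production the same heuristic would be paired with the account’s recent authentication events (new IP, new device) to raise confidence.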

Emerging Malware Threats

Russian hacker groups are well-known for developing malware for use in attacks worldwide. In the last few days, cybersecurity researchers have discovered a new data-wiping malware, dubbed HermeticWiper (AKA KillDisk.NCV), that has been deployed against Ukrainian targets and is believed to have been created within the last two months. Additionally, Conti Group, an infamous Russian ransomware gang, threatened last Friday in a dark web blog post to use its full force and hack the critical infrastructure of any nation or organization that attempts to target Russia.

PREPARING FOR A WIDENING BLAST RADIUS

As this is a developing situation, it is unclear what impact this cyberwarfare may have on the rest of the world.

But the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that the damaging economic sanctions and other measures being imposed on Russia are likely to result in cyberattacks against western targets.

It is important to be mindful that this cyberwarfare could expand in unpredictable ways.

As a precaution, US, British, and Australian cyber agencies are warning public- and private-sector cybersecurity personnel to be vigilant and prepare for possible retaliatory nation-state phishing, malware, and direct cyberattacks that could result in significant and prolonged business disruptions.

Adi Goldshtein-Harel

Product Manager

Adi Goldshtein-Harel is Product Manager and Head of the Cyber-Intelligence team of FraudAction Services for Outseer, an RSA company. Adi is responsible for planning, executing, and leading the product roadmap. In addition, Adi leads the Cyber-Intelligence operation providing service to hundreds of customers. Adi’s work provides her with deep insight and expert knowledge of the cybercrime landscape, particularly in the field of online fraud prevention.