
The Cyber Impact of Russia-Ukraine Conflict: Heightened Global Cyber Threat Activity


As the Russia-Ukraine conflict continues to escalate, the resulting geopolitical instability has exposed organisations both within and beyond the region to increased cyber threat activity. Learn more about notable cyber threat incidents, and some recommendations to facilitate proactive actions in response to the conflict-related threats.

Updated as of 22 April 2022 1800hrs

This advisory is an update to the threat advisory on The Cyber Implication of the Ukraine Crisis, which was supplemented with the Executive Brief on The Cyber Impact of Russia-Ukraine Conflict.

As the Russia-Ukraine conflict continues to escalate, the resulting geopolitical instability has exposed organisations both within and beyond the region to increased cyber threat activity.

On 20 Apr, the cybersecurity agencies of the United States, Britain, Australia, Canada and New Zealand, which together form the Five Eyes intelligence-sharing alliance, released a joint cybersecurity advisory (https://www.cisa.gov/uscert/ncas/alerts/aa22-110a). It calls on critical infrastructure network defenders to prepare for potential cyber threats, including destructive (wiper) malware, ransomware, DDoS attacks and cyber espionage.

Considering the heightened cyber threat activity, it is important that organisations prioritise reviewing and strengthening their cybersecurity postures and defences. We have collated a list of notable cyber threat incidents, and our recommendations to help organisations prepare for potential cyber threats.

Cyberattack on Ukraine’s Energy Facilities (Early Apr) – A malicious programme (INDUSTROYER2) targeted high-voltage electrical substations. CaddyWiper malware was deployed on Windows systems, and a further wiper targeted servers running Linux and Solaris. The attack was attributed to Sandworm, a suspected Russia-based APT group.

(For IOCs refer to: https://cert-gov-ua.translate.goog/article/39518)

Phishing and Scam – Opportunistic threat actors continue to take advantage of the conflict with lure emails themed around the situation, calling for urgent humanitarian assistance and fundraising. Phishing emails delivered Remcos RAT (Remote Access Trojan) onto the victim’s device via an attached Excel file carrying a malicious macro. A custom backdoor, originally known as Scieron, was deployed via lure documents, reportedly by a suspected Chinese threat actor, Scarab.

Credential phishing and malware campaigns targeted several US-based, non-government organisations (NGOs), and Ukrainian users. Phishing emails were sent out from many compromised accounts which included links to attacker-controlled domains.

Mars Stealer malware has been observed in campaigns linked to a Russian threat actor. The campaigns used a cracked version of the info stealer, which exfiltrates data stored in web browsers and cryptocurrency wallets (such as MetaMask, Coinbase Wallet and Binance).

Russia/Ukraine-themed war documents have become the lure of choice for cyber espionage threat actors to steal sensitive information from governments, banks, and energy companies, according to Check Point Research. Attackers used decoys, from official-looking documents to news articles and job postings, in their spearphishing campaigns. The capabilities of the malware deployed included: keylogging, credential collection, file collection, screenshotting, clipboard data collection, and command execution.

For IOCs, refer to:

  • https://cert-gov-ua.translate.goog/article/39708

  • https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/

  • https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing

Destructive Malware – Another wiper malware has surfaced: AcidRain (as named by SentinelOne). The destructive executable ran on modems, routers and IoT devices, and shows technical similarities to VPNFilter. Earlier wiper malware campaigns included WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.

Ransomware – The source code of the Conti (Ransomware-as-a-Service) ransomware was leaked. Other threat actors can easily reuse the leaked Visual Studio source with their own public keys, add new functionality, and launch their own ransomware operations.

The proliferation of initial access broker (IAB) activity reduces the time and effort needed to deploy ransomware. At least five known Russian-speaking ransomware operators (Conti, LockBit, Avaddon, DarkSide and BlackByte) were reportedly using IABs. Using the Conti ransomware source code leaked in late March, a pro-Ukrainian hacktivist group, NB65, has reportedly claimed to have breached Russian entities.

Botnets – A new variant of Cyclops Blink has been observed targeting ASUS routers. See the ASUS security bulletin and the following analysis for more information and mitigation measures: (https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html)

For IOCs related to Cyclops Blink malware targeting ASUS Routers: (https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf)

Supply Chain Compromise – Open-source software supply chain abuse in the NPM library ‘node-ipc’ affected the popular JavaScript front-end framework ‘Vue.js’. Selected NPM versions of the ‘node-ipc’ library (tracked under CVE-2022-23812) launched a destructive payload that deleted all data by overwriting the files of users (believed to be located in Russia or Belarus) who installed the packages. In what has been dubbed protestware, maintainers of open-source packages add broken code, protest messages or otherwise damaging functionality to the latest versions of their projects without documenting it beforehand. A recent NPM protestware example, the ‘event-source-polyfill’ package (v1.0.26), was modified to show anti-war messages to Russia-based users.
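As an added defender-side example (not code from the advisory, npm or the node-ipc project), the script below walks an npm package-lock.json and flags any dependency whose version is on a watch list. The node-ipc versions are placeholders to be filled in from the CVE-2022-23812 record; the event-source-polyfill version is the one named above; the lockfile is a constructed sample.

```python
"""Flag watch-listed package versions (e.g. protestware releases) in an npm lockfile."""
import json
from typing import Dict, Iterator, List, Set, Tuple

# Watch list of package -> versions to flag.
# PLACEHOLDER: replace "X.Y.Z" / "X.Y.W" with the node-ipc versions listed in
# the CVE-2022-23812 record; they are not real version numbers.
FLAGGED_VERSIONS: Dict[str, Set[str]] = {
    "node-ipc": {"X.Y.Z", "X.Y.W"},
    "event-source-polyfill": {"1.0.26"},  # version named in the advisory
}


def iter_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every installed package in a lockfile.

    Handles lockfileVersion 2/3 (a "packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" maps). A v2 file carries both
    sections, so the same package may be yielded twice; callers deduplicate.
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "")

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_flagged(lock: dict) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (name, version) pairs that are on the watch list."""
    hits = {(n, v) for n, v in iter_packages(lock) if v in FLAGGED_VERSIONS.get(n, set())}
    return sorted(hits)


def scan_lockfile(path: str) -> List[Tuple[str, str]]:
    with open(path, encoding="utf-8") as fh:
        return find_flagged(json.load(fh))


# Constructed sample lockfile (lockfileVersion 2) for demonstration only.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/node-ipc": {"version": "X.Y.Z"},
        "node_modules/event-source-polyfill": {"version": "1.0.26"},
        "node_modules/vue": {"version": "3.2.0"},
    },
    "dependencies": {
        "node-ipc": {"version": "X.Y.Z"},
        "event-source-polyfill": {"version": "1.0.26"},
        "vue": {"version": "3.2.0"},
    },
}

if __name__ == "__main__":
    print(find_flagged(SAMPLE_LOCK))
```

Run it against a real lockfile with `scan_lockfile("package-lock.json")` once the watch list has been populated from the advisory data.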

Exploitation of Default Multifactor Authentication (MFA) Protocols and “PrintNightmare” Vulnerability – Russian state-sponsored actors gained access to a victim’s network by exploiting default MFA protocols and enrolling a new device for MFA. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. TTPs and IOCs are available in the CISA Advisory (AA22-074A).

Ensign Posture & Monitoring

In addition to the 24/7 coverage of stepped-up monitoring operations, Ensign is keeping pace with updates on the current geopolitical situation, particularly in the cyber realm. Ensign stands ready to help organisations prepare for, respond to, and mitigate the impact of cyber incidents.

Our Recommendations

Here are cyber hygiene and broad protection pointers, in addition to the recommendations made in the threat advisory on The Cyber Implications of the Ukraine Crisis and the Executive Brief on The Cyber Impact of Russia-Ukraine Conflict.

  • Patch Management (Refer to the NIST Guide to Enterprise Patch Management Planning for more information)

    • Keep your computers, systems, devices, and applications updated with the latest security patches. Prioritise mitigation activities, and patch as soon as possible

  • Network Monitoring

    • Pay close attention to unrecognised network traffic (both ingress and egress), and watch out for sophisticated new phishing attacks

    • Lower reporting thresholds for cyber incidents. Follow up on security alerts and reports with urgency, and conduct close investigation as necessary

    • For organisations with ICS or OT, take note of any unexpected behaviour such as reboots

  • Remote Desktop Protocol

    • Secure and monitor remote desktop (RDP) services

    • Secure RDP services with measures such as two-factor authentication (2FA), and move RDP remote access behind single sign-on (SSO), if possible, to enforce strong password usage

    • Lock down port 3389 (the port typically used by RDP) with secure tunnelling software so that any request not passing through the tunnel is blocked; this protects against on-path attacks

  • Security as a trade-off to User-Friendliness and Functionality

    • Many applications can be abused, even though the application itself may not be malicious. If a functionality or service is not required, blocking it will improve your security posture

  • Supply Chain Security

    • Leverage an attack surface management platform for continuous discovery, inventory, classification, and monitoring of the organisation’s IT infrastructure

    • Regular testing will evaluate security gaps, and expose potential risks as the surface is constantly evolving

  • User Training

    • Think before you click. A malicious link can arrive even from someone you have an established line of communication with

    • Users should be trained to recognise spearphishing attempts. Attachments with uncommon file extensions (LNK, ISO and BAT, to name a few) should be reported

    • Users should report immediately if their computers or mobile phones show unusual behaviour, such as experiencing crashes or operating very slowly

    • Build security awareness across the hybrid workforce so that it can keep pace with evolving threats

  • Ransomware Guidance

  • Critical Infrastructure

We will continually provide updates on this situation, and keep you informed of any additional recommendations and IOCs. If you require further assistance, get in touch with marketing@ensigninfosecurity.com.

References

  1. Russia-Ukraine Conflict Leverages Phishing Themes - https://cofense.com/blog/russia-ukraine-conflict-leverages-phishing-themes

  2. Chinese Threat Actor Scarab Targeting Ukraine - https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/

  3. Mars Stealer Attacks! - https://blog.morphisec.com/threat-research-mars-stealer

  4. Wiper Malware – AcidRain - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

  5. Russian, Ukraine-themed war lure of choice for cyber espionage - https://securitybrief.com.au/story/russian-ukraine-themed-war-lure-of-choice-for-cyber-espionage

  6. How the initial access broker market leads to ransomware attacks - https://www.zdnet.com/article/from-start-to-finish-how-the-initial-access-broker-market-leads-to-ransomware-attacks/

  7. NB65 group targets Russia with a modified version of Conti’s ransomware - https://securityaffairs.co/wordpress/130051/hacktivism/nb65-modified-version-conti-ransomware.html

  8. NPM Protestware - https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/

  9. Third NPM Protestware - https://www.bleepingcomputer.com/news/security/third-npm-protestware-event-source-polyfill-calls-russia-out/

  10. Guide to Enterprise Patch Management Planning - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4-draft.pdf

  11. Russia-Ukraine Cyberattacks – How to protect against related CyberThreats - https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/

  12. Updates from Threat Analysis Group (7 Mar) - https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/

  13. Tracking cyber activity in Eastern Europe - https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/