Does Putin have the better hackers? Part 4
Ukraine: Fully targeted by Russian hackers
21 March 2022
This much is certain: Russian and Belarusian hackers started their attacks months before Russia began its invasion of Ukraine. The proof was provided by Google’s Threat Analysis Group, which focuses on disrupting computer hackers and warning users about them. In early March, it said in a blog post that it had observed Russian hackers known to law enforcement agencies, including FancyBear, conducting espionage, phishing campaigns and other attacks against Ukraine and its European allies in late February. The goal of phishing campaigns is to steal users’ credentials so hackers can break into the computers and online accounts of targeted individuals. The Analysis Group left open whether the hackers were successful. As expected, Russia denied that it was using hackers to track its enemies.
But then came the next piece of evidence: Ghostwriter/UNC1151, described by Google as a Belarusian threat actor, tried to steal credentials by phishing attacks on Polish and Ukrainian government and military facilities. This was not pulled out of thin air, as Ukrainian cybersecurity officials confirmed that hackers from neighboring Belarus had targeted the private email addresses of Ukrainian military personnel “and associated individuals.”
Google also said Mustang Panda, or Temp.Hex, which the company said is based in China, sent malware-laden attachments to “European entities” with file names such as “Situation on the EU borders with Ukraine.zip.” Google described this as a departure from Mustang Panda’s usual focus on Southeast Asian targets.
With the beginning of the invasion, Russian hackers intensified their activities. The majority of the attacks were aimed at defacing government websites.
Ukraine has publicly called on its hacker community to help protect infrastructure and conduct cyber espionage operations against Russian forces.
The Russian invasion of Ukraine is the largest attack on a European state since World War II. Russia calls its actions in Ukraine a “special operation” aimed not at occupying territory but at destroying the military capabilities of its southern neighbor and capturing nationalists deemed dangerous.
The facts clearly speak against it: since the beginning of this war, thousands of Ukrainian civilians have been killed (including a frightening number of children), towns have been razed to the ground, and millions have been driven to flee. Many of the Russians’ actions are reminiscent of Chechnya and Syria.
Against this backdrop, the question arises: What kind of cyberattacks should we expect now?
According to insiders, the Russians are relying on the following cyber activities:
► wiper malware attacks on organizations and border control in Ukraine;
► watering-hole attacks on government and media websites;
► disruptions of satellite-based Internet services;
► preparations for next-level disinformation campaigns; and
► phishing campaigns.
► Aid organizations are also active targets. Amazon stated: “We have observed several cases where malware has been targeted against charities, non-governmental organizations, and other aid organizations to cause confusion and disruption. In these particularly serious cases, malware was targeted to disrupt the supply of medicine, food and clothing.”
Many analysts expected further disruption and retaliatory attacks by Russian-backed hackers, aimed both at Ukraine and at countries sympathetic to and supportive of Ukraine.
That these attacks have so far failed to materialize may be due in part to the preparatory work that Ukrainian cyber defenders and U.S. experts have done. But there is also the possibility that Russia has not yet deployed the full potential of its cyberattack capabilities.
Ransomware gangs are the biggest concern
Beyond cyber espionage, the biggest concern at present is that ransomware gangs that have sided or could side with Russia could quickly deploy their malicious payloads to cripple critical infrastructure organizations and inflict damage and chaos on “hostile” countries.
Individuals who are looking to do more than just support relief efforts are also in the crosshairs of criminals: Cisco Talos researchers have warned that cybercriminals are attempting to exploit unwitting users “seeking tools to carry out their own cyber attacks against Russian entities.”
The criminals are using Telegram channels to target these people: they purportedly offer a DDoS tool for download, but their real goal is to infect the targets with information-stealing malware that goes after credentials, cryptocurrency-related information (including wallets and MetaMask data), and similar data.