Ukrainian Cyber Threats
The current (March 2022) conflict between Ukraine and Russia is expanding into cyberspace and may affect computer systems worldwide.
Politically motivated attacks are seeking to further the war aims of one group or another. Examples of this kind have already been reported. Their aim is to destroy data and hence infrastructure. The WhisperGate and HermeticWiper malware attacks against Ukrainian organisations were released to delete data and ensure that it cannot be recovered.
It is no surprise that old-fashioned cyber-criminal organisations are also taking advantage of the conflict to expand their usual activities. The consequence is that networks with no connection to the Ukraine or Russia now face new cyber threats.
One avenue is the expansion of phishing ‘hooks’ to encompass the Ukraine. The core concept of phishing is to fool the target into opening a file or visiting a compromised website. That in turn will install malware on the user’s computer. The malware may then act as a backdoor, allowing criminals to access files and install further agents such as those responsible for ransomware. The criminals know that many individuals and organisations are looking for ways to help the Ukraine without wishing to escalate the conflict there. January and February 2022 saw a noted increase in the number of phishing attacks using the keyword Ukraine. Spoof sites purportedly providing portals to donate funds to support the people of Ukraine have also begun to appear. Any funds given through these sites will not find their way to the publicised recipient. Additionally, there is the risk that any bank details harvested from such sites will be further exploited for criminal ends.
There is also a new risk aimed at those with some knowledge of how computer systems work. Why not use that knowledge to deliberately target systems used by the opposition? The short answer is that it is almost certainly a scam. 900 Ukrainian users downloaded the disBalancer DDoS tool in the hope that they could use it to take Russian websites off-line. DDoS is ‘Distributed Denial of Service’: send so many requests to view a website that the server cannot process them quickly enough and is thrown off-line. The tool was promoted as relatively easy to install and use. It probably is, but it also harvests user details when installed and lets the program author, not its end user, decide on the sites under attack. It is quite possible that the end target could belong to the opposite faction to the one the user expects. This type of threat could apply equally to supporters of the Russian or Ukrainian side. The perceived allegiance of the mark is being exploited for criminal gain, or even in direct opposition to their political views.
In the case of purely destructive software there is no remedy, only prevention; even backup files might be compromised. It is most likely to affect organisations with strong links to the conflict zone.
The phishing scams are a new avenue for an old threat. The key to stopping these scams is ensuring that users do not fall for the bait, and giving system users the opportunity to immediately report the issue (without repercussions) if they believe that they have. Security staff can then scan potentially infected computers for malware before any linked threats go live. If there is a recent backup it may be quicker to restore a system rather than scanning for indicators of compromise. Any scan can only pick up known threats, not brand new vectors of attack. Users need to be on the lookout for Ukrainian phishing scams and ‘aid’ websites. As usual, if in doubt, do not open the file or click on the web link.
Installing software to deliberately target another machine must be regarded as a serious offence at work and a very unwise move at home. A little computer knowledge can be a dangerous thing; a fact that is easily exploited by the cyber-criminal.
Kindus will be ensuring that its services, including penetration tests, take account of criminal activity trying to benefit from the conflict in the Ukraine.