{"id":8313,"date":"2022-06-03T12:00:00","date_gmt":"2022-06-03T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2022\/06\/03\/100-days-of-war-in-ukraine-how-the-conflict-is-playing-out-in-cyberspace\/"},"modified":"2022-06-03T12:00:00","modified_gmt":"2022-06-03T09:00:00","slug":"100-days-of-war-in-ukraine-how-the-conflict-is-playing-out-in-cyberspace","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2022\/06\/03\/100-days-of-war-in-ukraine-how-the-conflict-is-playing-out-in-cyberspace\/","title":{"rendered":"100 days of war in Ukraine: How the conflict is playing out in cyberspace"},"content":{"rendered":"<p>On January 14<sup>th<\/sup> this year, a raid by Russian law enforcement authorities <a href=\"https:\/\/www.bbc.com\/news\/technology-59998925\">made headlines<\/a> all over the world, as it resulted in the arrests of 14 members of the infamous Sodinokibi\/REvil ransomware gang. The crackdown came after a series of talks between U.S. and Russian officials, including the June 2021 Geneva <a href=\"https:\/\/www.reuters.com\/technology\/biden-tells-putin-certain-cyber-attacks-should-be-off-limits-2021-06-16\/\">meeting<\/a> between Presidents Biden and Putin. The Russian intelligence agency, the FSB, confirmed that \u201cthe individual responsible for the attack on Colonial Pipeline last spring\u201d was arrested as part of the raid.<\/p>\n<p>At the time, when a Russian invasion of Ukraine was a real possibility, <a href=\"https:\/\/www.bbc.com\/news\/technology-59998925\">some<\/a> saw this development as a \u201chuge result that few would expect.\u201d Others even <a href=\"https:\/\/www.wsj.com\/articles\/russia-says-it-raided-prolific-ransomware-group-revil-with-arrests-seizures-11642179589\">called it<\/a> \u201cRussian ransomware diplomacy\u201d, a kind of message to the U.S. 
about how far Russia was willing to go in exchange for lighter sanctions over a future invasion of Ukraine.<\/p>\n<p>RELATED READING: <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/11\/eset-research-webinar-apt-groups-ukraine-cyber-battlefield\/\">ESET Research webinar: How APT groups have turned Ukraine into a cyber\u2011battlefield<\/a><\/p>\n<p>The night before (on January 13<sup>th<\/sup>, Orthodox New Year\u2019s Eve), a number of Ukraine\u2019s government agencies, NGOs and IT organizations were targeted by <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/01\/15\/destructive-malware-targeting-ukrainian-organizations\/\">WhisperGate<\/a>, destructive malware that, according to Microsoft, was \u201cdesigned to look like ransomware but lacking a ransom recovery mechanism\u201d. This kind of faux ransomware, as ESET researchers also categorize it, has the sole goal of rendering the targeted devices inoperable, which points to <a href=\"https:\/\/www.welivesecurity.com\/2022\/05\/27\/cybersecurity-global-problem-requires-global-answer\/\">nation-state actors<\/a> rather than cybercrime gangs.<\/p>\n<p>On January 14<sup>th<\/sup>, the websites of multiple Ukrainian ministries and government agencies were <a href=\"https:\/\/twitter.com\/leon_sverdlov\/status\/1496634959787876360\">defaced to display<\/a> anti-Ukraine imagery and a message reading, \u201cBe afraid and fear the worst\u201d. Both government and private entities <a href=\"https:\/\/cyberpeaceinstitute.org\/ukraine-timeline-of-cyberattacks\/\">kept being targeted<\/a> in the days ahead of the invasion, including by a series of distributed denial-of-service (DDoS) attacks that knocked out several important websites in Ukraine. 
At the same time, the clients of a major Ukrainian bank were on the receiving end of an SMS campaign that alerted them to fake disruptions of the bank\u2019s ATM network.<\/p>\n<p><a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/eset_threat_report_t12022.pdf\" title=\"ESET Threat Report T 1 2022\">ESET Threat Report T 1 2022: Read the full report<\/a><\/p>\n<p>Barely an hour before the invasion, a major cyberattack on Viasat\u2019s KA-SAT satellite network <a href=\"https:\/\/www.reuters.com\/world\/satellite-outage-caused-huge-loss-communications-wars-outset-ukrainian-official-2022-03-15\/\">disrupted broadband internet service<\/a> for thousands of Ukrainians as well as other European customers, leaving behind thousands of bricked modems. Both <a href=\"https:\/\/www.state.gov\/attribution-of-russias-malicious-cyber-activity-against-ukraine\/\">the US<\/a> and <a href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2022\/05\/10\/russian-cyber-operations-against-ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union\/\">the EU<\/a> condemned the attack and attributed it to Russia, which they believe intended to impair the communication capabilities of the Ukrainian command during the first hours of the invasion.<\/p>\n<h2>The first hours<\/h2>\n<p>The attacks did not stop there. On the contrary, the cyber-incursions in January and early February were just a prelude to what was about to come. 
On the evening of February 23<sup>rd<\/sup>, following the DDoS attacks that brought several vital Ukrainian websites offline, ESET <a href=\"https:\/\/twitter.com\/ESETresearch?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1496581903205511181%7Ctwgr%5E%7Ctwcon%5Es1_&amp;ref_url=https%3A%2F%2Fwww.welivesecurity.com%2F2022%2F02%2F24%2Fhermeticwiper-new-data-wiping-malware-hits-ukraine%2F\">detected<\/a> new data-wiping malware \u2013 <a href=\"https:\/\/www.welivesecurity.com\/2022\/02\/24\/hermeticwiper-new-data-wiping-malware-hits-ukraine\/\">HermeticWiper<\/a> \u2013 on hundreds of machines in several organizations in Ukraine. The wiper\u2019s compilation timestamp shows that the malware was built on December 28<sup>th<\/sup>, 2021, suggesting the attack had been in the works for some time (a PE compilation timestamp can be forged, so it is an indicator rather than proof).<\/p>\n<p>The next day, while the military invasion of Ukraine was unfolding, ESET researchers spotted yet more data-wiping malware on Ukrainian systems. <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/01\/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine\/\">IsaacWiper<\/a> was far less sophisticated than HermeticWiper, shared no code with it, and was ultimately less successful in wiping the data on targeted machines.<\/p>\n<p>In a much smaller deployment, ESET researchers also observed HermeticRansom being used at the same time as HermeticWiper. HermeticRansom was first <a href=\"https:\/\/twitter.com\/AvastThreatLabs\/status\/1496663206634344449\">reported<\/a> in the early hours of February 24<sup>th<\/sup> and is faux ransomware. 
In other words, it had no financial motive and was instead deployed as a decoy while the wiper did the damage.<\/p>\n<div><a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/Figure-1-1.jpg\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"The HermeticRansom ransom note\" height=\"365\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/Figure-1-1.jpg\" width=\"800\"><\/a>\n<p><em>Figure 1. The ransom note dropped by HermeticRansom, complete with an apparent reference to U.S. elections<\/em><\/p>\n<\/div>\n<h2>The next 99 days<\/h2>\n<p>ESET researchers believe that the various data-wiping attacks, including those involving <a href=\"https:\/\/twitter.com\/ESETresearch\/status\/1503436420886712321\">CaddyWiper<\/a>, discovered on March 14<sup>th<\/sup>, were intended to target specific organizations with the aim of impairing their ability to respond adequately to the invasion. ESET identified victims in the financial, media and government sectors and attributed both HermeticWiper and CaddyWiper to <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/21\/sandworm-tale-disruption-told-anew\/\">Sandworm<\/a>, a group identified by the U.S. as being part of Russia&#8217;s GRU military intelligence agency.<\/p>\n<p>The same infamous group was also responsible for attempting to deploy <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/12\/industroyer2-industroyer-reloaded\/\">Industroyer2<\/a> against a high-voltage electrical substation in Ukraine, a discovery made in time thanks to <a href=\"https:\/\/cert.gov.ua\/article\/39518\">collaboration<\/a> between ESET and CERT-UA. 
The malware is a new version of <a href=\"https:\/\/www.welivesecurity.com\/2017\/06\/12\/industroyer-biggest-threat-industrial-control-systems-since-stuxnet\/\">Industroyer<\/a>, the malware used to attack the Ukrainian electric power grid in December 2016, leaving thousands of people without electricity.<\/p>\n<p>Several <a href=\"https:\/\/query.prod.cms.rt.microsoft.com\/cms\/api\/am\/binary\/RE4Vwwd\">other<\/a> campaigns followed, including DDoS attacks and malware compromising media networks, NGOs, telecom providers and government entities. The Russian invasion of Ukraine also had a sizable effect on the ransomware landscape, and not only in Ukraine.<\/p>\n<div><a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/Figure-2.jpg\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"Attacks detected by ESET researchers before and after the invasion\" height=\"332\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/Figure-2.jpg\" width=\"801\"><\/a>\n<p><em>Figure 2. Attacks detected by ESET researchers before and after Russia\u2019s invasion of Ukraine<\/em><\/p>\n<\/div>\n<h2>A taste of its own medicine<\/h2>\n<p>In the first four months of 2022, according to ESET telemetry, Russia was the most targeted country for ransomware attacks, accounting for 12% of all detections. This is in stark contrast to the situation before the invasion, when Russia and some members of the Commonwealth of Independent States (CIS) were largely spared ransomware attacks, probably because the criminals themselves resided in those countries or feared Russia\u2019s retribution.<\/p>\n<p>Some of the attacks were directed at Russian entities, including the space agency Roscosmos and the state-owned TV and radio network VGTRK. 
The attacks on Roscosmos and VGTRK were conducted by the NB65 hacking group, which built on Conti ransomware source code that was <a href=\"https:\/\/edition.cnn.com\/2022\/03\/30\/politics\/ukraine-hack-russian-ransomware-gang\/index.html\">leaked<\/a> after the Conti gang split over its pledged support for Russia.<\/p>\n<p>Russia was also the target of 40% of all screen-locking ransomware incidents (Ukraine accounted for 11%). Not surprisingly, just as with the political messaging in HermeticRansom, some of these attacks in Russia included the Ukrainian national salute, \u201cSlava Ukraini\u201d (\u201cGlory to Ukraine\u201d).<\/p>\n<h3>Exploiting fear and solidarity<\/h3>\n<p>It was not only the countries involved in the war that saw a spike in spam detections, which peaked on February 24 and rose by 5.8% overall through April. Just after the war started, ESET warned of scammers <a href=\"https:\/\/twitter.com\/ESETresearch\/status\/1497194165561659394\">shamelessly<\/a> exploiting the worldwide movement in support of Ukraine with fictitious charities and false appeals for <a href=\"https:\/\/www.welivesecurity.com\/2022\/02\/27\/beware-charity-scams-exploiting-war-ukraine\/\">donations<\/a>.<\/p>\n<p>And as the war left Ukrainians worried about access to their money, and Russians abroad unable to use their bank cards, ESET found increased targeting of <a href=\"https:\/\/www.welivesecurity.com\/2022\/01\/12\/cryptocurrency-scams-what-know-how-protect-yourself\/\">cryptocurrency<\/a> platforms and the spread of crypto-related malware.<\/p>\n<h2>Conclusion<\/h2>\n<p>The latest ESET Threat Report, released on Thursday, shines a light on the threat landscape in the first four months of this year. Above all, however, the attacks described show the destructive potential of cyberwarfare conducted in parallel with a conventional, kinetic war. 
At the same time, the increased cyberthreats faced by Ukraine since January are also a warning sign about an escalation in future conflicts.<\/p>\n<p>As ESET Senior Detection Engineer Igor Kabina observes, \u201cWe expect attacks supporting a particular side to continue in the upcoming months and even escalate as ideology and war propaganda are becoming the central driving forces for their spread.\u201d<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/2022\/06\/03\/100-days-war-ukraine-conflict-cyberspace\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s been 100 days since Russia invaded Ukraine, and we look back at various cyberattacks connected to the conflict<\/p>\n","protected":false},"author":5,"featured_media":8314,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2880],"tags":[],"class_list":["post-8313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-security"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8313"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8313\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8314"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v
2\/media?parent=8313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}