Cyberwarfare: Russia vs Ukraine
Cyber-security information from 4th to 17th June 2022.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – June 17, 2022
Cyber Intelligence Report
1. The last two weeks have been relatively quiet on the cyber warfare front. A non-technical article in Wired magazine stated Russian cyber attacks were largely unsuccessful because Ukraine has backups for critical infrastructure. Ukraine continues its pattern of not commenting on its cyber operations. Russia is using a new malware attack exploiting the Follina vulnerability against Ukrainians.
2. The forecast for Russian cyber attacks against western nations remains unchanged. The scenarios for cyber attacks are:
Most Likely Scenario: Russian cyber forces will launch targeted cyber attacks as ‘consequences’ for nations that opposed Russia’s invasion of Ukraine.
Worst Case Scenario: President Putin decides to select one country to focus Russia’s cyber attacks on. Canada would be an obvious choice of a country to target. Assessed as POSSIBLE but NOT PROBABLE.
Best Case Scenario: Russia decides NOT to use its cyber forces, allies and associates against western countries. Assessed as UNLIKELY.
3. Cyber Attack: During the last two weeks Russia introduced new versions of its attacks based on the ‘Follina’ vulnerability. This is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that can be triggered to execute remote files. Russian cyber teams are delivering Qbot, AsyncRAT, and other malware. Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021 have been confirmed to be affected. The Russian APT ‘Sandworm’ launched the attacks targeting Ukrainian media organizations, including radio stations and newspapers.
4. Analysts Comment: Apparently the Follina vulnerability has been exploited for several years. Multiple reports stated Microsoft was in ‘no hurry to patch it’, possibly because it was not well known. Only one Chinese government APT was known to be using the exploit. It should be expected that the Follina vulnerability will see much wider use in the immediate future.
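As an added, defender-side illustration (not part of the report), the check below flags the process lineage the Follina item describes: an Office application spawning the Microsoft Support Diagnostic Tool (msdt.exe). The process-creation log lines are constructed, and the list of Office host processes is an assumption to be tuned for your own estate.

```python
import re
from typing import Dict, Iterable, List

# Office document hosts that should not normally launch the diagnostic tool.
# Assumed starting list; extend it to match the applications deployed locally.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DIAG_TOOL = "msdt.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Key=Value Key=Value' process-creation record into a dict.
    Each value runs until the next ' Key=' token, so paths with spaces survive."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawning_msdt(event: Dict[str, str]) -> bool:
    """True when an Office host process is the direct parent of msdt.exe."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child == DIAG_TOOL


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the Office -> msdt.exe lineage."""
    return [ev for ev in map(parse_event, lines) if is_office_spawning_msdt(ev)]


# Constructed sample telemetry (Sysmon Event ID 1 style), not real log data.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\System32\msdt.exe User=CORP\alice",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\msdt.exe User=CORP\bob",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\splwow64.exe User=CORP\alice",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Image=C:\Windows\System32\msdt.exe User=CORP\carol",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ParentImage']} launched {hit['Image']} as {hit['User']}")
```

The second sample (Explorer launching a troubleshooter) and the third (Word launching the print helper) are deliberately benign so the rule can be seen to ignore them.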
5. An investigation by the Bangladesh Government’s Computer Incident Response Team (or BD CIRT) reveals that almost 1,400 Bangladeshi IP addresses are being used by Russia and Ukraine to attack each other. The report states that the IPs have been used for spreading misinformation and Denial of Service attacks.
6. Russia continues to recruit cyber forces. Emerging from the recruiting done by the ‘KillNet Collective’, a new group has been identified called “Cyber Spetsnaz”. In April the first sub-unit, “Zarya”, was identified. Other established sub-units include “Phoenix”, “Vera”, “FasoninnGung”, “Mirai”, “Jacky”, “DDOS Gung” and “Sakurajima”. On June 2nd a new sub-unit, “Sparta”, was identified. The strength of these units is unknown. A stated group aim is to attack NATO. To date their cyber attacks are primarily focused on exploiting poorly configured web servers and causing short-term disruptions, not on NATO installations or organizations.
7. When Russia captures an area from Ukraine, the Internet provider is required to re-route all internet services through Russian providers. For example, in Kherson all of KhersonTelecom’s traffic is now being routed through Miranda Media, a Crimea-based company that is itself connected to Russian national telecom provider Rostelecom. “Russian networks are fully controlled by the Russian authorities,” says Malon, the Ukrainian telecom regulator. The rerouting of the internet in occupied Ukrainian areas, Malon says, has the goal of spreading “Kremlin propaganda”.
8. Cyber Defence: Russia’s government ministries and businesses are still being hacked. The attacks are mostly minor, meaning web sites are being defaced with ‘Glory to Ukraine’. The most publicized example is the Russian Ministry of Construction, Housing and Utilities web site, which was hacked June 6th. Russia’s state news agency RIA quoted a ministry representative on Sunday as saying that the site was down but users’ personal data was protected. The website was working as normal by Monday. A report in the International Business Times says that the Central Bank of the Russian Federation was hacked for a second time, with over a terabyte of data copied. Anonymous claims they accessed the software system used to run the bank.
9. Analysts Comment: Russia’s lack of success with its cyber attacks and the steady incursions of pro-Ukrainian hackers have trashed Russia’s cyber warfare reputation. There is a growing consensus among cyber security organizations that Russia’s cyber threat is dangerous; however, it can be managed. The unspoken caveat is that a lot of preparation is required in order to be ready.
10. Cyber Operations: Ukraine continues its policy of not reporting or commenting on its cyber operations. One exception is the YouTube video documenting how a fifteen-year-old boy used his drone to locate a Russian unit. Subsequent reports have confirmed the integration of 3,000 drone operators into the Ukrainian Army, supporting Intelligence and the Artillery.
11. From Wired Magazine: As the conflict in Ukraine drags on, the country’s communications strategy has become slicker and more professional, say academics studying information warfare. Ukraine has shifted its strategy away from amplifying exaggerated myths (e.g. the Ghost Pilot) to focusing on the courage of ordinary people who are committing small, achievable acts of bravery in the face of the Russian invasion. Like any country at war, Ukraine has been working to shape the information its people see. The military is not allowed to disclose casualty numbers, and photos of deceased Ukrainian soldiers are rare. The idea of everyday heroism as a morale booster has become commonplace in Ukraine, with MPs and civil society groups echoing the message: “Every volunteer project has its own mission and goal, but all of them tell the stories of how Ukrainians are fighting, which gives others examples and inspires them to join the fight or to continue fighting.”
12. Anonymous: Anonymous continues its attacks on Russia. In addition to the Russian Ministry of Construction, another Russian law firm has been hacked. Analysts Comment: Based on the number of claims, the volume of Anonymous cyber attacks appears to be lower, however the quality of the attacks appears to be increasing.
In Other News
13. A small botnet launched the largest Distributed Denial of Service attack ever recorded. Web-performance firm Cloudflare says it was caused by a small but powerful botnet of just 5,067 devices. This attack was over HTTPS, the secure version of the web. Cloudflare suggested the attack achieved the size it did because the attacker used cloud-based devices. The botnet behind the unprecedented 26 million requests per second DDoS attack delivered over 212 million HTTPS requests within a period of just 30 seconds. The requests came from more than 1,500 networks located in 121 countries around the globe.
14. According to an alert the Cybersecurity and Infrastructure Security Agency issued Tuesday along with the NSA and FBI, Chinese government hackers have successfully exploited flaws that have been around for years in the systems of U.S. network providers, redirecting traffic to their own infrastructure. The widespread intrusion campaigns aim to exploit publicly identified security flaws in network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices with the goal of gaining deeper access to victim networks. In addition, the attackers used these compromised devices to route command-and-control (C2) traffic in order to break into other targets at scale.
15. The brutal truth of ransomware remains: “it doesn’t pay to pay”.
A. According to Forbes, 92% of organizations that pay a ransomware demand don’t get all their data back. Nearly a third, 29%, couldn’t recover more than half of the encrypted data.
B. From Security Week: The most shocking indicator of the futility of paying comes from the repetitive nature of extortion attacks. Eighty percent of victims were hit a second time. Forty percent paid the second ransom. Seventy percent of these paid a higher amount the second time round. Ten percent paid a third ransom, and 1% paid a fourth. The additional attacks come rapidly and usually demand a higher figure. Sixty-eight percent of firms said the second attack came less than a month after the first, with an increased demand.
C. A survey in the UK reported: The damage done by a successful ransomware attack can easily last beyond the initial incident. Among the respondents, 37% said they were forced to lay off employees following an attack, 35% revealed that several C-level executives were forced to resign and 33% admitted they had to close their business either temporarily or permanently.
16. Global News: The Canadian government wants sweeping new powers, including access to confidential information, in order to “direct” how critical infrastructure operators prepare for and respond to cyber-attacks. It wants to prohibit those companies from disclosing to the public anything about the directions issued by the federal government — including the mere existence of any orders to beef up protections. Critical infrastructure refers to the networks, systems, services and supply chains that can apply broadly to things like 911 phone-lines, electric grids, pipeline operations, hydroelectric dams, food supplies and emergency medicine stockpiles, and the IT networks. The federal government also has created a special unit within the RCMP to coordinate police operations against cyber criminals.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact firstname.lastname@example.org