Cyberwarfare: Russia vs Ukraine
Cyber-security information from the 15th to 28th October 2022.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – October 28, 2022
Cyber Intelligence Report
Cyberwarfare: Russia vs Ukraine
This report contains selected cyber-security information from 15 to 28th Oct 2022.
1. Russia is launching deliberate cyber attacks against infrastructure, mostly Ukrainian infrastructure. Distributed Denial of Service (DDoS) is being used to harass governments that offend President Putin. Russian organizations are being attacked by a ransomware organization known as ‘OldGremlin’. Cables carrying a portion of France’s Internet backbone were cut, again.
2. Russian ‘Courses of Action for cyber forces, including allies such as ‘patriotic’, mercenary, and domestic criminal hackers are assessed as:
Ongoing: Russian cyber forces, including allied forces, have launched a new series of cyber attacks against strategic targets such as energy companies and weapons manufacturers as well as vulnerable governments.
Worst Case Scenario: President Putin decides to focus Russia’s cyber attacks on one country (such as Canada) or a small group of vulnerable countries. Assessed as UNLIKELY.
Best Case Scenario: Russia agrees to cease or is forced to cease offensive cyber operations. Assessed as VERY UNLIKELY.
Russia vs Ukraine
3. Russian cyber operations appear to be evolving into two streams: Deliberate attacks on specific targets and harassing attacks on targets of opportunity. Deliberate attacks include destructive (wiper) attacks (designed to delete information) and ransomware attacks. Harassing attacks are typically distributed denial of service (DDoS) attacks against a government and/or a country.
4. The mainstream media has covered the Russian drone attacks on civilian infrastructure and energy facilities. In addition to those, telecommunications nodes were targeted. “Network connectivity was observed to fall to 81% of ordinary levels in Kyiv City after the Russian attacks on infrastructure.” Regions around Kharkiv, Sumy, Lviv, and Zaporizhzhia were the most heavily impacted areas. Other reports suggest that most telecommunications/Internet outages were restored within 24 hours.
5. The Microsoft Security Intelligence Team “has identified a new ransomware strain “Prestige” in limited targeted attacks in Ukraine and Poland. Several notable features differentiate this ransomware from other campaigns and payloads tracked by MSTIC. The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims.” The Microsoft Team says “this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.” ‘Prestige’ ransomware works by encrypting a victim’s data and leaving a ransom note that says the data can only be unlocked with the purchase of a decryption tool, according to Microsoft. In several cases, the researchers noted that the hackers had gained administrator control of the victims’ systems ahead of deploying the ransomware, suggesting they had stolen their credentials earlier and were waiting for the right moment. The targets were transportation and logistics companies, the same companies that were targeted by the Russian government in a data-shredding cyberattack that involved the “FoxLoad,” or “HermeticWiper” malware, Microsoft said.
6. Russia has continued to recruit ‘hackers’ or more accurately, hacking groups. The Ukrainian Computer Emergency Response Team (CERT-UA) is warning that the ‘Cuba Ransomware Group’ is now supporting Russian operations with a phishing campaign impersonating “the Press Service of the General Staff of the Armed Forces of Ukraine.” “Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (according to Mandiant), which is responsible for the distribution of Cuba Ransomware; CERT-UA monitors [they’re] activity under the identifier UAC-0132.” reads the alert published by Ukraine CERT.
7. In the early hours of October 15, 2022, distributed denial of service (DDoS) attacks were launched against several Bulgarian websites including government departments, airports, media and telecommunications providers. Prosecutor-General Ivan Geshev described it as a “serious problem” calling it “an attack on the Bulgarian state.” In addition to the president’s office, the distributed denial of service (DDoS) attack paralyzed the websites of the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court, Geshev said. The attack came from the Russian city of Magnitogorsk, he added. The Bulgarian newspaper Dnevnik reported that the Russian hacking group KillNet claimed responsibility on its Telegram channel. Its not clear from reporting how long the attacks lasted or what the impacts were.
8. A relatively new Russian hacker group named ‘Xaknet’, launched a Denial of Service attack against the Israeli parliament, the Knesset, overnight on October 22nd/23rd. According to the ‘Times of Israel’ the parliamentary website was brought down however “the Knesset’s cybersecurity unit was able to regain control and bring the site back up within minutes.” Israel has been maintaining a strict policy of not providing military support to Ukraine. “Xaknet took responsibility for the attack on Telegram and said it was carried out as revenge for what it said was Israel’s intelligence assistance to Ukraine on offensive drones provided to Russian forces by Iran.”
9. Cyber attacks on Russia from Ukraine and its allies are ongoing. Claims have been made on social media, however, impact on Russian organizations appears to be minimal. For example, on October 26th it was reported that Russia’s ‘Sherbank’ had repelled a 24-hour denial of service attack. The spokesman claimed at “least 104,000 hackers with at least 30,000 computers located in different countries” took part in the attack. The spokesman said that the bank had detected more than 470 cyber-attacks this year.
10. Russia has been receiving hacking attacks from a Russian-speaking gang known as ‘OldGremlin’. Also known as ‘TinyScouts’, the group has been operating since at least March 2020 using self-made malware, focusing on Russian companies in the logistics, industry, insurance, retail, real estate, software development, and banking sectors. Across its two and a half years of operations, the group has launched 16 campaigns. In each campaign the group demands millions of dollars ransom. During 2022, the group has launched five more ransom schemes, reaching a record amount of $16.9 million in ransom demands. The group relies on a self-developed toolkit (malware) that includes the following:
- • a reconnaissance tool
- • malicious LNK files
- • multiple backdoors (TinyPosh, TinyNode, TinyFluff, TinyShell)
- • tool to extract data from Credential Manager
- • tool to bypass antivirus software
- • tool to isolate a device from the network
- • TinyCrypt ransomware
The toolkit strongly suggests that OldGremlin is a highly skilled actor. Attacks are executed carefully, leaving victims with no other choice but to pay the ransom. The group operates in Microsoft Windows and Linux. Security Company Group-IB observed: “Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in post-Soviet space and then switched to other geographies.“
French Internet Backbone Fibre Cables Attacked Again
11. For the second time this year, fibre optic cables carrying France’s Internet and telecommunications signals were cut. French cable operator and internet service provider ‘Free’ said its repair teams were mobilized before dawn Wednesday (Oct 19th) to deal with “an act of vandalism on our fiber infrastructure.” Media described the event very differently: “there were at least three cable cuts – Marseille-Lyon, Marseille-Milano, and Marseille-Barcelona.” … “The people knew what they were doing,” Michel Combot, the managing director of the French Telecoms Federation, told Wired. “Those were what we call backbone cables that were mostly connecting network service from Paris to other locations in France, in three directions.” “The attacks were believed to be simultaneous and on numerous points of its fibre network near Marseille. Multiple wires were entirely broken in their concrete housings buried in the ground, according to photos posted on Twitter by Free. It said that the cuts caused significant delays to its network and phone services in the Marseille area.” Computer security company Zscaler described the incident as: “a major cable cut in the South of France that has impacted major cables with connectivity to Asia, Europe, US, and potentially other parts of the world.”
12. “BBC reported that an underwater cable between the Shetland Islands and Scotland was damaged about the same time as the event in southern France. … Faroese Telecom’s head of infrastructure Páll Vesturbú told the BBC that the cable cuts are believed to have been done by fishing vessels, though it’s unusual to have two incidents simultaneously. “We expect it will be fishing vessels that damaged the cable but it is very rare that we have two problems at the same time,”Vesturbú told the BBC.
” Analysts Comment: Having two Internet backbone problems at the same time is rare, however having one of those problems being a deliberate attack is extraordinary. This is more than a ‘rare problem’.
13. A September 11th hack of the University of Guelph has not been fully remediated. Students told CTV News that they could not log into their ‘CourseLink’. The university says “it’s IT systems are “largely operational” and “they’ve since learned that “limited information” was compromised.” The university has not shared what type of data was accessed. In a statement, the school stated it is “conducting a thorough review of the affected data on a priority basis.” The university declined to comment to CTV News saying they would provide more information when it becomes available.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact firstname.lastname@example.org