Cyber Intelligence Report
Cyber-security information from 16th December 2022 to 6th January 2023.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – January 8, 2023
This report contains selected cyber-security information from 16th December 2022 to 6th January 2023.
Cyberwarfare: Russia vs Ukraine (21) A grim looking New Year
Synopsis
1. Russia continues to launch new cyber attacks against Ukraine. Poland is warning governments that support Ukraine to expect an increasing number of cyber attacks. There have been many Russian hacker attacks on ‘local’ U.S. governments. The LockBit Ransomware Group has walked back a ransomware attack on Toronto’s Sick Kids Hospital.
2. Russian ‘Courses of Action’ for cyber forces, including allies such as ‘patriotic’, mercenary, and domestic criminal hackers are assessed as:
Ongoing: Russian cyber forces, including allied forces, have launched a series of cyber campaigns against both strategic targets and general targets as well as vulnerable governments.
Worst Case Scenario: President Putin decides to focus Russia’s cyber attacks on one country (such as Canada) or a small group of vulnerable countries. Assessed as UNLIKELY. * Recently Russia has launched a number of cyber attack campaigns against Poland.
Best Case Scenario: Russia agrees to cease or is forced to cease offensive cyber operations. Assessed as VERY UNLIKELY.
Russia: Cyber Offense
3. Attacks on Ukraine: In late December 2022 the Computer Emergency Response Team of Ukraine (CERT-UA) warned that users of Ukraine’s Delta situational awareness program had received phishing emails sent from a compromised email account belonging to Ukraine’s Ministry of Defense. The attacks attempted to infect users of the cloud-based operational situation display system with data-stealing malware referred to as FateGrab and StealDeal. Other recent cyber attacks against Ukraine include:
• RomCom RAT (Remote Access Trojan),
• Vidar stealer (a data stealer),
• Somnia ransomware, and
• a phishing campaign impersonating the State Emergency Service of Ukraine.
4. A number of these attacks carry the signature of the ‘Gamaredon’ hacking group, which the Security Service of Ukraine links to Russia’s Federal Security Service. During the past 10 months security researchers have attributed over 500 new domains, 200 samples and other Indicators of Compromise (IoCs) to this group, in addition to its support for other Russian hacker groups attacking Ukraine. Palo Alto Networks’ research team describes it as “one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.” Gamaredon is assessed as the group that attacked Dutch LNG terminals last fall.
5. Poland warns of increased Russian offensive cyber activity: The government of Poland has issued a warning that “Russian cyberattacks against third-party countries that have supported Ukraine during Russia’s war can be expected to increase.” Poland “has been a ‘constant target’ of pro-Russian hackers since the start of the war between Russia and Ukraine. The cyberattacks on Poland’s government services, private companies, media organizations and ordinary citizens have intensified over the past year … The country’s strategic, energy, and military enterprises are particularly at risk.” A CyberWire report continues that the motivation is retaliatory: “Such incidents in cyberspace are retaliatory actions typical of Russia, which are a response to steps taken by other countries, that are unfavorable and inconvenient for the Russian Federation. Hacker groups linked to the Kremlin use ransomware, DDoS and phishing attacks, and the goal of hostile actions coincides with the goals of a hybrid attack: destabilization, intimidation and sowing chaos.”
6. Poland has been on the receiving end of a number of recent Russian cyber attacks. In November there was an attack on a public procurement system. Following a resolution in the Polish parliament “recognizing Russia as a state sponsor of terrorism” there was a Distributed Denial of Service (DDoS) attack on the Polish parliamentary website, followed by a phishing campaign attributed to the ‘GhostWriter’ group. The European Union links the group to the GRU, Russia’s military intelligence service. In addition to GhostWriter, the Russian hacker groups KillNet and NoName057(16) have been identified attacking Polish targets.
7. Local U.S. Governments Attacked: The U.S. has received ongoing attention from Russian hackers, with 105 local governments reporting ransomware attacks. Although the report is based on multiple sources, experts agree that the actual count could easily be higher. Emsisoft reported attacks on:
• 105 local governments
• 44 universities and colleges
• 45 school districts operating 1,981 schools
• 25 healthcare providers operating 290 hospitals
8. I found a report that a Russian cyberespionage group, Fancy Bear also known as APT28, hacked an American satellite communications provider “with U.S. critical infrastructure clients.” Apparently “Fancy Bear exploited a 2018 vulnerability found in an unpatched virtual private network, giving its hackers the ability to scrape all the credentials with active sessions. Because the targeted satellite communications provider used the same credentials for “emergency” accounts as ordinary ones, the hackers were able to re-use the stolen credentials for emergency accounts that made it easier for the hackers to move around the system. At the time of the intrusion, the company was also transmitting unencrypted supervisory control and data acquisition, or SCADA, traffic, which can include data like the state of industrial devices and commands from control centers.”
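The satellite provider intrusion above turned on a simple control failure: the “emergency” (break-glass) accounts used the same credentials as ordinary accounts, so credentials scraped from the VPN worked everywhere. The following is an added example, not code from the report or from the provider, of the check a credential store should enforce at the moment a break-glass password is set. The account inventory, account names and passwords are constructed for illustration; the hashing is PBKDF2-HMAC-SHA256 with a per-account salt, which is why the check verifies the candidate plaintext against each stored digest instead of comparing digests.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor for PBKDF2-HMAC-SHA256; kept modest so the example runs quickly.
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    name: str
    role: str          # "ordinary" or "emergency" (break-glass)
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify(acct: Account, password: str) -> bool:
    # Constant-time compare of the stored digest against a fresh derivation.
    return hmac.compare_digest(acct.digest, derive(password, acct.salt))


def create_account(name: str, role: str, password: str) -> Account:
    salt = os.urandom(16)  # per-account salt: identical passwords get different digests
    return Account(name, role, salt, derive(password, salt))


def accounts_sharing(password: str, inventory: list, exclude: str = "") -> list:
    """Names of other accounts whose stored credential equals `password`.

    Because every account has its own salt, two digests cannot be compared
    to each other; the only honest check is to verify the candidate
    plaintext against every stored digest at the moment it is being set.
    """
    return [a.name for a in inventory if a.name != exclude and verify(a, password)]


class ReusedCredential(ValueError):
    """Raised when a break-glass password duplicates another account's."""


def set_emergency_password(inventory: list, name: str, password: str) -> Account:
    """Create or rotate an emergency account, refusing any password that
    another account in the inventory already uses."""
    clash = accounts_sharing(password, inventory, exclude=name)
    if clash:
        raise ReusedCredential(f"{name}: credential already used by {', '.join(clash)}")
    inventory[:] = [a for a in inventory if a.name != name]
    acct = create_account(name, "emergency", password)
    inventory.append(acct)
    return acct


def demo() -> dict:
    """Constructed inventory (hypothetical accounts, not from the report):
    one ordinary admin, and an operator who first tries to reuse that
    admin's password for the break-glass account."""
    inventory = [create_account("ops-admin", "ordinary", "Winter2022!")]
    try:
        set_emergency_password(inventory, "breakglass-1", "Winter2022!")
        rejected = False
    except ReusedCredential:
        rejected = True
    acct = set_emergency_password(inventory, "breakglass-1", "r3Ax-9vQ2-pLm7-tC4e")
    return {
        "reuse_rejected": rejected,
        "distinct_accepted": verify(acct, "r3Ax-9vQ2-pLm7-tC4e"),
        "emergency_count": sum(1 for a in inventory if a.role == "emergency"),
    }


if __name__ == "__main__":
    print(demo())
```

The cost of the check grows with the inventory size, since each candidate is verified against every stored digest; for a large directory, run it only for the small set of privileged and break-glass accounts, which is exactly where reuse did the damage in the case above.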
9. Analysts Comment: This report can only provide the reader with a ‘snap shot’ of some of what we see over a limited time period. We assess that Russia is almost certainly generating new cyber attacks that are: better designed, stealthier (more difficult to detect), more dangerous (they are designed to do more damage), and operate more independently. Further, we assess that Russia’s government hackers are almost certainly sharing: code, tactics, procedures and targeting with some of the top tier hacker groups residing in Russia.
Ukraine: Cyber Defense
10. The head of the Cyber Security Department of the Security Service of Ukraine, (SBU) reports the agency has stopped more than 4,500 cyberattacks on Ukraine in 2022. Ilya Vityuk said attacks started before the February invasion. Russian military hackers were behind a surge of distributed denial of service (DDoS) attacks that briefly knocked Ukrainian banking and government websites offline. According to the SBU, Russia uses cyber operations to target energy, logistics, military facilities, as well as IT centers of state institutions. The SBU is seeing more than ten cyberattacks on Ukraine per day.
11. Ukraine continues to maintain tight operational security around its offensive and defensive IT operations. We know that Ukraine’s internal security is still operating because on 3rd January 40 people were arrested during a police raid on a fake bank call-centre. “Typically, the scammers try to convince you that your bank account is under attack from fraudsters. … (the scammers) call up pretending to be an official from your own bank, using a variety of tricks to make you accept their fictitious credentials as bank staff, and then ‘advise’ you to take a series of disastrous steps.” The Ukrainian police video (shown on YouTube) shows a modern room with relatively new computers, including many Hewlett Packard workstations. This implies a healthy budget to set the operation up and considerable computing capacity.
Canada: Toronto Sick Kids Hack
12. On 21st December Toronto’s Hospital for Sick Children declared a ‘Code Grey’ meaning an IT system failure. The public was warned that they “may experience difficulties calling into the hospital, and accessing some webpages such as AboutKidsHealth.ca (SickKids’ health information site) and the hospital’s Careers application portal”. Internal damage appeared limited to “a few internal clinical and corporate systems”. The hospital did “activate the hospital’s incident management command centre and launched an investigation to determine the nature and scope of the incident.”
13. The LockBit Ransomware Group, whose ransomware and affiliate were behind the Sick Kids hack, had an extraordinary year. The group bragged on social media that it attacked 12,125 organizations, including Thales Group and the French Ministry of Justice. LockBit does have a rule that affiliates (hacker groups using its ransomware) cannot hack public healthcare centers. LockBit released a statement through Twitter: “We formally apologise for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violates our rules, is blocked and is no longer in our affiliate programme.” The hospital told the CBC that “60 per cent of its priority systems have since been brought back online and restoration efforts are ‘progressing well.’” The CBC added: “Cybersecurity experts say even if SickKids decides to use a decryptor, they face the often lengthy and costly task of fully restoring the systems and potentially rebuilding their cybersecurity architecture to prevent another attack.”
14. Analysts Comment: Not all hacker groups have the ‘morality’ of the LockBit group. Some Russian hackers have no target restrictions – outside Russia. For hackers who don’t hack healthcare, the policy is not necessarily altruistic. Hacking a hospital and causing deaths, especially children’s deaths, could cause a backlash. Upset people contact politicians, who in turn provide direction to police and intelligence agencies. Hackers do not want to be targeted.
15. 2022 Summed Up: a year-long lesson in how not to respond to a data breach. Most experts agree – few lessons have been learned. 2023 could be a very hard year.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org