Cyberwarfare: Russia vs Ukraine
Cyber-security information from 4th to 17th June 2022.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – June 17, 2022
Cyber Intelligence Report
This report contains selected cyber-security information from 3rd to 16th Sept 2022.
Cyberwarfare: Russia vs Ukraine (14)
Synopsis
1. Russia’s latest cyber attacks target Japan, Montenegro and Albania. Ukrainian civilian hackers attack Russian telecommunications. In the background China is hacking Russian and Ukrainian networks to monitor all aspects of the conflict. Hackers are using the death of Queen Elizabeth II as ‘phishing bait’ to lure the unwary.
2. Russian ‘Courses of Action’ for cyber forces, including allies such as ‘patriotic’, mercenary, and domestic criminal hackers, are assessed as:
Ongoing: Russian cyber forces, including allied forces, are launching a new series of cyber attacks against strategic targets such as energy companies and weapons manufacturers as well as vulnerable governments.
Worst Case Scenario: President Putin decides to focus Russia’s cyber attacks on one country (such as Canada) or a small group of vulnerable countries. Assessed as UNLIKELY.
Best Case Scenario: Russia agrees to cease or is forced to cease offensive cyber operations. Assessed as VERY UNLIKELY.
Russia
3. Russia – Cyber Offence: Russian cyber attacks on Ukraine occur at three levels: low-level Distributed Denial of Service (DDoS) attacks, malware attacks such as Conti ransomware, and destructive attacks originating from the Russian government. Ukrainian Cyber Security reported that the Motor Vehicle Ministry had its vehicle database erased. Services were restored within hours from backups. No other attacks are known.
4. What has been observed are Russian cyber attacks on other countries. On September 7th Pravda announced that the Russian hacker group Killnet had declared war on the Japanese government. Killnet hackers accused the Japanese government of running an anti-Russian campaign. Killnet attacked the website of the Tokyo subway system, Mixi (a popular social network), the electronic government of Japan, the main tax website and the national payment system. From the Japanese perspective, the attacks lasted two days, Sept 6th and 7th. The Japanese e-Gov website, which provides information on laws and administrative procedures, and other sites operated by central government ministries could not be accessed from the evening of Sept. 6, but that problem was resolved later that day. Digital Agency officials said there were no signs that any personal information was leaked in the cyberattacks.
5. On Sept 12th the Associated Press reported that Montenegro is under a sustained cyber attack. The attack started around Aug 20th, crippling online government information platforms and putting essential infrastructure including banking, water and electrical systems at risk. “We have been faced with serious challenges related to the cyberattack for about 20 days, and the entire state system, the system of state administration, and the system of services to citizens are functioning at a rather restrictive level,” Defense Minister Rasko Konjevic told The Associated Press. The cyberattack comes amid an apparent attempt by Moscow, acting through the Kremlin’s Balkan ally Serbia, to destabilize the Balkan region, which was at war in the 1990s, and thus at least partly shift the world’s attention from the war in Ukraine.
6. Montenegro’s neighbour, Albania, has been under cyber attack by Iran. Albania severed diplomatic relations with Iran on Wednesday, Sept 7th, and expelled Iran’s diplomats after a cyber attack in July that was blamed on the Islamic Republic. Iran protested its innocence; however, multiple hacking groups, all associated with the Iranian government, launched new destructive attacks targeting the Albanian government’s websites and public services, taking them offline. The most recent campaign consisted of four different stages, with a different actor responsible for each of them: DEV-0861 performed initial compromise and data exfiltration, DEV-0166 stole data, DEV-0133 probed the victim’s infrastructure, and DEV-0842 deployed ransomware and wiper malware. The United States called the attack unprecedented because, it said, it violated the peacetime norm of not damaging critical infrastructure that the public relies on. The severity of the attack caused the U.S. to impose sanctions on Iran.
7. Analyst’s Comment: This analysis is based more on geopolitics than cyber security. The Iranian attack on Albania is listed here because Albania is not a ‘natural’ or ‘logical’ target for Iran (no money, no religious or political motivation). It makes even less sense to run multiple government hacker groups in a coordinated attack designed to damage critical infrastructure, unless Iran is working with Russia, assisting in destabilizing the Balkans. If President Putin is trying to distract Western attention from Ukraine, causing problems elsewhere is a standard tactic. It is assessed that the Iranian attacks on Albania are in support of Russian cyber operations.
8. Russia – Cyber Defence: On September 1st hackers created a traffic jam in Moscow by ordering dozens of taxis from the ride-hailing app ‘Yandex Taxi’ to converge on Kutuzovsky Prospekt, a major avenue in Moscow that is the location of the ‘Hotel Ukraina’ (Hotel Ukraine). Video widely circulated on social media showed a very long queue of taxis along an otherwise lightly trafficked road. A Yandex spokesperson said the issue was resolved “in less than an hour”.
Ukraine
9. Ukraine – Cyber Offence: Three volunteer hacker organizations, including TeamOneFist, struck Russia’s telecommunication infrastructure, hobbling the Kremlin’s ability to respond to Ukraine’s counter-offensive underway in Kherson. The attack ran from August 29th until September 1st, targeting Russia’s largest telecommunications provider, Rostelecom. “The hackers worked round the clock for three days to brick 800 Rostelecom routers and voice gateways. Voice gateways are routers that carry VoIP/voice traffic, so taking those out literally breaks the phones. They would get fast-busy signals only,” Voltage said, explaining the attack’s impact. “Rostelecom can of course fix and/or buy new routers but that would take a few hours to days. If one router requires about 20 minutes reprogramming, it would take 16,000 minutes or over 266 hours, or 11 days, to get all of them back up and running.”
10. Voltage, the founder of the cyber volunteer group TeamOneFist, said: “Operation Sidewinder was planned to take place when the Ukrainian counter-offensive started, to help provide as much logistical and communication impact against the Orcs that we could create in a short period. The goal was to aid in the counter-attack by slowing down the Orc response.” Rostelecom did recover 45 voice gateways on the second day of the attack; however, the attackers took those down as well. The team claims over 4000 routers and voice gateways were ‘taken down’. It was also the first operation assigned (to them) by the IT Army of Ukraine.
Analysis
11. Researchers from the University of Cambridge, the University of Edinburgh and the University of Strathclyde claim that the attacks by both sides of the conflict “have had a minor impact and are unlikely to escalate further.” The universities analyzed data from two months before and four months after the invasion, including 281,000 web defacement attacks, 1.7 million distributed denial-of-service (DDoS) attacks, and hundreds of announcements on Telegram channels used by hackers to coordinate their activity. According to the analysis, which was published last week, Russia was the first to be attacked at scale, followed by Ukraine a few days later. They claim the increase in cyberattacks lasted for about two weeks before returning to pre-war levels.
12. Analysis Comments: The university report is remarkable for its divergence from other cyber security assessments. Agencies such as EU cyber security bodies, NATO, the UK’s GCHQ, the American NSA and Cyber Command all reported increasing Russian attacks on Ukraine prior to the start of the conflict. The first known cyber attack was the Russian attack on an American satellite ground station, with Ukraine’s cyber authority reporting Russian attacks building to 800% of pre-conflict levels. Although most attacks on both sides have been low-level, nuisance Denial of Service (DoS) attacks, there have been significant attempts to crash critical infrastructure, block communications, and destroy equipment. The Ukrainian IT Army’s employment of external hackers to disrupt Russian telecommunications certainly qualifies as a ‘significant operation’.
13. According to Kaspersky, China has recently focused cyber activities on Russia’s military industries in novel and targeted attacks. The attacks installed a series of stealthy backdoors into systems of interest; deploying several backdoors ensures continued access to infected hosts should one backdoor be discovered and remediated. It is not clear what, if any, data is being taken from Russia’s military industries. It is clear that China is NOT disrupting any of those industries. Having insight into key industries and military-related entities provides a more accurate picture than open media, or than the narrative that Russian officials may be telling their Chinese counterparts. China’s cyber espionage appears to be focused more on information gathering for situational and strategic understanding than on stealing intellectual property.
Other News
14. Hackers are exploiting the death of Queen Elizabeth II as ‘phishing bait’. In an example reported in ‘Security Affairs’, messages supposedly from Microsoft invite people to an ‘artificial technology hub’. Access is through the victim’s Microsoft account credentials. Two types of malware are used to bypass authentication protocols and compromise the account. Security companies are reporting similar phishing attempts on other platforms such as Twitter.
15. In a new and troubling trend, Linux is receiving a lot more attention from malware writers. The latest example is a new shape-shifting cryptominer called ‘Shikitega’. It is proving hard to detect, hard to remediate, and is savaging Linux endpoints.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org