Cyberwarfare: Russia vs Ukraine
This report contains selected cyber-security information from 17th to 30th Sept 2022.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – September 30, 2022
Cyber Intelligence Report
Cyberwarfare: Russia vs Ukraine (15)
Synopsis
1. The pace of the Russia-Ukraine cyber warfare is escalating. There is a warning that Russia intends to attack energy suppliers. Russia has also formed three new hacker groups and launched new cyber campaigns. Ukrainian cyber allies have also been busy hacking: the Russian payment system, the mercenary ‘Wagner Group’ and the website of the Russian Defence Department.
2. Russian ‘Courses of Action’ for cyber forces, including allies such as ‘patriotic’, mercenary, and domestic criminal hackers are assessed as:
Ongoing: Russian cyber forces, including allied forces, are launching a new series of cyber attacks against strategic targets such as energy companies and weapons manufacturers as well as vulnerable governments.
Worst Case Scenario: President Putin decides to focus Russia’s cyber attacks on one country (such as Canada) or a small group of vulnerable countries. Assessed as UNLIKELY.
Best Case Scenario: Russia agrees to cease or is forced to cease offensive cyber operations. Assessed as VERY UNLIKELY.
Russia
3. On Monday 26th September Ukraine’s Defence Intelligence Agency ‘warned that Kremlin-backed hackers are planning to carry out massive cyberattacks on the critical infrastructure facilities of Ukrainian enterprises. The agency also accused Russia of planning cyberattacks on critical infrastructure institutions of Ukraine’s allies, primarily Poland and the Baltic States. “First of all, [the] attacks will be aimed at enterprises in the energy sector. The [Russian] experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations,” the defence intelligence agency said.’ Analysts Comment: The attacks on the Nord Stream pipeline could be perceived as part of an over-arching attack on European energy systems.
4. Cyber Security firm Mandiant has identified three hacktivist groups working for the GRU or the ‘Russian Main Intelligence Directorate’. The three groups identify themselves on Telegram channels as: “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn”. The groups ‘conducted distributed denial-of-service (DDoS) and defacement attacks against Ukrainian websites, but the experts believe that they are a front for information operations and destructive cyber activities coordinated by the Kremlin.’ The best known cyber group operating out of the GRU is APT28. The new hacker groups have used some APT28 tools and have launched attacks ‘which coincided with APT28 wiping attacks’. Experts believe that the moderators of the XakNet Team channel are directly supported by APT28. Analysts Comment: It is likely that these ‘new’ hacker groups were formed from the ‘patriotic hackers’ recruited by KillNet or existing cyber groups and are not ‘new talent’.
5. Fake Internet domains ‘identified in July and August 2022 are spoofing telecommunications operators in Ukraine, but also telecoms company Starlink, which is operated by American company SpaceX. Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT. An ISO file contained within the malicious webpage is automatically downloaded onto the visitors’ computers via HTML smuggling.’ That is a technique and operating procedure common to APT29, another Russian cyberespionage group. Another way these groups have operated is to create new Russian mobile telephone and Internet companies in occupied Ukraine claiming to provide cell phone coverage across “liberated territories”. The two mobile providers, 7Telecom and MirTelecom, have both been visible since June, although their presence has been disappearing as Ukraine’s counter-attacks take back Ukrainian territory.
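The paragraph above describes an ISO payload being delivered by HTML smuggling: the page carries the file as an encoded literal and reconstructs it in the browser with JavaScript, so no file is ever fetched from a URL a proxy or mail gateway could block. The heuristic scanner below is an added defensive example for this report (it is not code from Recorded Future or from the CIDC) that flags fetched HTML showing that pattern: in-page decoding of a long base64 literal, Blob construction, an object URL, a scripted `download` name with a container extension such as `.iso`, and an automatic click. The two sample pages and their scoring thresholds are constructed for illustration.

```python
"""
Heuristic detector for HTML-smuggling pages (added example, not from the
report). Input: raw HTML captured at a proxy, mail gateway or sandbox.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Script-level indicators of in-browser payload reconstruction and download.
INDICATORS = {
    "blob_construct": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    # Matches both `a.download = 'x'` and `<a download="x">`; group 1 is the name.
    "download_attr": re.compile(r"\bdownload\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}

# Container formats commonly used to carry a payload past content filters.
SUSPECT_EXTENSIONS = (".iso", ".img", ".vhd", ".zip", ".7z", ".rar")

# A long base64 literal inside the page is the smuggled file itself.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")


@dataclass
class Finding:
    score: int = 0
    hits: List[str] = field(default_factory=list)
    download_name: Optional[str] = None
    payload_head: Optional[bytes] = None  # first bytes of the decoded literal


def analyse_html(html: str) -> Finding:
    """Score one HTML document; higher means more smuggling indicators."""
    f = Finding()
    for name, rx in INDICATORS.items():
        m = rx.search(html)
        if m:
            f.hits.append(name)
            f.score += 1
            if name == "download_attr":
                f.download_name = m.group(1)
    # A scripted download of a disk image or archive weighs more than a PDF.
    if f.download_name and f.download_name.lower().endswith(SUSPECT_EXTENSIONS):
        f.hits.append("suspect_extension")
        f.score += 2
    b64 = B64_LITERAL.search(html)
    if b64:
        f.hits.append("embedded_base64_blob")
        f.score += 2
        try:
            f.payload_head = base64.b64decode(b64.group(1))[:8]
        except ValueError:
            f.payload_head = None
    return f


def is_html_smuggling(html: str, threshold: int = 5) -> bool:
    """Decision helper: treat a page at or above the threshold as suspect."""
    return analyse_html(html).score >= threshold


# --- Constructed sample pages (not captured from any real campaign) ---------
_PAYLOAD = base64.b64encode(b"CONSTRUCTED-SAMPLE-PAYLOAD-" * 8).decode()

SAMPLE_SMUGGLING_PAGE = f"""<html><body><p>Preparing your document...</p>
<script>
  var data = '{_PAYLOAD}';
  var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'invoice.iso';
  document.body.appendChild(a);
  a.click();
</script></body></html>"""

# Ordinary server-hosted download link: one weak indicator, no payload in page.
SAMPLE_BENIGN_PAGE = """<html><body>
<a href="/files/report.pdf" download="report.pdf">Download report</a>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("smuggling", SAMPLE_SMUGGLING_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        f = analyse_html(page)
        print(f"{label}: score={f.score} hits={f.hits} name={f.download_name}")
```

The scanner is a triage aid, not a verdict: a legitimate web app that builds a file client-side will trip the Blob and object-URL indicators, which is why the weight sits on the combination with a container extension and an embedded base64 literal. For a page that scores high, the decoded `payload_head` gives responders the bytes to hand to a sandbox without ever opening the file.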
6. Another Russian cyber campaign is targeting Ukraine with a new info-stealer. “Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.” The attacks started in August and are ongoing.
Ukraine
7. Ukrainian OPSEC (Operational Security) for cyber operations remains very tight. Third-party hacking groups supporting Ukraine have accomplished a range of hacks, including a hack of the Russian payment system Mir, exposing the personnel files of Russia’s mercenary ‘Wagner Group’, and compromising the website of the Russian Defence Department.
8. Two Russian sources reported on September 25th that Mir, the Russian payment system, was under a Distributed Denial of Service (DDoS) attack. According to the Russian news outlet Kommersant, Ukrainian ‘hacktivists’ are carrying out DDoS attacks on the Mir system and its operator, National Payment Card System, by coordinating their activities via pro-Ukraine chats. Mir cards work as Russia’s alternative to Visa and Mastercard, which suspended operations in the country. “Under the current conditions, we can expect the culprits to achieve some success in their DDoS attacks on the Mir payment system, the risks are more than real,” one Kommersant source said, adding that a complete failure in the ‘card acquiring’ process, which could last up to several hours, is possible.
9. On September 20th the Ukraine IT Army claimed that they had exfiltrated personnel data from the Russian mercenary ‘Wagner Group’ website. Apparently, personnel data had been stored on that web server. None of the data allegedly stolen by the IT Army has been posted, hindering the verification of the hacktivist group’s claims. The Ukraine IT Army has not responded to requests for comment regarding the incident. The Wagner group is a Russian private military contractor. They are believed to have links with Kremlin insiders. Since 2014, the group has operated in Russian wars and proxy wars such as the conflict in the Ukrainian region of Donbas, in Syria, and the Central African Republic. Analysts Comment: It has been confirmed that the Wagner Group website was defaced (hacked). It is possible that personnel data was exfiltrated.
10. On September 23rd Security Affairs reported that the hacker group Anonymous claimed to have hacked the website of the Russian Ministry of Defense. The hack warned that 305,925 people were likely to be mobilized in the first of three waves of mobilization announced by President Putin.
11. In an unusual twist, a hacker-for-hire group dubbed ‘Void Balaur’ has begun hacking ‘entities with business or political ties to Russia’. According to Trend Micro, “Void Balaur primarily dabbles in cyber espionage and data theft, selling the stolen information to anyone willing to pay.” What makes this unusual is that one of the group’s domains resolves to an address owned and operated by the Russian Federal Guard Service (FSO). Analysts Comment: It can be difficult to determine what side a group is on, or if they are truly ‘mercenaries’. This source has been very accurate at reporting hacker information, so there is a high probability the data is accurate.
12. This week Meta (Facebook’s parent company) announced that they had shut down both Russian and Chinese propaganda networks. The Russian network used “more than 60 websites created to mimic legitimate news sites including The Guardian newspaper in the United Kingdom and Germany’s Der Spiegel. The fake sites contained links to Russian propaganda and disinformation about Ukraine. More than 1,600 fake Facebook accounts were used to spread the propaganda to audiences in Germany, Italy, France, the U.K. and Ukraine.” Meta claims it identified and disabled the network before it commenced full operation and gained an audience. It was described as the most complex Russian propaganda operation it (Meta) has found since the invasion began.
13. Concurrently, Meta security researchers discovered another, much smaller Chinese network attempting to spread political content in the U.S. According to the Register: “the Chinese operation targeting US audiences attempted to reach both sides of the political spectrum, but was largely unsuccessful. Across 81 Facebook accounts, eight Pages, one Group, and two Instagram accounts, the operation garnered less than 300 followers/group members. The operation doesn’t appear to have been sophisticated, or have had much in the way of resources for its operators, Meta’s findings suggest. Instead of operating during US hours, the accounts only posted during working hours in China, posting was sporadic, many of the accounts had fake female English names but male profile pictures, and most appear to have been written in broken English.” Analysts Comment: The Chinese network’s TTPs resembled Russia’s, suggesting that China may be trying Russian-style information operations.
Analysts Comment
14. It is essential to Ukraine’s fight that western, and especially U.S., support is maintained. Unfortunately, North American media coverage of the Russia-Ukraine conflict is inconsistent, sometimes implying there is no ‘activity’ to cover. Cyber warfare activity remains largely unreported by mainstream media and is therefore not visible to the general public. This can result in leaders writing material such as:
“the absence of visible cyber activity raises important questions about what “cyberwar” actually is, and how we can know if one is taking place.”
A more accurate summary of cyber operations can be found in Security Week:
“As of mid-September, the Cyber Peace Institute, an NGO based in Switzerland, counted nearly 450 attacks — roughly 12 a week — carried out by 57 different entities on either side since the invasion was launched in February. … “Large-scale cyberattacks have indeed occurred, but it’s generally agreed that they have clearly failed to produce the ‘shock and awe’ effect some predicted,” according to Alexis Rapin, a researcher at the University of Quebec.”
15. If Lee Atwater is correct and ‘perception is reality’, then inaccurate perceptions of the Russia-Ukraine conflict serve Russia’s interests while reducing the understanding that we in the west need to improve our security and cyber security posture. The ideas expressed in the CIGI article are not merely wrong, they are dangerous.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org