The invasion of Ukraine by Russian forces is dominating the headlines, and for good reason. For many, particularly those in Europe, the sense of order has been shattered. From the war itself to the plight of Ukrainian refugees, Russians against the war taking great risks to voice their opinion, and wealthy oligarchs losing billions of dollars in a few hours, many stories need to be told and are competing for airtime, including the cyberwar that is currently playing out in real time.
On March 1, security firm Wordfence, which specializes in protecting WordPress websites, published an article detailing how Ukrainian universities came under a cyber siege of sorts shortly after the military invasion began. The attack resulted in the compromise of 30 websites belonging to Ukrainian universities.
The security firm further managed to determine who was behind the attacks: a group going by "theMx0nday", which seems to be a splinter group of a larger group simply going by Monday. The group has come out in support of Russia. Wordfence researchers further stated,
“The threat actor is based in Brazil. The majority of attacks transited an internet service provider called Njalla who claim they are “Considered the world most notorious ‘Privacy as a Service’ provider for domains, VPSs and VPNs”. Njalla is a Swedish-based hosting provider and is run by Peter Sunde, who is the co-founder of Pirate Bay. The specific Njalla server that the traffic was routed through appears to be based in Finland, based on IP geolocation data, although Njalla claims their servers are based “In secret locations in Sweden”.”
Researchers also noted that they had detected approximately 144,000 attacks on websites with a Ukrainian domain name. That staggering number covered not just attacks on universities but also attacks on commercial, local and national government, military, police, academic and private websites.
This amounted to a tenfold increase in attacks on Ukrainian websites compared to the period when the troop build-up began on the Ukrainian border. On Wordfence's own interest in the matter, they noted,
“Out of the 8,320 UA websites that we protect, we found a list of 383 websites where attacks had increased dramatically following the invasion. Out of those 383 websites, 229 were sites ending in “EDU.UA”. In other words, academic websites and universities in Ukraine.”
Shortly after Wordfence's article, the Ukrainian government announced that local government websites had been compromised to display fake capitulation notices. Further, the Security Service of Ukraine (SSU) said that "enemy" hackers were using the compromised websites of local government and regional authorities to push rumours that Ukraine had surrendered and signed a peace treaty with Russia.
These notices were quickly determined to be fake by Ukraine's State Service for Special Communication and Information Protection (SSSCIP), which took to Twitter to inform Ukrainian users of the platform that the notices were fake and that no such treaty had been signed. This follows news that Ukrainian government officials and military personnel have been increasingly targeted in phishing attacks.
Yet Another Wiper
Researchers have discovered yet another data wiper, a class of malware that corrupts the master boot record and destroys data, making recovery all but impossible unless diligent backups have been kept, along with a new worm used to spread HermeticWiper laterally across networks. Eset, which discovered both and published a report at the start of March, has named the wiper IsaacWiper.
According to Eset, the wiper was first deployed on February 24, 2022. Further, it is believed that IsaacWiper's operators used tools such as Impacket to move laterally within the targeted networks.
On a few machines, researchers also observed the threat actors deploying RemCom, a remote access tool, at the same time as IsaacWiper to assist in the infection. Eset provided more technical details in their report, noting
“IsaacWiper is found in either a Windows DLL or EXE with no Authenticode signature; it appeared in our telemetry on February 24th, 2022. As mentioned earlier, the oldest PE compilation timestamp we have found is October 19th, 2021, meaning that if its PE compilation timestamp was not tampered with, IsaacWiper might have been used in previous operations months earlier…For DLL samples, the name in the PE export directory is Cleaner.dll and it has a single export _Start@4.”
It was also found that IsaacWiper bears little resemblance to HermeticWiper, another wiper used in attacks against Ukrainian targets. IsaacWiper is far less sophisticated than the other wipers discovered before and during the military invasion of Ukraine: it wipes files using only a single thread, a slow process that becomes painfully slow on large drives.
On February 25, 2022, researchers discovered a new version of IsaacWiper being dropped with debug logging enabled. This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening.
As for the new worm, HermeticWizard, the malware first tries to find other machines on the local network by collecting the IP addresses already known to the infected host. It then tries to connect to those addresses, limited to known local IP addresses, to see whether they are reachable.
The ports are probed in a random order, so HermeticWizard traffic cannot be fingerprinted by its port sequence. When it finds a reachable machine, it drops its WMI spreader component on disk and creates a new process from the command line to deploy HermeticWiper.
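Because HermeticWizard shuffles the order in which it probes ports, a detection keyed on port sequence will not work; what remains characteristic is the fan-out itself, one internal host touching several neighbours on several service ports inside a short window. The script below is an added example written for this article, not code from Eset or from the page. The log format, the sample lines, the local subnet (LOCAL_NET) and the probed ports are all constructed assumptions and are not the ports HermeticWizard actually uses; the thresholds are illustrative starting points to tune against your own traffic.

```python
"""Flag HermeticWizard-style lateral fan-out in connection logs.

Added example (not from the article or Eset). Log format, sample data,
LOCAL_NET and port numbers are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the monitored local subnet. The worm only probes addresses it
# already knows on the local network, so external destinations are ignored.
LOCAL_NET = ip_network("10.0.1.0/24")

# Constructed sample log, one event per line:
#   <ISO timestamp> <src> <dst> <dport> <outcome>
# 10.0.1.20 probes four neighbours on four ports in a shuffled order within
# ten seconds. 10.0.1.7 is an ordinary host talking to one file server and to
# an internet address (203.0.113.10 is a documentation-range placeholder).
SAMPLE_LOG = """\
2022-02-24T10:00:01 10.0.1.20 10.0.1.5 445 ok
2022-02-24T10:00:01 10.0.1.20 10.0.1.6 135 fail
2022-02-24T10:00:02 10.0.1.20 10.0.1.5 135 ok
2022-02-24T10:00:02 10.0.1.20 10.0.1.9 445 fail
2022-02-24T10:00:03 10.0.1.20 10.0.1.6 445 fail
2022-02-24T10:00:04 10.0.1.20 10.0.1.11 139 ok
2022-02-24T10:00:05 10.0.1.20 10.0.1.9 80 fail
2022-02-24T10:00:06 10.0.1.20 10.0.1.11 445 ok
2022-02-24T10:00:07 10.0.1.20 10.0.1.5 139 ok
2022-02-24T10:00:08 10.0.1.20 10.0.1.6 80 fail
2022-02-24T10:00:09 10.0.1.7 10.0.1.5 445 ok
2022-02-24T10:00:30 10.0.1.7 203.0.113.10 443 ok
2022-02-24T10:00:45 10.0.1.7 10.0.1.5 445 ok
2022-02-24T10:03:00 10.0.1.20 10.0.1.5 445 ok
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, outcome)."""
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def detect_fanout(log_text, window=timedelta(seconds=60),
                  min_hosts=3, min_ports=3):
    """Return {src: (distinct_local_hosts, distinct_ports)} for every source
    that, inside some sliding `window`, contacted at least `min_hosts`
    distinct local hosts on at least `min_ports` distinct ports.

    Only the *sets* of hosts and ports are examined, never their order, so a
    randomised probe order does not defeat the check. Failed connections
    count too: a scanner hits closed ports far more often than open ones.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if ip_address(dst) in LOCAL_NET:
            events[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {d for _, d, _ in evs[start:end + 1]}
            ports = {p for _, _, p in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, (0, 0)),
                                  (len(hosts), len(ports)))
    return alerts


if __name__ == "__main__":
    for src, (hosts, ports) in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {hosts} local hosts on {ports} distinct ports "
              f"within one minute")
```

Run against the sample, only 10.0.1.20 is flagged (four hosts, four ports); the benign host never exceeds one destination or one port, and the scanner's later single connection at 10:03 falls outside the window and does not raise a second alert. In production you would feed this from a flow or EDR export and raise the thresholds until your normal admin and monitoring hosts stop tripping it.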
Ukrainian and international IT professionals and hackers are not taking the war in cyberspace lying down. The Associated Press reports that hundreds, by some accounts thousands, of hacktivists are retaliating against the cyber warfare, attacks on critical infrastructure and spread of disinformation carried out by Russia and those sympathising with Russia's actions.
The report notes that hacktivists are looking to carry out several objectives, including,
“Inventions of the volunteer hackers range from software tools that let smartphone and computer owners anywhere participate in distributed denial-of-service attacks on official Russian websites to bots on the Telegram messaging platform that block disinformation, let people report Russian troop locations and offer instructions on assembling Molotov cocktails and basic first aid.”
It also appears that attacks are specifically targeting Russian military organisations and not Russian civilians. This is in line with many other groups labelling the war as President Putin's war and not a Russian war against Ukraine, historically seen as one of the birthplaces of Slavic culture.
Such views are supported by increasing opposition to the war within Russia's borders. A top Ukrainian cybersecurity official, Victor Zhora, shared this sentiment, insisting that homegrown volunteers were attacking only what they deem military targets, among which he included the financial sector, Kremlin-controlled media and railways.
However, the involvement of international groups, while well intentioned, could backfire and rewrite the rules of current cyber norms, which are fairly vague to begin with. Some cybersecurity experts have expressed concern that soliciting help from international hacktivists who violate those norms could have dangerous escalatory consequences.
One shadowy group claimed to have hacked Russian satellites. The claim was followed by a statement from Dmitry Rogozin, director general of Russia's space agency Roscosmos, who called the claim false but was also quoted by the Interfax news agency as saying that such a cyberattack would be considered an act of war.
Such actions could lead to an escalation that brings other countries within a hair's breadth of declaring war.