
Russia-Ukraine Cybersecurity Updates

2022-03-04 14:30:00
Rapid7
blog.rapid7.com



Cyberattacks are a distinct concern in the Russia-Ukraine conflict, with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.

Each business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.


March 16, 2022

Ukrainian President Volodymyr Zelenskyy delivered a virtual speech to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support.

The White House released a new fact sheet detailing an additional $800 million in security assistance to Ukraine.

Threat Intelligence Update

  • UAC-0056 targets Ukrainian entities

SentinelOne researchers reported that UAC-0056 targeted Ukrainian entities with a malicious Python-based package masquerading as Ukrainian-language translation software. Once installed, the fake app deployed several payloads, including Cobalt Strike, GrimPlant, and GraphSteel.

Source: SentinelOne

  • A hacker was caught routing calls to Russian troops

The Security Service of Ukraine claimed to have arrested a hacker who helped relay communications from within Russia to Russian troops operating on Ukrainian territory. The hacker also sent text messages to Ukrainian security officers and civil servants, exhorting them to surrender.

Source: The Verge

March 15, 2022

The Ukrainian Ministry of Defense leaked documents of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.

Researchers at INFOdocket, a subsidiary of Library Journal, have created a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. The resource will be updated as each of the three organizations releases relevant new content.

The Wall Street Journal is reporting that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country.

Russia may default on $117 million (USD) in interest payments on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.

Reuters is reporting that Russia’s delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings.

CNN reports that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and “individuals associated with them,” the Russian Foreign Ministry said in a statement on Tuesday.

Threat Intelligence Update

  • Russian state-sponsored cyber actors access network misconfigured with default MFA protocols

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory detailing how Russian state-sponsored cyber actors gained access to a network through misconfigured default multifactor authentication (MFA) protocols. The misconfiguration in question is a default "fail open" policy: when the MFA service cannot be reached, the login is allowed to proceed without the second factor, which is why the advisory recommends reviewing MFA policies for fail-open and re-enrollment scenarios. Once inside, the actors exploited the critical Windows Print Spooler vulnerability "PrintNightmare" (CVE-2021-34527) to run arbitrary code with SYSTEM privileges.

Source: CISA
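The failure mode above is easy to model. The following is an added illustration, not code from the advisory or from any MFA vendor: it compares a fail-open policy with a fail-closed one under an MFA-service outage, and adds the audit a practitioner would run alongside it, listing enabled-but-idle accounts that have no MFA device enrolled (the accounts an intruder could enroll their own device on). The `MfaClient`, `Account` records, and policy names are hypothetical.

```python
"""Fail-open versus fail-closed MFA enforcement (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, List, Optional, Set


class FailMode(Enum):
    OPEN = "open"      # weak default: MFA outage => second factor skipped
    CLOSED = "closed"  # hardened: MFA outage => login denied


class MfaUnreachable(Exception):
    """Raised when the MFA backend times out or is otherwise unreachable."""


@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enrolled: bool
    last_login: datetime


@dataclass
class MfaClient:
    """Hypothetical MFA backend; `reachable` simulates the network path to it."""
    reachable: bool = True
    approved_users: Set[str] = field(default_factory=set)

    def verify(self, user: str) -> bool:
        if not self.reachable:
            raise MfaUnreachable("mfa backend did not respond")
        return user in self.approved_users


def authenticate(acct: Account, password_ok: bool, mfa: MfaClient, mode: FailMode) -> bool:
    """Return True only if the login should be granted under `mode`."""
    if not acct.enabled or not password_ok:
        return False
    try:
        return mfa.verify(acct.name)
    except MfaUnreachable:
        # The entire difference between the two policies is this branch:
        # fail-open treats "could not check" as "checked OK".
        return mode is FailMode.OPEN


def reenrollment_risks(accounts: Iterable[Account], idle_days: int = 90,
                       now: Optional[datetime] = None) -> List[str]:
    """Enabled accounts that are idle and have no MFA device: enrollment targets for an intruder."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=idle_days)
    return sorted(a.name for a in accounts
                  if a.enabled and not a.mfa_enrolled and a.last_login < cutoff)


if __name__ == "__main__":
    now = datetime(2022, 3, 15)
    alice = Account("alice", True, True, now)
    dormant = Account("svc_old", True, False, now - timedelta(days=200))
    outage = MfaClient(reachable=False)
    print("fail-open during outage:", authenticate(alice, True, outage, FailMode.OPEN))     # True
    print("fail-closed during outage:", authenticate(alice, True, outage, FailMode.CLOSED))  # False
    print("re-enrollment candidates:", reenrollment_risks([alice, dormant], now=now))      # ['svc_old']
```

The fix is not in `authenticate` itself but in the policy passed to it: set the MFA integration to fail closed, and disable or MFA-enroll every account the audit returns before an attacker does it for you.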

  • Fake antivirus updates used to deploy Cobalt Strike in Ukraine

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to improve network security and advise recipients to download “critical security updates,” delivered as a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.” A genuine vendor update package is Authenticode-signed by the vendor; an unsigned executable, or one signed by anyone else, is the first thing to check before the file is run.

Source: BleepingComputer/CERT-UA
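A first triage step for a file like the one above is to ask whether it carries an Authenticode signature block at all. The following is an added example, not code from CERT-UA, Bitdefender, or the original post: it parses the PE headers with the Python standard library only and reports whether the Certificate Table directory points at a `WIN_CERTIFICATE` entry. Presence is only a signal; the PKCS#7 blob still has to be validated against the vendor's certificate chain (`signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`), which this script does not do. The two sample images are constructed in `build_sample_pe` for demonstration.

```python
"""Report whether a PE file carries an Authenticode signature block (added example)."""
import struct
from typing import Optional

CERT_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData


def authenticode_status(data: bytes) -> str:
    """Return 'unsigned', 'signed', or 'malformed' for the PE image in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "malformed"
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return "malformed"
    opt_off = pe_off + 4 + 20                                   # skip signature + COFF header
    if len(data) < opt_off + 2:
        return "malformed"
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                          # PE32
        num_dirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                        # PE32+
        num_dirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return "malformed"
    entry_off = dirs_off + 8 * CERT_DIR_INDEX
    if len(data) < entry_off + 8:
        return "malformed"
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= CERT_DIR_INDEX:
        return "unsigned"
    # For the security directory the first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry_off)
    if cert_size == 0:
        return "unsigned"
    if cert_size < 8 or cert_off + cert_size > len(data):
        return "malformed"                                      # table points outside the file
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > cert_size:
        return "malformed"
    return "signed"


def build_sample_pe(signature: Optional[bytes]) -> bytes:
    """Construct a minimal PE32+ image, optionally with a WIN_CERTIFICATE appended (test data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # x64, no sections, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    blob = b""
    if signature is not None:
        blob = struct.pack("<IHH", 8 + len(signature), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        struct.pack_into("<II", opt, 112 + 8 * CERT_DIR_INDEX, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], authenticode_status(fh.read()))
    else:
        print("unsigned sample:", authenticode_status(build_sample_pe(None)))
        print("signed sample:  ", authenticode_status(build_sample_pe(b"\x30\x82" + b"\x00" * 30)))
```

Run it with a path argument to check a real download. An "unsigned" result on something claiming to be a vendor security update is enough to stop; a "signed" result only means the next step (full chain validation against the vendor's publisher certificate) is worth doing.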

  • A novel wiper targets Ukrainian entities

Cybersecurity researchers observed a new wiper, CaddyWiper, targeting Ukrainian organizations. Once deployed, CaddyWiper overwrites and destroys data on any drives attached to the compromised system. Although it appeared in close proximity to other wipers aimed at Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper shares no significant code with them and appears to have been developed separately.

Source: Bleeping Computer

  • German Federal Office for Information Security (BSI) issues an alert on Russian antivirus software Kaspersky

The German Federal Office for Information Security (BSI) issued an alert urging users to replace Kaspersky antivirus software with another product, citing alleged ties to the Kremlin. The agency warned that Kaspersky's software could be used as a tool in the cyber conflict between Russia and Ukraine.

Source: BSI

March 14, 2022

The EU-based NEXTA media group has reported that Russia is starting to block VPN services.

Bermuda’s aviation regulator said it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.

The Washington Post reported that agents of Russia's Federal Security Service (FSB, Federalnaya Sluzhba Bezopasnosti) approached Google and Apple executives with requests to remove apps created by activist groups.

Amnesty International said Russian authorities have blocked their Russian-language website.

Threat Intelligence Update

  • Anonymous claims to have hacked the German subsidiary of Russian energy giant Rosneft

Anonymous claimed to have hacked the German subsidiary of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company's systems were significantly affected by the attack, although there currently appears to be no effect on its energy supply.

Source: Security Affairs

  • Russia blocks access to Instagram nationwide

Russia’s internet regulator Roskomnadzor decided to block access to Instagram in the country, following Meta’s decision to allow “calls for violence against Russian citizens.” The agency gave Instagram users 48 hours to prepare and completed the block on March 13. The Instagram block follows the earlier bans on Facebook and Twitter in Russia last week.

Source: Cyber News

March 11, 2022

President Biden, along with the European Union and the Group of Seven Countries, moved to revoke “most favored nation” trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia’s economy.

Threat Intelligence Update

  • Amid difficulties with renewing certificates, Russia has created its own trusted TLS certificate authority

Certificate authorities based in countries that have imposed sanctions on Russia can no longer accept payments from Russian customers, leaving many sites with no practical way to renew expiring certificates. In response, the Russian Ministry of Digital Development announced the availability of domestic certificates to replace expired or revoked foreign ones. The practical caveat: a certificate from this CA is only accepted by clients that trust its root, so browsers and operating systems that do not ship that root will show certificate errors for sites using it, and a user who installs the root manually is trusting that CA to issue certificates for any domain.

Source: Bleeping Computer

  • Triolan, a major Ukrainian internet service provider, was hacked twice

Triolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly hacked first on February 24, with a second attack hitting on March 9. The company reported that the threat actors managed to compromise key components of the network, some of which could not be recovered.

Source: Forbes

March 10, 2022

By order of President Putin, Russia’s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses “abandoned” in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia’s Deposit Insurance Agency.

Russia has effectively legalized patent theft from anyone affiliated with countries “unfriendly” to it, declaring that unauthorized use will not be compensated. The Russian news agency Tass has further reporting on this, as does the Washington Post.

Goldman Sachs Group Inc announced it was closing its operations in Russia, becoming the first major Wall Street bank to exit the country following Moscow’s invasion of Ukraine.

UK Foreign Secretary Liz Truss announced a full asset freeze and travel ban on seven of Russia’s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.

US Vice President Kamala Harris announced nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia’s invasion of Ukraine.

The International Atomic Energy Agency (IAEA) provided an update on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. The IAEA has assured the international community that there has been “no impact on essential safety systems.”

Threat Intelligence Update

  • New malware variant targeting Russia named RURansom

RURansom is a recently discovered malware variant that appears to target Russia. Although initially suspected of being ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely because the malware is aimed at specific entities.

Source: TrendMicro

Available in Threat Library as: RURansom

  • Kaspersky source code leak seems to be just a collection of publicly available HTML files

The hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.

Source: Cybernews

  • Anonymous claims to hack Roskomnadzor, a Russian federal agency

Hacktivist group Anonymous claims to have breached Roskomnadzor, a Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 (817.5 GB) files. Based on the report, the leak contains relatively recent censored documents, dated as late as March 5, and demonstrates Russia’s attempts to censor media related to the conflict in Ukraine.

Source: @AnonOpsSE via Twitter

March 9, 2022

Public policy: Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. The Cyber Incident Reporting for Critical Infrastructure Act of 2022:

  • Will require critical-infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours of determining the incident is significant enough that reporting is required;
  • Will require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours; and
  • Is intended to give federal agencies more insight into attack trends and potentially provide early warnings of major vulnerabilities or attacks in progress before they spread.

The Bank of Russia established temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.

The Financial Crimes Enforcement Network (FinCEN) is alerting all financial institutions to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation’s further invasion of Ukraine.

The Pentagon dismissed Poland’s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was “tenable.”

Threat Intelligence Update

  • Multiple hacking groups target Ukrainians and other European allies via phishing attacks

Several threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and other European entities amid Russia’s invasion of Ukraine.

Source: The Hacker News

Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda

  • The Conti Ransomware group resumes activity following leaks

The Conti Ransomware group appears to have made a comeback following the leak of its internal chats last week. On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti’s onion site, and CISA released new IOCs related to the group on their Conti alert page.

Source: CISA

Available in Threat Library as: Conti

  • The Belarusian group UNC1151 targets Ukrainian organizations using MicroBackdoor malware

Ukraine's CERT (CERT-UA) has reported a continuing cyberattack on Ukrainian state organizations attributed to the Belarus-linked group UNC1151 and using the MicroBackdoor malware. CERT-UA has separately reported a campaign against state organizations of Ukraine using the Formbook stealer.

Source: Ukrainian CERT

Available in Threat Library as: UNC1151

March 8, 2022

The US announced a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK announced it would phase out Russian oil over 2022.

The International Atomic Energy Agency published a statement noting that remote data transmission from monitoring systems at Ukraine’s mothballed Chernobyl nuclear power plant has been lost. No network data has been observed by internet monitoring companies since March 5, 2022.

Chris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided an assessment of two likely trajectories in the Russia-Ukraine conflict.

Twitter announced they have made their social network available on the Tor Project onion service, which will enable greater privacy, integrity, trust, and availability to global users.

The Minister of Foreign Affairs of the Republic of Poland announced they are ready to deploy — immediately and free of charge — all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.

Lumen announced they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.

McDonald’s announced they have temporarily closed 850 restaurants in Russia in response to Russia’s attack on Ukraine.

Starbucks has announced they will be suspending all business in Russia in response to Russia’s attack on Ukraine.

Threat Intelligence Update

  • 52 US organizations were impacted by RagnarLocker ransomware, including critical infrastructure

The FBI reported that, as of January 2022, 52 US-based organizations, some in critical infrastructure sectors, had been affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware checks the infected machine's locale and terminates on systems set to Russian or other post-Soviet locales, so it does not execute in Russia and neighbouring countries.

Source: FBI FLASH

Available in Threat Library as: Ragnar Locker

  • US energy companies were attacked prior to the Russian invasion of Ukraine

During a two-week blitz in mid-February, hackers gained access to dozens of computers belonging to multiple US-based energy companies, including Chevron Corp., Cheniere Energy Inc., and Kinder Morgan Inc. The intrusions took place in the run-up to the Russian invasion of Ukraine.

Source: Bloomberg

  • European officials were hacked by Chinese threat actors amid the conflict in Ukraine

According to Google and Proofpoint, the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually target Southeast Asian countries, launched a cyberattack in which they gained access to the email account of an unnamed diplomatic entity in a European NATO member state and used it to spread malware to other diplomatic offices.

Source: Forbes

Available in Threat Library as: Mustang Panda

  • #OpAmerica: DEVLIX_EU, a pro-Russian hacktivist group, and its affiliates claim to have gained access to terabytes of US sensitive data

The group claims to have obtained access to 92 TB of data related to the US Army. According to the group, it also hacked four of the biggest hosting providers in the US and took 49 TB of data. So far, the group has provided no evidence for either claim.

Source: @Ex_anon_W_hater via Twitter

March 7, 2022

Netflix, KPMG, PwC, and EY have cut ties with local units in Russia, and Danone suspended investments in Russia.

The Russian government has published a list of foreign states that have committed “unfriendly actions” against “Russia, Russian companies, and citizens.” Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.

The Russian government’s Ministry of Digital Development issued orders for all government websites to use only domestic hosting providers and DNS. It further instructed agencies to stop using non-Russian third-party tooling, such as Google Analytics.

TikTok is suspending content from Russia in response to the country cracking down on reporting about the invasion of Ukraine.

Threat Intelligence Update

  • Anonymous-affiliated threat actor claims to have hacked and shut down water infrastructure in Russia

The AnonGhost group claims to have hacked and shut down two Russian SCADA water-supply systems serving the Russian towns of Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.

Source: @darkowlcyber via Twitter

Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)

  • Anonymous claims to hack Russian TV services to broadcast footage of the war with Ukraine

According to Anonymous, the Russian live TV channels Russia 24, Channel One, and Moscow 24, as well as the Netflix-like streaming services Wink and Ivi, were hacked to broadcast footage of the war in Ukraine.

Source: @YourAnonNews via Twitter

March 4, 2022

The NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that Ukraine will join the group as a “contributing participant,” indicating that “Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.”

Ukraine’s deputy chief of their information protection service noted in a Friday briefing that over 400,000 individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.

Threat Intelligence Update

  • Russia blocked access to social media platforms and Western news sites

Russia has blocked its residents' access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. In response, the BBC is now providing access to its website via a Tor onion service and has reinstated its shortwave broadcast service.

Source: Reuters

  • Anonymous-affiliated threat actor claims to have hacked and leaked data from a Russian federal institution

An Anonymous-affiliated actor published what it claims is data taken from a Russian federal institution, described in the post as the Federal Guard Service of the Russian Federation: names, usernames, email addresses, and hashed passwords of people at the institution.

Source: @PucksReturn via Twitter

  • Anonymous takes down multiple Russian government websites

Anonymous claims responsibility for the takedown of a large number of Russian Government websites including one of the main government websites, gov.ru. Most of the websites are still down as of Friday afternoon, March 4.

Source: @Anonynewsitaly via Twitter

March 3, 2022

Additional sanctions: The US Treasury Dept. announced another round of sanctions on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.

Public policy: The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. Most recently, that includes

  • **Incident reporting law:** Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents to CISA, as well as ransomware payments. The US House is now considering fast-tracking this bill, which means it may become law quite soon.
  • **FCC inquiry on BGP security:** “[E]specially in light of Russia’s escalating actions inside of Ukraine,” the FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP), which is central to the Internet’s global routing system.

CISA threat advisory: CISA recently reiterated that it is aware of no specific, credible threat against the US at this time. It continues to point to its Shields Up advisory for resources and updates related to the Russia-Ukraine conflict.

Threat Intelligence Update

  • An Anonymous-affiliated hacking group claims to have hacked a branch of the Russian military and Rosatom, the Russian State Atomic Energy Corporation

The hacktivist group Anonymous and an affiliate claim to have hacked and leaked the phone directory of the military prosecutor’s office of Russia's Southern Military District, as well as documents from the Rosatom State Atomic Energy Corporation.

Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)

  • A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military.

The threat actor “Lenovo” claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.

Source: XSS forum (discovered by our threat hunters on the dark web)

  • An Anonymous-associated hacktivist group took down the popular Russian news website lenta.ru

As part of the OpRussia campaign, an Anonymous-affiliated hacktivist group known as “El_patron_real” took down lenta.ru, one of the most popular Russian news websites. As of Thursday afternoon, March 3, the website is still down.

Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)

Additional reading:
