Cyberattacks are a distinct concern in the Russia-Ukraine conflict, with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.
Each business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.
Ukrainian President Volodymyr Zelenskyy delivered a virtual speech to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support.
The White House released a new fact sheet detailing an additional $800 million in security assistance to Ukraine.
Threat Intelligence Update
SentinelOne researchers reported that UAC-0056 targeted Ukrainian entities using a malicious Python-based package, masquerading as a Ukrainian language translation software. Once installed, the fake app deployed various malware, such as Cobalt Strike, GrimPlant, and GraphSteel.
Source: SentinelOne
The Security Service of Ukraine claimed to have arrested a hacker who helped relay communications from within Russia to Russian troops operating on Ukrainian territory. The hacker also sent text messages to Ukrainian security officers and civil servants, exhorting them to surrender.
Source: The Verge
The Ukrainian Ministry of Defense leaked documents of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.
Researchers at INFOdocket, a subsidiary of Library Journal, have created a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. The resource will be updated as each of the three organizations releases relevant new content.
The Wall Street Journal is reporting that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country.
Russia may default on $117 million (USD) in interest payments on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.
Reuters is reporting that Russia’s delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings.
CNN reports that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and “individuals associated with them,” according to a statement issued by the Russian Foreign Ministry on Tuesday.
Threat Intelligence Update
CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges.
Source: CISA
Ukraine’s Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download “critical security updates,” which come in the form of a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.”
Source: BleepingComputer/CERT-UA
Cybersecurity researchers observed the new CaddyWiper malware targeting Ukrainian organizations. Once deployed, CaddyWiper overwrites and destroys data on any drives attached to the compromised system. Despite being released in close proximity to other wiping malware targeting Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper does not share any significant code similarities with them and appears to have been created separately.
Source: BleepingComputer
The German Federal Office for Information Security (BSI) issued an alert urging citizens to replace Kaspersky antivirus software with an alternative product, citing alleged ties to the Kremlin. The agency suggested Kaspersky could be used as a tool in the cyber conflict between Russia and Ukraine.
Source: BSI
The EU-based NEXTA media group has reported that Russia is starting to block VPN services.
Bermuda’s aviation regulator said it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.
The Washington Post reported that agents of Russia’s Federal Security Service (FSB, Federalnaya Sluzhba Bezopasnosti) approached Google and Apple executives with requests to remove apps created by activist groups.
Amnesty International said Russian authorities have blocked its Russian-language website.
Threat Intelligence Update
Anonymous claimed to have hacked the German branch of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company’s systems were significantly affected by the attack, although there currently appears to be no effect on the company’s energy supply.
Source: Security Affairs
Russia’s internet regulator Roskomnadzor decided to block Instagram access in the country, following Meta’s decision to allow “calls for violence against Russian citizens.” The federal agency gave Instagram users 48 hours to prepare and completed the block on March 13. The blocking of Instagram follows the ban of Facebook and Twitter in Russia last week.
Source: Cybernews
President Biden, along with the European Union and the Group of Seven Countries, moved to revoke “most favored nation” trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia’s economy.
Threat Intelligence Update
Certificate authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services from Russian customers, leaving many sites with no practical means to renew expiring certificates. As a result, the Russian Ministry of Digital Development announced the availability of domestic certificates to replace expired or revoked foreign certificates.
Source: BleepingComputer
Triolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly first hacked on February 24, with a second attack on March 9. The company reported that the threat actors managed to compromise key components of the network, some of which could not be recovered.
Source: Forbes
By order of President Putin, Russia’s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses “abandoned” in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia’s Deposit Insurance Agency.
Russia has effectively legalized patent theft from anyone affiliated with countries “unfriendly” to it, declaring that unauthorized use will not be compensated. The Russian news agency Tass has further reporting on this, as does the Washington Post.
Goldman Sachs Group Inc announced it was closing its operations in Russia, becoming the first major Wall Street bank to exit the country following Moscow’s invasion of Ukraine.
UK Foreign Secretary Liz Truss announced a full asset freeze and travel ban on seven of Russia’s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.
US Vice President Kamala Harris announced nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia’s invasion of Ukraine.
The International Atomic Energy Agency (IAEA) provided an update on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. The IAEA has assured the international community that there has been “no impact on essential safety systems.”
Threat Intelligence Update
RURansom is a recently discovered malware variant that appears to be targeting Russia. While it was initially suspected of being ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely because the malware targets specific entities.
Source: Trend Micro
Available in Threat Library as: RURansom
The hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.
Source: Cybernews
Hacktivist group Anonymous claims to have breached Roskomnadzor, the Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 files (817.5 GB). Based on the report, the leak contains relatively recent censorship documents, dated as late as March 5, and demonstrates Russia’s attempts to censor media coverage of the conflict in Ukraine.
Source: @AnonOpsSE via Twitter
Public policy: Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. The Cyber Incident Reporting for Critical Infrastructure Act of 2022:
The Bank of Russia established temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.
The Financial Crimes Enforcement Network (FinCEN) is alerting all financial institutions to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation’s further invasion of Ukraine.
The Pentagon dismissed Poland’s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was “tenable.”
Threat Intelligence Update
Several threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and other European entities amid Russia’s invasion of Ukraine.
Source: The Hacker News
Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda
The Conti Ransomware group appears to have made a comeback following the leak of its internal chats last week. On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti’s onion site, and CISA released new IOCs related to the group on their Conti alert page.
Source: CISA
Available in Threat Library as: Conti
The Ukrainian government has reported an ongoing cyberattack against Ukrainian state organizations using the Formbook malware.
Source: Ukrainian CERT
Available in Threat Library as: UNC1151
The US announced a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK announced it would phase out Russian oil over 2022.
The International Atomic Energy Agency published a statement noting that remote data transmission from monitoring systems at Ukraine’s mothballed Chernobyl nuclear power plant has been lost. No network data has been observed by internet monitoring companies since March 5, 2022.
Chris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided an assessment of two likely trajectories in the Russia-Ukraine conflict.
Twitter announced that it has made its social network available as a Tor Project onion service, which will provide greater privacy, integrity, trust, and availability to global users.
The Minister of Foreign Affairs of the Republic of Poland announced they are ready to deploy — immediately and free of charge — all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.
Lumen announced they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.
McDonald’s announced they have temporarily closed 850 restaurants in Russia in response to Russia’s attack on Ukraine.
Starbucks has announced they will be suspending all business in Russia in response to Russia’s attack on Ukraine.
Threat Intelligence Update
The FBI reported that as of January 2021, 52 US-based organizations, some related to critical infrastructure, were affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware checks a geolocation indicator embedded in its code and will not execute in post-Soviet countries, including Russia.
Source: FBI FLASH
Available in Threat Library as: Ragnar Locker
During a two-week blitz in mid-February, hackers gained access to dozens of computers belonging to multiple US-based energy companies, including Chevron Corp., Cheniere Energy Inc., and Kinder Morgan Inc. The attacks coincided with the Russian invasion of Ukraine.
Source: Bloomberg
According to Google and Proofpoint, a cyberattack was launched by the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually target Southeast Asian countries. The groups managed to gain access to an email account belonging to an unidentified European NATO member and used it to spread malware to other diplomatic offices.
Source: Forbes
Available in Threat Library as: Mustang Panda
A group posting on Twitter claims to have obtained access to 92 TB of data related to the US Army. According to the group, it also hacked into four of the biggest “hosts” in the US and obtained 49 TB of data. As of now, the group has provided no real evidence of the attack.
Source: @Ex_anon_W_hater via Twitter
Netflix, KPMG, PwC, and EY have cut ties with local units in Russia, and Danone suspended investments in Russia.
The Russian government has published a list of foreign states that have committed “unfriendly actions” against “Russia, Russian companies, and citizens.” Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.
The Russian government’s Ministry of Digital Development issued orders for all government websites to use only domestic hosting providers and DNS. It further instructed agencies to discontinue use of non-Russian third-party tooling, such as Google Analytics.
TikTok is suspending content from Russia in response to the country cracking down on reporting about the invasion of Ukraine.
Threat Intelligence Update
The AnonGhost group claims to have hacked and shut down two Russian SCADA water-supply systems serving the Russian cities of Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.
Source: @darkowlcyber via Twitter
Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)
The Russian live TV channels Russia 24, Channel One, and Moscow 24, as well as the Netflix-like streaming services Wink and Ivi, have been hacked to broadcast footage of the war in Ukraine, according to Anonymous.
Source: @YourAnonNews via Twitter
The NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that Ukraine will join the group as a “contributing participant,” indicating that “Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.”
The deputy chief of Ukraine’s information protection service noted in a Friday briefing that over 400,000 individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.
Threat Intelligence Update
Russia has blocked its residents’ access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. In response, the BBC is now providing access to its website via the dark web and has reinstated its shortwave broadcast service.
Source: Reuters
The Federal Guard Service of the Russian Federation was hacked by Anonymous. The group published leaked names, usernames, email addresses, and hashed passwords of the institution’s personnel.
Source: @PucksReturn via Twitter
Anonymous claims responsibility for the takedown of a large number of Russian government websites, including one of the main government sites, gov.ru. Most of the websites were still down as of Friday afternoon, March 4.
Source: @Anonynewsitaly via Twitter
Additional sanctions: The US Treasury Dept. announced another round of sanctions on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.
Public policy: The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. Most recently, that includes
CISA threat advisory: CISA recently reiterated that it has no specific, credible threat against the U.S. at this time. It continues to point to its Shields Up advisory for resources and updates related to the Russia-Ukraine conflict.
Threat Intelligence Update
The hacktivist group Anonymous and an affiliate have hacked and leaked the phone directory of the military prosecutor’s office of Russia’s Southern Military District, as well as documents from the Rosatom State Atomic Energy Corporation.
Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)
The threat actor “Lenovo” claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.
Source: XSS forum (discovered by our threat hunters on the dark web)
As part of the OpRussia cyberattack campaign, an Anonymous-affiliated hacktivist group known as “El_patron_real” took down one of the most popular Russian news websites, lenta.ru. As of Thursday afternoon, March 3, the website was still down.
Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)