Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings. - The types of attacks that have been targeting Ukraine for the past few months - The results of analysis on destructive attacks and malware (HermeticWiper, etc...) - How organizations can defend themselves against cyberattacks GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.

1. 2022
Webinar:
Ukraine cyber attacks analysis
Kurt Baumgartner, Dan Demeter
Ivan Kwiatkowski, Marco Preuss, Costin Raiu
Global Research and Analysis Team, Kaspersky

2. A historical overview of
cyberattacks in Ukraine

3. 3 |
Historical overview of cyberattacks in Ukraine
● 2014 BlackEnergy APT - routers hack, elections
● Oct 2014 CyberBerkut leaks; Ukrainian Central Election
Commission DDoS attacks
● Dec 2015 Powergrid attack - BlackEnergy3, KillDisk
● Dec 2016 Industroyer attack - ICS functionality
● Jun 2017 NotPetya attack - supply chain
● Oct 2017 BadRabbit attack - FlowerDandy framework
● 2018 - Hades cyberespionage
● 2019-2022 - spike in Gamaredon / Armageddon ops

4. 4 |
APT name First active Currently active in UA
RedOctober 2007 No
Dukes .. APT29 2013 Unknown
Turla 2008 No
Sofacy / APT28 2008 Yes
CrouchingYeti / E.B. 2010 No
BlackEnergy APT (BE2,3) 2013-2014 No
Hades / Sandworm / Telebots 2015 Unknown
Gamaredon 2013 Yes, highly active
UNC1151 / Ghostwriter 2016 Yes
Historical overview of cyberattacks in Ukraine

5. 5 |
Overview of current
cyber activity
in Ukraine Known APT
activity

6. 6 |
Timeline of recent cyberattacks in Ukraine
21-23 Dec
2021
WhisperGate test variants
Custom wiper being developed
and tested.
28 Dec
2021
HermeticWiper
compiled
Sophisticated wiper
being developed and
final version compiled.
13 Jan
2022
WhisperGate deployed
Custom wiper deployed on a low
number of Ukraine
organizations.
14 Jan
2022
Ukraine websites hack
Multiple UA gov websites
hacked to display that
citizen data has been
compromised.
23 Feb
2022
HermeticWiper,
HermeticWizard,
Hermetic Ransom
Sophisticated
destructive malware
deployed on Ukraine
organizations.
24 Feb
2022
IsaacWiper
Another custom wiper deployed
in UA gov networks.

7. Network level attacks

8. 8 |
Honeypots
Total: 20,905 unique attacking IP addresses
of which 11,735 were only observed at UA-Sensors (so far)

9. 9 |
Daily malicious sessions

10. 10 |
Source IP Geolocation
Origin Hits
China 4090
United States 2147
Russian Federation 470
India 414
United Kingdom 373
Singapore 333
Germany 294
Korea, Republic of 260
Netherlands 248
Others 3097

11. 11 |
Attacked services (ports)
Rank Port Service
1 23 Telnet
2 22 SSH
3 80 HTTP
4 465 SMTP over TLS
5 21 FTP
6 25 SMTP
7 443 HTTPS
10 8080 Apache Tomcat
11 6379 Redis Database
12 8443 Apache Tomcat
13 8081 alternative HTTP
14 9000 different IoT-Devices/Router
15 7547 TR-069 (Router remote control)
18 37215 Router
21 10000 ICS related, div. Management Software
23 49152 different IoT-Devices/Routers
26 37777 IP-Camera

12. 12 |
Attacked services (credentials)
Username Service
gpadmin Greenplum Database
nagios Nagios Monitoring
tomcat Tomcat (webserver)
smmsp Sendmail
netscreen Router
CUAdmin Voicemail&Messaging
yhtcAdmin Modem
gdcuadmin Router
e8ehome1 Router
TMAR#DLKT20060205 Router
nmgcuadmin Router

13. 13 |
Attacked services (paths)
Path Service
cgi-bin/hi3510/param.cgi IP Camera
global-....../login.esp Management Solution
wp-content/plugins Wordpress CMS
phpMyAdmin/index.php phpMyAdmin
laravel/vendor/ laravel (PHP Framework)
-unspecified- OWA
/zabbix/ IT Monitoring System
/remote/fgt Firewall management
luci-static/top-iot OpenWRT Router UI
com.atlassian.jira/jira-webapp-dist Project Management
microsoft.exchange. Microsoft Exchange

14. 14 |
IOCs
We will share collected IOCs
publicly after the webinar.

15. Known and unknown APT attacks
• Gamaredon
• Hades/Sandorm - CyclopsBlink
• PandoraBlade
• Unknown attacks relying on commodity malware / RATs

16. 16 |
Gamaredon

17. 17 |
Gamaredon
● Seemingly low urgency offensive efforts (lack of 0day,
technical capability)
● Highly active
● Changing, clumsy, low tech malware set
○ Macro-enabled malicious documents
○ Multi-stage infection and process initiation chain - malicious LNK via removable/network drives,
Powershell, scheduled tasks, VBScripts, Sfx executables
○ modified uVNC, DStealer (custom filestealer, June/July 2021 peak)
○ Simple http communications
● Targeting in waves - every couple months
● Targeting profiles include:
○ Telecoms
○ Court systems, law enforcement (anti-corruption related)

18. 18 |
Gamaredon
● Inexpensive, minor changes in infection chain into 2022
● malicious LNK, VBScript, scheduled tasks, malicious HTA
● Re-use of “desktop.ini” filename since 2017 (used for 2017 configuration files)
○ Sept 2021 - March 2022 “desktop.ini” use - obfuscated vbscript delivery via removable
drives

19. 19 |
Gamaredon
● Interesting overlap with CERT-UA
incident here (dependency on LNK ->
VBScript “desktop.ini” process initiation
chain)
https://cert.gov.ua/article/37626, https://media.kasperskycontenthub.com/wp-
content/uploads/sites/43/2018/03/08083618/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

20. 20 |
Cyclops Blink, Hades/Sandworm
https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

21. 21 |
Pandora RAT / PandoraBlade
● Spearphishing campaigns
● Запит від СБУ (виконання до
25.02.2022).rar
● “План евакуації
(затверджений СБУ
28.02.2022 Наказом №
009363677833).rar”, which can
be roughly translated to
“Evacuation plan (approved by
the Security Service of Ukraine
on February 28, 2022 by Order
No. 009363677833)”

22. 22 |
Other examples
feukslpost.mil.gov.ua.zip
n.lashevychdirekcy.atom.gov.ua.zip
sadovska-iiutg.ua.zip
pumbaarbitr.gov.ua.rar
...

23. 23 |
MicroBackdoor (UNC1151?)
довідка.zip -> dovidka.chm

24. Wipers, fake ransomware
• WhisperGate
• HermeticWiper
• IsaacWiper
• HermeticRansom

25. 25 |
WhisperGate

26. 26 |
IsaacWiper

27. 27 |
HermeticRansom / PartyTicket / Elections GoRansom

28. 28 |
HermeticWiper + HermeticWizard
Image source:
MalwareBytes
- Digitally signed
- Abuses a legitimate driver
- Data fragmentation
- Very complex NTFS parsing
- Independent spreading utility

29. Unknown or unattributed attacks
• Viasat / satellite hacks

30. ● On Feb 24th, around 4am UTC, thousands of
Viasat satellite modems (eg. Surfbeam 2)
stopped working
● Modems are “bricked”, lights won’t turn on
● Collateral damage
● Result of “cyber event”. LEA investigating.

31. ● “Viasat is experiencing a partial network outage — impacting internet service for fixed
broadband customers in Ukraine and elsewhere on our European KA-SAT network,”
● Viasat provides KA-SAT service
● 5,800 of Enercon’s turbines, with 11GW of total capacity, have been affected
● Overall 30,000+ terminals in Europe were believed to have been affected
● Timing makes it unlikely to be a “random occurrence”
● Possible causes:
○ Malicious update
○ Remote hack / 0-day via SAT
○ Remote hack via internet
○ Collateral damage from other ops
The Viasat “cyber event”

32. Hacktivism and
cybercriminals turned
hacktivists

33. 33 |
Hacktivism and cybercriminals turned hacktivists

34. 34 |
Raidforums, Cyber-Partisans, IT ARMY of Ukraine

35. 35 |
Hacktivists & other parties
Open UA support Open RU support Neutral
RaidForums Conti ransomware Lockbit ransomware
Anonymous collective CoomingProject ransomware ALPHV ransomware
IT ARMY of Ukraine Stormous ransomware
Belarusian Cyber-Partisans KILLNET
AgainstTheWest
NB65
Squad303
Kelvinsecurity + ...

36. 36 |
Summary and outlook
● We expect the number of cyber attacks in Ukraine will increase during the next 6 months
● Most of the current attacks are low complexity - to hinder attribution?
○ DDoS attacks, commodity rats
● More sophisticated attacks exist as well
○ Viasat “cyber event”
○ HermeticWiper
● The risk of the conflict spilling into the west is medium-high
● Most active APT groups - Gamaredon, UNC1151
● Companies need to take typical measures against:
○ DDoS attacks and network connectivity, ransomware and destructive malware (backups),
phishing (MFA), targeted attacks, supply chain attacks, firmware attacks
● Integrate Threat Intelligence into SOC, EDR
○ Leverage IOCs, Yara, Suricata and Sigma rules

37. Thank you!