Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share its observations and analysis of the most recent cyberattacks targeting Ukraine, covering:
- The types of attacks that have been targeting Ukraine for the past few months
- The results of analysis of destructive attacks and malware (HermeticWiper, etc.)
- How organizations can defend themselves against cyberattacks
GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world who work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends.
A look at current cyberattacks in Ukraine
Webinar: Ukraine cyber attacks analysis (2022)
Kurt Baumgartner, Dan Demeter, Ivan Kwiatkowski, Marco Preuss, Costin Raiu
Global Research and Analysis Team, Kaspersky
Historical overview of cyberattacks in Ukraine
● 2014 BlackEnergy APT - router hacks, elections
● Oct 2014 CyberBerkut leaks; Ukrainian Central Election Commission DDoS attacks
● Dec 2015 Power grid attack - BlackEnergy3, KillDisk
● Dec 2016 Industroyer attack - ICS functionality
● Jun 2017 NotPetya attack - supply chain
● Oct 2017 BadRabbit attack - FlowerDandy framework
● 2018 - Hades cyberespionage
● 2019-2022 - spike in Gamaredon / Armageddon ops
Historical overview of cyberattacks in Ukraine (continued): APT groups

APT name                        First active   Currently active in UA
RedOctober                      2007           No
Dukes / APT29                   2013           Unknown
Turla                           2008           No
Sofacy / APT28                  2008           Yes
CrouchingYeti / E.B.            2010           No
BlackEnergy APT (BE2, BE3)      2013-2014      No
Hades / Sandworm / Telebots     2015           Unknown
Gamaredon                       2013           Yes, highly active
UNC1151 / Ghostwriter           2016           Yes
Overview of current cyber activity in Ukraine: known APT activity
Timeline of recent cyberattacks in Ukraine
● 21-23 Dec 2021 - WhisperGate test variants: custom wiper being developed and tested.
● 28 Dec 2021 - HermeticWiper compiled: sophisticated wiper being developed and final version compiled.
● 13 Jan 2022 - WhisperGate deployed: custom wiper deployed on a low number of Ukrainian organizations.
● 14 Jan 2022 - Ukraine websites hack: multiple UA government websites hacked to display that citizen data has been compromised.
● 23 Feb 2022 - HermeticWiper, HermeticWizard, Hermetic Ransom: sophisticated destructive malware deployed on Ukrainian organizations.
● 24 Feb 2022 - IsaacWiper: another custom wiper deployed in UA government networks.
Source IP geolocation

Origin                 Hits
China                  4090
United States          2147
Russian Federation      470
India                   414
United Kingdom          373
Singapore               333
Germany                 294
Korea, Republic of      260
Netherlands             248
Others                 3097
Pandora RAT / PandoraBlade
● Spearphishing campaigns
● Lure archive “Запит від СБУ (виконання до 25.02.2022).rar”, roughly “Request from the SBU (to be executed by 25.02.2022).rar”
● Lure archive “План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).rar”, which can be roughly translated to “Evacuation plan (approved by the Security Service of Ukraine on February 28, 2022 by Order No. 009363677833)”
The Viasat “cyber event”
● On Feb 24th, around 4am UTC, thousands of Viasat satellite modems (e.g. SurfBeam 2) stopped working
● Modems are “bricked”: lights won’t turn on
● Collateral damage
● Result of a “cyber event”; law enforcement (LEA) investigating
● Viasat statement: “Viasat is experiencing a partial network outage — impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network”
● Viasat provides the KA-SAT service
● 5,800 of Enercon’s wind turbines, with 11 GW of total capacity, have been affected
● Overall 30,000+ terminals in Europe were believed to have been affected
● Timing makes it unlikely to be a “random occurrence”
● Possible causes:
  ○ Malicious update
  ○ Remote hack / 0-day via SAT
  ○ Remote hack via internet
  ○ Collateral damage from other ops
Hacktivists & other parties
● Open UA support: RaidForums, Anonymous collective, IT ARMY of Ukraine, Belarusian Cyber-Partisans, AgainstTheWest, NB65, Squad303, Kelvinsecurity, + ...
● Open RU support: Conti ransomware, CoomingProject ransomware, Stormous ransomware, KILLNET
● Neutral: Lockbit ransomware, ALPHV ransomware
Summary and outlook
● We expect the number of cyber attacks in Ukraine to increase during the next 6 months
● Most of the current attacks are low complexity (to hinder attribution?)
  ○ DDoS attacks, commodity RATs
● More sophisticated attacks exist as well
  ○ Viasat “cyber event”
  ○ HermeticWiper
● The risk of the conflict spilling into the West is medium-high
● Most active APT groups: Gamaredon, UNC1151
● Companies need to take typical measures against:
  ○ DDoS attacks and loss of network connectivity, ransomware and destructive malware (backups), phishing (MFA), targeted attacks, supply chain attacks, firmware attacks
● Integrate Threat Intelligence into SOC and EDR
  ○ Leverage IOCs, Yara, Suricata and Sigma rules
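The closing recommendation, feeding IOCs from threat intelligence into the SOC and EDR, is the one point in this deck that a worked example can make concrete. The Python below is an added example and not code from Kaspersky or GReAT: it loads a small CSV indicator feed (sha256 hash, domain, CIDR range, lure-filename substring) and sweeps it across a handful of SOC-style event records, normalizing case and trailing dots, matching subdomains of a listed domain, and rejecting malformed hash entries rather than silently never matching them. The CSV shape, the event field names and the matching rules are assumptions for the example; every hash, domain, IP range and host name is a constructed placeholder, not a real HermeticWiper or Pandora RAT indicator. The only real artefact reused is the spearphishing lure filename quoted earlier in the deck, used here as a sample mail attachment name.

```python
"""IOC sweep over SOC events. Added example; indicator values are constructed placeholders."""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed indicator feed (assumed CSV shape: type,value,label). Not real IOCs.
IOC_FEED = """\
type,value,label
sha256,0d1a4f2e8c3b6a9d7e5f0c1b2a3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d,wiper-sample-placeholder
domain,update-service.example,rat-c2-placeholder
cidr,198.51.100.0/24,rat-c2-placeholder
filename,запит від сбу,spearphish-lure-placeholder
"""


@dataclass
class IocSet:
    hashes: dict = field(default_factory=dict)     # sha256 (lowercase) -> label
    domains: dict = field(default_factory=dict)    # domain (lowercase, no trailing dot) -> label
    networks: list = field(default_factory=list)   # [(ip_network, label), ...]
    filenames: dict = field(default_factory=dict)  # casefolded substring -> label


def load_iocs(feed_text: str) -> IocSet:
    """Parse the feed, normalizing values so that case or a trailing dot never hides a match."""
    iocs = IocSet()
    for row in csv.DictReader(io.StringIO(feed_text)):
        kind, value, label = row["type"].strip().lower(), row["value"].strip(), row["label"].strip()
        if kind == "sha256":
            hexval = value.lower()
            if len(hexval) != 64 or any(c not in "0123456789abcdef" for c in hexval):
                raise ValueError(f"malformed sha256 indicator: {value!r}")
            iocs.hashes[hexval] = label
        elif kind == "domain":
            iocs.domains[value.lower().rstrip(".")] = label
        elif kind == "cidr":
            iocs.networks.append((ipaddress.ip_network(value, strict=False), label))
        elif kind == "filename":
            iocs.filenames[value.casefold()] = label
        else:
            raise ValueError(f"unknown indicator type: {kind!r}")
    return iocs


def _domain_hit(name: str, iocs: IocSet):
    """Match the listed domain itself or any subdomain of it (cdn.update-service.example)."""
    name = name.lower().rstrip(".")
    for dom, label in iocs.domains.items():
        if name == dom or name.endswith("." + dom):
            return label
    return None


def match_event(event: dict, iocs: IocSet):
    """Return (indicator_type, label) if the event hits an indicator, else None."""
    kind = event["kind"]
    if kind == "file":                      # EDR file-creation/execution telemetry
        label = iocs.hashes.get(event["sha256"].lower())
        return ("sha256", label) if label else None
    if kind == "dns":                       # resolver / DNS query logs
        label = _domain_hit(event["query"], iocs)
        return ("domain", label) if label else None
    if kind == "net":                       # firewall / proxy connection logs
        ip = ipaddress.ip_address(event["dst_ip"])
        for net, label in iocs.networks:
            if ip in net:
                return ("cidr", label)
        return None
    if kind == "mail":                      # mail gateway attachment names (spearphishing lures)
        name = event["attachment"].casefold()
        for needle, label in iocs.filenames.items():
            if needle in name:
                return ("filename", label)
        return None
    return None


def sweep(events, iocs: IocSet):
    """Run every event through the indicator set and return the hits with their context."""
    hits = []
    for ev in events:
        m = match_event(ev, iocs)
        if m:
            hits.append({"host": ev["host"], "indicator": m[0], "label": m[1], "event": ev})
    return hits


# Constructed sample events; hosts, paths and addresses are placeholders.
SAMPLE_EVENTS = [
    {"kind": "file", "host": "ws-17", "path": r"C:\Users\Public\cl.exe",
     "sha256": "0D1A4F2E8C3B6A9D7E5F0C1B2A3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D"},  # uppercase on purpose
    {"kind": "dns", "host": "ws-17", "query": "cdn.update-service.example."},      # subdomain, trailing dot
    {"kind": "net", "host": "srv-03", "dst_ip": "198.51.100.42", "dst_port": 443},
    {"kind": "net", "host": "srv-03", "dst_ip": "203.0.113.9", "dst_port": 443},   # outside listed range
    {"kind": "mail", "host": "mx-01", "attachment": "Запит від СБУ (виконання до 25.02.2022).rar"},
    {"kind": "file", "host": "ws-02", "path": r"C:\Windows\notepad.exe", "sha256": "f" * 64},
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS, load_iocs(IOC_FEED)):
        print(f"{hit['host']}: {hit['indicator']} -> {hit['label']}")
```

Run stand-alone it reports four hits (the hash, the subdomain, the in-range connection and the lure attachment) and stays silent on the two benign events. The normalization steps are where real sweeps usually fail: EDR products emit hashes in mixed case, resolvers log a trailing dot, and C2 domains rotate subdomains under a listed parent, so each of those is handled explicitly rather than relying on exact string equality.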