Ukraine-Russia cyber war

Ukraine and Russia seem to be, at the moment, in both a traditional and a cyber war; we could call that hybrid warfare. We are at a cyber war. Countless examples exist of damage to infrastructure from hostile acts via computer attacks. Russia’s invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional “boots on the ground” — and a slightly more unconventional, digital or cyberwar. On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. Russia started to conduct attacks on Ukraine on February 24. Before the physical attacks, Russia carried out several cyber attacks on IT systems in Ukraine.

Here are links to some material on the cyber side of this war:

How the Eastern Europe Conflict Has Polarized Cyberspace
The war between Russia and Ukraine is advancing. People everywhere are deciding who they will support. The same dynamic happens in the cyberspace. Hacktivists, cybercriminals, white hat researchers or even technology companies are picking a clear side, emboldened to act on behalf of their choices. Historically, Russia has had superiority over Ukraine in the cyberspace. And last week, Ukraine was attacked by destructive wiping malware. However, the situation is starting to change, as most of the non-nation cyber state actors are taking the side of Ukraine. To defend itself, the Ukrainian government has created an international IT army of hacktivists.

As war escalates in Europe, it’s ‘shields up’ for the cybersecurity industry
In unprecedented times, even government bureaucracy moves quickly. As a result of the heightened likelihood of cyberthreat from Russian malactor groups, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — issued an unprecedented warning recommending that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”

Digital technology and the war in Ukraine
All of us who work at Microsoft are following closely the tragic, unlawful and unjustified invasion of Ukraine. This has become both a kinetic and digital war, with horrifying images from across Ukraine as well as less visible cyberattacks on computer networks and internet-based disinformation campaigns. We are fielding a growing number of inquiries about these aspects and our work, and therefore we are putting in one place a short summary about them in this blog. This includes four areas: protecting Ukraine from cyberattacks; protection from state-sponsored disinformation campaigns; support for humanitarian assistance; and the protection of our employees. Also:

Ukraine: Cyberwar creates chaos, ‘it won’t win the war’
There have been at least 150 cyberattacks in Ukraine since Russia’s invasion. Their effect is mainly psychological, and experts say they won’t decide the war.
Russia’s invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional “boots on the ground” — and a slightly more unconventional, digital or cyberwar.
The global technology company Microsoft has said its Threat Intelligence Center (MSTIC) detected “destructive cyberattacks directed against Ukraine’s digital infrastructure” hours before the first launch of missiles or movement of tanks on February 24.
Those attacks, which Microsoft dubbed FoxBlade, included so-called wipers — malicious software or malware — that make their way inside computer networks and literally wipe the data from all connected devices.
Cybersecurity experts in Germany have said there have been over a hundred cyberattacks, in various forms, since then. But their effect has mainly been psychological.

Why Russia Hasn’t Launched Major Cyber Attacks Since the Invasion of Ukraine
In the relatively short and rapidly evolving history of cyber conflict, perhaps nothing has been established with greater certainty and more widely accepted than the idea that Russia has significant cyber capabilities and isn’t afraid to use them—especially on Ukraine. In 2015, Russian government hackers breached the Ukrainian power grid, leading to widespread outages. In 2017, Russia deployed the notorious NotPetya malware via Ukrainian accounting software and the virus quickly spread across the globe costing businesses billions of dollars in damage and disruption.
As tensions escalated between Russia and Ukraine, many people were expecting the conflict to have significant cyber components.
But as the invasion continues with few signs of any sophisticated cyber conflict, it seems less and less likely that Russia has significant cyber capabilities in reserve, ready to deploy if needed. Instead, it begins to look like Russia’s much vaunted cyber capabilities have been neglected in recent years, in favor of developing less expensive, less effective cyber weapons that cause less widespread damage and are considerably easier to contain and defend against. For instance, many of the cyberattacks directed at Ukraine in the past month have been relatively basic distributed denial-of-service attacks.
Given Russia’s past willingness to deploy cyberattacks with far-reaching, devastating consequences, it would be a mistake to count out their cyber capabilities just because they have so far proven unimpressive. And it’s all but impossible to prove the absence of cyber weapons in a nation’s arsenal. But the longer the conflict goes on without any signs of sophisticated cyber sabotage, the more plausible it becomes that the once formidable Russian hackers are no longer playing a central role in the country’s military operations.

Crowd-sourced attacks present new risk of crisis escalation
An unpredictable and largely unknown set of actors present a threat to organizations, despite their sometimes unsophisticated techniques.
Customers who are typically focused on top-tier, state-sponsored attacks should remain aware of these highly motivated threat actors, as well. Misattribution of these actors carries the risk of nations escalating an already dangerous conflict in Ukraine. Based on data from our fellow researchers at Cisco Kenna, customers should be most concerned about threat actors exploiting several recently disclosed vulnerabilities, highlighting the importance of consistently updating software and related systems.

Russia, Ukraine and the Danger of a Global Cyberwar
On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. At the time of writing, it is not yet a full invasion of Ukraine, but Russia did conduct attacks on February 24, hitting cities with airstrikes and artillery in what was called a “special military operation” by Russian President Vladimir Putin.
Russia has been waging its own cyberwar against Ukraine for many years.
Since the beginning of 2022, however, it seems that Russian cyber activity against Ukraine has increased. This includes evidence that wiper malware has again disrupted some Ukrainian government networks, and attacks from the FSB-linked Gamaredon have targeted around 5,000 entities, including critical infrastructure and government departments. So far, however, there has not been the same scale of disruption as occurred in 2015, 2016 and 2017.
The purpose of such cyber activity is to weaken critical infrastructure, damage government’s ability to respond to any aggression, and to demoralize the population.
The U.S. has been warning the rest of the world against a potential widening scope of Russian cyber activity, and that cyber defenses generally should be tightened.
“Part of the worry,” said Willett, “is that cyberattacks against Ukraine might bleed over, like NotPetya, to affect other countries and cause wider damage unintentionally. There is some concern that the Russians may intentionally do stuff more widely, but that would probably be in retaliation for something that the U.S. or NATO might do.
This raises the whole question of ‘attribution’. The received belief is it is impossible to do accurate cyber attribution. “That is absolutely wrong,” said Willett. “It would be a mistake for any one nation to think it could attack another without being known.”
But accidents happen. The two iconic cyberweapons have been Stuxnet and NotPetya. It is assumed that the U.S. developed Stuxnet (although this has never been admitted). NotPetya has been confidently attributed to the Russian government. Both pieces of malware escaped from their assumed targets into the wider world. This was probably accidental – but similar accidents could lead to wider implications during a period of global geopolitical tension.
On the morning of February 24, 2022, Russian troops invaded Ukraine. This was accompanied by a further increase in cyber activity.

Ukraine Digital Army Brews Cyberattacks, Intel and Infowar
Formed in a fury to counter Russia’s blitzkrieg attack, Ukraine’s hundreds-strong volunteer “hacker” corps is much more than a paramilitary cyberattack force in Europe’s first major war of the internet age. It is crucial to information combat and to crowdsourcing intelligence.
Inventions of the volunteer hackers range from software tools that let smartphone and computer owners anywhere participate in distributed denial-of-service attacks on official Russian websites to bots on the Telegram messaging platform that block disinformation, let people report Russian troop locations and offer instructions on assembling Molotov cocktails and basic first aid.
The movement is global, drawing on IT professionals in the Ukrainian diaspora whose handiwork includes web defacements with antiwar messaging and graphic images of death and destruction in the hopes of mobilizing Russians against the invasion.
The cyber volunteers’ effectiveness is difficult to gauge. Russian government websites have been repeatedly knocked offline, if briefly, by the DDoS attacks, but generally weather them with countermeasures.
It’s impossible to say how much of the disruption — including more damaging hacks — is caused by freelancers working independently of but in solidarity with Ukrainian hackers.
A tool called “Liberator” lets anyone in the world with a digital device become part of a DDoS attack network, or botnet. The tool’s programmers code in new targets as priorities change.

Ukraine Cyber Official: We Only Attack Military Targets
A top Ukrainian cybersecurity official said Friday a volunteer army of hundreds of hackers enlisted to fight Russia in cyberspace is attacking only what it deems military targets, prioritizing government services including the financial sector, Kremlin-controlled media and railways.
Victor Zhora, deputy chair of the state special communications service, also said that there had been about 10 hostile hijackings of local government websites in Ukraine to spread false text propaganda saying his government had capitulated. He said most of Ukraine’s telecommunications and internet were fully operational.
Zhora told reporters in a teleconference that presumed Russian hackers continued to try to spread destructive malware in targeted email attacks on Ukrainian officials and — in what he considers a new tactic — trying to infect the devices of individual citizens.

Army of Cyber Hackers Rise Up to Back Ukraine
An army of volunteer hackers is rising up in cyberspace to defend Ukraine, though internet specialists are calling on geeks and other “hacktivists” to stay out of a potentially very dangerous computer war.
According to Livia Tibirna, an analyst at cyber security firm Sekoia, nearly 260,000 people have joined the “IT Army” of volunteer hackers, which was set up at the initiative of Ukraine’s digital minister Mykhailo Fedorov.
The group, which can be accessed via the encrypted messaging service Telegram, has a list of potential targets in Russia, companies and institutions, for the hackers to target.
It’s difficult to judge the effect the cyber-army is having.

Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks

Russia Blocks Access to Facebook Over War
Russia’s state communications watchdog has ordered to completely block access to Facebook in Russia amid the tensions over the war in Ukraine.
The agency, Roskomnadzor, said Friday it decided to cut access to Facebook over its alleged “discrimination” of the Russian media and state information resources. It said the restrictions introduced by Facebook owner Meta on the RT and other state-controlled media violate the Russian law.

Cyberattack Knocks Thousands Offline in Europe
Thousands of internet users across Europe have been thrown offline after what sources said Friday was a likely cyberattack at the beginning of Russia’s offensive in Ukraine.
According to Orange, “nearly 9,000 subscribers” of a satellite internet service provided by its subsidiary Nordnet in France are without internet following a “cyber event” on February 24 at Viasat, a US satellite operator of which it is a client.
Eutelsat, the parent company of the bigblu satellite internet service, also confirmed to AFP on Friday that around one-third of bigblu’s 40,000 subscribers in Europe, in Germany, France, Hungary, Greece, Italy and Poland, were affected by the outage on Viasat.
In the US, Viasat said on Wednesday that a “cyber event” had caused a “partial network outage” for customers “in Ukraine and elsewhere” in Europe who rely on its KA-SAT satellite.
Viasat gave no further details, saying only that “police and state partners” had been notified and were “assisting” with investigations.
General Michel Friedling, head of France’s Space Command said there had been a cyberattack.

Cybercriminals Seek to Profit From Russia-Ukraine Conflict
Dark web threat actors are looking to take advantage of the tensions between Russia and Ukraine, offering network access and databases that could be relevant to those involved in the conflict, according to a new report from Accenture.
Since mid-January, cybercriminals have started to advertise compromised assets relevant to the Russia-Ukraine conflict, and they are expected to increase their offering of databases and network access, with potentially crippling effects for the targeted organizations.
Just over a month ago, soon after the destructive WhisperGate attacks on multiple government, IT, and non-profit organizations in Ukraine, threat actors started to advertise on the dark web access to both breached networks and databases that allegedly contained personally identifiable information (PII).

Amid Russian invasion, Ukraine granted formal role with NATO cyber hub
Ukraine was granted the formal role of “contributing participant” to the hub, known as the Cooperative Cyber Defence Centre of Excellence (CCDCOE), by its 27-member steering committee, the organization announced. “Ukraine’s presence in the Centre will enhance the exchange of cyber expertise, between Ukraine and CCDCOE member nations,” Col. Jaak Tarien, the institution’s director, said in a statement.

This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites
In the days following Russia’s invasion of Ukraine, dozens of hacking groups have taken sides in the conflict, launching attacks on various organizations and government institutions. Cyber Unit Technologies, a Kyiv-based cybersecurity startup, has been particularly outspoken. On Tuesday, the company started a campaign to reward hackers for taking down Russian websites and pledged an initial $100,000 to the program.

High Above Ukraine, Satellites Get Embroiled in the War
While the Russian invasion rages on the ground, companies that operate data-collecting satellites find themselves in an awkward position.
Some researchers are worried that the reliance on satellite imagery has given too much power to the companies that control this technology. “There’s companies like Maxar and Planet that are privately owned and they have the final say on whether or not they want to share the information,” says Anuradha Damale. The role of private companies in conflicts such as Ukraine means commercial satellites could become targets. In the days before Russia invaded, US space officials warned satellite companies that the conflict could extend into space.

CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine
CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.

US firms should be wary of destructive malware unleashed on Ukraine, FBI and CISA warn – CNNPolitics

EU Activates Cyber Rapid Response Team Amid Ukraine Crisis

Amid rapid escalation in the Russia-Ukraine conflict derived from historical grievances and qualms with Ukraine’s plan to join the military alliance NATO, the world’s network defenders remain on high alert. And on Tuesday, the European Union confirmed that it will activate its elite cybersecurity team to assist Ukrainians if Russian cyberattacks occur.

UK alludes to retaliatory cyber-attacks on Russia
The UK government alluded yesterday that it might launch offensive cyber operations against Russia if the Kremlin attacks UK computer systems after an invasion of Ukraine.

Amazon: Charities, aid orgs in Ukraine attacked with malware
Charities and non-governmental organizations (NGOs) providing critical support in Ukraine are targeted in malware attacks aiming to disrupt their operations and relief efforts seeking to assist those affected by Russia’s war. Amazon has detected these attacks while working with the employees of NGOs, charities, and aid organizations, including UNICEF, UNHCR, World Food Program, Red Cross, Polska Akcja Humanitarna, and Save the Children.

Ransomware Used as Decoy in Destructive Cyberattacks on Ukraine

Destructive ‘HermeticWiper’ Malware Targets Computers in Ukraine

Just as Russia was preparing to launch an invasion of Ukraine, Ukrainian government websites were disrupted by DDoS attacks and cybersecurity firms reported seeing what appeared to be a new piece of malware on hundreds of devices in the country.
The new malware, dubbed “HermeticWiper” by the cybersecurity community, is designed to erase infected Windows devices. The name references a digital certificate used to sign a malware sample — the certificate was issued to a Cyprus-based company called Hermetica Digital.
“At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate,” explained endpoint security firm SentinelOne, whose researchers have been analyzing the new malware.
The malware has also been analyzed by researchers at ESET and Symantec. Each of the companies has shared indicators of compromise (IoCs) associated with HermeticWiper.
ESET first spotted HermeticWiper on Wednesday afternoon (Ukraine time) and the company said hundreds of computers in Ukraine had been compromised.

HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR resulting in subsequent boot failure. This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack. This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available. Also:

HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
The day before the invasion of Ukraine by Russian forces on February 24, a new data wiper was unleashed against a number of Ukrainian entities. This malware was given the name “HermeticWiper” based on a stolen digital certificate from a company called Hermetica Digital Ltd. This wiper is remarkable for its ability to bypass Windows security features and gain write access to many low-level data-structures on the disk. In addition, the attackers wanted to fragment files on disk and overwrite them to make recovery almost impossible.
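The two HermeticWiper write-ups above describe the same outcome: the MBR is manipulated so the machine no longer boots. As an added example (not code from SentinelOne, ESET or any of the analyses quoted here), the script below is a hypothetical incident-response triage helper that takes the first 512-byte sector of a disk image and classifies it as an intact MBR or one of the states a wiper leaves behind: zeroed, overwritten with random-looking data, or a valid boot signature sitting over a nonsensical partition table. All sample sectors are constructed inline; the function and threshold names are my own.

```python
import math
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries live at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of every valid MBR
HIGH_ENTROPY = 7.0               # bits/byte; a real MBR (boot code + zeros) sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partitions(sector: bytes) -> list:
    """Decode the four classic MBR partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4 LE) sectors(4 LE)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def entry_is_sane(e: dict) -> bool:
    """A populated entry has a legal status byte and a non-zero type, start and extent."""
    return (e["status"] in (0x00, 0x80) and e["type"] != 0
            and e["lba_start"] != 0 and e["sectors"] != 0)


def triage_mbr(sector: bytes) -> dict:
    """Classify one 512-byte sector as an intact MBR or one of the wiped states."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    has_sig = sector[510:512] == BOOT_SIGNATURE
    entropy = shannon_entropy(sector)
    populated = [e for e in parse_partitions(sector) if e["status"] or e["type"]]
    table_ok = bool(populated) and all(entry_is_sane(e) for e in populated)

    if not any(sector):
        verdict = "zeroed"
    elif not has_sig and entropy >= HIGH_ENTROPY:
        verdict = "overwritten-random"
    elif not has_sig:
        verdict = "no-boot-signature"
    elif not table_ok:
        verdict = "signature-ok-partition-table-invalid"
    else:
        verdict = "intact"
    return {"verdict": verdict, "boot_signature": has_sig,
            "entropy": round(entropy, 2), "partitions": populated}


def build_sample_mbr() -> bytes:
    """Constructed sample: a short boot-code stub, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfa"   # constructed stub, not a real boot loader
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def constructed_samples() -> dict:
    """Four constructed sectors: one healthy MBR and three ways a wiper can leave it."""
    intact = build_sample_mbr()
    bad_table = bytearray(intact)
    bad_table[PART_TABLE_OFFSET:510] = b"\xff" * (510 - PART_TABLE_OFFSET)
    return {
        "intact": intact,
        "zeroed": bytes(SECTOR_SIZE),
        # deterministic stand-in for random data: every byte value twice, 8.0 bits/byte
        "random_overwrite": bytes(range(256)) * 2,
        "bad_table": bytes(bad_table),
    }


if __name__ == "__main__":
    for name, sector in constructed_samples().items():
        result = triage_mbr(sector)
        print(f"{name:17s} -> {result['verdict']} (entropy {result['entropy']} bits/byte)")
```

On a real image, read the first 512 bytes of the device or image file and pass them to `triage_mbr`; anything other than "intact" is a reason to image the disk before touching it further.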

In Ukraine, Online Gig Workers Keep Coding Through the War
Freelancers or gig workers who piece together work on online platforms are a hidden engine of the Ukrainian economy, and the world’s. They work as software engineers, project managers, IT technicians, graphic designers, editors, and copywriters. And they work for everyone.
Invading Russian forces have plunged freelancers’ home offices into chaos and uncertainty. Vlad, a video editor in southern Ukraine, says he’s grown accustomed to the air alarm signal, and hiding until it has passed. Now there are battles 30 miles from his home. “But as long as there is water, electricity, and internet, I can work,” he says.
“Because we all need to live for something, eat

Leaving Russia? Experts Say Wipe Your Phone Before You Go
Russians fleeing President Vladimir Putin’s regime as it cracks down on anti-war sentiment, and as rumors of martial law grow louder, are being advised to wipe their phones, especially of any traces of support for Ukraine. If they don’t, experts say they may face detention. They’re starting by deleting messages on Signal, Telegram or any app that promises security. For those leaving the country, they’re deleting the apps themselves, and urging others to do the same. Russian media has first-hand accounts of lengthy interrogations at the border, along with phone and laptop searches, though Forbes could not corroborate those claims.

Why ICANN Won’t Revoke Russian Internet Domains
The organization says cutting the country off would have “devastating” effects on the global internet system.
Ukraine on Monday asked ICANN to revoke Russian top-level domains such as .ru, .рф, and .su; to “contribute to the revoking for SSL certificates” of those domains; and to shut down DNS root servers in Russia. Fedorov argued that the requested “measures will help users seek for reliable information in alternative domain zones, preventing propaganda and disinformation.”
Ukraine’s request to cut Russia off from core parts of the internet has been rejected by the nonprofit group that oversees the Internet’s Domain Name System (DNS). CEO Göran Marby of the Internet Corporation for Assigned Names and Numbers (ICANN) said the group must “maintain neutrality and act in support of the global internet.”
“Our mission does not extend to taking punitive actions, issuing sanctions, or restricting access against segments of the internet—regardless of the provocations,” Marby wrote in his response to Ukraine Vice Prime Minister Mykhailo Fedorov.

TikTok Was Designed for War
As Russia’s invasion of Ukraine plays out online, the platform’s design and algorithm prove ideal for the messiness of war—but a nightmare for the truth.


  1. Tomi Engdahl says:

    The Fall and Rise of Russian Electronic Warfare
    The Ukraine invasion has become an old-fashioned slog, enabling Russia to unleash its electronic weapons

  2. Tomi Engdahl says:

    This is how Russia spreads propaganda in the areas it has occupied from Ukraine: it threatens journalists, replaces school books and draws on Soviet history
    A journalist who fled an occupied city, a media researcher and documents of the Russian security service tell how Russia is trying to replace the truth in Ukraine with another one.

  3. Tomi Engdahl says:

    Refrigerator and dishwasher semiconductors drive RWS of Russian tanks

    SOFIA ($1=1.91 Bulgarian Levs) — Semiconductors from refrigerators and dishwashers brought as “spoils” from the war in Ukraine control the remote weapon systems of Russian tanks. Such a statement was made by US Commerce Secretary Gina Raimondo in a statement to the Senate nearly two months ago. “We have reports from Ukrainians that when they find Russian military equipment, it’s full of semiconductors that they took out of dishwashers and refrigerators,” Raimondo told a Senate hearing.

    Robin Patterson, a spokesman for the Commerce Department, said Ukrainian authorities told Raimondo that when they opened up captured Russian tanks, they found components intended for refrigerators and commercial and industrial machinery. Semiconductors, telecommunications equipment, lasers, avionics, and marine technology are subject to Russian export controls.

    Since the beginning of the war in Ukraine, social media has been full of photos of Russian soldiers carrying off household appliances. Part of the “spoils of war” goes to the homes of Russian soldiers; the rest appears at Uralvagonzavod for “reuse”.

  4. Tomi Engdahl says:

    Hackers are humiliating the eastern neighbour’s “paper” cyber defence – this is how Anonymous “embarrassed” Russia

  5. Tomi Engdahl says:

    Ukraine war: Russia accuses US of direct role in Ukraine war

  6. Tomi Engdahl says:

    Putin has drawn up an escape plan for himself in case the war is lost, says a Telegram channel known for its bold claims

    Vladimir Putin ‘preparing plans for evacuation’ if Ukraine overcomes his troops in war that has lasted 162 days so far

    The Russian President and close allies are reportedly putting plans in place, with one country in mind it will evacuate to, should Ukrainian soldiers defeat Russian troops in the war.

  7. Tomi Engdahl says:

    Movie torrents hijacked to send tips on bypassing Russian censorship

    A team of Ukrainian cyber-activists has thought of a simple yet potentially effective way to spread uncensored information in Russia: bundling torrents with text and video files pretending to include installation instructions.

    Named “Torrents of Truth,” the initiative is similar to “Call Russia,” a project to help break through Russian propaganda and open people’s eyes to what’s happening in Ukraine.

    The initiative creates torrents that contain a text file with a list of credible news sources that Russians can trust and instructions on downloading and installing a VPN to secure anonymity from ISPs.

  8. Tomi Engdahl says:

    Ukraine Situation Report: U.S. Sending More Rockets As HIMARS Achieves ‘Rock Star’ Status
    U.S.-supplied rocket artillery systems gain a cult pop-culture following in Ukraine as they are used to pound Russian positions.

  9. Tomi Engdahl says:

    An electricity crisis threatens Europe – France has had to shut down as many as twenty of its nuclear power plants
    Tuula Laatikainen 31.7.2022 13:45
    Corrosion is now hampering the safe operation of France’s nuclear power plants.

  10. Tomi Engdahl says:

    Europe’s largest nuclear power plant, in Ukraine, has been badly damaged in shelling, says the company responsible for operating the plant

  11. Tomi Engdahl says:

    A doctor of military science gives a grim assessment of Ukraine: a truly dark turn
    According to Jarno Limnéll, a doctor of military science who assesses the situation in Ukraine in his Uusi Suomi blog, Russia’s war of aggression in Ukraine has turned into genocide aimed at destroying the national identity of Ukrainians.

  12. Tomi Engdahl says:

    Russia fines Google 360 million and demands the company hide content related to the “special operation”
    A Russian court has imposed a fine of 21 billion roubles, about 360 million euros, on the technology giant Google.
    According to Roskomnadzor, which supervises the media in Russia, Google and its subsidiary YouTube have refused to remove “prohibited material” from their platforms. In practice this means all anti-Kremlin information, and especially information dealing with Russia’s war of aggression in Ukraine. The authority demands that Google remove from its platforms all material that deals with Russia’s “special operation”, supports “terrorism and extremism”, promotes “topics dangerous to the life and health of minors” or promotes “participation in prohibited mass events”.

  13. Tomi Engdahl says:

    Russian malware is spreading: “The goal is stealing information for the Russian intelligence service”
    Security company Palo Alto Networks reports in a release on attacks by the Russian group Cloaked Ursa, whose goal has probably been stealing information for use by the Russian intelligence service. Palo Alto Networks says the disguised intrusion attempt has targeted the Google Drive and Dropbox cloud services. Intrusion into these services has been attempted using the Cobalt Strike software. The company’s release says that the intrusion attempts have targeted, for example, embassies of various countries located in Portugal and Brazil. The attack has tried to phish for information with a fake event invitation that uses a malicious HTML file. If the target opens the file, it enables the use of the Cobalt Strike software as the infector and gives the attacker access to the data. What makes the attack attempt particularly dangerous is its ability to disguise itself from security software. In these attacks the Russian intelligence service has especially targeted the embassies of NATO countries and the cloud services they use, the release says. Orig.

  14. Tomi Engdahl says:

    Google catches Turla hackers deploying Android malware in Ukraine
    Google’s Threat Analysis Group (TAG), whose primary goal is to defend Google users from state-sponsored attacks, said today that Russian-backed threat groups are still focusing their attacks on Ukrainian organizations. In a report regarding recent cyber activity in Eastern Europe, Google TAG security engineer Billy Leonard revealed that hackers part of the Turla Russian APT group have also been spotted deploying their first Android malware. They camouflaged it as a DDoS attack tool and hosted it on cyberazov[.]com, a domain spoofing the Ukrainian Azov Regiment. “This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services,” Leonard explained.

  15. Tomi Engdahl says:

    Popular vehicle GPS tracker gives hackers admin privileges over SMS
    Vulnerability researchers have found security issues in a GPS tracker that is advertised as being present in about 1.5 million vehicles in 169 countries. A total of six vulnerabilities affect the MiCODUS MV720 device, which is present in vehicles used by several Fortune 50 firms, governments in Europe, states in the U.S., a military agency in South America, and a nuclear plant operator. The risks stemming from the findings are significant and impact both privacy and security. A hacker compromising an MV720 device could use it for tracking or even immobilizing the vehicle carrying it, or to collect information about the routes, and manipulate data. For example, MiCODUS GPS trackers are used by the state-owned Ukrainian transportation agency, so Russian hackers could target them to determine supply routes, troop movements, or patrol routes, researchers at cybersecurity company BitSight say in a report today.

  16. Tomi Engdahl says:

    Inside The Russian Cybergang Thought To Be Attacking Ukraine – The Trickbot Leaks
    Threat intelligence specialist Cyjax has today published an in-depth analysis delving deep into the heart of the Trickbot cybergang. Months of painstaking research through hundreds of leaked documents has resulted in what is possibly the most comprehensive breakdown of a significant international cybercrime syndicate I’ve seen. Covering everything from membership and management to operational infrastructure, these are the Trickbot Leaks.

  17. Tomi Engdahl says:

    Meet Mantis, the tiny shrimp that launched 3,000 DDoS attacks
    The botnet behind the largest-ever HTTPS-based distributed-denial-of-service (DDoS) attack has been named after a tiny shrimp. Likewise, the Mantis botnet operates a small fleet of bots (a little over 5,000), but uses them to cause massive damage: specifically, a record-breaking attack.

  18. Tomi Engdahl says:

    Anti-Russian denial-of-service app actually infects pro-Ukrainian activists
    An app which purported to launch distributed denial-of-service (DDoS) attacks against the internet infrastructure of Russia, was in reality secretly installing malware on to the devices of pro-Ukrainian activists. As researchers at Google’s Threat Analysis Group (TAG) describe, the Moscow-backed Turla hacking group created a website purporting to belong to Ukraine’s Azov regiment.

  19. Tomi Engdahl says:

    EU warns of Russian cyberattack spillover, escalation risks
    The Council of the European Union (EU) said today that Russian hackers and hacker groups increasingly attacking “essential” organizations worldwide could lead to spillover risks and potential escalation.
    “This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation,” the High Representative on behalf of the EU said Tuesday. “The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed.”

  20. Tomi Engdahl says:

    Cyber Command shares bevy of new malware used against Ukraine
    U.S. Cyber Command on Wednesday disclosed dozens of forms of malware that have been used against computer networks in Ukraine, including 20 never-before-seen samples of malicious code. The indicators of compromise were shared with the command’s Cyber National Mission Force (CNMF) by the Security Service of Ukraine, that country’s law enforcement authority and intelligence agency. The disclosure is part of what has become a regular effort by Cyber Command and other U.S. agencies to highlight hacking tools used by foreign adversaries like Russia, China, Iran and North Korea to blunt the impact of their digital operations.

  21. Tomi Engdahl says:

    Vulnerabilities in GPS tracker could have “life-threatening”
    Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.
    Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.

  22. Tomi Engdahl says:

    Ukrainian Radio Stations Hacked to Broadcast Fake News About Zelenskyy’s Health
    Ukrainian radio operator TAVR Media on Thursday became the latest victim of a cyberattack, resulting in the broadcast of a fake message that President Volodymyr Zelenskyy was seriously ill. “Cybercriminals spread information that the President of Ukraine, Volodymyr Zelenskyy, is allegedly in intensive care, and his duties are performed by the Chairman of the Verkhovna Rada, Ruslan Stefanchuk,” the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in an update.

  23. Tomi Engdahl says:

    This is how Anonymous embarrassed Russia: the feared defensive wall turns out to be just a “paper hanging”
    Jeremiah Fowler, a founding member of the cybersecurity firm Security Discovery, has been keeping an eye on the activities of the Anonymous hacker collective since the group declared cyber war on Russia after the country illegally attacked Ukraine.

  24. Tomi Engdahl says:

    Russia’s attack on Ukraine changed the cyber environment dramatically; the situation will get worse
    The war in Ukraine has changed the cyber environment dramatically, and attacks have increased enormously in organizations across all sectors, says a new trend report from the security company Check Point.
    The attacks also cause considerable harm to everyday life. Businesses are most threatened by ransomware attacks, but supply chain attacks carried out in the cloud are also on the rise.
    “Unfortunately, the situation will only get worse, especially now that ransomware is the number one threat to organizations,” Check Point Software’s Vice President of Research Maya Horowitz says in a press release.

  25. Tomi Engdahl says:

    How one Ukrainian ethical hacker is training ‘cyber warriors’ in the fight against Russia
    In the Ukrainian hacker community, Nikita Knysh is a household name.
    The 31-year-old former employee of Ukraine’s Security Service (SBU) founded cybersecurity consulting company HackControl in 2017 and launched a YouTube channel about internet security and digital literacy. It has about 8,000 subscribers. When the war broke out in Ukraine, Knysh took up a weapon, his computer, and began fighting back against Russia in cyberspace. He wasn’t alone: thousands of volunteers were ready to try to hack Russia while its troops were destroying Ukrainian cities and killing people on the ground. “I realized that we should take control of the situation,” Knysh told The Record. “Our government didn’t have a ‘cyber army’, so we built it ourselves.” To teach Ukrainians the basics of digital guerrilla war, Knysh launched a website called “HackYourMom Academy,” a guide to hacking. The website is free to use and is available in Ukrainian, Russian and English.

  26. Tomi Engdahl says:

    Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
    The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs). Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads. In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

    Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
    Cobalt Strike is commercial threat emulation software that mimics a quiet, long-term embedded actor in a network. This actor, known as Beacon, communicates with an external team server to emulate command-and-control (C2) traffic. Due to its versatility, Cobalt Strike is commonly used as a legitimate tool by red teams but is also widely used by threat actors for real-world attacks. Different elements of Cobalt Strike contribute to its versatility, including the processes that encrypt and decrypt metadata sent to the C2 server. In a previous blog, “Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding,” we learned that the encrypted metadata is encoded for an HTTP transaction. In this blog post, we will detail and demonstrate the data encryption and decryption algorithm, key generation and extraction, metadata encryption and decryption, and metadata schema definitions. One of the interesting components is how the encryption and decryption algorithm works during C2 traffic communication and why this versatility makes Cobalt Strike an effective emulator that is difficult to defend against.

  27. Tomi Engdahl says:

    Denial-of-service attack took down the Finnish parliament’s website; a Russian hacker group says it carried out the attack
    The parliament’s website went down on Tuesday afternoon. Around half past four the site was unreachable, but at about 16:50 the parliament’s pages appeared to be working again, albeit slowly. The Russian hacker group NoName057(16) announced on its Telegram channel that it had carried out a network attack on the website of the Finnish parliament, which is why the pages were not working. According to a statement from the parliament, its external website is the target of a denial-of-service attack that began at about 14:30. According to the statement, the parliament is working to contain the attack together with its service providers and the National Cyber Security Centre.

  28. Tomi Engdahl says:

    Components are no longer sold to Russia

    The European component distribution market grew by 33.4 percent for semiconductors and by 19.6 percent for passive and electromechanical components compared with a year earlier. The DMASS organization estimates, however, that making forecasts for the rest of the year is more difficult. Components are no longer sold to Russia.

    The component shortage continues to affect the European component distribution business, but there is now partial relief in some product areas. Despite this, distributors sold semiconductors worth 3.09 billion euros in April–June, a third more than a year ago. Sales of passive components rose to 1.51 billion euros.

    In total, distributors sold components worth 4.6 billion euros in the second quarter. The sum is 28.5 percent higher than last year.

  29. Tomi Engdahl says:

    The harsh truth revealed: sanctions have failed, Russia is being armed with American technology
    According to a report published by Reuters and a British research institute, a huge number of American components are still flowing to Russia despite the sanctions.

  30. Tomi Engdahl says:

    “A total catastrophe” – Upi’s Jussi Lassila assesses that Amnesty may have handed Russia a justification for murdering civilians
    According to Jussi Lassila of Upi (the Finnish Institute of International Affairs), Russia can use the claims presented in the report to its advantage.

  31. Tomi Engdahl says:

    USCYBERCOM Releases IoCs for Malware Targeting Ukraine

    The United States Cyber Command (USCYBERCOM) this week released indicators of compromise (IoCs) associated with malware families identified in recent attacks targeting Ukraine.

    The malware samples were found by the Security Service of Ukraine on various compromised networks in the country, which has seen an increase in cyber activity since before the beginning of the Russian invasion in February 2022.

    USCYBERCOM has released 20 novel indicators in various formats representing IoCs identified during the analysis of recently identified malware samples, but has not shared further information on the attacks.

    “Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations,” USCYBERCOM notes.

  32. Tomi Engdahl says:

    Ukrainian Website Threat Landscape Throughout 2022
    The Russian invasion of Ukraine began on February 20, 2022. By mid-March it was clear the cyber-war had begun, and the attacks have been consistent ever since. Prior to this, on March 1, 2022, Wordfence reported on an attack campaign on Ukrainian university websites. In response, we deployed our real-time threat intelligence to all sites running Wordfence with a .ua top-level domain (TLD). In the following months, we have continued to monitor the situation, and to block attack attempts aimed at Ukrainian websites.
