Security Operations

Russia-Ukraine war: related cyberattack developments

The Russian war against Ukraine began on February 24, 2022. This article tracks some of the related cyberattack developments as they unfold. The article is updated regularly and the most recent update was on April 19

On February 22, 2022, Sophos published an article looking at Russia’s history of cyberattacks during times of conflict and geopolitical tension. This companion article tracks what is currently unfolding related to the Russia-Ukraine war. Some of the news is clouded through the inevitable “fog of war” making accurate attribution or factual confirmation more difficult, and there can be a time delay before some news emerges from the war zone. The content included here represents Sophos’ best understanding of the facts at the time of publication.

[Update (2022-04-19)]: On April 12, the Ukrainian energy sector dodged a significant cyber-bullet. It appears that Sandworm, a Russian APT group, attempted to follow its 2016 attack with another industrial control system (ICS) attack against the Ukrainian power grid. However, the attackers were thwarted before they could achieve their objectives.

A report on the malware, dubbed Industroyer2 by ESET, outlines the evidence that it is an evolution of the malware used in the destructive attacks against Ukraine’s energy grid in 2016. It was specifically configured to take down safety components in the Ukrainian grid and to wipe systems running Windows, Linux and Solaris using malware called CaddyWiper, OrcShred, SoloShred, and AwfulShred.

It is significant that this malware was captured and neutralized before it could cause any further damage. The aggressive defense approach of critical infrastructure providers in Ukraine is paying off.

[Update (2022-04-12)]: On Tuesday, April 5, The Record reported on statements made by General Paul Nakasone, U.S. Cyber Command Chief and Director of the NSA. General Nakasone stated the U.S. was stepping up efforts to help protect and defend Ukraine’s network infrastructure as well as sending “hunt forward teams” to Eastern Europe to suss out any vulnerabilities the Russians might attempt to exploit.

On Thursday, April 7, Microsoft announced the take down of seven internet domain registrations associated with spying activities targeting the U.S., EU and Ukraine. While this will certainly will disrupt activities attributed to the threat actor known as Fancy Bear or APT 28, it isn’t difficult to register some new ones and continue on with business as usual..

In a possibly related story, on Friday, April 8, Ukraine’s SSSCIP issued another warning of continuing attacks via email targeting government officials and other parties, purporting to be documentation of war crimes against Ukraine .

Also on  Friday, the Associated Press reported that the Russians were confiscating or deleting all content from mobile phones belonging to refugees attempting to escape Russian-controlled areas.

Social media misinformation campaigns continue targeting all of us, and there have been reports of it being allowed to circulate widely in China, according to some tweets by Raphael Satter of Reuters. It is another reminder to avoid being an amplifier of unverified information.

[Update (2022-04-04)]: On Thursday, March 31, Thomas Brewster at Forbes published an article about the resilience and increasing lack of Ukraine’s internet and mobile networks. I recommend reading it. It will be interesting to observe whether the networks’ reliability increases or decreases as a result of Russia’s apparent slow retreat to Eastern Ukraine. I suspect internet availability was convenient for the invaders and that attacks on fiber connections and mobile transmission towers may now increase.

Also on March 31, Reuters reported that insurers facing hefty cyber insurance claims related to the Ukraine war. Cyber insurance policies have been increasing dramatically for some time, so this isn’t entirely surprising. However, measurable damages from cyber-attacks related to the war have been minimal to date.And lastly on March 31, J. A. Guerrero-Saade of SentinelOne published very interesting research on Twitter about the malware that disabled the ViaSat satellite modems (referenced previously.) The malware was in fact a “wiper”, and it erased the firmware entirely making the devices essentially “bricks.”
SentinalOne’s research was later confirmed by ViaSat.On Monday, April 4, the security service of Ukraine, SSSCIP, warned of phishing attacks purporting to be about “Information on war criminals of the Russian Federation.” This is a new low for phishing.Misinformation is still rampant, although we try to verify everything before we publish it here. And fortunately we have folks like those over at Bellingcat to help us see truth from fiction. For their April 4 report on accusations by the Russians that videos of evidence to support war crimes accusations in Bucha were doctored, they dove into the details to determine the veracity of said videos. Other media outlets have done the same. It appears the videos are not fakes. 

[Update (2022-03-31)]: On Wednesday, March 30, a UN meeting organized to discuss norms in cyberspace was harshly critical of Russia’s actions precipitating the war in Ukraine. The US called Russia’s role in trying to lead the establishment of norms “a mockery,” while Canadian representatives found it “surreal” that Russia was leading the conversation.

As reported previously, the ViaSat satellite network is still struggling to recover full capacity in Eastern Europe and Ukraine after attackers appeared to compromise the firmware of the satellite modems of tens of thousands of endpoints. On March 30, a ViaSat official acknowledged the attacks and reported that attackers are still attempting to disrupt their network and the recovery.

[Update (2022-03-29)]: On Thursday, March 24, Ukraine’s cybersecurity agency, SSSCIP, announced a bug bounty program to help secure Ukrainian government assets against cyber-attacks. This suggests concern about further attacks in the short term by the Russian Federation. Later the same day, US officials, in an off-the-record capacity, confirmed to the Washinton Post that the attacks against network operator ViaSat, which disrupted satellite services to the Ukrainian military, were believed to be a Russian operation.

On Friday, March 25, the group behind the development of a malware-as-a-service information stealer known by the name Raccoon Stealer, claimed it had ceased operations due to one of its developers in Ukraine being killed during the war. This is another indicator of how international these criminal groups are and that they aren’t necessary directly allied to the interests of any one nation-state.

Also on March 25, FiRST, an organization created to facilitate the international sharing of information about threats and attacks, announced it would be suspending the membership of Russia and Belarus in reaction to the sanctions and while it evaluated whether they would be allowed to continue threat sharing going forward.

In an unprecedented action, of which there have been many in this war, Ukraine has published the personal details of 620 alleged FSB agents on its public website. This “doxing” of spies working for Russia’s intelligence services may not have much real-world impact, but it is another chink in the armor for those responsible for helping to conduct this war.

Finally, throughout the day on Monday, March 28, Ukraine’s largest internet provider, Ukrtelecom, appeared to suffer from a near total loss of connectivity, allegedly due to a massive DDoS attack. Ukrtelecom is the primary internet provider for the Ukrainian military and government and the attacks appeared to be utilizing vulnerable WordPress sites, triggering amplification attacks every time someone visited a booby-trapped page. Ukraine has blamed Russia for the attacks.

[Update (2022-03-24)]: There has been a lot of speculation following the White House warning on Monday, March 21 about possible increased cyberattacks from Russia. The advisory was based on increased scanning activity, and what it means for organizations in general is: don’t be the low-hanging fruit. Scanning is opportunistic activity and by patching, employing multi-factor authentication and other recommended actions you make your organization a lot less interesting to adversaries.

On Tuesday, March 22, a few hours after the White House briefing, the UK’s National Cyber Security Centre (NCSC) pledged its support for the US’s call for increased cyber security precautions. This isn’t exactly surprising, but if you have operations in any country that is perceived as an adversary of the Russian Federation, you ought to heed this advice.

Also on March 22, in the wake of another compromised NPM package designed to cause harm to Russian and Belarusian users, the Russian cyber security agency, NKTsKI, issued advice to Russian developers to only use local software repositories that predate the invasion and to carefully check any further updates for sabotage. Not bad advice for anyone who has been blindly accepting updates from software repositories outside of their control.

There has also been an unconfirmed report that 18 companies of Russian meat processing giant Miratorg were hit with file encrypting malware, but no ransom was demanded. This is likely another vigilante/hacktivist activity, as assumed by the victims in a statement. They state that it will not impact food deliveries, which is in-line with other symbolic hacks so far against Russia. Noisy, but not likely to impact the war’s prosecution.

[Update (2022-03-22)]: On Wednesday, March 16, Hillary Clinton entered the fray. In an interview with MSNBC, Ms. Clinton encouraged Anonymous to launch “cyberattacks” against Russia. Elsewhere, attackers allegedly breached Transneft, a Russian oil pipeline company, and stole more than 79 gigabytes of emails, which they then supplied to the professional leak site DDoSecrets. Such actions increase tensions in the cyber realm.

After our earlier updates on attacks against international satellite internet provider, Viasat, CISA issued an advisory on March 18,, recommending that satellite internet operators and customers review security settings and lock down administrative access to devices.

Lastly, on Monday, March 21, US President Joe Biden and White House Cybersecurity Advisor, Ann Neuberger, issued statements. The statements advise that US intelligence is seeing Russian activity which suggests that, as the war moves toward a stalemate on the ground, focus may shift to retaliation against western entities in response to the severe sanctions imposed on Russia. While the threat may be vague, the message is clear. We need to step up our defenses and brace for a potential wave of attacks that may further disrupt supply chains and the economy, if successful.

[Update (2022-03-17)]: On Tuesday, March 15, Joseph Cox at Vice reported that Ukraine had detained a malicious insider who was allegedly providing technical assistance to Russian troops by routing calls for them and sending SMS text messages to Ukrainian troops suggesting they surrender.

In a follow-up to this weekend’s update, Raphael Satter at Reuters reported that a Ukrainian cybersecurity official had  disclosed in a statement that the Viasat satellite outage as the invasion begun was a “really huge loss in communications in the very beginning of war.”

On Wednesday, March 16, a social engineering approach appeared to succeed for Ukrainian newspaper Ukrainska Pravda, when it crafted a phish to determine if the Head of the Chechen Republic, Kadyrov, was in Ukraine as he claimed. The paper sent him a Telegram message saying it wanted to share a draft of a story for review, with a link. When he clicked the link to view the document, the paper logged his IP address and confirmed he was not in fact in Ukraine, but rather in Grozny.

Attacks supporting the war are still occurring online, but they remain mostly confined to Ukraine. The State Service of Special Communication and Information Protection of Ukraine released a statement noting that attacks have not abated and that they’ve weathered more than 3,000 DDoS attacks, with a peak of 275 DDoS attacks in a single day. The worst attack peaked at more than 100 Gbps.

Lastly, there appears to be a supply chain attack of the Node.js package repository, NPM. The authors updated the code to behave maliciously in Russia and Belarus. They later changed the code to leave an anti-war note on the desktop of every computer it executes on, along with some lyrics and a link to a YouTube video. This could cause massive problems for applications that don’t do a pre-install security review of updated components, as the affected components are downloaded over one million times a week. Unfortunately, such actions can result in a reluctance to update software packages, making millions of people less secure.

[Update (2022-03-15)]: From March 7, we began to see more information about the disruption to Viasat’s satellite service in Central and Eastern Europe (mentioned above on March 6.) Two reports were published speculating that a particular brand of modem used with the satellite downlinks had its firmware corrupted or had been sent management commands to disable them. On Friday, March 11, Reuters reported that Viasat had confirmed the firmware theory and that the US NSA, French ANSSI, and Ukrainian intelligence were looking into the attack.

On Saturday, March 12, CNN reported that there had been a dramatic rise in downloads of VPN software originating from Russia since the government began banning popular social media services like Twitter, Facebook and Instagram. Similar reports emerged for the use of secure messaging applications like Signal, and the Tor Browser. To evade blocking, many Tor users rely on a technology called Snowflake. The authors of Snowflake are encouraging others to participate as proxies to evade government blocks in Russia and other internet-censored states.

Kim Zetter wrote a great piece for Politico on March 12, and interviewed many former US government hackers and officials about the risk of escalation in nation-state attacks related to the war. Their conclusions are informed and similar to my own, which is that we shouldn’t expect directly attributable attacks from either side outside of the area of conflict. The bigger concern is that activity by civilian hacktivists or vigilantes might cause escalation due to the “fog of cyberwar” making it hard to tell if it is the US, Russia, or someone more anonymous.

As predicted, attacks from alleged hackivist groups are starting to create even more confusion and tension. Die Welt reported on Sunday, March 13 that the Russian oil giant Rosneft’s German subsidiary was inaccessible and that operations were partially disrupted. Disruption to Rosneft, part of the critical infrastructure in Germany responsible for keeping people warm in winter, is unlikely to go down well with the BSI.

Two more malware attacks against Ukrainian targets were discovered on Monday, March 14, neither of which has so far been positively attributed, but both fitting in with support for Russia’s goals. Bleeping Computer wrote about a phishing attack that delivered both a Cobalt Strike beacon and an additional piece of malware that looks like an information stealer and downloader. ESET discovered another wiper malware called CaddyWiper that seemingly had very limited distribution. It did not resemble the previous wipers, but, similar to the last one, was deployed using group policy objects (GPOs) and attempted to preserve the attacker’s foothold within the victim’s network.

There were also reports over the weekend and into March 14 that some bug bounty programs, in particular HackerOne, were restricting access to payouts for participants in Ukraine. As the day unfolded, Zack Whittaker from Tech Crunch got a statement from the CTO, Alex Rice, stating that they were sorting out the issues and they were due to sanctions on the eastern separatist provinces and that other Ukrainian hackers would be reimbursed. Turns out sanctions are harder to apply than it may appear.

[Update (2022-03-11)]: Raphael Satter at Reuters (@razhael) has been a great resource for cyber-related Ukraine news and on March 9, he reported on Ukraine’s move of its data centers outside of the country to maintain their access and availability. A similar plan was put in place in Estonia during the Russian DDoS attacks (referenced earlier in this post.) In the Estonian case it was mostly related to websites, while Satter’s report seems to be more concerned with the security of government data as a whole.

After calls for the formation of an “IT army” by Ukraine’s deputy prime minister, it appears that many people scrambled to acquire “hacking tools” to assist in the fight. Inevitably, as discovered by Cisco’s Talos group, someone booby-trapped the tool downloads by installing an information stealer. Initial analysis appears to show that the Trojan tool distributed via Telegram chat groups steals passwords, cookies, and cryptocurrency wallets.

Thomas Brewster, another authoritative journalist covering cyber conflict, for Forbes, is reporting on an alleged data breach at Roskomnadzor, the Kremlin’s internet censor. While the leaked information is interesting; if true, it could be useful in informing Russian citizens of what types of information have been removed from their media diet.

Finnish flights to a city near its border with Russia were cancelled on March 8 until at least March 16, due to alleged jamming of GPS signals (link in Finnish) by the Russian Federation. Finland responded appropriately for the safety of civilian aviation. However, this is a concerning development that could threaten the safety of non-participants in the war.

Brewster also reports that Ukrainian internet provider Triolan has been repeatedly hacked since the invasion began. The initial attacks coincided with the invasion on February 24, and were repeated on March 9, this time resetting routers and other infrastructure to factory defaults. Some devices cannot be configured remotely and may remain offline for some time due to the physical danger of accessing parts areas of Ukraine that are under active attack. This is a great reminder of the “fog of war” related to cyber activities during times of intense conflict. We often only hear details days or weeks after the actual events as communications are disrupted and prioritized for other more urgent reporting.

[Update (2022-03-08)]: Tuesday, March 8 was International Women’s Day. According to a tweet from Tarah Wheeler (@tarah), it appears that hacktivist activities against the rail systems in Belarus resulted in disruption and delays to Russian forces en route to the Ukrainian front. (Tarah’s work in cyber security is important and she’s well worth a follow.)

It also appeared that Russia’s secure communications technology, Era, is reliant on 3G/4G cellular networks, which have been disabled or compromised during the invasion, preventing soldiers from communicating securely without being surveilled. Secure communications are hard and it’s even harder when you are overly dependent on modern technology to make it work.

Reuters reported that EU telecoms ministers were meeting in Nevers, France to discuss the creation of a cybersecurity emergency response fund to help organizations disabled through cyber attacks. This appears to be prompted by the wiper attacks in Ukraine we reported on earlier in this post.

There were also reports of ransomware crews experiencing supply chain delays/issues due to the war in Ukraine. Brett Callow is probably correct in that in the short term we may experience a brief reprieve due to reorganizations after the Conti leaks as well as disrupted internet connections and sanctions against the Russian Federation.

[Update (2022-03-06)]: It continued to be a quiet time on the cyber front in the war in Ukraine. However, there were two significant updates over the weekend of March 5 to March 6.

First, beginning on February 24, customers of ViaSat in Central and Eastern Europe began experiencing disruptions and outages to their satellite internet service. On Saturday, March 5, a story in Germany’s Spiegel seemed to confirm suspicions (in German) that the outages were due to a booby-trapped firmware update that “bricked” the modems of downlinks causing permanent disablement until the affected units were replaced.

This was a significant finding. This service is reported to be used heavily by Ukrainians for internet access, as well as by the Ukrainian military, which seems to point the finger at the Russian security services. Further, the issue disabled communications with thousands of windmills in Germany, preventing their direct control by the energy company responsible for their management.

The problem? Attribution in cyber attacks. Attribution is hard at the best of times, and it is easy to draw conclusions that are incorrect before all the relevant evidence can be gathered. While the German security services seem confident that the incident is related to the war, it is far from solid enough evidence to consider responsive action, if it was deemed appropriate. Cyber conflicts are affected by the “fog of war” far more than traditional operations. If this was a deliberate attack by Russia, it would be the first since the beginning of the war that has resulted in significant collateral damage.

On Sunday, March 6, Anonymous, the loosely organized hacker collective, claimed credit for hacking several Russian TV stations and causing  their video streaming services to broadcast videos of the war, including the shelling of residential areas by invading Russian troops. While they posted this as “proof,” it has yet to be confirmed. The purported goal of the action was apparently to ensure Russian citizens are aware of the war and how it is being conducted.

[Update (2022-03-03)]: On Thursday, March 3, things continued to decelerate in the cyber realm, although that was not the case for the ground war. On the vigilante front we saw the emergence of a new Twitter account called @TrickbotLeaks that throughout  the day doxed alleged members of the Trickbot, Conti, Mazo, Diavol, Ryuk and Wizard Spiders crime groups. Most of this activity seemed to stem from the Conti leaks earlier in the week. Vitali Kremez has an interesting analysis on his feed.

Brian Krebs suggested this activity might cause problems for cybercriminals who have been talking about getting out of Russia while the going was good. It certainly could be a challenging time to escape the grasp of the authorities if Europol suddenly had reasons to pursue indictments or warrants for arrest.

Further, websites of municipal and regional governments in Russia-seized territories in the south of Ukraine were commandeered or hacked to display fake news suggesting that the Zelensky government had capitulated and surrendered to Russian forces. This was countered by Ukraine’s Security Service of Ukraine (SSU).

[Update (2022-03-02)]: On Wednesday, March 2, things settled down in the cyber realm, but that didn’t mean activity necessarily slowed. As communications disruptions intensified due to the ground fighting, there was a time delay in learning effectively what was happening inside Ukraine.

Ciaran Martin, former head of the UK’s Nation Cyber Security Centre (NCSC), published a detailed expert analysis of the cyber landscape in Ukraine so far and explained his views on how we got to where we are and what might come next. We highly recommend this article.

The Conti saga continued with the group officially deleting its existing virtual infrastructure and allegedly starting again somewhere new. This is not the outcome many of us hoped for, but it remains to be seen whether the gang can pull it all back together again. The nursery rhyme, “All the king’s horses and all the king’s men,” comes to mind.

Additionally, the leaked Conti chat logs revealed the group had purchased a zero-day vulnerability in Internet Explorer 11 to use in attacks at the end of 2020. This could be the first and closest thing to evidence we have that these groups are willing to spend some of their ill-gotten gains on acquiring expensive and exclusive unpatched exploits to further their crimes.

[Update (2022-03-01)]: Fallout from the Conti breach by a Ukrainian researcher continued on Tuesday, March 1, with another dump comprising almost all inside communications, source code and other operational information and plans. It will likely take some time for all of this to be sorted through to determine its significance, but it is the best inside look we have ever had of how a large-scale criminal ransomware operation operates.

A ransomware crew on Twitter known as TheRedBanditsRU tweeted a statement distancing itself from the war and was quoted as saying “We do not respect Putin as #leader of #Russia.” The crew claims that it is not attacking Ukrainian civilian targets, conspicuously suggesting it may still be targeting the Ukrainian government.

A pro-Ukrainian hacking group calling itself NB65 allegedly took down the servers controlling Russian military satellites. This remains unconfirmed, but, if accurate, might also be interfering with the ability of western spies to keep an eye on Putin’s plans. Further evidence that vigilantes can often be a liability rather than an asset.

Pravda received a hacked list of 120,000 identities allegedly representing detailed information on most of the Russian military forces involved in the war. This information appears to be a true doxing, but it is unclear how old the information is and if it represents the people currently actively involved in the conflict.

In addition, Proofpoint published research showing an increase in phishing targeting NATO officials. This is a timely reminder that we all need to expect an increase in this type of attempted compromise, especially during conflicts like this.

[Update (2022-02-28)]: Monday, February 28 was another complicated and busy day for cyber-attacks, with more than its fair share of confusion. There were more alleged leaks, and factions chose sides. Hactivist supporters of Ukraine hacked into electric car charger stations to display messages offensive to President Putin.

A Ukrainian researcher publicly leaked the internal communications of the Conti ransomware group. We learned that the group’s primary Bitcoin wallet has had upwards of $2,000,000,000 USD deposited in the last two years and that loyalty is far less prevalent in the criminal underground than among the rest of us.

The good news so far? The Russians have not used cyber-attacks to destroy or disrupt basic services in Ukraine. Malware and cyber-destruction have been minimal. We shouldn’t rest on our laurels though. This situation is unlikely to resolve itself in a way that will lower the risk of online attacks.

[Update (2022-02-26 and 2022-02-27)]: Over the weekend of February 26 and February 27 a number of things happened.

On the afternoon of Saturday, February 26, Mykhallo Federov, the vice prime minister of Ukraine and its minister of digital transformation, sent out a tweet imploring people with cyber skills to join a virtual IT army to help Ukraine attack Russian assets in retaliation for the hacking attacks Russia has allegedly perpetrated toward Ukraine. An “IT Army” post on a message platform included a list of 31 targets for supporters to attack.

Many people want to support Ukraine, but I advise against doing something like this to show support. Unless someone is working directly on behalf of a nation-state, they are likely to be committing a serious criminal offence.

In addition, a cybersecurity researcher on the Ukraine-Romania border reported that Ukraine’s border control systems had been hit with wiper malware to disrupt the departure of refugees.

And another ransomware crew released an official statement regarding the conflict: Lockbit 2.0 posted a message to its dark web site saying that it will never attack the critical infrastructure of any country and is not taking sides. It claims to be just a diverse group of “post-paid pentesters,” and that it is just business and “all we do is provide paid training to system administrators around the world on how to properly set up a corporate network.”

The statement was posted in eight languages alongside two JPEG images of the earth.

[Update (2022-02-25)]: By February 25, 2022, the conflict had moved from purely cyber-attacks to a ground war, and we are seeing activity from non-state actors who could cause additional disruption and impact outside the conflict zone.

First, a Twitter account representing Anonymous, the freely associated group of hacktivists, declared “cyber war” against the Russian government.

A few hours later, the prolific ransomware group, Conti, posted a message to their dark web site declaring their “full support of the Russian government.”

Both declarations increase the risk for everyone, whether involved in this conflict or not. Vigilante attacks in either direction increase the fog of war and generate confusion and uncertainty for everyone. The likelihood that other criminal groups based in the Russian theatre will ramp up attacks against Ukraine’s allies seems high.

By 20:00 UTC on February 25, Conti had deleted its previous statement, which appears to have been too antagonistic toward the U.S. Government. The new statement has lowered the tone a bit, suggesting they may only “strike back” in response to American cyber aggression. 

Another group going by the name CoomingProject allegedly posted a similar statement saying, “Hello everyone this is a message we will help the Russian government if cyberattacks and conduct against Russia.”  Their site is currently offline, and we were unable to confirm this post.

[Update (2022-02-24)]: At 02:00 local time on February, 24, 2022, the websites of the Ukrainian Cabinet of Ministers, and those of the Ministries of Foreign Affairs, Infrastructure, Education, and others were unreachable, according to CNN. By 06:00 local time on February 24, 2022, they appeared to be operating normally.

[Update (2022-02-23)]: On February 23, 2022 at around 16:00 local time in Ukraine, a wave of DDoS attacks was unleashed against the Ukraine Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Cabinet of Ministers and the Security Service of Ukraine. The outages lasted about two hours and are so far unattributed. ESET and Symantec reported a new boot sector wiper being deployed at approximately 17:00 local time, which was precisely in the middle of this DDoS attack. It appears to have impacted a small number of organizations related to finance and Ukrainian government contractors. Symantec reported there was some spillover onto PCs in Latvia and Lithuania, likely remote offices of Ukrainian companies.