In January 2022, Avertium’s Cyber Threat Intelligence Unit published an emergency Flash Notice detailing Microsoft’s discovery of a ransomware-like malware just days after 70 Ukrainian government websites were defaced by groups that were allegedly associated with the Russian secret service. The malware ended up being a wiper and impacted the Ukrainian Foreign Ministry, the Ministry of Education and Science, and other state services in Ukraine.
The defacement of the websites came at a time when the threat of invasion by Russia into Ukraine was growing daily. The security incident was just the beginning of a string of cyber attacks that would take place between Russia and Ukraine. Initially, it appeared as if Russia had the upper hand as they were constantly attacking Ukraine’s digital infrastructure.
However, over the past five months, things have changed, and it appears that Russia and Ukraine are now on equal footing regarding their cyber war. From WhisperGate to Anonymous, let’s take a look at initial attacks, retaliation, and what Russia and Ukraine’s current cyber war means for the future of cyberwarfare.
In January 2022, Avertium addressed a wiper that defaced more than 70 Ukrainian government websites. The wiper was later attributed to Russia and was named WhisperGate. This wiper had two stages with the first stage being Whisper Gate’s tactical defense of disguising itself as ransomware. After the multi-stage malware executes via Impacket, it overwrites the MBR (Master Boot Record) on a system and includes a $10,000 Bitcoin ransom note. After the intended device powers down, the malware executes.
The second stage is described as a malicious file corrupter. After execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the downloaded link hardcoded in the downloader. The malware then locates files in certain directories using dozens of the most common file extensions and overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After over-writing, the destructor renames each file with a random four-byte extension.
Because WhisperGate happened at time of high tension between Russia and Ukraine, there was fear of a global impact – much like 2017’s NotPetya. NotPetya was a cyber attack against Ukraine that trickled down into other parts of the world and cost $10 billion global dollars. The attack left giant multinational corporations and government agencies unable to function. If an organization had any sort of business with Ukraine, they were affected by NotPetya.
Cyclops Blink and HermeticWiper, began targeting the Ukraine in February 2022. Cyclops Blink is a sandworm malware and has been in the wild since 2019. The malware targets network devices - deploying malware that uses a modular structure, allowing operators to deploy second-stage payloads to infected devices. It has been described by CISA as sophisticated, affecting WatchGuard deices.
HermeticWiper was right on its heels as it deployed on Ukraine’s computer networks. Discovered by ESET, HermeticWiper was believed to be in the works for two months. Similar to WhisperGate, HermeticWiper abuses legitimate drivers from EaseUS Partition Master software to corrupt data before finally rebooting the computer. At the time, the Ukraine didn’t confirm or deny the cyber attack, but the attack happened just as things were heating up between Russia and Ukraine.
After bombarding Ukraine with three wipers, Russia didn’t let up and continued their cyber attacks against the country with three more wipers – IsaacWiper, HermeticWizard, and HermeticRansom. HermeticWizard spreads HermeticWiper (aka DriveSlayer) across local networks via WMI and SMB. ESET observed that HermeticWizard is a worm that was deployed on a Ukrainian system on February 23, 2022. The malware starts by trying to find other machines on a local network before gathering known local IP addresses using certain Windows functions (i.e., GetTcpTable, GtAdapterAddresses, etc.).
HermeticRansom (aka PartyTicket) was also discovered by ESET, which is ransomware written in Go. It was used at the same time as the HermeticWiper campaign but has a much smaller deployment. ESET believes that the ransomware was deployed at the same time to hide the HermeticWiper’s actions, as it doesn’t use obfuscation mechanisms.
ESET discovered IsaacWiper at the end of February 2022, and it’s suspected that the threat actors used tools, like Impacket, to move laterally within networks and systems. ESET also observed a remote access tool called RemCom being deployed at the same time as IsaacWiper.
At this point during the conflict, Russia and Ukraine were clearly at odds but the three wipers were not attributed to Russia and the attackers remained unknown.
Not long after WhisperGate, Cyclops Blink, HermeticWiper, IsaacWiper, HermeticWizard, and HermeticRansom, Ukraine launched their own attack called RURansom. In early March 2022, a malware variant dubbed RURansom started targeting entities in Russia. The malware is a .NET-based wiper that encrypts files on victim’s computers and spreads like a worm within their network or through USB devices. Because RURansom causes irreversible destruction of encrypted files, it can’t be called ransomware. The note that is left behind is more of a declaration than a ransomware note. Also, ransomware infections demand a ransom for decryption keys but RURansom’s keys are random and aren’t stored anywhere.
Soon after Ukraine’s attack with RURansom, ESET discovered another wiper – CaddyWiper. This wiper was seen on March 14, 2022, just a couple of weeks after RURansom was discovered. According to a series of tweets published by ESET Research, CaddyWiper’s operators had control of their target’s network before they deployed the malware via Microsoft Group Policy Objects (GPO).
ESET Research also observed that one organization’s default GPO was abused to spread the malware. They further reported that CaddyWiper avoids erasing data on domain controllers – a tactic they more than likely use to keep access inside the organization while continuing to disturb operations. Again, Russia’s goal was to destroy everything it could.
There were two wipers that Russia deployed which flew under the radar – WhisperKill and DoubleZero. The wipers were active in January 2022 and went after Ukraine’s systems. WhisperKill is a malicious software designed to permanently erase files by overwriting their contents with 1MB of 0xCC character sequence. After further research, analysts discovered that WhisperKill is more than 80% similar to WhiteBlackCrypt ransomware – a ransomware which was active in March 2021.
On March 17, 2022, another wiper named DoubleZero was seen targeting Ukrainian enterprises as Russia invaded the country. This is another wiper that wasn’t heavily covered by the media. The wiper is a .Net-based implant that destroys files, as well as registry keys and trees on infected endpoints. According to Cisco Talos, DoubleZero begins by checking if the current endpoint is one of the domain’s controllers. Once the endpoint’s name is found, the wiper stops executing.
DoubleZero’s goal is to overwrite files in drives by destroying them – excluding a specific list of locations hardcoded in the wiper. It also seeks to destroy non-system files first before destroying system-related files. If system related files are destroyed while the overwriting of other files is pending, it will lead to instability and bricking the system. In these cases, it’s possible to recover the files from the disks that aren’t overwritten yet. After DoubleZero destroys, it then shuts down the system by using ExitWindowsEx API call. These actions render all machines inoperable.
Since the conflict between Russia and Ukraine, several cyber criminal gangs have chosen sides and have come forward regarding their plans to launch cyber attacks – Conti being one of those gangs. Conti is a Russian-speaking RaaS (ransomware-as-a-service) organization, who uses RaaS to deploy disruptive ransomware attacks that target critical infrastructure, like hospitals and government organizations.
While Russia attacked Ukraine, Conti took a pro-Russia stance - a stance which led to their chat logs being leaked weeks later by a Ukrainian patriot. What Conti didn’t expect was for their source code to be leaked along with the chat logs. The same Ukrainian patriot who leaked Conti’s old source code, leaked their newer one as well.
After the back and forth with deploying wipers, hacktivists started to take matters into their own hands. One hacktivist group that comes to mind is Anonymous. In April 2022, NB65 (linked to Anonymous) stole files from the Russian space agency, Roscosmos, and stated that Putin no longer had control over spy satellites. They shared the server information on Twitter. Conti’s leaked source code was used against them by NB65, as the hacktivists stole sensitive files from Roscosmos.
According to the NB65’s Twitter account, they are only attacking Russian organizations and they won’t stop until Russia stops attacking Ukraine. They also stated that payments received from their ransomware attacks will be donated to humanitarian efforts in Ukraine.
This is where we start to see the tables turn as it pertains to the cyber war between Russia and Ukraine. While it once appeared as though Russia had the upper hand, pro-Ukraine hacktivists made it clear that they wouldn’t let Ukraine go down without a good fight.
Anonymous, NB65, DoomSec, AgainstTheWest, and other hacktivist groups continued to bombard Russia with cyber attacks. In May 2022, Anonymous released 184 GB of emails from Metprom Group, a Russian metallurgic engineering and investment group. During the same month, it was reported that Anonymous, and its affiliate groups, compromised 90% of databases owned by different Russian organizations and government in support of Ukraine. Russian IT infrastructure was being targeted every other day – including State-run TV channels and online video streaming platforms.
Also in May 2022, DoomSec and AgainstTheWest announced via Twitter that they pwn’d Russia and leaked FSB names, IP addresses, emails, password hashes, and other confidential messages. They even shared a link where you can find the files.
Image 1: Tweet from DoomSec
At this point, Russia appeared to be having a hard time keeping up with the attacks and didn’t retaliate as much as researchers thought. As Anonymous and other hacktivist groups constantly attacked Russia’s networks and systems, Russia devised another attack plan – a disinformation campaign.
In May 2022, Russian backed hackers launched a disinformation campaign to cause discord, panic, and division amongst Ukrainians. The campaign falsely claimed that Ukrainian President Volodymyr Zelensky committed suicide in a military bunker in Kyiv. The message was that because the president couldn’t keep his country safe, he had no other choice but to end his life. This turned out to be false.
Also, in April 2022, there was a rumor circulating that Ukraine’s Azov regiment, a Ukrainian special operations unit within the country’s National Guard, sought revenge against Zelensky for abandoning his troops in Mariupol. Telegram was also used to spread disinformation regarding the Ukrainian government and its corruption and ineptitude. The campaigns weren’t launched by Russia’s government but were launched by Russian backed hackers who wanted to cause internal unrest amongst Ukrainians.
As of June 2022, Pro-Ukraine hacktivists are still consistently assailing Russia with cyber attacks. This month, Anonymous hacked Russia’s Public Chamber of the Krasnoyarsk and leaked 69k emails. The group also hacked into a weapons company that handles Russian Unmanned Aerial Vehicles, obtaining tactics and plans.
Image 2: Tweet from Spid3r
Also in June, Anonymous breached the website of the Russian Presidential Academy of National Economy as well as the Public Administration of Russian Federation, stating that they stand with Ukraine and won’t stop their attacks until Russian President Putin ends the war. Anonymous also took down the website of the National Intelligence Agency of Belarus.
Anonymous wasn’t the only one keeping busy. In mid-June 2022, the U.S. Department of Justice disrupted the Russian RSocks malware botnet used to hijack millions of computers and other IoT devices. The operation involved the FBI, as well as law enforcement from Germany, the Netherlands, and the United Kingdom.
According to Bill Toulas from BleepingComputer, the RSocks botnet was used to change residential computers into proxy servers, which would then allow the botnet’s customers to use them maliciously or appear as coming from a residential IP address. This kind of exploit could have been used for phishing operations, credential stuffing, or account takeover.
FBI agents began investigating the RSocks infrastructure in 2017 and during that time, 25,000 compromised devices were identified – many of them in the U.S. The devices were compromised via brute-forcing their passwords and installing software on breached computers. There were several large and private entities that were victims of the RSocks botnet, including universities, hotels, and an electronics manufacturer.
Now, there are reports of Russian intelligence agencies increasing their hacking and espionage operations and going after governments outside Ukraine, the U.S being the #1 target, according to Microsoft. The second target on Microsoft’s list was Poland with other popular targets being foreign ministries of NATO countries, think tanks, and critical infrastructure. Russia appears to be preparing to go after allied governments.
The Russian threat actor, Killnet, recently claimed responsibility for a DDoS attack on Lithuania (a European country). The group claimed the attack was in response to Vilnius’s decision to block transit of goods sanctioned by the European Union to the Russian exclave of Kaliningrad. Killnet stated that they’ll stop the DDoS attack when Lithuania lifts the blockade. So far, Killnet has disrupted 1652 of Lithuania’s web resources and Anonymous has officially launched a campaign to “take down” the Russian threat actor as a result.
Microsoft also stated that, by using artificial intelligence tools, they assessed Russia’s disinformation and propaganda campaign and found that their cyber influence operations increased the spread of Russian propaganda after the physical war began. It increased by 216% in Ukraine and by 82% in the United States.
In a rare public acknowledgement, the U.S. military confirmed that their hacking unit has conducted offensive cyber operations in support of Ukraine. The idea is to counter Russia in cyber space without escalating things to a physical war. President Biden pledged to leave Russia be as long as the U.S. and its allies aren’t attacked. However, after the U.S. and its allies imposed sanctions on the Kremlin, there is a serious chance of Russian cyber retaliation against U.S. infrastructure.
The physical war between Russia and Ukraine has been the topic of discussion for months, but what does the cyber war between the two countries mean for the future of cyber warfare? Researchers are saying that Russia’s strategically timed cyber attacks before the physical war, will likely be present in future conflicts across the globe.
The future of modern warfare could be much more complex, more sophisticated, and more destructive moving forward. Such as weaponizing the internet and social media to influence the public. However, cyber warfare is still secondary to actual war. Matt Marsden, Vice President of Tanium, stated that Cyber warfare won’t replace conventional war. He sees it as “a force multiplier and as a way to increase or decrease the effectiveness of conventional or kinetic military operations.”
Since the war began, Russian backed threat actors have launched cyber attacks against Ukraine consistently – some were successful and some failed. Ukraine successfully stopped a Russian cyber attack in April 2022, before it hit computers that controlled an energy firm’s high voltage substations. The threat actor was affiliated with Russia’s military intelligence agency, GRU. This feat implies that Russia has underestimated Ukraine’s military and cyber capabilities.
“I think the Russians expected a walk in the park. Ukrainians have learned from past Russian cyberattacks.” – Paul Capasso (Vice President of Strategic Programs at Telos.
Because of previous history, Ukraine has invested in improving their cyber defenses. In 2015 Ukraine suffered a destructive Russian cyber attack that affected their power grid. The attack left more than 200k people without power for several hours.
The second devastating attack they suffered at the hands of Russia was 2017’s Petya attack. The attack disrupted Ukrainian banks, government ministries, and key companies. Researchers state that as cyber warfare evolves, threat actors will continue to use wipers and DDoS attacks during war.
As we continue to watch the war between Russia and Ukraine, it’s important to remain vigilant and secure our cyber environments. The war could take a turn at any moment, so it’s important to remember the basics of cyber hygiene. Avertium offers the following services to help keep you organization safe:
The wipers we mentioned in our report have the potential to cause significant and widespread damage to critical infrastructure if deployed. Avertium urges you to implement the following recommendations per CISA:
Please click on the link for IoCs related to WhisperGate, HermeticWiper, RURansom, Cyclops Blink, Double Zero, WhisperKill, HermeticWizard, IsaacWiper, AcidRain, CaddyWiper, and NB65.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.