UPDATE February 26, 2022, 04.40 AM (EST): This blog has been updated with details of posts of the Conti ransomware group and Anonymous.
UPDATE February 27, 2022, 05.50 AM (EST): This blog has been updated with details of new IoCs, a list of IoC sources, and the claimed Nvidia breach.
UPDATE February 28, 2022, 06.50 AM (EST): This blog has been updated with details of threat actors taking sides.
The Russian invasion of Ukraine has caused a substantial increase in cyberattacks. What is happening in cyberspace related to the Russia-Ukraine war? How does it affect countries and organizations around the world? How can a company detect cyberattacks associated with this war? What are the IoCs that need to be monitored? The SOCRadar Research Team analyzed the situation in depth, and its findings are presented below.
Public and private organizations can be impacted even if they are not located in the region. Therefore, the SOCRadar analyst team, which has been monitoring the situation since its early hours, has gathered its initial findings in this blog post.
Here is what you should know about the cyber repercussions of the Russian-Ukraine war:
Beginning on January 13, 2022, various companies in Ukraine were infected with destructive malware designed to render targeted machines unusable. The malware wiped victims' machines while posing as a ransomware attack, without offering any ransom payment or recovery mechanism.
The first wave of cyberattacks on February 15th, mostly potent DDoS, targeted Ukrainian government organizations. Several agencies, including the Ministry of Foreign Affairs and the Security and Defense Council, were impacted.
Following the Russian troops' invasion, the second wave of DDoS attacks started on February 23. The targets included government agencies and two of the largest state-owned banks. The attacks were paired with disinformation attempts in which SMS messages were sent to customers falsely claiming that ATMs were out of order.
In addition to the DDoS attacks, two malware families with significant destructive capabilities have been found in the attacks. HermeticWiper is used to destroy the data on a device so that it cannot be recovered. The recently discovered Cyclops Blink is employed to exfiltrate data from the network.
Underground groups such as Anonymous and the Conti ransomware gang have picked sides in the cyber conflict. The largest hacktivist initiative, Anonymous, launched a virtual war against Russia. Conti, the notorious ransomware gang, decided to stand with Russia, threatening to attack the critical infrastructure of any of Russia's rivals.
Dark web forums have become a show-off platform for the warring factions. SOCRadar has detected several posts alleging that sensitive information from government organizations was leaked.
You can also find lists of IoCs, TTPs, and Yara rules in this article.
What Happened So Far?
During the 2021–2022 Russia–Ukraine crisis, a series of cyberattacks took down more than a dozen Ukrainian government websites, including those of the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council.
After Russia recognized the territorial claims of the self-declared separatist republics in eastern Ukraine, its force deployments in these regions coincided with two massive Distributed Denial-of-Service (DDoS) attacks, accompanied by destructive malware, targeting Ukraine.
The first wave of cyberattacks on Ukraine started on February 15th and the second on February 23rd; together they made many Ukrainian government, military, and bank websites inaccessible.
Russian cyberattacks against Ukraine have led hackers, ransomware gangs, and companies to pick sides. Underground groups publicly expressed their side in the military conflict.
In the underground world, actors have made diverse decisions. Conti, the notorious ransomware group, which is claimed to be a state-sponsored threat actor, announced that it will strike back if cyberattacks are conducted against Russia. In two different posts on its official website, the group stated that it would target the critical infrastructure of opposing countries.
Which Cyber Threat Actor Takes Which Side in the Ukraine-Russia War?
Many different cyber threat actors that operate on the dark web have actively participated in the Russia-Ukraine war in cyberspace. During the conflict, which has lasted for nearly a week, many threat actors have declared their sides or switched sides. Many threat actors, from hacktivist groups to ransomware gangs, announced their support for one of the warring parties.
First, the Anonymous collective declared its support for Ukraine. After this announcement, some websites belonging to Russia's state and private sector became unavailable.
In another tweet, Anonymous TV, an account close to Anonymous, claimed that Anonymous had leaked the database of the Russian Ministry of Defense website. The group also claimed to have breached Tetraedr, a Belarusian weapons manufacturer, and to have leaked about 200 GB of emails.
The Conti ransomware group, which has made a name for itself with its organized ransomware attacks, announced that it sided with Russia. The group took a slightly softer tone in a second statement issued later, in which it claimed that it did not support the war. Some insiders unhappy with Conti's support for Russia leaked the group's internal Jabber chats.
The CoomingProject group, which has been selling and sharing data obtained from critical institutions on Russian-speaking hacker forums since 2021, was also among the hacker groups that sided with Russia. The CoomingProject announced that it will respond if the Russian government is targeted by a cyberattack.
LockBit announced that it was not a party to the war. Noting that there are hackers of different nationalities within the group, LockBit stated that people from many countries, not only Ukraine and Russia but also from China to the USA, work for them: "Business is important to us, and we all take an apolitical stance. We are only concerned with money."
Along with Anonymous, another hacktivist group targeting Russia is AgainstTheWest. In its statement, the group claimed that the systems of various Russian government institutions had been infected with ransomware, attacked with data-destroying malware, and that all of their data had been seized.
The Red Bandits, known for their data breach attacks, and the CyberGhost and Sandworm groups, known for their hacking and DDoS attacks, were reported on hacker channels to be Russian supporters. The Raidforum Admins group, which came to the fore with cyber sanctions against Russia, is known to be on Ukraine's side.
As of February 27, groups that have carried out DDoS attacks on behalf of Ukraine include the IT Army of Ukraine, BlackHawk, and the Anonymous Liberland & PWN Bar hack team. Judging by its Twitter channels, the ransomware group called Belarusian Cyber Partisans is a supporter of a "free Ukraine."
On the other side, the Lapsus$ extortion group claimed to have breached Nvidia, one of the largest technology manufacturers in the world. US and Western sanctions imposed in retaliation for Russia's invasion of Ukraine cut off supplies from leading US companies such as Intel, AMD, and Nvidia to Russia's military and its tech industry. After the sanctions decision, hacker groups of Russian origin allegedly shared data containing hashes belonging to Nvidia employees on a Telegram channel monitored by SOCRadar.