Beyond the disturbing images of the invasion of Ukraine that began February 24 are the invisible cyberattacks that preceded it and continue to be waged on Ukraine by Russian state-sponsored and other threat actors, which also threaten the West.
Vedere Labs, Forescout’s threat intelligence and research team, is closely monitoring the evolution of cyber activities connected to the Russian-Ukrainian conflict. We continue to gather information regarding active threats; tactics, techniques and procedures (TTPs); Indicators of Compromise (IoCs); and mitigations. Watch for updates to this post as we distill further intelligence. Here is what we know so far:
- Malware – We have seen the use of data wiper malware variants including WhisperGate and HermeticWiper, as well as a new malware called Cyclops Blink. As the cyberattacks unfolded, the UK National Cyber Security Centre (NCSC-UK) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report that attributes Cyclops Blink to the well-known Sandworm threat actor (linked to Russia’s Main Intelligence Directorate, the GRU), which apparently developed the new strain to replace the popular VPNFilter malware. There is currently no known link between Cyclops Blink and the ongoing conflict, but the discovery sheds light on the evolution of cyber capabilities by Russian state-sponsored actors.
- Other incidents – There have been several DDoS attacks and website defacements targeting Ukrainian organizations, as well as a website clone used to spread malware.
- Threat actors – Several groups have declared support for either side in the conflict. Over the past week, we have identified at least three active threat actors through malicious domain name requests. The first is a cybercriminal group that uses the DarkSide ransomware and is believed to be based in Eastern Europe (due to Russian language found in their code). The second is associated with Emotet, a botnet strain and cybercrime operation believed to be based in Ukraine. The third is linked to the Russian Foreign Intelligence Service (SVR) and uses Sunburst malware, best known because of SolarWinds.
Vedere Labs conducted a technical analysis of the malware, incidents and actors related to the conflict. Following is a summary of our findings.
Analysis of malware related to the Russia-Ukraine conflict
Our analysis of WhisperGate, HermeticWiper and Cyclops Blink is ongoing. Download our briefing notes for more information, including technical analyses, IoCs that can help identify them and recommendations on how to mitigate them.
On January 15, Microsoft announced they had uncovered a two-stage destructive malware targeting Ukrainian organizations, which they dubbed WhisperGate. The initial infection vector used to deploy the malware is not yet known. There is no evidence of any 0-days or known vulnerabilities being exploited in any stage of the malware, nor are there yet signs of it being used to target anything other than Ukrainian organizations.
After the initial report, researchers on Twitter uncovered more samples related to WhisperGate, including a stage 3, which is much more complicated. The first stage overwrites the master boot record (MBR) of affected systems, rendering them unusable. The second stage downloads stage 3. The third stage disables system defenses, wipes files and deletes itself.
Although the malware displays a ransom note, there is no recovery mechanism, and this is believed to be a decoy. The true goal of the malware seems to be destruction of files and systems rather than financial gain via ransomware.
On February 23, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. The wiper relies on a legitimate partition management driver, EaseUS Partition Master (empntdrv.sys), to corrupt the MBR of infected Windows machines and delete data. The driver is signed by a digital certificate belonging to a Cyprus-based company called Hermetica Digital Ltd. After corrupting the MBR, the malware reboots the infected machine, resulting in a boot failure. A script is available to detect executables signed by the same certificate.
According to researchers from ESET, in at least one case the threat actors had access to a victim’s network for deploying the malware.
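The following PowerShell hunt is an added example, not the detection script referenced above or any Forescout tooling. It walks the directories where the abused driver would typically land and records every PE file whose Authenticode signer subject names Hermetica Digital. The exact subject string of the certificate, the search roots and the output path are assumptions; adjust the `-SignerPattern` and `-Paths` parameters to match your environment.

```powershell
# Added example (not Forescout's script): enumerate PE files whose Authenticode signer
# subject matches the Hermetica Digital certificate named on the page.
# ASSUMPTIONS: the certificate CN contains "Hermetica Digital"; the search roots below
# cover where a dropped driver/executable would land on a typical Windows host.
param(
    [string[]]$Paths = @(
        "$env:SystemRoot\System32\drivers",
        "$env:SystemRoot\System32",
        "$env:ProgramData",
        "$env:TEMP"
    ),
    [string]$SignerPattern = 'Hermetica Digital',   # matched against SignerCertificate.Subject
    [string]$OutCsv = "$env:TEMP\hermetica-signed-hits.csv"
)

$hits = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.sys, *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature reads the embedded PKCS#7 signature; unsigned files
            # return Status NotSigned and a null SignerCertificate.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $SignerPattern) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status                 # Valid / HashMismatch / NotTrusted ...
                    Subject    = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    NotAfter   = $sig.SignerCertificate.NotAfter
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

if ($hits) {
    $hits | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
    $hits | Format-Table Path, Status, Thumbprint -AutoSize
    Write-Warning ("{0} file(s) signed by '{1}' found; review against the briefing-note IoCs." -f @($hits).Count, $SignerPattern)
} else {
    Write-Output "No files signed by '$SignerPattern' found under the searched paths."
}
```

Two caveats when reading the output: a match is a triage lead, not a verdict, because the same certificate legitimately signs the EaseUS driver on hosts where that product is installed, so compare the SHA256 column against the IoCs in the briefing note before acting; and a `Status` of `Valid` only means the signature chain checked out at scan time, it says nothing about whether the file is benign.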
On February 23, CISA and the NCSC-UK released a report about Cyclops Blink, a new malware developed by the Sandworm group to replace VPNFilter. Cyclops Blink is a malicious Linux ELF (Executable and Linkable Format) binary that currently targets devices running the 32-bit PowerPC architecture. The malware contains a core component and additional modules, executed as child processes, that can upload and download files, extract device information and update the malware. Command-and-control communication uses a custom binary protocol underneath TLS, and messages are individually encrypted.
Cyclops Blink has been associated with a large-scale botnet targeting network devices used in small and home offices (mainly WatchGuard Firebox) and active since 2019. NCSC-UK has analyzed two known samples.
Website defacements, DDoS attacks and website clones
Vedere Labs has observed four major cyber incidents unrelated to malware:
- On January 14, about 70 Ukrainian government websites were defaced. Attackers included text in Ukrainian, Russian and Polish saying, “Be afraid and wait for the worst.” On the same day, the websites were taken offline and then restored.
- Starting on the afternoon of February 15, websites of several Ukrainian banks and government agencies, including Privatbank (the largest bank in Ukraine), Oschadbank, the Ukrainian Ministry of Defense, the Ministry of Foreign Affairs, the Ukrainian parliament and the Security Service of Ukraine were targets of DDoS attacks. There have been two waves of attacks, one on February 15 and another on February 23.
- On February 23, Bellingcat reported on a web service hosting cloned copies of several Ukrainian government websites that had been modified to serve malware when visitors click on a specific link. The malware deployed by the websites was linked to previous attacks targeting Ukraine in
We are continuing to monitor these and other incidents.
Threat actors supporting either side
Several hacking groups are currently supporting either side of the conflict and trying to inflict damage via cyberattacks. Here are examples of groups and actions:
- On February 25, the Anonymous hacking collective declared a “cyber war” against Russia. So far, it has managed to disable the Russian state news website.
- On February 27, the Cyber Partisans hacking collective compromised Belarusian railway systems by encrypting data on servers, databases and workstations. As a result, some trains could not run, which the collective hoped would slow Russia’s invasion via Belarus.
- The famed Conti ransomware group seemed to side with Russia, based on communications from some members. However, one Ukrainian member of the gang hacked their internal communications platform and leaked messages (in Russian) from January 29, 2021, until February 27, 2022. The messages are currently being analyzed by the security community. Some of the confirmed content shows the relationship between Conti and the TrickBot and Emotet malware groups.
The escalation of the cyber conflict to include these groups is worrying because their motivations and agendas are not entirely clear and can change quickly. At this point, there is no evidence that any of these groups is targeting organizations not involved in the conflict. However, Russian groups, especially, could try to affect businesses in countries that are currently imposing economic sanctions on Russia, such as the U.S. and EU countries.
How Forescout helps protect you against emerging cyber threats
The Forescout platform delivers automated cybersecurity across your digital terrain to help maintain continuous alignment of your security framework and your digital reality. The platform provides in-depth cyber asset visibility for networks and enables effective, real-time management of cyber risks. Forescout customers should:
- Update the eyeInspect Command Center with the IoCs contained in our full briefing note, as well as the regular IoC and CVE updates on the Forescout Community Portal
- Import the IoCs into the eyeSight IoC Scanner
- In case an IoC is detected, implement control policies that limit network access to possibly compromised hosts
Vedere Labs can provide Forescout customers with further targeted support and overwatch of their installation and threat landscape via the eyeInspect Cloud uploader. This enables the automatic upload of anonymized malicious behavior to the Global Cyber Intelligence Dashboard, so that Vedere Labs can perform intelligence and investigation activities that translate into recommendations, reports and threat feeds to better detect and prevent attacks.
For more information about how Forescout can help, contact your Forescout customer representative.