The Majority of Incidents Entailed Malware Distribution, Phishing and Intrusion Attempts
May 31, 2022
[Image: The majority of the attacks are tracked as coming through Russia. (Source: ISMG)]
Three months after Russia’s ongoing invasion of Ukraine began, Ukraine takes a look back at the turbulence it has faced in the cyber sphere during Q1 2022 and considers the way ahead.
The Cyber Rapid Response Team of the State Cyber Defense Center (SCPC) Ukraine, which operates under the State Service of Special Communications and Information Protection of Ukraine, shared a report with Information Security Media Group showing that Ukraine faced nearly 14 million suspicious cybersecurity or information security events in the first three months of the year alone.
Of these, 78,000 were treated as critical, the SCPC tells ISMG. It adds that 63% of the suspicious events were detected within ministries and organizations, while another 35% affected regional government administrations.
The statistics have been gathered from SCPC’s security operations center, which monitors and detects malicious activity as well as system and network anomalies at several cyber defense facilities across Ukraine. It analyzes the data obtained from network devices (such as active sensors, firewalls and vulnerability scanners), workstations and servers, authorization systems, and internal and external cyber threat data sources to identify threats, the SCPC says.
Nearly a quarter of these data sources were internal (9%) and external (15%) cyber threat data sources, and a striking 35% came from vulnerability scanners and intrusion detection systems, the report says.
The SCPC divided these information security or cybersecurity incidents into various categories and types to better understand the motives of Ukraine’s adversaries. The categorization found that malware distribution, phishing or data collection through intrusion, and intrusion attempts into critical systems are the primary motivations and methods used by Ukraine’s adversaries.
Source: SCPC Report
The majority of the attacks are, unsurprisingly, tracked as coming through Russia, but the SCPC says that other major countries to which the source of these attacks has been traced include China, South Korea, the U.S., India, and Bangladesh, among others. The SCPC clarifies, however, that this does not necessarily mean the cyberattacks have been attributed to these countries. “The tracking has been done based on the number of positives targeting Ukrainian regions from other countries’ IP addresses and IP location is only a country’s delegation name.” Anyone can use a virtual private network or other resources to route traffic via another country’s IP address, the SCPC says.
When it comes to the regions in Ukraine that have been targeted during these cybersecurity events, the SCPC says Kharkiv, Kyiv, Dnipro, and Lviv top the list.
Source: SCPC Report
These cybersecurity events have primarily been initiated via phishing and unpatched vulnerabilities, followed by DoS/DDoS attacks, the SCPC’s report shows. This coincides with a recent report that found state-sponsored threat actors not only from Russia but also from China, Iran and North Korea are using Ukraine war-related themes for phishing (see: State-Sponsored Actors Using Russia-Ukraine War for Phishing).
Active Threat Groups
The most active groups that attacked Ukraine in Q1 2022 were representatives of the Russian Federation, which include some military-backed threat actors, the SCPC claims. Some of the more notable ones are:
Armageddon/Gamaredon – UAC-0010
IcedID/Trickbot – UAC-0098
Sandworm – UAC-0082
APT28/Strontium – UAC-0028
APT29/Nobelium/Cozy Bear – UAC-0029
SunSeed/Asylum Ambuscade – UAC-0064
InvisiMole – UAC-0035
KillNet – UAC-0108
Beware of Gamaredon and Killnet’s DDoS Attacks
Researchers at China-based cyber threat intelligence company 360 Qihoo reportedly found a series of DDoS attacks launched by the Russia-affiliated group Gamaredon, which it tracks as APT-C-53. It also reported that the group has released the code of a DDoS Trojan called LOIC, which is open-source software found on GitHub.
This malware copy was found between March 4 and March 5, just a few days after the Russian invasion of Ukraine began, the researchers note.
While monitoring a batch of C2 servers that the researchers at Qihoo believe belong to the threat group, Qihoo found multiple C2 servers distributing LOIC, an open-source DDoS Trojan program compiled in .NET.
“The distribution of the LOIC Trojan may be the prelude to a new round of DDoS attacks,” the researchers say.
The attacks are not restricted to Ukraine: on Monday, Italy’s Computer Security Incident Response Team issued an alert to raise awareness about the potential risk of cyberattacks against its national entities.
The Italian CSIRT also referred to DDoS attacks that the country suffered during the Eurovision music competition held in Turin (see: Italian Police Repel Online Attempt to Disrupt Eurovision).
At the time, the “Killnet” group had vowed reprisals for blocking Russia from the annual music competition, and in the past couple of days Killnet’s operators have been actively posting messages on their Telegram channel about attacks against Italy.
“Following the malicious campaigns perpetrated by Russian-linked actors and the DDoS attacks that occurred between May 11 and 21, against national subjects, as part of the monitoring activities carried out by CSIRT Italy, signals and threats continue to be detected of possible imminent attacks to damage in particular public national subjects, private subjects that provide a public utility service or private subjects whose image is identified with the country of Italy,” the Italian CSIRT alert says.