Ukraine and Romania Suffer Large-Scale DDoS Attacks
Killnet Claims Responsibility for Targeting Romanian Authorities
The Computer Emergency Response Team of Ukraine (CERT-UA) and the National Bank of Ukraine are warning of massive DDoS attacks against pro-Ukrainian targets. Romania's intelligence service, SRI, also warns of a similar type of attack targeting sites belonging to its national authorities.
According to CERT-UA, unidentified threat actors are injecting malicious JavaScript code, dubbed BrownFlood, into compromised WordPress sites and using the browsers of those sites' visitors to perform the attacks.
"The mentioned malicious JavaScript code can be placed in the structure of the main files of the website (HTML, JavaScript, etc.), including in base64-encoded form," the agency says.
In other words, the script is embedded in the site's own HTML and JavaScript files rather than loaded from an obviously foreign domain, and it is sometimes base64-encoded so that a simple search of the files for the plaintext script will not find it.
Romanian Sites Also Under Attack
"On April 29, 2022, starting with 04:00, a series of sites belonging to national authorities, respectively financial-banking institutions were the victims of a cyberattack of the Distributed-Denial-of-Service (DDoS) type. The attack caused the sites to be unavailable for several hours," according to the Romanian intelligence service, SRI.
Further investigation by the CYBERINT National Center within the Romanian Intelligence Service found that the attackers had taken control of network equipment located outside Romania by exploiting vulnerabilities in it, and then used that equipment to conduct the attacks on Romanian sites.
CYBERINT states that the attack was claimed by the pro-Russian Killnet group, which specializes in DDoS attacks and whose recent targets include NATO and NATO member states.
In a post in its Telegram channel viewed by Information Security Media Group, Killnet says that it does not wish to harm the people of other countries and does not provide hacking services to others. It says "the task of Killnet is to create maximum damage to the network infrastructure of enemy countries."
CYBERINT says that the Killnet group has launched DDoS attacks on the sites of institutions in countries including the U.S., Estonia, Poland and the Czech Republic, as well as on NATO sites.
"The responsibility for ensuring the primary cybersecurity of the affected infrastructures does not belong to the Romanian Intelligence Service. However, given the scale of the attacks with an impact on national security, the CYBERINT National Center within the Romanian Intelligence Service is actively cooperating with the entities responsible for investigating cyberattacks and remedying their effects," the agency says.
On Friday, the national cybersecurity directorate and incident response team - Directoratul Național de Securitate Cibernetică or DNSC - said that a series of DDoS cyberattacks had affected the websites of several public institutions and private organizations in Romania.
"The websites of the Ministry of Defense, Border Police, Romanian Railways and a Banking institution were targeted by attackers seeking to affect the availability of the respective online services through a series of requests from multiple sources overloading the server traffic," it says.
Today, a series of #DDoS cyberattacks affected the websites of several public institutions and private organizations in Romania. The websites of the Ministry of Defense, Border Police, Romanian Railways and a Banking institution were targeted (1) https://t.co/262W4oGxCY #DNSC
— Directoratul Național de Securitate Cibernetică (@DNSC_RO) April 29, 2022
The official Twitter handle for the DNSC says that "Today, April 30, at approximately 2:30 AM, the http://dnsc.ro site was the subject of a DDoS attack. At 8:30 AM the website was already up and running without any problems."
Today, April 30, at approximately 2:30 AM the website https://t.co/GdAaYFha9q was the subject of a DDoS attack. At 8:30 AM the website had already been restored, without difficulty. #DNSC
— Directoratul Național de Securitate Cibernetică (@DNSC_RO) April 30, 2022
When ISMG checked at the time of writing this story - 8:00 a.m. EST, April 30 - the official website for DNSC remained inaccessible from outside the country.
In further tweets, the agency recommends the implementation of appropriate measures for the protection of websites and cyber infrastructures.
Killnet's Recent Activities
Last week, several critical infrastructure entities in the Czech Republic were hit by DDoS attacks. In a press conference, the interior minister of the Czech Republic, Vít Rakušan, did not name the threat actor, but he attributed the attacks to Russian hackers. Rakušan also said no information or private citizen data was stolen in the attacks (see: Pro-Russian Killnet Group in DDoS Attacks on Czech Entities).
None of the Czech government authorities or international partners publicly attributed the DDoS attacks to a particular threat actor apart from Rakušan, who simply said the attacks were coming from Russia. Based on this lead, ISMG observed the chatter on various social media forums and Telegram channels, which led to the discovery of the recently formed Telegram channel Killnet, which was created on Jan. 24.
The Killnet group is known to support Russia, based on a video published by the group on Twitter, addressing the people of Russia and telling them to never doubt their country. Little is known about the group, but a joint cybersecurity alert published by CISA on Wednesday says that Killnet is an emerging threat actor and should be watched.
CISA says that the group has claimed credit for carrying out a DDoS attack against a U.S. airport, Bradley International Airport, in late March 2022, in response to U.S. material support for Ukraine.
In its Telegram channel, the Killnet group has not only claimed responsibility for all of the attacks on the Czech Republic mentioned earlier but has also claimed additional victims, including the defense department, a commercial bank, a cellular provider, a hosting company and two additional airports in the Czech Republic, Brno-Turany and Ostrava.
Ukrainian Alert
The malicious code called BrownFlood runs in the browsers of users who visit the compromised websites and uses each visitor's computing resources to generate an abnormal number of HTTP requests to the attack targets, a set of URLs defined in the script. Because the requests originate from ordinary visitors' browsers, the flood arrives from many unrelated client IP addresses, which is what makes the attack distributed.
"To detect abnormal activity similar to that mentioned in the log files of the web server, you should pay attention to events with the response code 404 and, if they are abnormal, correlate them with the values of the HTTP header 'Referer', which will contain the address of the web resource that initiated the request," the alert from CERT-UA says.
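The check CERT-UA describes, as an added example that is not part of the alert or of CERT-UA's own tooling: parse a web server's combined-format access log, keep only 404 responses, group them by the host named in the Referer header, and flag any referring host that produces a burst of 404s against many distinct paths from many client IPs. The log lines are constructed for the example; the 60-second window, the threshold of five 404s, and the assumption that the flood script randomises the requested paths (which is what turns the requests into 404s) are the author's assumptions and should be tuned to the site.

```python
"""Detect a browser-based HTTP flood (the BrownFlood pattern described by
CERT-UA) in web server access logs by clustering 404 responses per Referer.

Added example, not CERT-UA's tooling. Log lines are constructed; window and
threshold are assumptions a defender would tune for their own traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three visitors of a compromised blog hit randomised,
# non-existent paths within seconds (all 404); two unrelated 404s arrive via a
# search engine, and one normal 200 comes from the same blog.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2022:04:00:01 +0300] "GET /?_=4f1c3a HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.23 - - [29/Apr/2022:04:00:02 +0300] "GET /a9b2/ HTTP/1.1" 404 153 "https://compromised-blog.example/news/" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2022:04:00:03 +0300] "GET /?_=77d0e1 HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"
192.0.2.44 - - [29/Apr/2022:04:00:05 +0300] "GET /zz81k HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.23 - - [29/Apr/2022:04:00:09 +0300] "GET /?_=0c9e44 HTTP/1.1" 404 153 "https://compromised-blog.example/news/" "Mozilla/5.0"
192.0.2.44 - - [29/Apr/2022:04:00:12 +0300] "GET /q7m2x/ HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"
192.0.2.10 - - [29/Apr/2022:04:01:40 +0300] "GET /old-page HTTP/1.1" 404 153 "https://www.google.com/" "Mozilla/5.0"
192.0.2.11 - - [29/Apr/2022:04:07:00 +0300] "GET /old-page HTTP/1.1" 404 153 "https://www.google.com/" "Mozilla/5.0"
192.0.2.12 - - [29/Apr/2022:04:07:01 +0300] "GET /index.html HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def referer_host(url):
    """Reduce a Referer URL to its host; '-' when absent or malformed."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", url, re.I)
    return m.group(1).lower() if m else "-"


def find_flood_referers(lines, window=timedelta(seconds=60), min_404=5):
    """Return {referer_host: stats} for hosts driving a burst of 404 responses.

    A legitimate referrer links to a few real pages; a flood script hits many
    randomised, non-existent URLs from many client IPs within a short span."""
    by_ref = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ref[referer_host(rec["referer"])].append(rec)

    findings = {}
    for host, recs in by_ref.items():
        if host == "-":
            continue
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: the largest number of 404s that fall inside `window`.
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_404:
            findings[host] = {
                "max_404_per_window": best,
                "distinct_paths": len({r["path"] for r in recs}),
                "client_ips": len({r["ip"] for r in recs}),
            }
    return findings


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return find_flood_referers(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, stats in analyze_sample().items():
        print(f"suspected flood source: {host} {stats}")
```

Run against a real log with `find_flood_referers(open("access.log"))`. The host it names is the compromised site carrying the script, not the attacker, so the right response is to contact that site's owner or hosting provider (as CERT-UA did) and, for immediate relief, to rate-limit or challenge requests carrying that Referer at the edge; a 404 with a high `distinct_paths` count is the tell, since normal broken links repeat the same few paths.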
CERT-UA has also released a nonexhaustive list of 36 compromised websites that contain BrownFlood code. The agency says it has taken measures to inform website owners of the threat, as well as relevant domain name registrars and hosting providers.
CERT-UA recommends that website owners take steps to detect and remove the malicious JavaScript code, keep their website content management systems up to date, and restrict access to website management pages.
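A scanner for the first of those recommendations, and for the base64-encoded placement CERT-UA describes earlier in the alert, as an added example that is not CERT-UA's tooling or the WordPress project's code: it walks inline `<script>` blocks (and whole `.js` files), decodes any long base64 run it finds, and flags a script, in plain or decoded form, that combines a request primitive, a repetition construct and URL randomisation, or that feeds a base64 blob straight into `atob`/`eval`. The heuristics and the two sample pages are the author's constructions; the flagged payload is a minimal stand-in for what an injected flood loader looks like, not BrownFlood itself.

```python
"""Scan website source for injected request-flooding JavaScript, including
base64-encoded payloads. Added example, not CERT-UA's or WordPress's code;
the heuristics and sample pages are the author's assumptions."""
import base64
import os
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# What a flood script needs: a way to send requests, a way to repeat, and
# randomisation to defeat caches. Individually common; together suspicious.
REQUEST_RE = re.compile(r"\b(fetch|XMLHttpRequest|Image|sendBeacon)\b")
REPEAT_RE = re.compile(r"\b(setInterval|setTimeout|while|for)\b")
RANDOM_RE = re.compile(r"Math\.random|Date\.now")
DECODE_RE = re.compile(r"\b(atob|eval)\s*\(")

# Constructed sample pages. The "injected" one wraps a tiny request loop in
# base64 so a plain-text grep for fetch() would miss it.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>for (var i = 0; i < 3; i++) { document.title = "Post " + i; }</script>
</head><body><p>Hello</p></body></html>"""

_PAYLOAD = b'setInterval(function(){fetch("https://target.example/?"+Math.random());},50);'
PAYLOAD_B64 = base64.b64encode(_PAYLOAD).decode()
INJECTED_PAGE = (
    '<html><head><script>eval(atob("' + PAYLOAD_B64 + '"))</script></head>'
    "<body><p>Hello</p></body></html>"
)


def decoded_blobs(script):
    """Yield the UTF-8 text of every long base64 run that decodes cleanly."""
    for m in B64_RE.finditer(script):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary: ignore


def classify_script(script):
    """Return the reasons a script looks like an injected flood loader ([] if clean)."""
    reasons = []
    views = [("plain", script)] + [("base64", t) for t in decoded_blobs(script)]
    for label, text in views:
        if REQUEST_RE.search(text) and REPEAT_RE.search(text) and RANDOM_RE.search(text):
            reasons.append(f"{label}: request loop with randomised URL")
    if DECODE_RE.search(script) and B64_RE.search(script):
        reasons.append("plain: base64 blob passed to atob/eval")
    return reasons


def scan_source(name, text):
    """Scan one file's contents; .js files are one script, others by <script> tag."""
    scripts = [text] if name.lower().endswith(".js") else [
        m.group(1) for m in SCRIPT_RE.finditer(text)
    ]
    findings = []
    for i, script in enumerate(scripts):
        reasons = classify_script(script)
        if reasons:
            findings.append({"file": name, "script_index": i, "reasons": reasons})
    return findings


def scan_directory(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a site's document root (e.g. a WordPress install) and scan each file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(path, fh.read()))
    return findings


if __name__ == "__main__":
    print("clean   :", scan_source("clean.html", CLEAN_PAGE))
    print("injected:", scan_source("index.html", INJECTED_PAGE))
```

Point `scan_directory` at the web root and at theme and plugin directories; a hit in a core file such as a theme's `header.php` or `footer.php`, or in a minified bundle that the site's own build did not produce, is the location CERT-UA says to clean. Treat the result as a lead rather than a verdict: decode and read the flagged blob before removing it, and compare the file against a known-good copy from the CMS or theme vendor, since restoring from a clean copy is safer than hand-editing.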