Ukraine Tracks a Record Number of Cyber Incidents During WarHackers Steal CCTV Footage to Study Efficacy of Missile Strikes and Drone Attacks
The tempo of cyberattacks against Ukrainian critical infrastructure has intensified this year - the second year in which Kyiv is fending off a Russian war of conquest.
In the first 10 month of this year, Ukraine's national computer emergency response team, CERT-UA, logged 2,054 cyber incidents, compared to 2,194 for the entirety of 2022, said Viktor Zhora, deputy chairman of Ukraine's State Service of Special Communications and Information Protection. Three-quarters of the incidents involved civilian infrastructure, Zhora told a cybersecurity conference in Dublin on Thursday.
Hackers' top goals are to steal information on the disposition of forces, infiltrate organizations that provide critical infrastructure services and steal people's personal information from organizations across a number of sectors, including insurance and healthcare, said Zhora, who addressed the IRISSCON conference, held by IRISSCERT - short for the Irish Reporting and Information Security Service - via video link.
Since Russia launched an all-out invasion on Feb. 24, 2022, the most dangerous hacking incidents have typically traced to Russia's GRU military intelligence group, he said. The greatest number of attacks this year appear to have been launched by the Federal Security Service, or FSB. Other threats include the SVR foreign intelligence service, embassies and partner agencies, and some groups in Russia's Ministry of Defense. Government hackers are "joined by cybercriminal groups, and also so-called hacktivist groups - united via Telegram channels - which are less skilled but more numerous," he said.
Russian targeting continues to evolve. In the beginning of the war, many attacks focused on "destroying our systems and breaking our resistance," Zhora said. While those types of attacks have continued, he said, there has been a rise in attacks targeting law enforcement and prosecutors' systems, seeking information on suspected Russian spies and evidence pertaining to war crimes. He said hackers have also attempted to gather information on the efficacy of Russian missile strikes and unmanned aerial vehicle attacks, including by stealing CCTV footage local to targeted sites.
Multiple cybersecurity experts have said one surprise pertaining to the conflict has been the absence of cyberattacks being used in close coordination with kinetic attacks (see: Ukraine's Cyber Defense Success: Top Takeaways).
Even so, Russia continues to refine its abilities on multiple fronts, including attacks that target operational technology environments.
Including the Stuxnet malware built earlier this century to target centrifuges in Iran, security experts have counted only eight unique strains of malware built by attackers to hit OT environments, said Rik Ferguson, vice president of security intelligence for cybersecurity vendor Forescout, speaking at IRISSCON. Much of that has been attributed to Russia and used to hit Ukraine's power grid, he said.
Historically, such attacks required customizing the malware for the precise infrastructure being used by a victim organization. Typically, this demanded that attackers build a test lab that has the same hardware and runs the same version of the software as the facility to be targeted, according to security experts.
More recently, there's evidence that "they're evolving into 'living off the land,' using legitimate OT tools to conduct attacks," which helps them avoid having to develop highly customized malware, Ferguson said, referencing recently released research from Google Cloud's Mandiant threat intelligence group (see: Russian Sandworm Hackers Caused Power Outage in October 2022).
"Living off the land" refers to using legitimate tools to penetrate and traverse a victim's network, in part to help evade defenses, including anti-malware tools.
Google Cloud's Mandiant threat intelligence group last week reported that in an attack it helped mitigate last year, attackers used such tactics to hit a Ukrainian OT environment. The firm attributed the attacks to the GRU's Sandworm hacking team, which has pummeled Ukraine with cyberattacks for nearly a decade.
"The actor first used OT-level living off the land techniques to likely trip the victim's substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine," Mandiant said. "Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim's IT environment." CaddyWiper is destructive malware designed to wipe systems.
Mandiant said the CaddyWiper attack failed to do much damage or to affect hypervisor or industrial control systems - including for supervisory control and data acquisition. In addition, a self-proclaimed hacktivist group called CyberArmyofRussia_Reborn boasted about CaddyWiper infecting systems before it had actually encrypted any systems, suggesting that supposed Russian hacktivist groups have close ties to intelligence services.
"Due to a series of operator errors, UNC3810 was unable to complete the wiper attack before the Telegram post boasting of the disrupted network," Mandiant previously reported. "Instead, the Telegram post preceded CaddyWiper's execution by 35 minutes, undermining CyberArmyofRussia_Reborn's repeated claims of independence from the GRU."
Forescout's Ferguson said that while many of the threat actor groups aligned with Russia primarily run distributed denial-of-service attacks and phishing campaigns, "absolutely we see that hacktivists are targeting OT," based on attack attempts detected by Forescout's honeypots. These attacks aren't just automated, but also appear to involve hands-on keyboard maneuvers. Attackers log in and actively try to exploit known vulnerabilities that might be present in environments.
"This is not just opportunistic; this is highly targeted," he said.