Cyber attacks on Ukraine: DDoS, new data wiper, cloned websites, and Cyclops Blink
This Thursday morning, Russia started its invasion of Ukraine and, as predicted, the attacks in the physical world have been preceded and accompanied by cyber attacks:
- Renewed DDoS attacks have been launched against the websites of Ukrainian government agencies and banks
- New data wiper malware has been discovered on Ukrainian computers, as well as machines in Latvia and Lithuania
- Researchers have identified a web service hosting cloned copies of a number of Ukrainian government websites and the main webpage of the Office of the President, booby-trapped with malware
Also, the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have released details about a new malware targeting network devices, which they attributed to Sandworm (aka BlackEnergy), a threat actor that those agencies have previously attributed to the Russian GRU’s Main Centre for Special Technologies (GTsST).
The DDoS attacks
This latest round of DDoS attacks started on Wednesday afternoon. As before, the targets were the websites of several Ukrainian banks and government agencies, including those of the Ukrainian Ministry of Defence, the Ministry of Foreign Affairs, the Ukrainian parliament, and the Security Service of Ukraine.
All except the last are currently accessible. Traffic directed to the website of the Ukrainian Ministry of Defence is passing through Cloudflare’s filters first. Access to Privatbank’s website is also moderated by a set-up aimed at thwarting bots.
Privatbank is working for me now, although the "Human Verification" page doesn't remember me when I refresh, which suggests a very aggressive bot-checking feature that's probably smart.
But now the website of Ukraine's SBU (their FBI) is also down. https://t.co/TmdikUdpIU
— Eric Geller (@ericgeller) February 23, 2022
A new data wiper: HermeticWiper
On Wednesday, ESET researchers discovered new data wiper malware being used in Ukraine.
“ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today,” the company shared.
Dubbed HermeticWiper, the malware has also been spotted by Symantec researchers.
New #wiper malware being used in attacks on #Ukraine
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
— Threat Intelligence (@threatintel) February 23, 2022
The victim organizations outside Ukraine appear to be Ukrainian government contractors with presences in those countries, per Symantec's Vikram Thakur.
— Dustin Volz (@dnvolz) February 23, 2022
According to ESET, the wiper binary has been signed with a legitimate code signing certificate (possibly compromised), abuses legitimate drivers from the EaseUS Partition Master software to corrupt the data, and then finally reboots the target computer.
“In one of the targeted organizations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server,” the company also added.
Cloned copies of Ukrainian government websites
Independent threat researcher Snorre Fagerland, Bellingcat and The Insider have unearthed a web service that “has played a role in past cyber-attacks linked to Russian state interests,” and found hosted on it cloned copies of a number of Ukrainian government websites.
“These cloned websites were created no earlier than November 2021, around the time when Russia’s latest round of escalations against Ukraine began,” Bellingcat said.
“Notably the cloned version of the site of the Ukrainian president is modified to contain a clickable ‘Support the President’ campaign that, once clicked, downloads a package of malware to the user’s computer.”
How these cloned websites would have been used is, of course, impossible to know, though the researchers found copied login pages that point toward phishing.
They also speculated about the malware’s ultimate goals, such as compromising the machines of tens or hundreds of thousands of Ukrainians and using them for DDoS attacks, and stealing credentials for social media accounts, for future use in online disinformation campaigns.
“There is no evidence that the infrastructure and malware behind [this web service] was used or linked to today’s cyber attacks experienced by Ukrainian government institutions,” Bellingcat researchers noted.
They also added that during the last two months, “the same threat actors were sending malware in over 35 different zip files via discord links,” aimed at high-value Ukrainian targets in the various ministries and the country’s nuclear agency.
Cyclops Blink malware “replaces” VPNFilter
The NCSC and the CISA have released details about Cyclops Blink, a new piece of malware targeting network devices that is ostensibly being used by the Sandworm threat actor.
“Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network attached storage (NAS) devices,” the NCSC said.
“The actor has so far primarily deployed Cyclops Blink to WatchGuard [firewall] devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.”
The malware collects device information, sends it to a command and control server, and is capable of downloading and executing files, as well as getting additional modules at a later date.
The most interesting thing about this malware is its persistence mechanism, which abuses the devices’ legitimate firmware update process:
Figure: Cyclops Blink persistence throughout the legitimate update process
“This achieves persistence when the device is rebooted and makes remediation harder,” the NCSC noted.
More technical details about Cyclops Blink and indicators of compromise are available here. WatchGuard has also released a FAQ about it, a diagnosis and remediation plan, and detection tools.
“Following a thorough investigation, WatchGuard believes that the threat actor used a previously identified and patched vulnerability that was accessible only when firewall appliance management policies were configured to allow unrestricted management access from the Internet. This vulnerability was fully addressed by security fixes that started rolling out in software updates in May 2021,” the company noted.
WatchGuard was first informed by the FBI about the attack against its devices in late November 2021, so this widespread compromise does not seem to be linked to the current situation in Ukraine. Nevertheless, given its alleged source, it might be a preparation for future attacks that may yet happen during this unfolding military conflict.
What to expect next?
Chester Wisniewski, Principal Research Scientist at Sophos, has pointed out that information warfare is how the Kremlin can try to control the rest of the world’s response to actions in Ukraine or any other target of attack.
“False flags, misattribution, disrupted communications, and social media manipulation are all key components of Russia’s information warfare playbook. They don’t need to create a permanent cover for activities on the ground and elsewhere, they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives,” he told Help Net Security.
“Interestingly, the United States and United Kingdom are trying to preempt some of the misinformation campaigns, and this could limit their effectiveness. However, we shouldn’t assume the attackers will stop trying, so we need to remain prepared and vigilant.”
“While defense-in-depth security should be the normal thing to strive for at the best of times, it is especially important if we can expect an increase in the frequency and severity of attacks. The misinformation and propaganda will soon reach a fever pitch, but we must keep our nose to the ground, batten down the hatches and monitor for anything unusual on our networks as the conflict cycles ebb and flow and even when/if they end soon. Because as we all know, it could take months for evidence of digital intrusions due to this Russian-Ukrainian conflict to surface.”