
Cyber Insurers Redefine State-Sponsored Attacks as an Act of War Amidst Legal Concerns


The U.S. government attributes NotPetya to a Russian cyberattack on Ukraine in 2017. Its consequences continue to be felt as cyber insurers alter coverage exclusions, further extending the definition of an “act of war.” The five-year-old cyberattack appears to be reshaping the cyber insurance industry.

Mondelez, the parent company of brands like Cadbury, Oreo, Ritz, and Triscuit, was among those hit by NotPetya: its manufacturing plants and production were interrupted, and it took days for the company’s staff to regain control of their computer systems. The business filed a claim for $100 million in losses with Zurich American, its property and liability insurer. Zurich initially agreed to pay a $10 million portion of the claim, then withheld payment, asserting that the attack was an act of war and hence not covered by the policy. Mondelez subsequently initiated legal action.

Mondelez and Zurich American reportedly later settled for the original claim of $100 million, but only after Merck's $1.4 billion lawsuit against Ace American Insurance Company over its NotPetya-related damages succeeded in January 2022. Merck's claim was made not under a cyber insurance policy, but under its property and casualty policy.

Back in 2017, when cyber insurance was still a budding idea, several corporate giants filed claims for NotPetya losses, estimated at $10 billion worldwide, against their property and casualty policies.

What Has Changed? 

Until 2020, before the COVID-19 pandemic, cyber insurance policies were sold much like a typical home or auto policy: the insurer paid little attention to the customer's cybersecurity profile, the tools it used to secure and defend its network and data, or its general cyber hygiene.

But after numerous ransomware attacks hit organizations with lax cybersecurity, insurance carriers began tightening the requirements for obtaining such policies, says Alla Valente, senior analyst at Forrester Research.

Today, the business model for cyber insurance differs substantially from that of other policies, and the cyber insurance policies of 2017 are obsolete.

What is an “Act of War”? 

Every sort of insurance policy, including cyber insurance policies, has a "War Exclusion." A war exclusion clause generally says that no damages resulting from hostile or warlike activities by a state or its agents are covered. Usually, this exclusion applies to a “hot war,” like the one we have witnessed in Ukraine in recent times. Courts, however, are beginning to consider cyberattacks as potential acts of war even without a declaration of war, ground troops, aircraft, or any physical battlefield. The carriers argue that state-sponsored attacks in themselves constitute a war footing.

The terms of cyber policies from Lloyd's of London will change in April 2023 to exclude liability losses brought on by state-sponsored cyberattacks. As stated by Tony Chaudhry, Lloyd’s underwriting director, in a Market Bulletin published in August 2022, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber-related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage."

In this regard, Forrester's Valente notes that businesses may have to set aside large cash reserves in case they ever face a state-sponsored attack. If the insurance carriers succeed in convincing the courts that a state-sponsored attack is, by definition, an act of war, no business will have coverage unless it specifically negotiates the removal of the exclusion into its contract.

Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg, says that when purchasing cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms."

"Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms," he adds.  

Ukraine’s Cyber-Defenses Have Been Exemplary, Says Lindy Cameron


Defending one’s digital life has always been necessary in order to secure critical systems and services. In recent years, the UK has faced a range of online threats, from ransomware and online fraud to the cybersecurity risks that came with the return of war to Europe.

Considering how the entire cybersecurity landscape has changed over the past year, the UK needs a whole-of-society response to combat the ever-evolving online threats, risks, and vulnerabilities, in order to keep the nation safe online.

Working with allies and partners in both the public and private sectors, the National Cyber Security Centre (NCSC) has contributed to a significant effort to increase the country's resilience at every level. Along with reflecting on the significant achievements and challenges of the past year, its Annual Review sheds light on what we can learn from it to combat the threats and uncertainties that lie ahead.

The invasion of Ukraine was one of the biggest cybersecurity challenges of the year. While Russia's brutal war sought to redraw the physical map, its effects were felt everywhere, including in cyberspace.

“While Russia’s brutal war has sought to redraw the physical map, its consequences have been felt in cyberspace,” says Lindy Cameron, CEO of the National Cyber Security Centre. 

The NCSC, as part of GCHQ, monitors cybersecurity threats and has warned of heightened cyber risk from Russian hostility since the beginning of 2022. It has also published expert guidance to help organizations strengthen their defenses, and has collaborated extensively with partners to ensure that vital enterprises, infrastructure, and society as a whole are as resilient as possible.

Ransomware continues to present one of the greatest risks to UK businesses and organizations, and we have already witnessed the adverse repercussions that attacks can have on organizations' operations, finances, and reputations, and the resulting widespread harm to consumers.

The NCSC has published expert guidance to help organizations take measures to secure themselves online, and continues to urge CEOs to take the matter seriously rather than leaving it to technical experts.

Over the past year, the NCSC has helped contain hundreds of thousands of upstream cyberattacks while reinforcing preparedness for them, and has helped organizations and institutions gain a better understanding of the nature of the threats, risks, and vulnerabilities downstream.

By addressing these challenges, the NCSC aims to ensure that the UK remains a global cyber power in the future. Its overall plan for doing so is set out in the National Cyber Strategy, which acknowledges that a thriving cyber skills ecosystem, with diversity of talent at its core, is essential to maintaining this advantage.

In the past year, initiatives like CyberFirst have worked with thousands of young people from all across the country, while the NCSC has supported businesses through its startup programmes, which have generated hundreds of millions of pounds in investment.

“This is a source of great optimism for me and my team as we look ahead to 2023. But cybersecurity is a team sport and it is only through mobilising the whole of society that we can achieve our goal of making the UK a safe place to live and work online,” adds Cameron.  

Russia-Linked Sandworm Impersonates Ukrainian Telecoms to Deliver Malicious Code


Researchers have found that the Russia-linked hacking group known as Sandworm has been impersonating Ukrainian telecommunications providers in order to target entities in Ukraine and infect them with malware.
 
Sandworm is a hacking group closely connected with the GRU, the Russian government's foreign military intelligence service, where it is tracked as military unit 7445. It is an Advanced Persistent Threat (APT) group responsible for several cyberattacks, including those on Ukrainian energy infrastructure.
 
Recorded Future, which monitors operations against both government and private-sector targets, reports that a rise in Sandworm activity has been observed since August 2022 and tracked by the Computer Emergency Response Team of Ukraine (CERT-UA). The frequency with which Sandworm has been observed using DNS domains for command-and-control infrastructure makes it clear that the telecom masquerade is a ruse for attacking Ukrainian computers.
 
Recorded Future's report adds that it found new infrastructure belonging to the group, tracked as UAC-0113, which imitates operators such as Datagroup and EuroTransTelecom; the group's earlier infrastructure of this kind had been used to deploy DarkCrystal RAT.
 
Recorded Future’s report states: “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.”
 
This new UAC-0113 infrastructure distributed the commodity malware Colibri Loader and Warzone RAT, packaged in a malicious ISO, by means of HTML smuggling. HTML smuggling uses legitimate features of HTML and JavaScript to assemble the malicious payload inside the victim's browser, so that it slips past security controls that only inspect content in transit.
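Because the payload is built in the browser rather than downloaded as a file, a gateway that only inspects attachments in transit sees an ordinary HTML page. The following added example (not code from Recorded Future, CERT-UA, or the campaign itself) is a heuristic triage scanner that looks in an HTML document for the JavaScript primitives an in-browser file drop needs: a base64 decode, a Blob being built, a download sink (object URL or the legacy msSaveOrOpenBlob), a download attribute naming the file, and an automatic click. The two sample pages, the indicator names, the verdict thresholds, and the file name "invoice.iso" are all constructed for the example.

```python
"""Heuristic triage of HTML attachments for HTML-smuggling indicators.

Added example, not code from the original article or the campaign it
describes.  A page that decodes a base64 string into a Blob and hands it to
a download sink is assembling a file on the client; that chain of
primitives is a strong triage signal even though each one is legitimate.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# JavaScript primitives that an in-browser file drop typically needs.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "legacy_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "large_base64": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
# File name the page tries to save, e.g.  a.download = 'invoice.iso'
DOWNLOAD_NAME = re.compile(r"download\s*=\s*['\"]([^'\"]+)['\"]")
# Container and executable extensions worth escalating (ISO per the report).
RISKY_EXT = re.compile(r"\.(iso|img|vhd|vhdx|js|jse|hta|exe|lnk|zip)$", re.I)


@dataclass
class ScanResult:
    hits: set[str] = field(default_factory=set)
    download_name: str | None = None
    risky_extension: bool = False
    verdict: str = "clean"


def scan_html(html: str) -> ScanResult:
    """Score one HTML document; verdict thresholds are this example's own."""
    result = ScanResult()
    result.hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    m = DOWNLOAD_NAME.search(html)
    if m:
        result.download_name = m.group(1)
        result.risky_extension = bool(RISKY_EXT.search(m.group(1)))
    # Core chain: a Blob built in memory plus some sink that turns it into a file.
    sinks = {"object_url", "legacy_save_blob", "download_attr"}
    if "blob_construct" in result.hits and result.hits & sinks:
        if result.risky_extension or "auto_click" in result.hits:
            result.verdict = "likely smuggling"
        else:
            result.verdict = "suspicious"
    elif result.hits:
        result.verdict = "review"
    return result


# Constructed samples, not captured pages.
BENIGN_HTML = """<html><body><h1>Price list</h1>
<a href="/prices.pdf">Download PDF</a>
<script>document.getElementById('x');</script></body></html>"""

SMUGGLING_HTML = """<html><body><script>
var b64 = "UEsDBBQAAAAIAJRZ...";  // placeholder string, not a real payload
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.iso';
a.click();
</script></body></html>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("sample", SMUGGLING_HTML)):
        r = scan_html(page)
        print(f"{label}: {r.verdict} hits={sorted(r.hits)} file={r.download_name}")
```

Run it against HTML attachments pulled from a mail queue or proxy logs; a "likely smuggling" verdict is a reason to detonate the page in a sandbox and hunt for the named file on endpoints, not a conviction on its own, since legitimate single-page apps also build Blobs for downloads.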
 
Sandworm is best known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. It was later also found responsible for the Cyclops Blink botnet, which compromised internet-connected firewall and other network devices from WatchGuard and ASUS.
 
The group has also attacked U.S. targets, which led the U.S. government to announce a reward of $10 million for information on the hackers behind this Russian threat actor group.
 
There are several examples of masquerading domains, such as “datagroup[.]ddns[.]net”, tracked by CERT-UA in June, which impersonated Datagroup's online portal. Another example is the Kyivstar lookalike “kyiv-star[.]ddns[.]net”, which Sandworm used against Ukrainian telecom services.

Anonymous Attacks Russian Taxi Company, Causes Traffic Jam


Yandex Taxi Hacked

Russia has been one of the main targets of hackers since the country launched its war against Ukraine. The most recent attack targeted Yandex Taxi, a ride-hailing service.

The news first came out on reddit.com. Yandex Taxi belongs to Yandex, Russia's leading IT corporation, also known as Russian Google. 

Notably, the EU sanctioned the company's co-founder Arkady Volozh for “de-ranking and removing” information about Russian attacks on Ukraine.

About the incident

After compromising the Yandex Taxi app, the anonymous threat actors caused a massive traffic jam in Moscow, Russia.

On 1 September 2022, drivers reported an unusual gathering of taxis in western Moscow.

The hackers had booked all the available taxis to the same address, and a massive traffic jam formed as Yandex Taxi drivers converged on, and became stuck at, that one location.

The cabs were directed to Kutuzovsky Prospekt, one of Moscow's main avenues, which is also known for the Stalinist-era Hotel Ukraina (Hotel Ukraine).

The traffic jam lasted three hours. Yandex's security team immediately looked into the issue and promised to improve its algorithm to prevent such incidents in the future.

Who is behind the attack?

The online hacktivist group Anonymous claims responsibility for the attack. The attackers compromised the Yandex app and created a chaotic pile-up of taxis.

The hackers bypassed the company's security mechanisms and placed multiple fake orders, directing all the drivers to a single location.

Commenting on a similar incident last year, Yandex said in a blog post:

"This is just one of many attacks aimed not only at Yandex but also at many other companies in the world. The attacks have been going on for several weeks, their scale is unprecedented, and their source is a new botnet about which little is known so far."


Hacked Ukrainian Radio Stations Propagate Misinformation Regarding President Zelensky’s Health

 

Hackers targeted the Ukrainian radio operator TAVR Media on Thursday to spread fake news that Ukrainian President Volodymyr Zelensky had been hospitalized and was in critical condition.

Anonymous attackers broadcast reports that the Ukrainian President was in an intensive care ward and that his duties were being temporarily performed by the Chairman of the Ukrainian parliament, Ruslan Stefanchuk, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) stated.

"Cybercriminals spread information that the President of Ukraine, Volodymyr Zelenskyy, is allegedly in intensive care, and his duties are performed by the Chairman of the Verkhovna Rada, Ruslan Stefanchuk," the SSSCIP said in an update. 

The Kyiv-based holding firm is one of Ukraine’s largest broadcasters and manages nine major radio stations, including Hit FM, Radio ROKS, KISS FM, Radio RELAX, Melody FM, Nashe Radio, Radio JAZZ, Classic Radio, and Radio Bayraktar. 

TAVR Media wrote on Facebook that it is working “to solve the problem,” but did not provide additional details. The company also emphasized that "no information about the health problems of the President of Ukraine Volodymyr Zelenskyy is true."

The false reports, which were broadcast during prime time, between 12 and 2 p.m., also prompted Zelenskyy to take to Instagram, stating, "I have never felt as healthy as I do now."

It remains unclear how the hackers breached TAVR Media. Multiple hackers from across the globe have tried to capitalize on the ongoing conflict between Russia and Ukraine to launch a barrage of cyberattacks. 

In a related development, the Computer Emergency Response Team of Ukraine (CERT-UA) also issued a warning regarding macro-laden PowerPoint documents being leveraged to deploy Agent Tesla malware targeting state organizations of Ukraine. 

This is not the first time hackers have targeted Ukrainian media. According to Cloudflare, online media, publishing, and broadcasting firms were hit by more distributed denial-of-service (DDoS) attacks in the second quarter of 2022 than any other industry.

Earlier this year in June, the malicious actors also targeted the Ukrainian streaming service Oll.tv and replaced the broadcast of a football match between Ukraine and Wales with Russian propaganda. In February, Ukraine’s national public broadcaster suffered a DDoS attack, according to its general producer Dmytro Khorkin.

Russian Group Attacks Bulgarian Refugee Agency

 

A ransomware group with strong ties to Russia warned on Wednesday that it will publicly post the files it has stolen from the Bulgarian government agency responsible for refugee management.

LockBit 2.0 published a notice on its dark web leak site saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read beneath the group’s trademark bright red countdown clock, which showed a May 9 publication date. Notably, the notice did not state a specific ransom demand.

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February; approximately 230,000 fled to Bulgaria, of whom 100,700 remain in the country.

The agency's official website remains active, but a notice on its home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Reporters contacted the agency for comment, but it did not immediately respond to the email. A spokesperson at the Bulgarian embassy in Washington, D.C., later said that he had no information on the incident and would look into the matter.

LockBit 2.0 is an updated version of LockBit, a ransomware variant first spotted in September 2019, according to the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, LockBit is named for the file extension it appends to encrypted files, which was later changed to “LockBit”. In September, the group also made headlines for launching its own leak website.

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Attackers Are Employing Multiple Malware Strains to Target Ukrainian Systems

 

Amid the Russia-Ukraine war, cybersecurity experts have witnessed a sudden increase in wiper malware deployments. Since February 24, Ukrainian security experts have unearthed at least seven new malware strains used by attackers against Ukraine: AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.

Earlier this week, AT&T Cybersecurity published a blog post detailing these wipers, which we summarize below.

WhisperKill 

On the night of January 14, anonymous hackers attempted to gain access to and deface the websites of more than 70 Ukrainian government agencies, according to Ukraine’s security service. The malware successfully defaced 22 websites and severely damaged six.

How it operates: The malware downloads a payload that wipes the Master Boot Record (MBR), then downloads a malicious file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the compromised devices. 

HermeticWiper 

A month later, on February 23, 2022, ESET Research discovered a new wiper, HermeticWiper, being used against hundreds of Ukrainian systems. The attackers used a shell company to obtain a code-signing certificate, which helps the malware bypass detection mechanisms such as Microsoft Defender SmartScreen and built-in browser protections.

To maximize the impact of the wipe, the malware first enumerates the data it intends to destroy, then uses the EaseUS Partition Master driver to overwrite the selected parts of the disk with random data.

IsaacWiper 

A day after the initial assault with HermeticWiper, on February 24, 2022, a new wiper was used against the Ukrainian government which, as ESET reported, bore no significant similarities to the HermeticWiper used the day before.

This wiper malware iterates through the filesystem, enumerates files and overwrites them. The behavior is similar to ransomware activity, but in this case, there is no decryption key. Once the data has been overwritten, it is lost. 

AcidRain 

On March 15, a new strain of wiper malware called AcidRain was discovered by researchers at SentinelLabs. AcidRain was used in an attack against the Viasat KA-SAT satellite broadband service.

The attacker gained access to the provider's management infrastructure to deploy AcidRain on KA-SAT modems used in Ukraine. AcidRain is an ELF binary for MIPS, the architecture of the KA-SAT modems; it first overwrites any file outside the standard *nix system directories (bin, boot, dev, lib, proc, sbin, sys, usr, etc.) and then erases data from the device's storage.

CaddyWiper 

The first version of CaddyWiper was unearthed by ESET researchers on March 14, when it was used against a Ukrainian bank. It was employed again in the attack on a Ukrainian energy company on April 12.

The wiper overwrites files on the computer with null bytes, making them unrecoverable. The malware can be executed with or without administrator privileges; in both cases it causes severe damage to the target machine.

DoubleZero 

On March 22, 2022, CERT-UA reported a new wiper used against Ukrainian infrastructure and enterprises. Dubbed DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program.

The wiper destroys files in one of two ways: by overwriting them with 4096-byte blocks of zeros via the FileStream.Write method, or by calling the NtFileOpen and NtFsControlFile APIs with the FSCTL_SET_ZERO_DATA control code.

To prevent further assaults, researchers recommended keeping systems up to date and sharing cybersecurity knowledge. In addition, the damage from such attacks can be mitigated by maintaining periodic backups of key infrastructure.
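The backup advice above is only useful if a defender can tell a clean restore point from one captured after the wiper ran, and a file zero-filled by CaddyWiper or DoubleZero still exists with its original size, so a simple "is the file there?" check passes. The following added example (not code from AT&T Cybersecurity, ESET, or CERT-UA) records a SHA-256 manifest at backup time and later verifies the tree against it, distinguishing files that were legitimately edited from files that were overwritten with zero bytes (the CaddyWiper null-byte and DoubleZero 4096-byte-zero-block patterns described above) and from files that went missing. The small directory tree, its contents, and the simulated overwrite are constructed for the example; the 4096-byte read size is taken from the DoubleZero description.

```python
"""Backup manifest and wipe-aware integrity check.

Added example, not code from the original article or the vendors it cites.
Hashing every file at backup time lets a defender verify later that a
restore point is clean; a zero-fill test separates a wiped file (present,
same size, all zero bytes) from one that was merely edited.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

ZERO_BLOCK = 4096  # DoubleZero's overwrite block size; also our read size


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    # Keep the manifest outside the backed-up tree, ideally offline or immutable,
    # so the same wiper cannot destroy the evidence along with the data.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def looks_wiped(path: Path) -> bool:
    """True if the file is non-empty and every byte is zero."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(ZERO_BLOCK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root against a manifest taken earlier."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "wiped": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == expected:
            report["ok"].append(rel)
        elif looks_wiped(p):
            report["wiped"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, then simulate one
    zero-fill overwrite, one legitimate edit and one deletion."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "tree"
        (root / "config").mkdir(parents=True)
        (root / "config" / "app.ini").write_text("[db]\nhost=localhost\n")
        (root / "ledger.csv").write_text("id,amount\n1,10\n")
        (root / "notes.txt").write_text("keep me\n")
        manifest_path = Path(d) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)

        size = (root / "ledger.csv").stat().st_size
        (root / "ledger.csv").write_bytes(b"\x00" * size)          # same size, all zeros
        (root / "config" / "app.ini").write_text("[db]\nhost=db01\n")  # ordinary edit
        (root / "notes.txt").unlink()                                # deleted
        return verify(root, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:9s} {files}")
```

In practice the manifest is written during the scheduled backup job and checked before any restore; a non-empty "wiped" list means that backup was taken after the wiper ran and an older restore point is needed.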

Biden Prolongs National Emergency Amid Increasing Cyber Threats

 

In the backdrop of the Russia-Ukraine conflict, the increasing risk of cybersecurity threats against U.S. national security, economy, and foreign policy has prompted President Joe Biden to extend the state of national emergency which was originally declared by former President Barack Obama in April 2015. 

The national emergency was extended after the Cybersecurity and Infrastructure Security Agency published a warning regarding possible Russian state-sponsored cyberattacks against U.S. organizations following the invasion of Ukraine.

The war between Russia and Ukraine will be the main topic at Thursday's NATO meeting, where Biden's administration will rally Western allies and announce a new round of financial sanctions against the Russian government; Biden is expected to announce sanctions on hundreds of Russians serving in the country's lower legislative body. Observers expect further sanctions to increase cybersecurity threats against the U.S. government.

Last month, CISA and the FBI alerted U.S. organizations to the potential spillover of the data-wiping attacks against Ukraine.

"Significant malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities," said Biden. 

On Tuesday, Biden's national security adviser Jake Sullivan said that the administration believes that right now "they have effective posture today for what's necessary today," but further he said that Biden and NATO allies will discuss "longer-term adjustments to NATO force posture on the eastern flank."

Anonymous Wages a Cyber War Against Russia, Targets Oligarchs

Anonymous continues its attacks against Putin and Russia; its latest target is the Russian investment firm Marathon Group. Anonymous keeps attacking Russian firms owned by oligarchs: last week the group announced the hacking of Thozis Corp, and in the most recent incident it claims responsibility for the Marathon Group hack. Marathon Group is a Russian investment firm owned by the oligarch Alexander Vinokurov, who was recently sanctioned by the EU. Vinokurov is the son-in-law of Russian Foreign Minister Lavrov. Anonymous breached the organization's systems and leaked 62,000 emails (a 52 GB archive) through DDoSecrets (Distributed Denial of Secrets).

DDoSecrets is a non-profit whistleblower website launched in 2018. "JUST IN: #Anonymous has hacked & released 62,000 emails from the Marathon Group, a Russian investment firm owned by oligarch Alexander Vinokurov, currently under EU sanctions. Vinokurov is also the son-in-law of Russian Foreign Minister Lavrov" tweets @YourAnonTV. The group also claims responsibility for hacking a Belarusian government website dedicated to the economy of Volozhin, a city in the Minsk region of Belarus.

"Anonymous makes an intrusion into a website of the Government of Belarus dedicated to the Economy of Volozhin, a Belarusian city in the Minsk region" tweets @Anonymous_Link. The Anonymous group tweeted that, due to the nature of the leak, DDoSecrets is offering the data only to journalists and researchers. "Hackers leaked 15GB of data stolen from the Russian Orthodox Church's charitable wing & released roughly 57,500 emails via #DDoSecrets. #DDoSecrets noted that due to the nature of the data, at this time it is only being offered to journalists & researchers," tweets @YourAnonTV.

What else has Anonymous done to Russia?

In March, Anonymous declared a "cyber war" against Russia. Since then, Anonymous has claimed responsibility for various attacks on Russian government, news and corporate websites, and has leaked data from prominent organizations such as Roskomnadzor, the federal agency that censors Russian media. "Many CIS files were erased, hundreds of folders were renamed to "putin_stop_this_war" and email addresses and administrative credentials were exposed," said Jeremiah Fowler, co-founder of the cybersecurity company Security Discovery.

Viasat: AcidRain Wiper Disables Satellite Modems

 

The cyberattack that targeted the KA-SAT satellite broadband service on February 24, wiping SATCOM modems, used a newly discovered data wiper. It affected thousands of users in Ukraine and thousands more across Europe.

The cybersecurity firm SentinelOne reports that it discovered a malware sample linked to the February 24 loss of connectivity. The malware, called AcidRain, which was also likely used in the Viasat breach, is an ELF executable built for MIPS-based devices. Its indiscriminate approach to wiping could indicate either the attackers' lack of familiarity with the filesystem and firmware of the targeted devices, or their desire to build a reusable tool.

The sample originated from Italy, where SkyLogic, the Viasat operator responsible for the affected network, is based. The sample was also tagged with the moniker "ukrop," which could be a reference to the Ukraine Operation.

The researchers underscored that Viasat did not offer technical indicators of compromise or a detailed incident response report; instead, the satellite company stated that rogue management commands had damaged modems in Ukraine and other European countries. The two SentinelOne researchers questioned how legitimate commands alone could cause such damage to the modems: "scalable disruption is more feasibly performed by delivering an update, script, or executable," they wrote.

The program thoroughly wipes the filesystem and various storage device files. If launched as root, AcidRain first performs a recursive overwrite and deletion of non-standard files in the filesystem, SentinelOne threat researchers Juan Andres Guerrero-Saade and Max van Amerongen revealed.

The wiper then overwrites storage devices with up to 0x40000 bytes of data, or uses the MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) calls to erase data on compromised devices.

The fact that Viasat has supplied nearly 30,000 modems to get customers back online since the February 2022 attack, and is still shipping more to speed up service restoration, suggests that SentinelOne's supply-chain attack scenario is correct. The IOCTLs used by this malware also resemble those used by the 'dstr' wiper plugin of VPNFilter, destructive malware linked to Russian GRU hackers.

The Ukrainian Computer Emergency Response Team recently stated that a data wiper known as DoubleZero had been used in attacks on Ukrainian businesses. On the same day that Russia invaded Ukraine, researchers discovered IsaacWiper, another data wiper, and HermeticWizard, a new worm that dropped HermeticWiper payloads. ESET has also discovered a fourth data-destroying strain, CaddyWiper, which wipes data across Windows domains and erases user data and partition information from attached drives.

Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January, which was being used in data-wiping attacks targeting Ukraine while masquerading as ransomware.

Ukraine War: Major Internet Provider Suffers Cyber-Attack

 

A major Ukrainian internet provider, Ukrtelecom, is working to restore service after what it believes was a cyber-attack. The network was shut down to "safeguard the vital network infrastructure."

Ukrtelecom JSC is Ukraine's monopoly telephone company and is also active in the internet service and mobile markets. Yuriy Kurmaz, the company's CEO, said in a statement: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.”

Netblocks, an international internet monitoring organisation, said it was the company's biggest outage since the beginning of the Russian invasion last month, with connectivity down to 13% of its level before President Vladimir Putin announced the war.

They said on Twitter: “Update: Ukraine's national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia.” 

According to the BBC, other people in Ukraine using various internet providers had no problems. In terms of geographical coverage, Ukrtelecom is the largest internet provider, although Kyivstar is the largest in terms of customer numbers. 

The United Nations has confirmed 1,179 civilian deaths and 1,860 civilian injuries since the war began in late February, but the total is believed to be substantially higher. The war has also triggered a humanitarian crisis, with more than 10 million people forced to leave their homes and 3.8 million of them seeking refuge in neighbouring nations.

Chinese Hacker Group Scarab Targets Ukrainian Systems, CERT-UA Warns

 

Ukraine’s Computer Emergency Response Team (CERT-UA) released evidence last week of a malicious campaign tracked as UAC-0026, which SentinelLabs has associated with the China-linked Scarab APT group.

Scarab APT was first spotted in 2015, but researchers believe it has been active since at least 2012, conducting targeted attacks against multiple nations across the globe, including Russia and the United States.

The threat actors target Ukrainian systems with phishing messages carrying weaponized attachments that deploy the HeaderTip malware. The phishing messages use a RAR archive titled “On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which contains an EXE file of the same name. The lure document used in the campaign spotted by CERT-UA mimics the National Police of Ukraine.

“Running the executable file will create a lure document ‘# 2163_02_33-2022.pdf’ on the computer (applies to a letter from the National Police of Ukraine), as well as a DLL file with the MZ header ‘officecleaner.dat’ and the BAT file ‘officecleaner.bat,’ which will ensure the formation of the correct DLL-file, run it and write to the Windows registry to ensure consistency. The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.”

The HeaderTip samples used by the Chinese hackers are 32-bit DLL files written in C++. The malware has backdoor capabilities and is also used as first-stage malware. CERT-UA, which did not mention China or Scarab in its alert, added that identical attacks were observed in September last year. SentinelOne says it was able to tie UAC-0026 to Scarab through an analysis of the malware used in the attack. 

“Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups,” SentinelOne explained, adding that there is sufficient evidence depicting that the author of the malware is employing the Windows operating system in a Chinese language setting. 

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes,” SentinelOne concluded.

FBI Witnesses Rising Russian Hacker Interest in US Energy Firms

 

Since the outbreak of Russia's war against Ukraine, the FBI has detected an uptick in Russian hackers' interest in energy firms, though it has no evidence that a specific attack is planned. 

According to an FBI advisory obtained by The Associated Press on Tuesday, Russian hackers have scanned at least five energy companies and at least 18 other companies in sectors such as military and financial services for vulnerabilities. None of the companies is identified in the advisory. 

Scanning a network for vulnerabilities is common and does not always mean an attack is coming, though it can be a precursor to one. Nonetheless, the FBI's Friday warning highlights the Biden administration's heightened cybersecurity concerns as a result of Russia's war in Ukraine. The White House said on Monday that there was "evolving intelligence" suggesting Russia was planning cyberattacks against critical infrastructure in the United States. 

At a White House press briefing, Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, expressed disappointment that some critical infrastructure firms have failed to patch known software vulnerabilities that Russian hackers may exploit. The FBI advisory lists 140 internet protocol (IP) addresses that it says have been linked to scans of critical infrastructure in the United States since at least March 2021. 

According to the alert, scanning has increased since the war began last month, raising the likelihood of future intrusions. The FBI acknowledges that scanning activity is frequent, but the advisory says the listed IP addresses have been linked to the active exploitation of a foreign victim, which resulted in the destruction of that victim's systems.
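The defender-side use of an advisory like this one is to cross-check perimeter logs against the published addresses and look for the multi-port probing the FBI describes as scanning. The Python below is an added example, not code from the FBI advisory or from the article; it matches constructed firewall log lines (an assumed key=value format, not any vendor's real one) against a constructed watchlist of RFC 5737 documentation addresses standing in for the advisory's 140 IPs, and reports sources that touched several distinct destination ports.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for an advisory IP list: RFC 5737 documentation ranges,
# not the addresses from the FBI advisory, which the article does not reproduce.
WATCHLIST = ["203.0.113.7", "198.51.100.0/24"]

# Constructed firewall log lines in an assumed key=value format.
LOG_LINES = [
    "2022-03-18T10:01:02Z src=203.0.113.7 dst=10.0.0.5 dport=22 action=DENY",
    "2022-03-18T10:01:03Z src=203.0.113.7 dst=10.0.0.5 dport=443 action=DENY",
    "2022-03-18T10:01:04Z src=203.0.113.7 dst=10.0.0.5 dport=3389 action=DENY",
    "2022-03-18T10:02:10Z src=198.51.100.23 dst=10.0.0.9 dport=502 action=ALLOW",
    "2022-03-18T10:03:00Z src=192.0.2.44 dst=10.0.0.9 dport=443 action=ALLOW",
    "this line is not parseable and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def load_watchlist(entries):
    """Accept single addresses or CIDR blocks; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input never raises."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def match_watchlist(lines, watchlist):
    """Events whose source address falls inside any watchlisted address or block."""
    nets = load_watchlist(watchlist)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            continue
        matched = [str(n) for n in nets if src in n]
        if matched:
            ev["matched"] = matched
            hits.append(ev)
    return hits


def summarize_scanners(hits, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports: scan-like behaviour."""
    ports = defaultdict(set)
    for ev in hits:
        ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    hits = match_watchlist(LOG_LINES, WATCHLIST)
    for ev in hits:
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} {ev['action']} (matched {ev['matched']})")
    print("scan-like sources:", summarize_scanners(hits))
```

The ALLOW hit on port 502 from the watchlisted block is the kind of line worth reviewing first: a denied probe is noise, an allowed connection to an industrial protocol port from a listed address is not.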

Source Code for New Conti Malware Exposed by Ukrainian Security Researcher

 

The source code of a fresh version of the Conti ransomware has been disclosed by a Ukrainian security researcher. This is the latest in a string of leaks sparked by the criminal group's support for Russia. Conti is a Russia-based ransomware gang that uses a ransomware-as-a-service (RaaS) business model. While some ransomware demands run into the millions of dollars, Coveware estimates the average Conti demand at just over $765,000. 

The notorious Conti ransomware group published a statement soon after Russia launched its invasion of Ukraine, warning that it was prepared to strike the critical infrastructure of Russia's adversaries in retaliation for any attacks on Russia. 

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After more than two weeks of inactivity, the Twitter account resurfaced over the weekend, releasing what appears to be the source code for a newer version of Conti. Some have speculated that the leaker is a Ukrainian security researcher, while others believe he is a rogue member of the Conti group. The leaked messages were widely shared. 

The release of ransomware source code, particularly for advanced operations such as Conti, can have serious consequences for corporate networks and consumers, because other threat actors frequently reuse leaked code to build their own ransomware operations. In the past, a researcher released the source code for ransomware called 'Hidden Tear', which was soon adopted by several threat actors to launch various operations.

Anonymous Rises Again Amid Russia Ukraine War

 

Anonymous, the international hacktivist collective, has surfaced again; this time the group claims to have hacked Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), a Russian federal agency, and to have stolen more than 360,000 files. Much has been written about Russia banning VPNs, Telegram and email services; Roskomnadzor is the agency that carries out those bans. 

It is called Roskomnadzor, a major federal executive agency responsible for overseeing, managing and censoring Russian media. "Anonymous also targeted and hacked misconfigured/exposed Cloud databases of Russian organizations. The shocking aspect of the attack was the fact that Anonymous and its affiliate hackers hacked 90% of Russian Cloud databases and left anti-war and pro Ukrainian messages," Hackread reports. 

Details about the attack 

The leaked data totals 820 GB; most of the database files related to Roskomnadzor are linked to the Republic of Bashkortostan, one of Russia's largest regions. The full dataset is now available on the official website of Distributed Denial of Secrets (DDoSecrets), a non-profit whistleblower organization. It should be noted that an Anonymous affiliate shared Roskomnadzor's data with DDoSecrets; the organization itself is not responsible for the attack. The first announcement of the leak came from journalist and DDoSecrets co-founder Emma Best in March 2022. 

YourAnonNews, a well-known representative of the Anonymous collective, also tweeted about the attack. Anonymous has openly sided with Ukraine in the ongoing war with Russia. The Russian government has restricted all major sources of information, especially news and media outlets, and Roskomnadzor was ordered to block Facebook, Twitter and other online platforms. 

Hackread reports, "While Twitter launched its Tor onion service, authorities in Russia have also amended the Criminal Code to arrest anyone who posts information that contradicts the government’s stance. Nevertheless, since Roskomnadzor is a major government agency responsible for implementing government orders Anonymous believes the Russian public must have access to information about what is going on within Roskomnadzor."

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called in late February for a volunteer "IT army" of hackers to DDoS Russian targets. Cisco Talos, however, says that opportunistic cybercriminals are attempting to take advantage of the subsequent outpouring of support for the country. Specifically, it detected Telegram posts offering DDoS tools that were actually laced with malware. An organisation calling itself "disBalancer" offers one such tool, named "Liberator"; although the tool itself is authentic, it has been spoofed by others, according to Cisco. 

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to tell them apart from the real DDoS tool, according to the vendor. Because the perpetrators have been disseminating infostealers since November, Cisco concluded that this is not the work of new actors but of existing criminals aiming to profit from the Ukraine conflict. 

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 
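Cisco's point that the spoofed tools are unsigned suggests a first triage step for any binary dropped into a chat channel: check whether it carries an embedded Authenticode signature at all before going anywhere near it. The Python below is an added example, not Cisco's or disBalancer's code; it reads the IMAGE_DIRECTORY_ENTRY_SECURITY entry from the PE optional header's data directory and checks for a WIN_CERTIFICATE of PKCS#7 signed-data type. The helper `build_test_pe` (a hypothetical name) builds constructed minimal PE32 and PE32+ headers, not loadable programs, so the check can be exercised offline.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header data directory


def security_directory(data):
    """Return (file_offset, size) of the Authenticode table; (0, 0) when absent."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at offset 96
        dir_off = 96
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        dir_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]  # NumberOfRvaAndSizes
    entry = dir_off + SECURITY_DIR_INDEX * 8
    if n_dirs <= SECURITY_DIR_INDEX or size_of_opt < entry + 8:
        return (0, 0)
    # For the security directory the first field is a file offset, not an RVA.
    return struct.unpack_from("<II", data, opt + entry)


def has_embedded_signature(data):
    """True if a WIN_CERTIFICATE of PKCS#7 type is present. Presence says nothing about validity."""
    offset, size = security_directory(data)
    if offset == 0 or size < 8 or offset + 8 > len(data):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return (cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            and 8 < length <= size
            and offset + length <= len(data))


def build_test_pe(signed, pe32plus=False):
    """Constructed minimal PE header (not a runnable program) for exercising the check."""
    magic = 0x20B if pe32plus else 0x10B
    machine = 0x8664 if pe32plus else 0x14C
    dir_off = 112 if pe32plus else 96
    opt_size = dir_off + 16 * 8
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)  # NumberOfRvaAndSizes
    if signed:
        body = b"\x30\x82" + bytes(14)  # stand-in for a PKCS#7 DER blob, not a real signature
        blob = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        sec_off = len(dos) + len(coff) + opt_size
        struct.pack_into("<II", opt, dir_off + SECURITY_DIR_INDEX * 8, sec_off, len(blob))
        return dos + coff + bytes(opt) + blob
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in (("signed", build_test_pe(True)), ("unsigned", build_test_pe(False))):
        print(label, "->", "signature present" if has_embedded_signature(image) else "no signature")
```

Because the article notes the genuine Liberator is also unsigned, a missing signature does not single out the spoofs; the practical rule is that an unsigned tool from a random chat room gets no trust at all, and a present signature still has to be validated (signtool, osslsigncode, or Get-AuthenticodeSignature) before it means anything.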

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.

New RURansom Wiper Targets Russia

 

The new RURansom malware, according to Trend Micro researchers, is not what it appears to be. Initially assumed to be a new strain of ransomware, as its name implies, the malware's developers appear to have motives other than financial gain. 

So far, no active targets have been discovered, according to security experts. However, this may be because the wiper targets specific Russian companies. The malware's creators are open about their motivation for distributing it: a message is stored in the RURansom code variable that holds the ransom note. 

"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian. 

The malware, according to Trend Micro, was written in .NET. The worm spreads by copying itself under the name "Russia-Ukraine war update" in Russian. To maximise its impact, the file replicates itself to all removable media and mapped network shares. Once deployed, the malware encrypts files. Encryption is applied to all files; .bak files are not encrypted but are deleted. The encryption routine gives each file a unique key, and because the keys are not stored anywhere there is no way to decrypt the files, which is why the malware is classified as a wiper rather than ransomware. Some variants, according to the researchers, first check whether the user's IP address is in Russia. 

"In cases where the software is launched outside of Russia, these versions will stop the execution, showing a conscious effort to target only Russian-based computers," the authors claimed in the report. 

Wiper Warfare: 

This isn't the first time a wiper has been used in this war. Just before Russian soldiers invaded Ukraine, security experts discovered a disk-wiping malware. The wiper contains driver files that progressively corrupt the infected computer's Master Boot Record (MBR), rendering it inoperable. The attackers reportedly used legitimate EaseUS Partition Master drivers to gain raw disk access and corrupt the disk so that the machine could no longer boot, according to CrowdStrike. 

Since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company, the wiper was dubbed HermeticWiper. Other researchers have called the new malware 'DriveSlayer'. CISA issued a warning about the malware targeting Ukrainian businesses, along with tips and strategies for preparing for and responding to the attack. Later, security researchers claimed that the wiper was used to hinder refugees fleeing the war in Ukraine, forcing officials to fall back on pen and paper.

Ukrainian CERT Alerts Citizens of Phishing Attacks Using Hacked Accounts

 

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of new phishing attacks directed at Ukrainian citizens, which use hijacked email accounts belonging to three separate Indian businesses to infiltrate their inboxes and steal sensitive data. 

The emails arrive with the subject line "" (meaning "Attention") and pretend to be from a domestic email service named Ukr.net, but the sender's email address is "muthuprakash.b@tvsrubber[.]com," according to the agency. The messages allegedly alert recipients of an unauthorised attempt to log in to their accounts from an IP address based in Donetsk, Ukraine, and urge them to change their passwords immediately by clicking on a link. 

CERT-UA noted in a Facebook post over the weekend, "After following the link and entering the password, it gets to the attackers. In this way, they gain access to the email inboxes of Ukrainian citizens." 

The fact that TVS Rubber is an automotive company situated in the Indian city of Madurai suggests that the phishing emails were distributed through an already compromised email account. In a further update, CERT-UA stated that it had discovered an additional 20 email addresses used in the attacks, some of which belonged to sysadmins and faculty members at the Ramaiah University of Applied Sciences, an academic institution in Bengaluru, India. 

An email address from Hodek Vibration Technologies Pvt. Ltd., an India-based automotive company that designs and manufactures dampers for cars, light and heavy commercial vehicles, and other industrial equipment, is also featured in the list. 

"All these mailboxes have been compromised and are being used by the Russian Federation's special services to carry out cyberattacks on Ukrainian citizens," the agency said. 

The news comes as NATO member states unanimously agreed to admit Ukraine as a "Contributing Participant" to the Cooperative Cyber Defence Centre of Excellence (CCDCOE), as Russia's military invasion of the country entered its second week and cyberattacks rained down on government and commercial targets. 

"Ukraine's presence in the Centre will enhance the exchange of cyber expertise, between Ukraine and CCDCOE member nations. Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises and training," Col Jaak Tarien, director of CCDCOE, said in a statement.

IsaacWiper, The Third Wiper Spotted Since the Beginning of The Russian Invasion

 

ESET researchers have recently discovered a new data wiper, named IsaacWiper, being used against an unnamed Ukrainian government network following Russia’s invasion of Ukraine. 

The new wiper came to light on 24 February, after the HermeticWiper attack, within an organization that had not been infected with HermeticWiper (aka KillDisk.NCV), which hit hundreds of machines in the country on 23 February. 

The cybersecurity firms ESET and Broadcom’s Symantec have discovered that the infections followed the DDoS attacks against various Ukrainian websites, including the Cabinet of Ministers, Ministry of Foreign Affairs, and Rada. 

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.” 

ESET published technical details of the second attack on 1 March, saying that its observations suggest the attacks were planned for months, though it did not attribute them to any particular entity or group. IsaacWiper and HermeticWiper share no code, and the former is less sophisticated than the latter. 

Once the network is infected, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. 

IsaacWiper then wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator. ESET's analysis concludes that “at this point, we have no indication that other countries were targeted. However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entity.” 
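ESET's description of the wipe (the first 0x10000 bytes of each physical disk overwritten with PRNG output) gives a forensic examiner something concrete to check on a recovered disk image. The Python below is an added example, not ESET's tooling; it reads the first 0x10000 bytes of a raw image, looks for the 0x55AA boot-sector signature, measures byte entropy, and classifies the head as intact, zeroed, or overwritten with random data. The three images it runs on are constructed in the helpers `make_intact_image`, `make_wiped_image` and `make_zeroed_image` (hypothetical names); the "wiped" one uses Python's own PRNG as a stand-in, not ISAAC.

```python
import math
import random
from collections import Counter

WIPE_LEN = 0x10000      # bytes IsaacWiper overwrites at the start of each disk, per ESET
BOOT_SIG_OFFSET = 510   # the two-byte 0x55AA signature closes a valid MBR/boot sector


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_disk_head(image):
    """Classify the first WIPE_LEN bytes of a raw disk image without reading the rest."""
    head = image[:WIPE_LEN]
    sig_ok = len(head) >= 512 and head[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa"
    ent = shannon_entropy(head)
    if sig_ok and ent < 7.0:
        verdict = "intact"              # signature present, mostly structured or zero data
    elif not any(head):
        verdict = "zeroed"              # every byte is zero
    elif ent > 7.9:
        verdict = "overwritten-random"  # what a PRNG-driven wiper leaves behind
    else:
        verdict = "damaged"             # neither clean nor random: partial corruption
    return {"boot_signature": sig_ok, "entropy": round(ent, 3), "verdict": verdict}


# Constructed images, not real disks. Intact: fake boot code, one partition entry,
# the 0x55AA signature, then zeros up to where a first partition would begin.
def make_intact_image():
    boot_code = (bytes(range(256)) * 2)[:446]
    part_entry = (bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0])
                  + (2048).to_bytes(4, "little") + (1 << 20).to_bytes(4, "little"))
    mbr = boot_code + part_entry + bytes(48) + b"\x55\xaa"
    return mbr + bytes(WIPE_LEN * 2 - len(mbr))


def make_wiped_image(seed=2022):
    rng = random.Random(seed)  # deterministic stand-in for the wiper's PRNG output
    return bytes(rng.getrandbits(8) for _ in range(WIPE_LEN)) + bytes(WIPE_LEN)


def make_zeroed_image():
    return bytes(WIPE_LEN * 2)


if __name__ == "__main__":
    for label, img in (("intact", make_intact_image()), ("wiped", make_wiped_image()),
                       ("zeroed", make_zeroed_image())):
        print(label, triage_disk_head(img))
```

On a real image the same function is applied to the bytes read from the device or image file; an "overwritten-random" verdict with no boot signature, across every physical disk of a host that was online at the time ESET gives, is consistent with this wiper rather than with ordinary disk failure, which rarely produces uniformly random bytes.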

Tesla CEO Musk Issues Warning Regarding the Use of Starlink Terminals in Ukraine

 


Elon Musk, CEO of electric vehicle manufacturer Tesla (TSLA) and chief of SpaceX, has issued a warning regarding the future of the Starlink satellite broadband service in Ukraine, given the uncertainty in the country following the Russian invasion. 
 
In his warning message on Twitter, Elon Musk wrote there is a high chance of the Starlink satellite internet service being targeted. It is worth noting that internet connectivity in Ukraine plummeted by 20% on 26 February, according to a report from Reuters. "Important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution," Musk tweeted.  
 
Elon Musk’s SpaceX activated the Starlink internet service in Ukraine after the country’s minister of digital transformation and first vice prime minister, Mykhailo Fedorov, asked Musk to send Starlink stations because the Russian invasion had severely damaged the country’s internet service.  
 
The terminals resembling home satellite dishes arrived in the country in less than 48 hours. Moreover, the technology is apparently working as advertised, and the Ukrainian government has thanked the Tesla CEO for his assistance.   
 
However, several skeptics claimed that Musk was using the invasion of Ukraine as a publicity stunt. One Twitter user asked whether the technology could really be under threat of a Russian cyberattack. Musk replied that this had already happened to all Viasat Ukraine user terminals on the first day of the Russian invasion.  
 
Starlink antennas that resemble home satellite television dishes, are not designed to be used while in motion, and it was not clear what Musk meant by the tweet, Tim Farrar, a consultant in satellite communications, stated. 
 
Musk's warning comes after John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab project, tweeted last week that Russian President Vladimir Putin controls the “air above” so that users’ uplink transmissions become viable targets for airstrikes.  
 
Additionally, security researcher Nicholas Weaver of the University of California at Berkeley said that every Ukrainian using a Starlink device should consider it a “potential giant target”, because a specialised Russian aircraft aloft could easily detect the terminal's transmissions and target its location, putting the user at high risk.