Cyberattack on Ukraine pt. 2


In recent weeks, there has been a significant increase in the number of reported cyber attacks against Ukrainian institutions, organizations and the wider population. Ukraine is no stranger to cyber attacks, and the timeline below highlights the most important incidents to date.

The targeting of critical infrastructures is of particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have catastrophic consequences for the civilian population.

January 13, 2022 – WhisperGate data-wiping malware attacks on all sectors

Microsoft has identified a destructive malware operation (labeled WhisperGate) that targets multiple organizations in Ukraine. This malware first appeared on victims’ systems in Ukraine on January 13, 2022. It is assessed to be designed to look like ransomware but has no ransom recovery mechanism; its purpose is to destructively disable target devices, not to obtain a ransom. Victims include many governmental, nonprofit and IT organizations.

The effects are not yet known.

January 14-15, 2022 – Defacement of government websites – Belarus APT Group – UNC1151

On January 14, 2022, Orthodox New Year, more than 70 Ukrainian government websites were defaced with political images and statements in Russian, Ukrainian and Polish, and temporarily stopped working. Most of the sites were restored within hours. The attack crippled large parts of the government’s public digital infrastructure, including the most used online government service website, Diia. Diia also plays a role in responding to the coronavirus in Ukraine and encouraging vaccination. The attack also affected the Cabinet of Ministers and the ministries of energy, sports, agriculture, veterans’ affairs and ecology.

The purpose of such attacks is to destabilize the internal situation in the country and spread chaos in society.

February 15-16, 2022 – DDoS attack on financial and public sector websites

A DDoS attack described as the largest so far in Ukraine. Many Ukrainian websites were knocked offline, affecting the websites of banks, the government and the military. The scale of the attacks was moderate, with sites recovering within hours; the intention is believed to have been to induce a feeling of panic.

Consequences:

  • At least 10 Ukrainian websites were unavailable, including the Ministry of National Defense, the Ministry of Foreign Affairs and the two largest state-owned banks.

  • Banks’ customers reported problems with online payments, banking applications and, in very few cases, access to ATMs.

  • These attacks were combined with fake SMS messages sent to Ukrainian telephones in order to cause panic.

February 15, 2022 – Spam SMS / disinformation campaign

Customers of one of the state-owned banks began to receive information via SMS about technical failures of ATMs. Ukrainian cyber police confirmed that this information is false.

February 22-March 7, 2022 – Phishing and DDoS attacks on Ukrainian targets in the public, military and information sectors – FancyBear / APT28, Ghostwriter / UNC1151, Mustang Panda or Temp.Hex

FancyBear / APT28, a group attributed to Russia’s GRU, has launched several large phishing campaigns targeting users of ukr.net; UkrNet is a Ukrainian media company. In the last two campaigns, attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages.

Ghostwriter / UNC1151, a Belarusian threat actor, has run phishing campaigns against Polish and Ukrainian governments and military organizations over the past week.

Mustang Panda or Temp.Hex, a Chinese threat actor, targeted European entities with lures linked to the invasion of Ukraine. Google TAG has identified malicious attachments with file names such as “Situation at EU borders with Ukraine.zip”, which download and run additional malicious files. Targeting European organizations represented a departure from Mustang Panda’s regularly observed targets in Southeast Asia.

DDoS attempts continue against many Ukrainian websites, including the Ministry of Foreign Affairs and the Ministry of the Interior, as well as services like Liveuamap that help people find information.

Consequences:

  • Risk of compromising personally identifiable information

  • Restricted access to information

  • Destabilization of civil infrastructure

February 23, 2022 – DDoS attack on websites

The websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, the Ministry of Defense, the Ministry of the Interior, the Security Service (SBU), and the Cabinet of Ministers, became inaccessible after a major DDoS attack. Most of the sites came back online within two hours of the attack, but for others, delays and crashes continued until the next day.

February 23, 2022 – “HermeticWiper” malware attack on the financial, private and public sectors

A number of organizations in Ukraine have been affected by a cyber attack that infected hundreds of computers. The attack involved a new data-wiping malware called HermeticWiper, a destructive malware that can delete or damage data on the target computer or network. The wiper was detected in Ukraine, Latvia and Lithuania, and its targets are financial organizations and government contractors. Technical analysis shows that the attack mechanism was built at least six weeks before the attack.

Over 100 organizations from the financial, defense, aviation and IT services sectors in Ukraine were affected.

February 24, 2022 – DDoS attack on the news site

The Kyiv Post reports that its site was subjected to incessant cyber attacks during the Russian-Ukrainian armed conflict. A DDoS attack crippled their systems, and they had to find alternative ways to publish, posting abridged articles on Facebook, Twitter, and LinkedIn. There were logistical problems related to a non-functioning personnel system and much more difficult communication between employees.

It was certainly an attempt to limit the public’s access to up-to-date, reliable, objective information during a growing conflict.

February 24, 2022 – “IsaacWiper” malware attack on government entities

ESET has identified another wiper in Ukrainian government networks. It affects organizations that were not attacked by HermeticWiper and has no code similarity with it. On February 25, the attackers dropped a new version of IsaacWiper with debug logs, indicating that the attackers were unable to wipe some of the affected computers. The malware has been developed / used since at least October 19, 2021.

February 24, 2022 – Public sector phishing campaign delivering “SunSeed” malware – probably Belarus APT Group – UNC1151

A phishing campaign was observed using an email account of a member of the Ukrainian armed forces, which may have been compromised, to target European government personnel involved in logistics management of refugees fleeing from Ukraine. The researchers point out that there was a clear preference for targeting people with responsibilities related to transport, financial and budget allocation, administration and movement of people in Europe.

February 25, 2022 – Cyber attack on the border control post

A data-wiping cyber attack hit the Ukrainian border inspection post, slowing down the process of allowing refugees to enter Romania.

February 25, 2022 – Ukrainian university websites hacked – Brazil Threat Actor Group – theMx0nday

The Wordfence team identified a cyberattack against Ukrainian universities that coincided with Russia’s invasion of Ukraine, and resulted in at least 30 compromised websites of Ukrainian universities.

theMx0nday has publicly stated that it supports Russia in the conflict.

February 24-25, 2022 – Attack on a satellite network

According to Orange, “nearly 9,000 subscribers” to the satellite internet service provided by its subsidiary Nordnet in France have been without internet since a “cyber incident” on February 24 at Viasat, the US satellite operator of which it is a customer.

Eutelsat, the parent company of bigblu, also confirmed to AFP on Friday that around a third of the 40,000 bigblu subscribers in Europe (Germany, France, Hungary, Greece, Italy and Poland) were affected by the Viasat failure.

In the US, Viasat said Wednesday that a “cyber-incident” has caused a “partial network failure” for customers “in Ukraine and beyond” in Europe who rely on its KA-SAT satellite.

February 28, 2022 – “Foxblade” Trojan (aka HermeticWiper) attacks on the public / private sector and the military

On February 24, Microsoft uncovered a new series of offensive and destructive cyberattacks targeting Ukraine’s digital infrastructure. These include attacks against the financial sector, agriculture, emergency response services, humanitarian aid, and energy sector organizations and companies.

Attempts at cyber theft of a wide range of data have also been reported, including personally identifiable information (PII) related to health, insurance and transportation, as well as other government data collections.

Microsoft noted a well-orchestrated battle in the information ecosystem where the ammunition is disinformation, undermining the truth and sowing the seeds of discord and distrust.

Consequences:

  • Difficulties in accessing finance, food and energy for the civilian population

  • Destabilization of civil infrastructure

  • Disinformation

  • Risk of compromising personally identifiable information

March 4, 2022 – Malware attacks on non-governmental organizations

Amazon reports several cases where malware has specifically targeted charities, NGOs, and other aid organizations to spread confusion and cause disruption.

The goal is to disrupt the supply of medicines, food and clothing during an armed conflict.

March 5 – Phishing attacks using compromised accounts

The Ukrainian Computer Emergency Response Team (CERT-UA) warned of new phishing attacks targeting citizens, which use compromised email accounts belonging to three different Indian entities to break into their inboxes and steal confidential information.

In addition to threats to critical infrastructure and civilian facilities, cyber attacks sow mistrust and restrict access to accurate information or spread false information. They can also be very destructive and create a sense of fear and insecurity, and even lead to the final and irreversible displacement of people.

In view of the above, we keep our fingers crossed for organizations such as Anonymous – responding offensively to attacks against Ukraine. We also consistently hope that the conflict will be ended as soon as possible.
