Main Cyber Highlights of July

EXECUTIVE SUMMARY

According to the State Service of Special Communication, since February 24, there have been 825 attacks on websites in Ukraine. The intensity of attacks remains high throughout the war — 548 resource hacking attempts were made in the 2nd quarter of the year. ¹

The State Service of Special Communication notes that attackers do not use hacking methods that are difficult to track. And about 60-70% of attempted interventions were simple phishing mailings. 90% of all attacks are carried out by military hackers of the russian federation and belarus, whose activities are financed by the authorities. ² Unlike the hacker groups associated with the Main Directorate of the General Staff of the Ministry of Defense of the russian federation (GRU) – in fact, russian military intelligence, hackers from the Foreign Intelligence Service of russia are believed to operate more covertly. ³

In June 2022, the SSU warned against and neutralized more than 140 cyber incidents and cyber attacks. ⁴ And in general, since the beginning of the full-scale aggression of the russian federation, the SSU neutralized more than 1.2 thousand cyber incidents and cyber attacks on the information systems of state authorities and critical infrastructure of Ukraine. ⁵

The operational center for responding to cyber incidents of the State Center for Cyber Protection of the State Service of Special Communication has published a report on the results of the System of Vulnerability Detection and Response to Cyber Incidents in the 2nd quarter of 2022. ⁶

In total, 19 billion events were processed, collected with the help of means of monitoring, analysis and transmission of telemetric information about cyber incidents and cyber attacks. The number of registered and processed cyber incidents increased to 64.

The main goal of hackers is cyberespionage, disruption of the availability of state information services and even destruction of information systems with the help of wiper programs.

In the 2nd quarter of 2022, a significant increase in the activity of hacker groups regarding the distribution of malicious software was recorded, which includes both data-stealing and data-destructive programs. Compared to the first quarter of 2022, the number of information security (IS) events in the «Malicious software code» category increased by 38%.

Most cyber incidents are related to hacker groups funded by the government of the russian federation. Current hacker groups that attacked the information resources of Ukraine:

• UAC-0010 (Gamaredon, Armageddon, PrimitiveBear);
• UAC-0056 (Lorec53, SaintBear, GraphSteal, GrimPlant);
• UAC-0028 (APT28, Fancy Bear, Iron Twilight, Sednit);
• UAC-0098;
• UAC-0082, UAC-0113.

In the 2nd quarter of 2022, the main targets of hackers from the russian federation were the Ukrainian mass media, the Government and local authorities. ⁶

After the start of the criminal aggression against Ukraine, russia significantly increased its hostile cyber activities against the EU countries and the whole world, which creates risks of side effects, misunderstandings and escalation of tension in the global dimension. This is stated in the Declaration of the High Representative of the EU on behalf of all the countries of the European Community, which was published on July 19 on the website of the European Council. ⁷

One of the main hacktivist groups that «embarrass» russia and its cyber security technologies remains Anonymous. One of Anonymous’s divisions, the MeshSec Turkish Hacktivist Crew, hacked a total of 2,785 russian websites. ⁸

In its attacks, the international hacker group Anonymous is guided by six main methods ⁹:

1. Hacking of databases.
2. Focus on companies that continue to do business in russia.
3. Blocking of sites.
4. Training of recruits.
5. Attack on media and streaming services.
6. Direct communication with russians.

Ukraine in Cyberspace 

International Interaction

At this year’s Madrid Summit, the Alliance updated the Comprehensive Assistance Package for Ukraine. In the field of cyber security, NATO will pay attention to building Ukraine’s capabilities, providing the necessary equipment and training personnel, as a result of which Ukraine should acquire the ability to protect its infrastructure from the most modern cyber attacks. ¹⁰

The State Service of Special Communication and the Government Office of the Republic of Slovenia for Information Security in the Cyber ​​Defense Sector have signed a Memorandum of Agreemennt. The document will provide an opportunity to join forces for the development and distribution of new technologies that contribute to the introduction of a secure global information space; as well as the development of joint approaches in countering cyber-aggression. ¹¹

The State Service of Special Communications and Information Protection has signed a Memorandum of Agreement on cooperation in the field of cyber security with the Cyber ​​Security and Infrastructure Security Agency of the US Department of Homeland Security (CISA). The USA, together with Ukraine, are the countries against which the largest number of cyber attacks are carried out. Therefore, the exchange of experience and joint efforts in countering cyber-aggression will enable both states to protect their own information resources much more effectively. ¹²

Financing of the Cyber Sphere

The Government of Ukraine provided UAH 1.2 billion for software updates and other measures to create a safe cyberspace.¹

russia in Cyberspace

«Hacker Intentions» of the russians

The KillNet group intends to attack the largest manufacturer of weapons for the United States and NATO, Lockheed Martin Corporation (in particular, the HIMARS MLRS of the American HIMARS MLRS). ¹³

The Ministry of Digital Affairs of the russian federation is going to legalize white hackers. ¹⁴

Cyberspies associated with russia’s foreign intelligence service carry out cyberattacks on NATO member states using cloud services to avoid detection. ³

Weakening of the Cyber Sphere

In russia, the record for the duration of DDoS attacks was updated several times in the second quarter. ¹⁵

The Ministry of Digital Affairs of russia is discussing with IT companies the separation of cyber security into a separate branch, since information security, being a part of the IT industry, enables specialized enterprises to take advantage of the benefits provided for the industry. ¹⁶

DETECTED ATTACKS 

Cyber Attacks on Ukraine 

Dos/DDos:

• IT infrastructure of DTEK; ¹⁷
• the official web portal of the State Archive Service of Ukraine has been temporarily suspended; ¹⁸
• the websites «Criminal.No» and «Niklife» have been attacked. ¹⁹

Phishing/malware:

• cyberattack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (sending letters with the subject «Specialized prosecutor’s office in the military and defense sphere. Information on the availability of vacancies and their staffing»); ²⁰
• attack by the UAC-0056 group on state organizations of Ukraine using the Cobalt Strike Beacon and the theme of a humanitarian disaster; ²¹
• online fraud using the theme of «monetary compensation»; ²²
• a cyber attack on the state organizations of Ukraine using the theme of OK “South” and the malicious program AgentTesla; ²³
• mass distribution of stealers (Formbook, Snake Keylogger) and use of RelicRace/RelicSource malware as a means of delivery; ²⁴
• cyber attacks of the UAC-0010 group (Armageddon) using the malicious program GammaLoad.PS1_v2; ²⁵
• online fraud using the subject of «aid from the Red Cross»; ²⁶
• a fake application «Cyber ​​Azov» developed by the russian hacker group Turla, which collects information about Ukrainians. ²⁷

Spreading fakes:

• cyber attacks aimed at blocking the operation of the FreeDOM marathon; ²⁸
• hacking of the exchange board in Rivne; ²⁹
• neutralized network of russian internet agents consisting of 5 people who «dispersed» destructive posts through social networks; ³⁰
• a cyber attack on the servers and networks of TAVR Media radio stations and the spread of fake news about the health problems of the President of Ukraine. ³¹

Leakage of the information:

• a criminal group that leaked data on defense enterprises and specialized institutions in the field of communications and information protection was neutralized, preventing the leakage of defense information through the darknet; ³²
• the russian hacker group RaHDIt made publicly available data on thousands of employees of the Main Directorate of Intelligence of the Military Department of Ukraine; ³³
• a Ukrainian hacker distributed stolen data about companies in closed hacker forums administered from the territory of the russian federation. ³⁴

Other:

• unknown people gained access and deleted the Facebook account of the editorial board «Criminal.No» and the publication’s YouTube channel. ³⁵

Cyber Attacks on russia 

DDoS 

The russian site of the IKEA company has been hacked. ³⁶

The official website of the Ministry of Finance of the russian federation has been hacked. ³⁷

More than 1,550 russian online resources have been attacked by the IT army of Ukraine in the period from June 27 to July 24 ^{38, 39}:

• congratulations on the Constitution Day of Ukraine are posted on the websites of state structures and state bodies of the russian federation;
• roscosmos website;
• CRM system;
• dozens of tender sites were paralyzed, including the largest – roseltorg (confidential data of almost 500,000 users was lost);
• websites of most russian cinemas;
• critically important online resources of the Ministry of Foreign Affairs of the russian federation;
• more than a hundred online stores of drones and military merchants of the russian federation;
• telecommunication services from Beeline and their online resources;
• russian mass media.

Attack statistics from disBalancer (the Liberator DDoS attack tool) for the first five months of the cyber war ⁴⁰:

Deface and Replace of Information:

• it is reported that on the website of the Belgorod medical center, in the section «treatment of drug addiction and alcoholism», Ukrainian hackers posted photos of russian leaders; ⁴¹
• Anonymous hackers reported the defacement of russian sites http://crmsdo.ru/, https://www.nichibo-motor.ru/, https://dennisya.ru/, http://www.risus-clinic.ru; ⁴²
• the website of the singer Gradsky became a mouthpiece of the truth about the war in Ukraine (on the main page you can see real losses of russian soldiers, calls to surrender and pro-Ukrainian clips); ⁴³
• the website for the supply of food products for the needs of the Irkutsk branch of Gazprom https://gazprompitanie38.ru/ hacked Anonymous; ⁴⁴
• YourAnonSpider hacked the secure host system https://secure-host.net; ⁴⁵
• NB65 hacked the website of Lysven Mechanical Plant LLC; ⁴⁶
• Turkish hacktivists hacked the russian sites https://zhksochi-park.ru/ and https://anatomia-mebeli.ru; ⁴⁷
• YourAnonSpider conducted an attack on the domain http://putin-vladimir.ru; ⁴⁸
• YourAnonSpider hacked the site https://ronnon.ru/index.html. ⁴⁹

Leakage of the Information:

• belarusian cyber-partisans made public the personal data of the Wagnerites; ⁵⁰
• Abatu posted 50,000 documents (600 MB of data) from the russian Arctic and Antarctic Research Institute; ⁵¹
• on the network, they offer to buy a database of customers of the Moscow Center of Trade and Industry (name, phone, purchased brand, sometimes email of about 50 thousand people; ⁵²
• the squad303 project made public several hundred phone numbers and e-mail addresses of deputies of the russian duma. ⁵³

Cyber Attacks in the World 

On July 1, 2022, the Department of Justice provided new strategic plan, were ransomware attacks and cybercriminals named as a key objective.  In a statement, the department said it intended to beef up its cybersecurity technological capabilities and to more aggressively pursue those who put U.S. government information or assets at risk.  The Justice Department aims to improve its ransomware attack response by September 2023 by promising to significantly increase the percentage of reported ransomware incidents from which investigative actions are conducted within 72 hours and by increasing the number of ransomware matters in which seizures or forfeitures are occurring by 10%. The DOJ will also enhance cybersecurity and fight cybercrime through four key strategies: deterring, disrupting, and prosecuting cyber threats; strengthening intergovernmental, international, and private-sector partnerships to fight cybercrime; safeguarding Justice Department data and information; and enhancing cyber resilience within the private sector and other government agencies.  ⁵⁴

A new report released by the State Service of Special Communications and Information Protection of Ukraine claims that while the months leading up to and immediately following the invasion included a flurry of 40 distinct critical cyberattacks, the frequency and volume has risen substantially over the second quarter of the year. ⁵⁵

The KrebsOnSecurity team provided a deanonymization report on the owner of the RSOCKS proxy botnet.  The RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple russian- language cybercrime forums. KrebsOnSecurity has identified its owner as a 35-year-old russian man, was born in Omsk and living abroad who also runs the world’s top spam forum RUSdot.  RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years.  The actor’s darknet moniker known as Stanx, and real-world identity – Denis Kloster. ⁵⁶

Due to the latest report of the Digital Shadows team, over 24 billion account usernames and passwords have been exposed by cyber-thread actors, as of this year.  That’s a 65 percent increase from 2020. The top 50 most common passwords are incredibly easy-to-guess and simply use the word “password” or a combination of easily remembered numbers. Offline attacks usually produce the best results for cracking passwords; 49 of the top 50 most commonly used passwords could be cracked in less than a second. Adding a special character to a basic ten-character password adds about 90 minutes to that time. Adding two special characters boosts the offline cracking time to around 2 days and 4 hours. ⁵⁷

Main ways and recommendations to protect companies and institutions the insider threats and mitigate risks of illegal sharing of sensitive information: 

• Use a hotspot: public Wi-Fi is convenient, but it’s not very secure. Don’t get started on connecting to non-password- protected Wi-Fi networks. 
• Don’t leave any computer unattended: It’s so simple, but even leaving for 30 seconds to get a coffee refill could mean trouble. Lock the screen and if the computer has to be left for a long period of time, put it in a safe. 
• Use a privacy screen: So many of us can easily look over someone’s shoulders at open PowerPoint presentations containing financial data, or sensitive emails about business deals. Blocking all this doesn’t take much, and it’s an inexpensive fix to keep out unwanted eyes. 
• Keep data sharing to a minimum: Use as little information as required when having sensitive conversations. Code names are also helpful, ensuring no specific company or project names are revealed. 
• Document security: Don’t screen share important documents or send them over business sharing and messaging tools. Make sure anything important gets encrypted before it’s shared. 
• Go incognito: Use incognito browser tools that automatically wipe personal actions so that if someone does access a work computer, they can’t view any recent activity – from browser history, and cookies and site data. This goes for not only a laptop, but also any handheld mobile devices.
  

The Cyber Digest has been prepared by GC3 analysts based on open source information (OSINT).