01.09.2022

Main Cyber Highlights of August

EXECUTIVE SUMMARY

During the six months of the war, the Government Computer Emergency Response Team of Ukraine CERT-UA, which operates under the State Service of Special Communications, registered 1,123 cyberattacks. Most often, cybercriminals attacked the Government and local authorities. Also among the main targets are commercial and financial institutions, bodies of the security and defense sector, enterprises of the energy sector, transport industry, and telecom – all infrastructure that works for the livelihood of the population. 1


The Cybersecurity Center reports that the enemy continues disinformation campaigns through its groups and, over the last month to month and a half, has increased its activity on the cyber front. One of its priorities now is to reach the regional level: administrations and institutions outside of Kyiv, with more precise planning of operations to penetrate critical sectors. 2

During a briefing on August 10 at the Ukraine Media Center, Deputy Head of the National Police, Chief of the Criminal Police Mykhailo Kuznetsov said that since the beginning of the full-scale invasion of the russian federation, the Ukrainian cyber police, together with other law enforcement agencies, repelled and eliminated the consequences of 83 hostile cyber attacks, and also warned of more than 300 cyber attacks, which were at the stage of preparation.

In addition, according to the official, since the beginning of martial law, the cyber police have conducted more than 950 searches.

Cyber police officers also identified more than 1,700 servicemen of the russian federation, who are involved in the commission of war crimes on the territory of Ukraine, and identified more than 850 propagandists of the «russian world». During the full-scale invasion of the russian federation, the cyber police identified 50 collaborators, 44 of whom have already been notified of suspicion, Kuznetsov added. 3

The independence and freedom of Ukraine do not give rest to the russian invaders. The enemy becomes more active on significant government dates. Therefore, it was expected that the attacks by the occupiers would intensify on the eve and on the day of the celebration of the most important national holiday for Ukrainians – Independence Day. In the sphere of increased danger are civil servants, military personnel, and workers of critical infrastructure, who can become an access point to the information systems of the state. 4

Ukraine in Cyberspace 

International Interaction

  • Polish hackers from the Anonymous-affiliated Squad303 group promised to expose European companies’ ties to russia. The Squad303 group reported on Twitter that the russian authorities included it in the list of the four most active hacker groups protecting Ukraine. 5
  • The IT Army of Ukraine calls on the Ukrainian and global IT community to support the #russiaIsATerroristState flash mob. The initiative was launched by Ukrainian IT experts. The goal is to change the name «russia» to «russia is a terrorist country» on all sites and online systems where it is possible to select a country or language. 6
  • Representatives of the Ukrainian authorities for the first time took part in the largest and most prestigious cyber security conference Black Hat USA 2022, which took place in Las Vegas. The acquired knowledge should become part of common knowledge that will make it possible to protect the civilized world from such threats. 7
  • The Ministry of Digital Transformation and State Service of Special Communications of Ukraine signed a memorandum of understanding in the field of cyber security with the Office of the Prime Minister of the Republic of Poland. 8

Financing and Development of the Cyber Sphere

  • The Ukrainian startup fund allocates grants of up to $35,000 for military-tech projects. These are projects in the field of defense, cyber security, infrastructure reconstruction, education, and health care. 9
  • With the support of the State Service of Special Communications, Cyberport. Institute was opened on the basis of the State Biotechnical University – a unique educational institution that will train specialists in cyber security, computer engineering, IT finance, the cryptocurrency market – and many others. 10

Prevention of Cyber Attacks

  • Odessa Mayor’s Office closed access to the deputy portal and the petition site due to hacker attacks that coincided with rocket attacks. 11
  • The government computer emergency response team of Ukraine CERT-UA is monitoring the activity of the UAC-0010 (Armageddon) group to understand their methods of conducting attacks and preventing threats. 12
  • The Security Service of Ukraine stopped the activities of the «FR Destructor» hackers, who had been terrorizing Ukraine with mass messages about «mining» for the past two years. 13
  • The SSU exposed an underground server center in Kyiv that russian hackers used for cyberattacks against Ukraine. 14

russia in Cyberspace

The Weakness of the Cyber Sphere

  • The number of hacker attacks on state authorities in the Stavropol Krai reached 2 million in six months. Over the past month, more than 70,000 hackers tried to interfere with the work of information authorities. 15
  • Since the beginning of 2022, hackers have stolen more than 300 secret databases from russian companies. According to InfoWatch analysts, the number of leaks this year has increased by 46% compared to the first half of 2021. Analysts predict an increase in attacks on the russian federation in the second half of the year, as cyber threats to russian businesses continue to grow due to the unleashed war. Large russian companies intend to increase their cyber security budgets by 15-20%. 16
  • According to Yulia Tsvetkova, director of personnel management of «rostech», there is an acute shortage of IT specialists in the russian labor market. 17

International Pressure

  • russian-language DUMPS platform offers DDoS attacks for $80 per hour, directed only to russia and belarus. 18
  • The US offers a reward of $10 million for information about the russian cybercriminals who created the Conti virus. 19
  • British intelligence called Ukraine an effective cyber defender, but russia lost the information war in Ukraine and in the West: «russia’s use of aggressive cyber tools after the full-scale invasion of Ukraine was irresponsible and indiscriminate, and its information operations were shoddy». 20

«Hacker Intentions» of the russians

  • On the morning of August 1, Killnet and KillMilk announced a «new-level attack» on the American military-industrial corporation Lockheed Martin, which produces the HIMARS MLRS, which the US supplies to Ukraine. 21
  • The Ministry of Digital Affairs of the russian federation plans to increase the cyber literacy of russians. 22
  • The head of Killnet publicly stated that the group managed to hack the website of Lockheed Martin, which works in the field of the US defense industry, and obtained 9 GB of «various information». 23

DETECTED ATTACKS 

Cyber Attacks on Ukraine 

Deface:

  • A video is posted on the website of the Brodiv City Council, which shows a russian hacker with a tricolor. 24
  • On the website of the Scientific Yearbook «History of Religions in Ukraine» there is an «appeal» of a virtual russian military. 25

DoS/DDoS:

  • A cyber attack on the official website of Energoatom State Enterprise, the largest since the beginning of the full-scale invasion of the russian federation. 26

Cyber Attacks on russia 

Deface and Replace Information:

  • On Pager TV, a service for watching TV channels, the broadcasts of channels selected by users were replaced by videos saying that war will soon come to russia. 27
  • Anonymous hacked streaming services and television propaganda channels in russia to broadcast footage of the destruction of russian military assets. 28, 29
  • The russians mistook a drone for the Armed Forces thanks to IT specialists who hacked russian telegram channels about the occupied Kherson region. There they posted an announcement about collecting aid for a detachment of the russian military. 30
  • Ukrainian cyber activists hacked television in the occupied Crimea and played Zelensky’s address, reminding viewers whose peninsula it is. 31
  • Information about the real functions of the Center for Information Security of the FSB of the russian federation, the main of which is the provision of disinformation, was posted on the unit’s Wikipedia page. 32
  • Crimean Internet providers: «Miranda-media», «Farline» and «KRELCOM» congratulate Ukraine on Independence Day. 33, 34, 35

Data Dump:

  • Unknown people posted 70,000 files (749 GB) of Elvees, a russian manufacturer of integrated circuits and security solutions, including anti-drone technology, online. 36
  • Ukrainian hackers have hacked and posted about 600 GB of data of Right Line – the largest online banking software provider in russia and the CIS. 37
  • Hacker group Anonymous infiltrated the kremlin by hacking CCTV cameras. 38

DoS/DDoS:

  • Anonymous reported the hacking of two large russian video conferencing services – Videomost and Webinar. 39
  • The website of Putin’s united russia party was attacked. 40
  • Attacks by the IT ARMY of Ukraine:
      – Pension Fund of the russian federation. 41
      – Post of russia. 42
      – Platform for video communication and remote work – TrueConf. 43, 44
      – Cabinet of the central bank of the mythical «dnr». 45
      – Russian video conferencing products 46 and propaganda resources. 47
      – Party «jUST rUSSIA – pATRIOTS – fOR tHE tRUTH». 48
      – Bank services (in particular unistream.ru, koronapay.com, yoomoney.ru). 49, 50
      – Job search site SuperJob. 51
      – Big rosmedia (in particular ТАСС). 52

Cyber Attacks in the World 

CRYPTO SCAMS

Criminal groups are increasingly defrauding investors with fraudulent crypto applications. They reach out directly to U.S.-based cryptocurrency investors, claim to offer legitimate cryptocurrency investment services, and convince them to download fraudulent mobile apps. The FBI identified 244 victims who lost a total of $42.7 million in recent months through these scams. Cybercriminals are taking advantage of the recent trend of innovative financial institutions offering mobile apps to enhance user experience and increase legitimate investment. They use the names, logos, and other identifying information of legitimate USBUSs.

Crypto scams «are more pervasive than ever», according to a report by fraud prevention company Sift. Nearly three-quarters (73%) of the consumers said they see misleading content on at least a weekly basis, and two-thirds (65%) said that they see social networks as the «most dangerous» source of false information. Crypto exchanges alone had seen a 140% uptick in «abuse» over the first quarter of this year. 53

RANSOMWARE

The U.S. Department of Justice seized about $500,000 from state-sponsored North Korean hackers who use Maui ransomware in their attacks. The seized cryptocurrency was returned to two healthcare providers who paid ransom demands to the group after falling victim to earlier cyberattacks.

DoJ and FBI leaders attribute the identification and funds’ seizure to the providers’ cooperation with law enforcement, which enabled the investigators to trace the cryptocurrency back to money launderers based in China. 54

MICROSOFT

Microsoft reported that roughly 10,000 businesses were attacked in a months-long adversary-in-the-middle (AiTM) campaign that raked in estimated millions in financial fraud. The large-scale phishing campaign, which is estimated to trace back at least as far as September 2021, used AiTM phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.

BEC scams caused more than $43 billion in global financial losses in more than 241,000 incidents between June 2016 and December 2021, based on financial institution filings reported to the FBI’s Internet Crime Complaint Center (IC3) unit. There was a 65% jump in identified global financial losses due to BEC scams between July 2019 and December 2021. 55

EUROPOL

Europol, the European Union law enforcement agency, announced the figures, according to which, in the last six years (within the No More Ransom project), European cops have helped around 1.5 million people and organizations decrypt files that were locked by hackers with ransomware, saving around $1.5 billion.

As of today, the No More Ransom project offers 136 free decryption tools for 165 ransomware variants, including Gandcrab, REvil, and Maze, according to Europol. 56

T-MOBILE 

T-Mobile has agreed to pay a $500 million settlement for «one of the largest and most consequential data breaches in US history». $350 million will go to the settlement fund and at least $150 million will go toward enhancing its data security measures through 2023. 

Plaintiffs say the company broke the terms of its own privacy policy by not properly disclosing information about the breach or building proper safeguards to reasonably protect data in the first place: the company did not rely on an industry-standard practice for data protection called «rate limiting». 57

CHECK POINT

Check Point Software’s mid-year security report reveals a 42% global increase in cyber attacks, with ransomware the number one threat. This year, ransomware actors have stepped up to nation-state level, targeting the entire country. The huge potential for financial gain means that ransomware is going to be around for a long time and will only get worse.

The year 2022 started with the continued fallout of Log4j, one of the most serious zero-day vulnerabilities. One of the most era-defining moments of 2022 has been the ongoing russia-Ukraine war. Its impact on the cyber landscape has been unprecedented: cyberattacks have become entrenched as a state-level weapon.

Top CPR predictions for the second half of the year:

– Ransomware’s fragmented ecosystem;

– More diverse email infection chains;

– Hacktivism will continue to evolve;

– Continued attacks on blockchain and crypto platforms and the first attacks in the Metaverse. 58

 

The Cyber Digest has been prepared by GC3 analysts based on open source information (OSINT).

 

This report is available in PDF format at the link.

Global Cyber Cooperative Center (GC) continues working with companies, law enforcement and research organizations to neutralize cyber crime.