04.06.2022

Main Cyber Highlights of May


EXECUTIVE SUMMARY

russia’s war against Ukraine continues not only on the battlefield but also in cyberspace. Massive cyberattacks against Ukrainian state structures and businesses began long before the military invasion. With the start of hostilities, the number of attacks doubled, from about 200 to more than 400 a month. Through cyberattacks, russia seeks to create a humanitarian catastrophe in Ukraine: its hackers are trying to disrupt the energy sector, emergency services, communications and logistics [1].

Ukraine has gained unique experience in the use of cyberspace during the war. A powerful IT army has been created, which now has about 300,000 members. The state has united Ukrainian and international professionals [2].

Today, almost five hundred employees of the State Service of Special Communication take part in the country’s cyber defense. Moreover, tens of thousands of specialists from other Ukrainian cybersecurity entities, volunteers, and representatives of the international community make every effort every day to defeat the enemy on the cyber front.

During the three months of the war, 620 cyberattacks were detected, and more than 300 institutions received the help of cyber specialists [3].

russian criminals are once again trying to deprive Ukrainians of access to the Internet and to truthful information, and to sow panic. In addition, the russians no longer even try to hide their actions and openly publish reports of their attacks on the Internet [4]. However, most attacks on Ukraine fail and are successfully repulsed, which once again demonstrates the effectiveness of the cybersecurity systems that Ukrainian government agencies and businesses have managed to build. According to Lviv Mayor Andriy Sadovy, the attack on the Lviv City Council was the largest in recent years. But «Moscow’s misfortunes could not cause serious damage, no matter how hard they tried. A small part of the services and computers of the city council employees were shut down» [5].

Since the beginning of the year, almost 36,000 attacks on the servers of the state authorities have been repulsed in Dnipropetrovsk region. This is ten times more than usual [6].

Among the 280 crimes that russia committed against journalists and media in Ukraine during the three months of the war, 32 cybercrimes and 50 threats were identified [7].

Since the beginning of March, there has been a steady trend of intimidation of journalists by threatening them with imprisonment in Siberia, torture and interrogation. Poetic threats began to be sent to journalists in April. In May, nuclear weapons threats were reported for the first time. Both central and regional media outlets received threats.

Ukrainian media sites are suffering from constant cyberattacks by russians. Hackers alter published content, post the russian flag and their Z and V symbols, and so on.

The EU condemns russia’s cyberattack on Ukraine, launched an hour before the Kremlin’s war began, which caused disruptions not only in Ukraine but also in several EU countries. A statement from the EU High Representative on behalf of all 27 member states said the unacceptable cyberattack was further evidence of russia’s irresponsible behavior in cyberspace as part of its illegal and unprovoked invasion of Ukraine. Such behavior contradicts the expectations of all UN member states regarding the responsible behavior and intentions of states in cyberspace [8]. A joint statement from Canada’s foreign, defense and public security ministers said that Canada, along with the United States, Britain, Australia, New Zealand and EU member states, would continue to develop stable cyberspace «based on the application and respect of international law and responsible conduct in cyberspace» [9].

All governments in democracies — the United States, Canada, the United Kingdom, most EU countries and others — offer their assistance to Ukraine in cyber defense. Ukraine is also supported by such leading companies as Microsoft, Google, Amazon, Cisco, Oracle and others [10].

Interpol Secretary General Jürgen Stock told the World Economic Forum in Davos that cybercrime groups have become more sophisticated. Hacking has become a global problem, and because law enforcement acts at the national level, it is difficult to detain the criminals [11].

Singapore’s Minister of Communications and Information, Josephine Teo, said hacking was a threat to organizations around the world: «Cybercriminals are catching up with state cyber spies in terms of their level of training. This has become a matter of national security. The cybercrime world is profitable and self-financing, so it will prosper» [11].

Speaking at the international conference CYBERSEC FORUM «United in Cyber Force» on May 17-18 in Katowice, Deputy Head of the State Service of Special Communication Alexander Potiy stressed that the development of the concept of cyber deterrence should be based on the experience of nuclear deterrence [12].

Ukraine has won two international CYBERSEC Awards in the field of cybersecurity. The organizers noted the heroic cyber defense, which was joined by the whole Ukrainian society, including the state apparatus, IT community and volunteers [13].

In total, since the russian invasion of Ukraine, the IT army has attacked about 2,000 russian resources. Many of them were attacked repeatedly [14].

The most active hacker groups fighting on the Ukrainian cyber front are [15]:

  • Anonymous;
  • Against The West (ATW) (related to Anonymous);
  • NB65 (related to Anonymous);
  • Thblckrbbtworld (acting on behalf of Anonymous);
  • HackenProof;
  • IT Army of Ukraine;
  • HackYourMom;
  • Guild of IT specialists.

Many of these groups are Ukrainian «hacktivists», who make a significant contribution to the protection of Ukraine’s cyber borders. russian propagandists and hackers are trying to copy this movement. russia has created the «Cyber Army of Russia», which seeks to replicate the success of the IT army of Ukraine and mimic the «all-russian movement» [16].

Also, according to cybersecurity expert Konstantin Korsun, russia’s activity in cyberspace involves employees of the 18th FSB Center, hackers from the Central Intelligence Agency, representatives of «bot farms» and several other russian intelligence services [1].

The most active hacker groups fighting on the russian cyber front are [15]:

  • Armageddon (UAC-0010);
  • Fancy Bear (APT28, Sofacy, Pawn Storm, Sednit and Strontium);
  • Ghostwriter (UNC1151);
  • Sandworm (UAC-0082);
  • Scarab;
  • TA416 (Mustang Panda, RedDelta, Temp.Hex);
  • Killnet;
  • Legion.

Strengthening Ukraine’s Cybersecurity

  • G7 countries will transfer technologies to Ukraine to protect against cyberattacks [17].
  • Ukrainian hackers have improved their cyber weapons against russia: the Liberator program has added the Multitarget feature, which enhances DDoS attacks and allows you to hit many targets at once [18].
  • Cybersecurity reform: the government wants to take control of the state domain GOV.UA [19].
  • Canada will provide valuable intelligence and cyber assistance to Ukraine to counter russian aggression [9].
  • Italian authorities claim to have prevented hacker attacks by pro-russian groups during the semi-finals and finals of the Eurovision Song Contest in Turin, Italy [20].
  • ICANN has allocated $1 million to Ukraine to fight russian hackers. These funds, according to the Minister of Digital Transformation Mikhail Fedorov, will be spent to support the stable operation of the domain system of our country [21].
  • The IT army has launched a new tool — a bot to automate cyber attacks against russia [22].

Weakening of russia in Cyberspace

  • In the «first cyber war» russia has no allies at all [23].
  • Kremlin hackers are creating fake Twitter profiles to support dictatorial policies [24].

CYBER ATTACKS ON UKRAINE

DoS/DDoS:

  • Volyn site of «Konkurent» [25]
  • Kharkiv sites «Nakipilo», «Slobidsky Krai», KHARKIV Today and InsiderNews [26]
  • publication «Online» [27]
  • sites of Ukrainian telecom operators [4]
  • Internet network of Lviv City Council: part of working files published [5]
  • information resources of Ukrtelecom [28]
  • satellite internet Starlink [29]
  • site of the Institute of Mass Information [30]
  • Mykolayiv online publication «NikVesti» [31]
  • another cyber attack on Ukrtelecom [32]

Phishing/Malware:

  • mass distribution of JesterStealer malware using the topic of a chemical attack as a lure [33]
  • APT28 cyberattack using CredoMap_v2 malware [34]
  • Cyber-attacks of the UAC-0010 group (Armageddon) using the malicious program GammaLoad.PS1_v2: sending e-mails with the topic «On holding a revenge action in Kherson!» [35]
  • Online fraud using the topic of «financial assistance under the UN social program» [36]
  • Fake chatbot of E-support and PrivatBank website [37]
  • Phishing resources similar to the official website of the Ministry of Internal Affairs of Ukraine [38]
  • Fraudulent scheme under the pretext of state aid payments [39]
  • Fake page of the site «To Help Is Simple» to receive financial assistance from the UN [40]

Other:

  • Zaporozhye sites inform.zp.ua and 061.ua [41, 42, 43], Volyn media «Volyn Online», «Racurs.ua», IA «Competitor» [44], and the publication «Odessa. Online» received threats from the Noname057 hackers [45]
  • Threats were received by Kharkiv sites KHARKIV Today, «Slobidsky Krai», «Nakipilo», InsiderNews, 057.ua [46]
  • Killnet hackers declared global cyber war on Ukraine (as well as on some EU countries and the US) [47]
  • Three fake «Something flies» chatbots were created [48]

CYBER ATTACKS ON RUSSIA

The IT army of Ukraine in the period from 1 to 29 May attacked more than 1640 russian online resources [49, 50, 51, 52]:

  • the EGAIS system, which led to the shutdown of breweries
  • online shopping
  • tender grounds
  • electronic reporting systems (including 1C)
  • russian propaganda services
  • online sales of shoes for the aggressor’s army
  • aviation sector
  • services for business
  • russian media
  • russian application store NashStore, similar to the App Store and Google Play, had difficulties in the days of the announced launch. Import substitution did not work
  • russians had difficulty selling and renting real estate online
  • russian banks have long been unable to recover from previous attacks by the IT army and cope with new ones on their sites and online banking
  • banks
  • microfinance organizations
  • exchanges
  • RuStore application store
  • insurance services

Figure: statistics of attacks from disBalancer (the Liberator DDoS tool) over three months of cyber warfare [53].

Hackers Anonymous Have Hacked:

  • Qiwi, the most popular electronic payment system in russia (NB65 erased 10.5 TB) [54].
  • LLC «Capital», a specialized accounting firm that cooperates with the SAFMAR Group, including PJSC «RussNeft» (leakage 20.4 GB) [55].
  • CorpMSP, a federal institution that provides support to small and medium-sized businesses, the controlling shareholder of which is the russian Federation [56].
  • rutube video hosting: almost 75% of the databases and infrastructure of the main version of the platform are affected, as well as 90% of the backup and cluster for database recovery [57].
  • russian Sberbank, the largest bank in Central and Eastern Europe [58].
  • The website and e-mail of Killnet members were hacked and the hackers’ data published; cyber war was declared on russian hackers [59, 60].
  • Massive cyberattack on the official websites of the belarusian authorities for their involvement in the invasion of Ukraine [61].

Other:

  • Data of 31 million customers of Hemotest, a large russian network of medical laboratories, is being sold on the darknet [62].
  • Under the new decree of russian dictator Vladimir putin «On additional information security measures», from 2025 many organizations must stop buying software from unfriendly (all Western) countries; the decree also plans the creation of regulations for responding to cyber threats [63].
  • The russian authorities have suffered a series of cyberattacks by a Chinese APT group [64].
  • Hacking of the built-in player of Smart TVs: anti-war statements appeared in the TV programs of russian satellite TV channels [65].
  • The group of hackers Obfuscated Dreams of Scheherazade created a site for telephone pranks on russian deputies, propagandists, military, intelligence and officials [66].

CYBER ATTACKS IN THE WORLD

REWARD

The U.S. Department of State’s Rewards for Justice program is offering $10 million for information on six russian intelligence agents (GRU officers) involved in the 2017 NotPetya attacks. These malicious cyber activities collectively cost U.S. entities nearly $1 billion in losses [67].

EUROPEAN COUNCIL

The EU Member States, together with their international partners, strongly condemn the malicious cyber activity conducted by the russian Federation against Ukraine, which targeted the KA-SAT satellite network operated by Viasat. This unacceptable cyberattack is yet another example of russia’s continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine [68].

MICROSOFT

Microsoft officials state that russian hacking in Ukraine has been extensive and intertwined with military operations. At least six different Kremlin-linked hacking groups have conducted nearly 240 cyber operations against Ukrainian targets during the war on Ukraine. russia’s military attacks on Ukraine sometimes correlate with cyberattacks, especially attacks on telecom infrastructure in particular areas [69].

DARKNET

A new dump shop dubbed «The KING CCARDS Shop», which offers compromised payment cards, has appeared on the darknet. The shop is available via a Telegram bot.

RANSOMWARE

According to ZDNet, Microsoft has reported over 35 ransomware families and 250 nation-state, ransomware, and cybercrime groups as part of the ransomware-as-a-service landscape. Threat actors have been delegating tasks in attacks, with one group responsible for double extortion and another tasked with ransomware payload development. Moreover, affiliates could be tapped to deploy certain ransomware payloads [70].

SOPHOS

Sophos’ annual study of real-world ransomware experiences reveals the following noteworthy facts:

  • 66% of organizations were hit by ransomware in the last year, up from 37% in 2020;
  • backups are the #1 method used to restore data, used by 73% of organizations whose data was encrypted;
  • 46% of victims reported that they paid the ransom to restore data;
  • in Italy, where extortion payments are illegal, meaning organizations are not allowed by law to pay the ransom, 43% of those whose data was encrypted admitted that their organization paid up;
  • the average ransom payment came in at US $812,360, a 4.8X increase from the 2020 average of US $170,000 [71].

CONTI

The U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of leaders of the Conti ransomware organized crime group. The agency also offered an additional $5 million for information leading to the arrest and/or conviction of individuals conspiring to participate in a crime with the group. The department said the FBI estimates the group has had over 1,000 victims over the last two years, with payouts exceeding $150 million, making Conti the costliest strain of ransomware ever documented [72].


Global cyber cooperative center (GC) continues working with companies, law enforcement and research organizations to neutralize cyber crime.