EXECUTIVE SUMMARY
The majority of cyberattacks on Ukraine are carried out from the russian federation and the Republic of Serbia. russia has fostered cyber terrorism for years, effectively starting its cyber aggression against the civilized world with the 2007 attacks on Estonia. Over the past eight years, our country has been one of the main targets of russian hackers.
The third stage of the cyber war is now underway, and russia’s attacks are directed mainly against civilian infrastructure.1
The enemy does not have a defined strategy – the attack is an opportunistic, chaotic activity aimed at finding vulnerabilities and weaknesses in the defense: it attempts to gain access to networks and information systems, and only then decides what to do with that access and what damage to cause. 2
Ukraine conducts test attacks against its own systems: a team has been created that constantly, 24/7, tests and attacks them. Thanks to this, it was possible to find many vulnerabilities in the critical infrastructure sector by January and prevent further problems. This is how Ukraine managed to survive the cyber war. 3
Over the past six months, the level of coordination between cyber security entities has increased significantly. All subjects work synchronously under the coordination of the National Security Council. An interdepartmental working group under the auspices of the NCCC developed the Procedure for the interaction of cyber security entities during response to cyber incidents/cyber attacks.4
The creation of cyber security infrastructure made it possible to protect Ukrainian web resources and databases from russian attacks. No basic registry and no critical state service was stopped; the state worked stably and responded quickly to the challenges of the war. As a result, the functioning of the state was insulated from the physical and virtual impact of the aggressor. 5
From April to June 2022, researchers from Google TAG (Threat Analysis Group), the unit that monitors state-sponsored cyber activity, recorded “an increase in the number of financially motivated threat actors targeting Ukraine, the activities of which appear to be closely related to criminals, which are supported by the russian government.” TAG points to a “blurring of lines between financially motivated and government-sponsored groups in Eastern Europe,” an indicator that attackers often adapt their targets to geopolitical interests in the region. 6
Foreign business is actively studying the experience of the russian-Ukrainian cyber war, because it perfectly understands that in the future the problem of resisting the aggressive actions of states and numerous hacker groups in cyberspace will become one of the key issues for the further development of both their companies and states in general. And no one can feel safe or think that they will not be of interest to hackers. 7
Ukraine’s experience in cyber warfare will have an extraordinary impact on the formation of cyber security architecture in the future.
UKRAINE IN CYBER SPACE
International Interaction
Representatives of the State Service of Special Communications took part in the NATO International Cyber Security Summer School (ICSSS). 8
The State Service of Special Communications of Ukraine and the National Cyber Security Directorate of Romania signed a memorandum of understanding in the field of cyber security cooperation. 9
Oleksandr Potii, deputy head of the State Service of Special Communications, met with Karol Molenda, commander of the Polish Cyberspace Defense Forces. This is the first meeting of the parties, aimed at implementing the memorandum of understanding in the field of cyber protection, signed on August 22 between the Governments of Ukraine and Poland. 10
The agreement was signed in Brussels between the Government of Ukraine and the European Commission regarding Ukraine’s accession to the EU program “The Digital Europe Programme”. 11
In the USA, the Blue & Yellow Heritage Fund was launched, which will invest in Ukrainian startups in the following areas: cyber security and defense, technologies and AI, production automation, robotics, energy, etc. 12
The government of Estonia is one of the most active providers of assistance and support to the Ukrainian authorities in defense against russian cyberattacks. Estonia supported the continuity of Ukrainian digital services in the cloud and from outside Ukraine, and the Estonian government and local technology companies provided material support to Ukraine, including free equipment for monitoring and countering cyber attacks. 13
Elimination of Cyber Threats
Cyber specialists of the Security Service of Ukraine liquidated 2 bot farms: in the Kyiv region and in Odesa. The “army of bots” in almost 7,000 accounts was used to spread destructive content. 14
The SSU served a notice of suspicion on the organizer of a powerful bot farm in the Carpathian region (fake accounts involving almost 11,000 SIM cards of one of the Ukrainian mobile operators), and also neutralized another bot farm in Kyiv, which “cooperated” with russian PR companies. 15, 16
The SSU neutralized a hacker group that “hacked” almost 30 million accounts of Ukrainian and EU citizens. 17
In total, since the beginning of the year, the SSU has neutralized 35 bot farms and is initiating increased responsibility for their creation. 18
A hacker from the Kherson Region who hacked private accounts of Internet users and sold data will be tried in Lviv. 19
Protection of the Cyber Sphere
The national telecom operator Kyivstar received certification for the provision of the “protection against DDoS attacks” service. 20
A “Dialogue on Cyber Security” was held in Kyiv, during which issues related to the creation of a National Plan for responding to emergency situations in cyberspace and strengthening the protection of critical infrastructure facilities were discussed. 21
RUSSIA IN CYBER SPACE
“Hacker Intentions” of the russians
The Sandworm group masquerades as Ukrainian telecommunications providers. This is how criminals try to deceive Ukrainian organizations and infect them with malicious software. 22
IP addresses used by Sandworm (Recorded Future).
The Weakness of the Cyber Sphere
russia lacks tens of thousands of cybersecurity specialists: about 5,000 specialists work in the field of cybersecurity in the country, and today the need is twentyfold. 23
Roskomnadzor noted that since the beginning of 2022, there have been about 60 large leaks of personal data in russia, during which 230 million records with personal information of russians became publicly available. Not only personal data such as name, address, and phone number are compromised, but also medical data, data on behavioral characteristics, and consumer preferences of people. 24
Cyber Attacks on Ukraine
DoS/DDoS:
Phishing/Malware:
Other:
Cyber Attacks on russia
DoS/DDoS:
More than 6,400 russian online resources were attacked by the IT army of Ukraine in the period from August 29 to September 25: 34, 35
Attack statistics from disBalancer (the Liberator DDoS attack tool) for the first six months of the cyber war 36:
Deface/replace of the Information:
Data Dump:
Anonymous:
Cyber Attacks in the World
FBI
The FBI issued a public service announcement warning investors that cybercriminals are increasingly exploiting vulnerabilities in decentralized finance (DeFi) platforms to steal cryptocurrency.
Between January and March 2022, cybercriminals stole $1.3 billion in cryptocurrencies, almost 97 percent of which was stolen from DeFi platforms. 53
Intel 471, a premier provider of cyber threat intelligence, released The 471 Cyber Threat Report, covering the most impactful cyber threats of the past year and predictions for the future. It establishes that the main threats include compromised access and data, ransomware, the return of Emotet malware, and the exploitation of vulnerabilities.
Evolving threats include hacktivism, one-time password (OTP) bypass services, supply chain attacks, and information-stealer malware. The report expects an increase in ransomware attacks and in the demand for network access. 54
National Police of Ukraine
The National Police of Ukraine successfully busted a crypto cybercrime group operating “call centers” that targeted locals and European Union citizens. The scammers allegedly offered to help foreigners affected by crypto scams and suggested investment packages in crypto, gold, oil, and securities. 55
InterContinental
A cyberattack brought down InterContinental Hotels’ booking systems. The statement from the InterContinental Hotels Group (IHG) says the company is working to resolve the issue as soon as possible and to assess the nature, extent, and impact of the incident. 56 IHG didn’t disclose whether the attack was the result of ransomware or some other malware, but threat intelligence company Hudson Rock said that at least 15 IHG employees and 4,030 users on the internal network were compromised. Hospitality organizations are among the top industries targeted by cybercriminals because of the large number of credit cards they process and the large amount of traveler data they hold. 57
Proofpoint, Inc.
Proofpoint, Inc., a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, released the results of a new study on the impact of cybersecurity in healthcare. It established that 89% of the surveyed organizations experienced an average of 43 attacks in the past 12 months, almost one attack per week. The four most common types of attacks are cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing phishing. Cyberattacks cause more than 20% of impacted healthcare organizations to experience increased mortality rates. 58
Ransomware
Unit 42 researchers reported that the ransomware-as-a-service (RaaS) group known as Black Basta has compromised more than 75 organizations over the past several months. The RaaS group uses the double extortion technique, meaning that in addition to encrypting files on targeted systems and demanding a ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if a company chooses not to pay the ransom. 59
Bleeping Computer
According to Bleeping Computer, one of the most active ransomware groups, LockBit, created a leak site after the June hack of digital security giant Entrust. The hackers started sharing screenshots of the allegedly stolen data, which included legal documents and accounting data, but the leak was short-lived: LockBit’s Tor site became inaccessible soon after the leaks began due to a DDoS attack. 60, 61
Mandiant
Mandiant, which has been tracking the activities of the state-backed russian cyberespionage group Cozy Bear (aka APT29 and Nobelium), published reports that highlight some of APT29’s advanced tactics and some of its newest TTPs (tactics, techniques, and procedures). The main finding is the abuse of Azure services by the hackers to compromise Microsoft 365 users. 62
Global Cyber Cooperative Center (GC3) continues working with companies, law enforcement and research organizations to neutralize cyber crime.
Senator business center, 32/2, Dukes of Ostrozhsky, Kyiv
+38 (050) 428 44 68 (Ukraine), +1 (786) 755 8398 (USA)
© 2023 GLOBAL CYBER COOPERATIVE CENTER (GC3). All rights reserved.