Main Cyber Highlights of September

EXECUTIVE SUMMARY

The majority of cyberattacks on Ukraine are carried out from the russian federation and the Republic of Serbia. russia has fostered cyber terrorism for years, effectively starting its cyber aggression against the civilized world with the 2007 attacks on Estonia. Over the past eight years, our country has been one of the main targets of russian hackers.

The third stage of the cyber war is now underway, and russia’s attacks are directed mainly against civilian infrastructure.¹

The enemy does not have a defined strategy – the attack is an opportunistic, chaotic activity aimed at finding vulnerabilities and weaknesses in the defense; attempts to gain access to networks, information systems, and only then – determination of what to do with this access, what damage to cause. ²

Ukraine conducts test attacks against its systems: a team has been created that constantly, 24/7, tests systems and attacks them. Thanks to this, it was possible to find many vulnerabilities in the direction of critical infrastructure by January and prevent further problems. This is how Ukraine managed to survive the cyber war. ³

Over the past six months, the level of coordination between cyber security entities has increased significantly. All subjects work synchronously under the coordination of the National Security Council. An interdepartmental working group under the auspices of the NCCC developed the Procedure for the interaction of cyber security entities during response to cyber incidents/cyber attacks.⁴

The creation of cyber security infrastructure made it possible to protect Ukrainian web resources and databases from russian attacks. No basic registry and no critical state service was stopped, and the state worked stably and responded quickly to the challenges of the war. As a result, the functioning of the state was removed from the physical and virtual impact of the aggressor. ⁵

From April to June 2022, researchers from the Google TAG (Threat Analysis Group) unit, which monitors state-sponsored cyber activities, recorded “an increase in the number of financially motivated threat actors targeting Ukraine, the activities of which appear to be closely related to criminals , which are supported by the russian government.” TAG points to a “blurring of lines between financially motivated and government-sponsored groups in Eastern Europe,” an indicator that attackers often adapt their targets to geopolitical interests in the region. ⁶

Foreign business is actively studying the experience of the russian-Ukrainian cyber war, because it perfectly understands that in the future the problem of resisting the aggressive actions of states and numerous groups of hackers in cyberspace will become one of the key for the further development of both their companies and states in general. And no one can feel safe or think that they will not be of interest to hackers. ⁷

Ukraine’s experience in cyber warfare will have an extraordinary impact on the formation of cyber security architecture in the future.

UKRAINE IN CYBER SPACE

International Interaction

Representatives of the State Service of Special Communications took part in the NATO International Cyber Security Summer School (ICSSS). ⁸

The State Service of Special Communications of Ukraine and the National Cyber Security Directorate of Romania signed a memorandum of understanding in the field of cyber security cooperation. ⁹

Oleksandr Potii, deputy head of the State Service of Special Communications, met with Karol Molenda, commander of the Polish Cyberspace Defense Forces. This is the first meeting of the parties, aimed at implementing the memorandum of understanding in the field of cyber protection, signed on August 22 between the Governments of Ukraine and Poland. ¹⁰

The agreement was signed in Brussels between the Government of Ukraine and the European Commission regarding Ukraine’s accession to the EU program “The Digital Europe Programme”. ¹¹

In the USA, the Blue & Yellow Heritage Fund was launched, which will invest in Ukrainian startups in the following areas: cyber security and defense, technologies and AI, production automation, robotics, energy, etc. ¹²

The government of Estonia is one of the most active providers of assistance and support to the Ukrainian authorities in defense against russian cyberattacks. Estonia supported the continuity of Ukrainian digital services in the cloud and from outside Ukraine, and the Estonian government and local technology companies provided material support to Ukraine, including free equipment for monitoring and countering cyber attacks. ¹³

Elimination of Cyber Threats

Cyber specialists of the Security Service of Ukraine liquidated 2 bot farms: in the Kyiv region and in Odesa. The “army of bots” in almost 7,000 accounts was used to spread destructive content. ¹⁴

The SSU notified the organizer of a powerful bot farm (fake accounts involving almost 11,000 cards of one of the Ukrainian mobile operators) in the Carpathian region of suspicion, and also neutralized another bot farm in Kyiv, which “cooperated” with russian PR companies. ^{15, 16}

The SSU neutralized a hacker group that “hacked” almost 30 million accounts of Ukrainian and EU citizens. ¹⁷

In total, since the beginning of the year, the SSU has neutralized 35 bot farms and is initiating increased responsibility for their creation. ¹⁸

A hacker from the Kherson Region who hacked private accounts of Internet users and sold data will be tried in Lviv. ¹⁹

Protection of the Cyber sSphere

The national telecom operator Kyivstar received certification for the provision of the “protection against DDoS attacks” service. ²⁰

A “Dialogue on Cyber Security” was held in Kyiv, during which issues related to the creation of a National Plan for responding to emergency situations in cyberspace and strengthening the protection of critical infrastructure facilities were discussed. ²¹

RUSSIA IN CYBER SPACE

Hacker Intentions” of the russians

The Sandworm group masquerades as Ukrainian telecommunications providers. This is how criminals try to deceive Ukrainian organizations and infect them with malicious software. ²²

IP addresses used by Sandworm (Recorded Future).

The Weakness of the Cyber Sphere

russia lacks tens of thousands of cybersecurity specialists: about 5,000 specialists work in the field of cybersecurity in the country, and today the need is twentyfold. ²³

Roskomnadzor noted that since the beginning of 2022, there have been about 60 large leaks of personal data in russia, during which 230 million records with personal information of russians became publicly available. Not only personal data such as name, address, and phone number are compromised, but also medical data, data on behavioral characteristics, and consumer preferences of people. ²⁴

DETECTED ATTACKS

Cyber Attacks on Ukraine 

Dos/DDos:

• The most powerful DDoS attack on Monobank. ²⁵
• Attacks on educational sites in Melitopol with the aim of blocking distance learning. ²⁶

Phishing/Malware:

• Online fraud using the subject of “cash payments” in the Facebook social network. ²⁷
• Unknown people tried to gain access to the Telegram account of the editor of the Kherson website BRIDGE Serhiy Nikitenko. ²⁸
• Mass distribution of the AgentTesla malware.²⁹

Other:

• Attack on the Telegram channel of the “Apostrophe” site. ³⁰

Cyber Attacks on russia

Dos/DDos:

• The website parkingkrd.ru and the mobile application “Krasnodar City Parking”, where you can pay for parking, were hacked.³¹
• The electronic voting system in Moscow has undergone about 4,000 hacking attempts. ³²
• The website of the public headquarters for monitoring the elections was subjected to a massive attack. ³³

More than 6,400 russian online resources were attacked by the IT army of Ukraine in the period from August 29 to September 25:^{34, 35}

• The largest banks of the russian federation (Gazprombank, Moscow Credit Bank, Sovkombank);
• Online services of car dealerships (the largest online site for selling cars and spare parts – Drom);
• Electronic document management systems at dairy enterprises;
• Propaganda mass media (Rambler, Gazeta.Ru, MK);
• The website of Wagner’s group, which collects russian prisoners for the war in Ukraine. All data stored on the site was obtained;
• Resources of the Young Guard of United r Received lists of young putinists who were or are in the occupied territories, help to hide war crimes and hold illegal referendums;
• “Gosuslugy” portal;
• Sites for job search;
• War traders of the russian federation;
• Websites for the sale of auto tools;
• Commercial bank Otkritie.

Attack statistics from disBalancer (the Liberator DDoS attack tool) for the first six months of the cyber war ³⁶:

Deface/replace of the Information:

• On September 1, schoolchildren and students received greetings from the President of Ukraine on the central TV channels of the Crimea.³⁷
• The website of the Radio Crimea radio station in the occupied Crimea was hacked and the national anthem of Ukraine was played. ³⁸
• Hackers interfered with the Yandex Taxi service and created a two-hour traffic jam in the russian capital.³⁹
• Ukrainian hackers established the coordinates of the russian military base near the temporarily captured Melitopol based on photographs using fake accounts in social networks.⁴⁰
• The demand on behalf of the XakNet and KillNet groups to “stop the bloody Moscow wheel” on the hacked Sun of Moscow observation wheel site.⁴¹
• The websites of Mosoblenergo and the Crimean information server were hacked. ⁴²
• In the occupied Crimea, hackers broadcast Zelensky’s address on TV and a call to the occupiers to surrender to the Armed Forces.⁴³
• Websites of major russian airports (Pulkovo (St. Petersburg), Yekaterinburg, Khabarovsk, Ufa, Blagovishchensk and Samara airports) were hacked and anti-war banners were posted calling on russians to avoid mobilization. ⁴⁴

Data Dump:

• The russian streaming giant suffered a massive data breach of 44 million users. ⁴⁵
• A dump of 3.744 million users of one of the largest russian network hypermarkets, Online Trade, got into open access. ⁴⁶
• Ukrainian hackers from the Ukrainian Cyber Alliance hacked the Federal Penitentiary Service (FPS) of the russian f ⁴⁷
• CAS, UCA and DF cyber movements hacked the official website of the Organization of the Collective Security Treaty and made the archive with the source code publicly available, promising to continue their activities. ⁴⁸

Anonymous:

• They hacked the website of the Ministry of Defense of russia and placed on the Internet a database with the data of more than 300,000 men who are subject to partial mobilization in the first place. ⁴⁹
• The Anonymous collective, Squad303, is conducting a campaign against russian businessmen:
• Squad303 revealed a list of russians and russian companies operating in Poland. ⁵⁰
• Squad303 published a list of russians who have great economic influence in Great Britain. ⁵¹
• In one of the posts at the request of the Czech Fonetech server, the hackers reported that russian companies operating in the Czech Republic would be next. ⁵²

Cyber Attacks in the World 

FBI

The FBI issued a public service announcement warning investors that cybercriminals are increasingly exploiting vulnerabilities in decentralized finance (DeFi) platforms to steal cryptocurrency.

Between January and March 2022, cybercriminals stole $1.3 billion in cryptocurrencies, almost 97 percent of which was stolen from DeFi platforms. ⁵³

The premier provider of cyber threat intelligence, Intel 471, released The 471 Cyber Threat Report about the most impactful over the past year cyber threats and predictions for the future. Established that the main threats include compromised access and data, ransomware, return of Emotet malware and exploitation of vulnerabilities.

Evolving threats include hacktivism, one-time password (OTP) bypass services, supply chain attacks and information-stealer malware. Expecting increase in ransomware attacks and a demand for network access. ⁵⁴

National Police of Ukraine

National Police of Ukraine successfully busted a crypto cybercrime group operating “call centers” that targeted locals and European Union citizens. Scammers allegedly offered to help foreigners affected by crypto scams and suggested investment packages in crypto, gold, oil, and securities. ⁵⁵

InterContinental

Cyberattack brought down InterContinental Hotels’ booking systems. The statement from the InterContinental Hotels Group (IHG) says the company is working to resolve the issue as soon as possible and to assess the nature, extent, and impact of the incident. ⁵⁶ IHG didn’t disclose whether the attack was the result of ransomware or some other malware, but threat intelligence company Hudson Rock said that at least 15 IHG employees and 4,030 users on the internal network were compromise. Hospitality organizations are among the top industries targeted by cybercriminals because of the large numbers of credit cards they process and a lot of traveler data they hold. ⁵⁷

Proofpoint, Inc.

Proofpoint, Inc., a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, released the results of a new study on the effect of cybersecurity in healthcare. It is established that 89% of the surveyed organizations experienced an average of 43 attacks in the past 12 months, almost one attack per week. The four most common types of attacks are cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing phishing. Cyberattacks сause more than 20% of impacted healthcare organizations to experience increased mortality rates. ⁵⁸

Ransomware

Unit 42 researchers reported that the ransomware-as-a-service (RaaS) group known as Black Basta has compromised more than 75 organizations over the past several months. The RaaS group uses the double extortion technique, meaning that in addition to encrypting files on targeted systems and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threatened to post sensitive information if a company chooses not to pay the ransom. ⁵⁹

Bleeping Computer

According to Bleeping Computer, one of the most active ransomware group, LockBit, created leak site after June hack of a digital security giant Entrust. Hackers started sharing screenshots of the allegedly stolen data that included legal documents and accounting data, but the leak was short-lived as LockBit’s Tor site was inaccessible soon after the leaks began due to a DDoS attack. ^{60, 61}

Mandiant

Mandiant, who has been tracking the activities of the state-backed russian cyberespionage group Cozy Bear (aka APT29 and Nobelium), published reports in which highlights some of APT29’s advanced tactics and some of their newest TTPs (tactics, techniques, and procedures). The main finding is abuse Azure services by hackers to hack Microsoft 365 users. ⁶²

Global Сyber Сooperative Сenter (GC) continues working with companies, law enforcement and research organizations to neutralize cyber crime.