Main Cyber Highlights of October

EXECUTIVE SUMMARY

For several years now, Ukraine has joined the global initiative to draw attention to cyber security and from October 1 to 31 holds the «Cyber Security Month».

This year, this event is particularly important: russia has unleashed a full-scale bloody war against Ukraine and is trying to destroy us not only with tanks, shells, and missiles, but also by attacking in cyberspace. ¹

«The illegal and brutal aggression committed by the russian federation has radically changed the situation in Ukraine … the reality is that the russian federation has turned even a connection into a weapon that should work in the interests of welfare and development», – with such a statement Yury Shchygol, the Head of the State Service of Special Communications spoke at the Conference of the International Telecommunication Union (ITU). ²

State institutions, critical infrastructure facilities, the military, and the civilian population are under the «sight» of hostile hackers. ¹ Every Ukrainian can become a target, a window through which hackers will get into the information system of a state body or company whose activities are critical for millions of people. Therefore, it is everyone’s duty to follow the rules and recommendations on cyber security developed by the state. ³

Since the beginning of the year, the government computer emergency response team CERT-UA, which belongs to the State Service of Special Communications of Ukraine, has registered more than 1,700 cyberattacks. 3 Despite numerous cyberattacks on critical information infrastructure, russian hackers failed to achieve any strategic goals. ⁴

Immediately after the start of the war, the domestic cyber community went into an active counteroffensive on the cyber front and forces the enemy to spend serious resources on its defense. ⁵

Thanks to close cooperation between the EU and other international partners in the field of cyber security and cyber defense, Ukraine has demonstrated a remarkable ability to resist cyber attacks and protect its critical infrastructure. ⁶

The country’s cyber resilience is the result of the joint work of all sectors of society. Its key component is the involvement of the Government, public organizations, academia, the private sector, and society in general in this process. Oleksandr Potiy, the deputy head of the State Service of Special Communications of Ukraine, said this at the conference «Building the Resilience of Society by Increasing Public Awareness of Cyber Threats and Increasing the Role of Cyber Education» in the Polish representative office of the OSCE in the city of Lodz. ⁷

At the international conference «Formation of Cyber Security», Oleksandr Potii noted that the current decrease in attacks from the russian side can be explained by the “period of preparation” for future ones. ⁸

«We are 100% sure that even after the end of the war, the number of cyber attacks will increase exponentially. After all, we live in a new world, when they may not drop bombs, but they will hack critical infrastructures, so the private sector should help the state,» – cyber security expert, co-founder and CEO of Cyber Unit Technologies Yehor Aushev. ⁹

According to Oleksandr Potiy, several important lessons can be learned from this cyber war:

• Cyber attacks on Ukraine serve to support russian military and political operations. Criminal groups are well coordinated by special services: GRU, FSB, russian general staff.
• Extorting money and ransom are not the real goals of cyber The enemy intends to collect information (on both public and private infrastructure, as well as on ordinary citizens). It works to destroy the information infrastructure, to spread panic and mistrust of the government among people.
• the russian federation deliberately attacks civilian infrastructure and civilian targets. ⁸

UKRAINE IN CYBER SPACE

International Interaction

• At the end of September, the second cyberdialogue «Ukraine-EU» took place, where, in particular, the issue of repelling russian cyberattacks was discussed. It was established that the EU will continue to provide coordinated political, financial and material support to Ukraine to strengthen its cyber resilience.⁶
• Ukraine is developing cooperation with the EU Agency for Network and Information Security (ENISA). Launched in 2019, the project aims to support the Eastern Partnership countries in the development of their cyber potential and legal framework, as well as to promote the compatibility and convergence of legal frameworks, best practices, and cooperation. ¹⁰
• Ukrainian experience of confrontation in cyber war is now of high value in the world. On October 25, as part of Cyber Security Month in the EU, the State Special Communications Service of Ukraine will share details of our cyber resilience with European partners. ⁴
• Switzerland allocates over 500 million hryvnias for digitalization of Ukraine. ¹¹

Development of the Cyber Sphere

• Favbet Tech company specialists joined the initiative of the Ministry of Digital Transformation and joined the ranks of the IT army. ¹² According to the CEO of the company Artem Skrypnyk, cyber resistance has now become part of the work of almost the entire team under his leadership. ¹³
• As part of Cyber Security Month in Ukraine, the State Service of Special Communications has created a special website cip.gov.ua, where you can find useful information on cyber security for all groups of Internet users, including those who plan to make cyber security their profession. ¹⁴

Prevention of Cyber Attacks

• The SSU neutralized a hacker group from Lviv, which hacked almost 30 million accounts of Ukrainian and EU citizens and sold their personal data on the darknet. ¹⁵
• The Main Intelligence Directorate of the Ministry of Defense of Ukraine found out that the russian occupiers are preparing massive cyberattacks on critical infrastructure facilities, on enterprises of the energy sector of Ukraine and its allies. ¹⁶
• The Government Computer Emergency Response Team of Ukraine CERT-UA, which operates under the State Service of Special Communications, has published recommendations for avoiding cyberattacks and ensuring the protection of information systems, having investigated dozens of targeted attacks aimed at disabling information and communication systems and violating privacy information that they process. ¹⁷
• Since the beginning of the war, the SSU has neutralized almost 3,500 cyber attacks on government bodies and infrastructure facilities. ¹⁸
• The Main Directorate of Intelligence of the Ministry of Defense of Ukraine thwarted the provocation of the russians against the CEO of Baykar Defense Halyuk Bayraktar. ¹⁹
• The cyber police exposed a large-scale bot farm that had more than 50,000 bots in social networks and mail services and spread fakes and propaganda about the war in Ukraine. ²⁰
• The Security Service of Ukraine (SSU) liquidated an enemy bot farm in Dnipro, which created almost 10,000 fake accounts to «disperse» Kremlin propaganda in the EU. ²¹

RUSSIA IN CYBER SPACE

Problems of the Cyber Sphere 

• IT specialists are leaving the russian federation because of the mobilization, fearing that it will not be the last. ANO «Information Culture» believes that 100,000 IT specialists, who have potentially left, is the minimum from which to start. ²²
• Hackers of the russian federation began to carry out cyber attacks on targets inside their country. ²³

International Pressure

• EU countries propose to ban the russian cyber security company Kaspersky Lab as part of sanctions against russia.²⁴
• The status of russia as a country-in-exile was confirmed by members of the International Telecommunication Union. ²⁵

Attempts to Increase Cyber Resilience

• Because of the large number of cyberattacks, Putin signed an order to create a special unit to combat cybercrimes in the ministry of internal affairs of russia. ²⁶
• The russian ministry of digital affairs, in order to develop the IT sphere in the public sector, is gathering specialists in the field of information technologies as the personnel reserve. ²⁷
• The russian authorities plan to use «white hackers» to check the portal of «public services» because of the numerous hacks. ²⁸
• The ministry of digital affairs of the russian federation proposes to introduce fines for data leaks for companies and their officials. ²⁹
• The ministry of digital affairs of russia has launched special projects to combat cyber threats for citizens. ³⁰

«Hacker intentions» of the russians

• A crowdsourcing project called DDOSIA launched in mid-August by a russian-speaking group called «NoName057(16)» was discovered online, and it pays volunteers to carry out DDoS attacks on Western organizations. DDOSIA has about 400 members and remains a semi-closed group, accepting new members by invitation only. 60 military and educational Ukrainian organizations are regularly on the list of targets. ³¹

DETECTED ATTACKS 

Cyber Attacks on Ukraine 

Dos/DDos:

• Hackers carried out powerful DDoS attacks on Monobank fundraising links for the purchase of kamikaze drones: up to 6 million packets per minute for input + traffic of 11 Gbps, which is 35 times more than standard indicators. ³²

Phishing/Malware:

• Unknown pople on behalf of the Bihus.Info editors send requests to the state bodies of Ukraine. ³³
• Microsoft noted that starting from October 11, a ransomware cyberattack was launched against transport and logistics companies in Ukraine and Poland. ³⁴
• Phishing sendings of e-mails allegedly on behalf of the SSU with an offer to download programs allegedly to strengthen cyber protection and destroy viruses were recorded. ³⁵
• A cyber-attack on state organizations of Ukraine using the RomCom malware was detected. There is a possible involvement of Cuba Ransomware aka Tropical Scorpius aka UNC2596. ³⁶

Data Theft:

• the russian bookmaker 1XBet created a network for collecting personal data of Ukrainians: MelBet, PointLoto, FanSport, BetWinner. ³⁷

Cyber Attacks on russia 

Deface:

• The IT army of Ukraine hacked the site of the Organization of the Collective Security Treaty to «congratulate» Putin on his birthday. ³⁸

Data breach:

• There was a leak of user data of the largest electronics store dns-shop.ru. The hacker posted a 6.6 GB file containing the data of 16 million customers. ³⁹
• Anonymous stole the passport data of a russian influencer who called for the massacre of Ukrainian women and blocked her bank account. ⁴⁰
• The OneFirst group deleted the database of the russian satellite communication network «Gonets», without which the network cannot function normally. ⁴¹
• Hackers from the Cyber Anarchy Squad hacked the russian Unified Identification and Authentication System (UIAS) and exposed the data of thousands of russian entrepreneurs registered on the portal of the state services for public access. ⁴²
• The group Anonymous reported the release of 1.2 TB of confidential russian data, including information on key russian national security infrastructure, plans for cyber security strategies and other related data. ⁴³
• The IT army of Ukraine gave a cyber response to the terrorist attacks on October 10, attacking the st. petersburg power company: part of the leningrad region was left without electricity. All data, documents, passports, and orders are posted online. ⁴⁴
• The IT Army of Ukraine shared the base of the Tax Service of the russian federation. ⁴⁵

Dos/DDos:

• The following sites have been attacked http://militarist.ru/ and https://alfabank.com/. ^{46, 47}
• The site http://aeroexpress.ru/ has been broken. ⁴⁸

The IT Army of Ukraine attacked:

• russian gas stations, namely online services for payment, fuel cards, systems without operator fuel leave; ^{49, 50, 51, 52}
• moscow stock exchange moex.com; ⁵³
• goznak, which is responsible for the production of government signs, including the production of banknotes; ⁵⁴
• rosinkas, the largest cash carrier in russia; ⁵⁴
• the single state information platform for all participants in the market of precious metals, stones, and jewelry; ⁵⁴
• more than 70 online stores where russians can buy drones (among them citilink, mvideo); ^{55, 56, 57}
• cartographic and geo-information systems, one of the largest such systems of the aggressor country – 2GIS; ⁵⁸
• marketplace wildberries; ^{59, 60}
• com (TV channel «russia today»), Ivi.ru.; ^{61, 62}
• russian banks (including Sovkombank, Sberbank, Tinkoff Bank, Gazprombank and Otkritie bank) and brokers (including finam.ru, solidbroker.ru) and financial marketplace ru; ^{63, 64, 65, 66, 67, 68}
• online services of the federal tax service of russia. ⁶⁹

Malware:

• Kelvinsecurity was attacked by the russian companies «DEKS» LLC, IP Duvanova Svetlana Petrovna and «Bio Les» ⁷⁰

Other:

• The IT Army of Ukraine and Anonymous conducted a successful joint operation «Silence of the Steppe» because of which hundreds of office routers of providers and other companies across russia were disabled. ⁷¹

Cyber Attacks in the World 

Intel 471

Pro-russian hacktivist groups started targeting Ukraine supporters, likely with support from the Kremlin. They have been targeting a wide swath of industries and sectors, including aviation, energy, financial, government and public safety, technology, media and telecommunications sectors. In July and August 2022, numerous hacktivist groups accelerated their nefarious activities. The most impactful Ukrainian-specific incidents detected by Intel 471 were conducted by major pro-Russian hacktivist groups:

• Народная Cyberармия (Eng. People’s CyberArmy) aka CyberArmyRussia, which continues to proclaim their opposition to the «West, European Union and Ukraine» and release pro-Russian propaganda articles and videos in addition to website breach announcements;
• FRwL Team, aka From Russia with Love, Z Team;
• KillNet;
• NBP Hackers;
• NoName057(16).

Due to the very nature of state-sponsored cyber attacks, there is limited conclusive evidence that the Kremlin is directing or supporting the aforementioned hacktivism. The Kremlin distances itself from any malign activity so as not to risk breaching NATOs Collective Defence treaty, Article 5.

Chainalysis

More than $2 billion in digital currency has been stolen in hacks this year according to the crypto tracking firm Chainalysis, putting the overall industry on a pace for its worst year of hacking losses and shaking faith in the experimental field of decentralized finance, known as DeFi.
Many of the thefts have stemmed from flaws in the computer programs — known as “smart contracts” — that power DeFi.

The White House

The White House intends to kickstart the development of the label to inform consumers which IoT devices meet adhere to the «highest cybersecurity» standards and, in turn, are more resilient to hacking attempts. Among the first devices to be labeled are technologies considered to be most at risk by the White House, such as routers and home cameras.

Cyber Police of Ukraine

The cyber police in cooperation with foreign partners (Europol, the «No More Ransom» project and the «BitDefender» company) created a special web platform – www.nomoreransom.org – to help companies affected by hacker attacks with information encryption carried out by a transnational criminal group, which was revealed at the end of last year. Based on the results of the analysis of the seized media, numerous private keys from ransomware attacks were obtained. These keys enable the affected companies and institutions to restore previously encrypted data.

Varonis

The average company with data in the cloud has 157 000 sensitive records exposed to everyone on the internet by SaaS apps sharing features, representing $28 million in data-breach risk, according to a new report «The Great SaaS Data Exposure» by Varonis. The study highlights how hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyberattacks. For the report, researchers at Varonis analyzed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide.

Mandiant

Cyber criminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called Caffeine to effectively scale up their attacks and distribute nefarious payloads. «This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns,» Mandiant said in a new report.

Global Сyber Сooperative Сenter (GC) continues working with companies, law enforcement and research organizations to neutralize cyber crime.