01.07.2022

Main Cyber Highlights of June

EXECUTIVE SUMMARY

Since the beginning of the war in Ukraine, 114 hacker groups have emerged in the public arena.

Currently, 72 active hacker groups are known: 45 of them are pro-Ukrainian, 25 are pro-russian and two are of unknown allegiance. Most of them are involved in organizing DDoS attacks and targeted hacks. [1]


In the first four months of the war, 796 cyber attacks were recorded by the State Service of Special Communication of Ukraine. The Government and local authorities, defense, financial and energy sectors were attacked the most, compared with the previous period. The transport infrastructure and the telecom industry also remain in the field of view of cybercriminals. [2]


Ukraine is opposed mostly by russian hackers. According to the report «Defending Ukraine: Early Lessons from Cyberwarfare», the activities of russian cybercriminals are overseen by three government organizations: the Federal Security Service, the Central Intelligence Agency, and the russian Foreign Intelligence Service. [3]


The most famous groups opposing russia are Anonymous and the IT ARMY of Ukraine.

As of June 5, the Anonymous team had hacked and released more than 12 million russian files and emails (not including databases) following the declaration of cyber warfare by the Kremlin’s criminal regime. [4] This volume is constantly increasing. Over the past month, several more TV-related data dumps have surfaced online.

The IT army began its work on the third day of the full-scale russian invasion. More than 250,000 volunteer hackers from around the world have come together to launch massive attacks on russia’s online resources on a daily basis. From February 26 to June 26, the IT army attacked more than 4,200 russian online resources:

  • Websites of government agencies, regional courts, higher education institutions, banks. Due to DDoS attacks, the websites of state institutions of the russian Federation were shut down, russians could not receive public services or conduct financial transactions in online banking, entrants could not apply online to the Free Economic Zone, and lawsuits in the regions were suspended.
  • Economic Forum, national and regional media sites and online television, rutube. The cyberattacks damaged Putin’s speeches and also disrupted the media from spreading propaganda.
  • Business services, tendering sites, online accounting services, Internet providers. The IT army has hampered russian entrepreneurs, disrupted bidding, blocked accountants’ work and Internet access.
  • Labeling systems, alcohol factories and veterinary inspections. The attacks disrupted food companies, which could not apply a special QR code to the product, prevented information systems from tracking alcohol turnover and obtaining permits for meat and dairy products.
  • Ticket purchase services, insurance services, online courier delivery services, food orders, online shopping. This prevented russians from purchasing the required service and product online in a few clicks. [5]

During the St. Petersburg International Forum, Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, said that since the beginning of the war hackers have been attacking russian resources more actively: the number of hacker attacks has increased about 15 times. As a result of their activities, the data of 65 million russians were stolen and 13 million cards were compromised, the reissue of which will cost at least 4.5 billion rubles. [6]

In March alone, russia recorded an eightfold increase in DDoS attacks. Most attacks were carried out on banks (35%), a third of attacks on government agencies, almost every tenth (9%) on educational institutions, and 3% on the media. [7]

Ukraine in Cyberspace 

Ukraine is constantly growing in the digital field. During the world’s first cyber war, hackers have never managed to find a weak point of defense and access Ukrainian registries or critical infrastructure. We stand because the state has been increasing its cyber resilience for a long time: through international cooperation, changes in legislation, strengthening staff and equipment. [8] This month, measures have been taken to ensure the stability of the cyber front and minimize the risks of cyber threats, new partnership agreements have been signed and other steps have been initiated to strengthen international cooperation in the field of modern technologies, including cybersecurity and cyber defense.

Level of Cyber Resilience and Cybersecurity

The State Service for Maritime and Inland Water Transport and Shipping of Ukraine, in cooperation with the Ministry of Infrastructure, has developed a service for downloading electronic copies of seafarers’ qualification documents. It will be used to create backup databases on a local server, which significantly enhances cybersecurity. [9]

Ukraine received a score of 75.32 in the National Cyber Security Index and ranked 24th in this ranking. This figure is much higher than the average. [10]


Partnership

Minister of Digital Transformation Mykhailo Fedorov and the new US Ambassador to Ukraine Bridget Brink agreed on further cooperation: the United States will continue to support and develop Ukraine’s digitalization and cyber defense, as well as important work to protect Ukraine, its people and democratic future.

The United States was one of the first countries to offer assistance during the cyber attack on January 14, which is considered by the State Special Communications Service to be the beginning of the active phase of russia’s war against Ukraine in cyberspace. Currently, leading American IT companies are helping Ukraine to resist the aggressor. [11]

Palantir is ready to become a partner of Ukraine in the sector of defense, security and digital technologies. Palantir is a world leader in data analysis software development. The company’s products are used by the US Department of Defense, large investment banks and hedge funds. The company is ready to open an office in Ukraine and start joint development with Ukrainian specialists. [12]

International cooperation

For the first time, the Ukrainian delegation took part in a meeting of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Ukraine’s accession to CCDCOE is an important step for our country to strengthen international cooperation in the field of cybersecurity and cyber defense, as well as on the path of Ukraine’s accession to NATO. [13]

This year, for the first time, the Ukrainian IT community will join one of the largest conferences in the world of technology, Collision, where it will present the possibilities of Ukrainian IT in the international arena. [14]

Ukraine has approved a delegation for negotiations between Ukraine and the EU on participation in the program of development of modern technologies «Digital Europe». It is a large-scale project worth 7.5 billion euros, which funds research and programs in the field of artificial intelligence, cybersecurity, digital skills, etc. [15]

russia in Cyberspace

It is no longer a secret for anyone that russia’s capabilities on the digital front have been largely overestimated: problems are observed both in conducting attacks and in defense. Due to the lack of qualified IT specialists, many attempts have been made to involve ordinary citizens in hacker attacks, but the inexperience of such personnel is quite noticeable. Also, russia cannot focus on attacks because it spends more and more resources on protecting its networks. Despite numerous attempts to hide their vulnerabilities, successful attacks on russian Internet resources are observed day after day. Hacker groups from all over the world, official bodies of Ukraine and its foreign partners are involved in this. The creation of various coalitions in the field of cyber security has been repeatedly initiated, but such alliances did not bring any practical benefit.

Weakening of the Cyber Sphere

The US Department of Justice, together with partners from the law enforcement agencies of Germany, the Netherlands and Great Britain, eliminated the infrastructure of the russian botnet RSOCKS, which had hacked millions of computers around the world. [16]


Stabilization Attempts

Against the background of increased hacker attacks on the russian IT infrastructure at the end of February, after the start of the war in Ukraine, russia showed its inability to counter these attacks and its weakness in the field of cyber security. Therefore, the largest russian companies in the field of information security (Kaspersky Laboratory, R-Vision, specialized units of OJSC russian Railways, rosatom, etc.) intend to join forces in the development of joint solutions within the framework of a new consortium. [17]

russian cyber special forces are forming new divisions for attacks on NATO. The group has created a new division, Sparta, whose responsibilities include cyber sabotage, disruption of internet resources, data theft and financial intelligence targeting NATO, its members and allies. The created unit is an official part of the Killnet Collective group. [18]

The Level of «Experts» on Hacking

A popular IT blogger with the nickname eTorus assures that he managed to access Facebook and VKontakte pages using some Killnet addresses and passwords. He came to the conclusion that most of the members of the Killnet cyber group are practically teenagers. It is noted that these are mostly Internet fraudsters and cybercriminals of a fairly average level. This coincides with the opinion of specialized experts. [19]

DETECTED ATTACKS 

Cyber Attacks on Ukraine 

Deface and DeepFake

  • Hackers attacked the oll.tv media service and launched russian propaganda instead of football. [20]
  • Hackers used the appearance of the mayor of Kyiv, Vitaliy Klitschko, for negotiations with the mayors of Berlin and Madrid. [21]

Malware

  • Cyberattack on Ukrainian government organizations using the malicious program Cobalt Strike Beacon and exploits for the vulnerabilities CVE-2021-40444 and CVE-2022-30190. [22]
  • Massive cyberattack on media organizations of Ukraine using the malicious program CrescentImp and compromised e-mail addresses of government agencies. [23]
  • Cyberattack of the UAC-0098 group on critical infrastructure facilities of Ukraine using the malicious program Cobalt Strike Beacon. [24]
  • Cyberattack of the APT28 group using the malicious program CredoMap. [25]
  • Cyberattack against telecommunications operators of Ukraine using the malicious program DarkCrystal RAT. [26]

Cyber Attacks on russia 

DDoS

  • GhostSec hacked 104 Industrial Control System devices. [27]
  • IT ARMY of Ukraine attacked:
    – web resources of russian Internet providers; [28]
    – russian information systems of the Ministry of Labor and Social Protection of the russian Federation, housing construction, land and real estate resources, seed production; [29, 30]
    – roszmi; [31, 32, 33, 34]
    – resources of state institutions of the russian Federation; [35, 36]
    – the online part of the My Documents service; [37]
    – construction shops of the occupiers in Crimea; [38]
    – judicial information systems; [39, 40]
    – economic forum with a speech by putin; [41]
    – websites of terrorist organizations in the temporarily occupied territories of Ukraine; [42]
    – online resources of russian universities; [43]
    – State services of the russian federation. [44]

Defacement and Replacement of Information

  • Three St. Petersburg radio stations (Road Radio, Retro FM, and New Radio) broadcast Ukrainian and anti-war songs: the national anthem of Ukraine performed by Oleksandr Ponomaryov, the joint composition of Pink Floyd and Boombox vocalist Andrii Khlyvniuk «Oh, the red viburnum in the meadow» and the song «We do not need the war!» by the russian band «Nogu Svelo». [45]
  • Nybbas hacked Moodle virtual learning environment. [46]
  • Anonymous posted the call «STOP PUTIN, STOP WAR» on the website of Sberbank. [47]
  • The message «The blood of thousands of Ukrainians and hundreds of their murdered children is on your hands» appeared on russian TV channels; it is linked to the activities of Anonymous. [48]
  • Hackers have hacked the website of the Ministry of Construction and Housing and Communal Services of russia. [49]
  • The russian radio station «Kommersant FM» has been hacked: the national anthem of Ukraine and the composition «Red viburnum» were played on the air. [50]
  • The truth about the war in Ukraine was shown on hacked russian TV channels (Channel «Russia», «Pervyi Kanal», NTV). [51]
  • A fake appeal on behalf of the first deputy head of the administration of the President of the russian federation Serhiy Kiriyenko was published in the russian publication «Izvestia». [52]
  • Hackers have hacked the website of the «supreme court of the DNR», sending «hello» to the judges who handed down the death sentence to foreigners who fought on the side of Ukraine. [53]
  • On the Internet page of the «ru» service of the russian VDTRK, a screen saver was broadcast with the inscription «Putin destroys Ukrainians! Stop the war!». [54]

Data leaks from:

  • Metallurgical engineering and investment group «MetProm», a subsidiary of the russian energy giant Gazprom, associated with the Arab Republic of Egypt and the Islamic Republic of Iran (184 GB) – B00da, Porteur, Wh1t3, Sh4d0w; [55]
  • Vybery Radio group of companies, which serves about 100 radio stations in 18 cities across russia with more than 8 million listeners (823 GB) – Anonymous; [56]
  • russian online English language school SkyEng (7,442,890 lines, including logins, full names, dates of birth, phones, e-mail addresses, Skype, information about time zones and regions of residence of customers); [57]
  • FSUP in Moscow dealing with waste (files related to the new toxic waste management system, including levels 1 and 2) – Team Onefist; [58]
  • Lipetsk Technical University (hackers reported a data leak, but did not specify the details) – LulzSecMafia; [59]
  • RKP Law, a russian law firm working with major banking, media, oil and industrial firms, as well as government interests, including US companies (1 TB) – B00da, Porteur; [60]
  • Central Bank of russia (software leak) – RootkitHuN7er; [61]
  • Moscow Aviation Institute (database, Telegram bot and API) – Anonymous; [62]
  • Federal Unitary Enterprise «russian Broadcasting and Notification Networks» (full network, employee emails and LinkedIn) – LulzSecMafia; [63]
  • the department for operational and investigative activities of the Ministry of Internal Affairs of Belarus (wiretapping records of employees of the russian embassy for 2020-2021) – belarusian opposition hackers «Cyber-partisans»; [64]
  • Companies and enterprises producing unmanned aerial vehicles in russia (characteristics and details of the production of three new UAVs: «Helios», «Grim» and «Orion-E») – Anonymous; [65]
  • Public Chamber of Krasnoyarsk, the largest city of the Krasnoyarsk Territory, an important node of the Trans-Siberian Highway and one of the largest producers of aluminum in the country (41.1 GB) – Porteur, B00da. [66]

Malware

  • Cyber attacks by groups associated with China against russian scientific and technical enterprises and state bodies using the Bisonal malware. [67]

Cyber Attacks in the World 

THE NEW POLICY

The U.S. Department of Justice announces a New Policy for Charging Cases under the Computer Fraud and Abuse Act. The policy for the first time directs that good-faith security research should not be charged. The new guidelines state that prosecutors should avoid charging security researchers who operate in «good faith» when finding and reporting vulnerabilities. However, it acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. [68]

FBI SEIZES DOMAINS

The FBI and the U.S. Department of Justice said on May 31, 2022, they had seized the domain of a search engine service that claimed to offer users the ability to scour billions of records of personal data from more than 10,000 data breaches, effectively shutting down the criminal operation. The site, weleakinfo.to, offered a subscription service where customers could access personal information leaked in data breaches, including names, email addresses, usernames, phone numbers and passwords for online accounts. Such information is valuable for cybercriminals looking to commit identity fraud and financial crimes. Agents also seized two domains, ipstress.in and ovh-booter.com, that offered to conduct «Distributed Denial of Service» attacks, for hire. [69]

FLUBOT

An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware families to date. Known as FluBot, this Android malware spread aggressively through SMS and stole passwords, online banking details and other sensitive information from infected smartphones across the world. This technical achievement follows a complex investigation involving law enforcement authorities of 10 countries, with the coordination of international activity carried out by the Europol European Cybercrime Centre (EC3). [70]

DARKNET

New dump shops have appeared on the Darknet:

  1. The BidenCash offers over 2,500,000 compromised payment cards.
  2. The Validstatus Shop offers over 220,000 compromised payment cards.

Both marketplaces promote themselves as platforms for selling cards from hackers, for hackers. However, they are new on the market and have not gained any positive reputation so far.

GC3 monitors over 50 services specializing in the distribution of compromised payment card details.

SHIELDS HEALTH CARE GROUP

Two million patients from nearly 60 healthcare providers were recently informed that their data was stolen after the hack of a third-party vendor, Shields Health Care Group. This is the largest healthcare breach so far in 2022. A hacker had access to certain Shields systems for three weeks, between March 7 and March 21. During that dwell time, the attacker stole «certain data» from the network. [71]

RANSOMWARE

According to the latest report of the Cybereason team, ransomware continues to dominate the threat landscape in 2022. Organizations are under siege from a wide variety of threats, but ransomware offers threat actors a unique combination of very low risk with very high reward – which is why the volume of ransomware attacks nearly doubled from the previous year, and the total cost of ransomware was estimated to exceed $20 billion. The finance sector made it into the top five targeted sectors, with LockBit carrying out the largest number of attacks against financial companies. It is extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold, and escalating privileges. [72]


Global Cyber Cooperative Center (GC3) continues working with companies, law enforcement and research organizations to neutralize cyber crime.