EXECUTIVE SUMMARY
Since the beginning of the war in Ukraine, 114 hacker groups have emerged in the public arena.
Currently, 72 active hacker groups are known: 45 of them are pro-Ukrainian, 25 are pro-russian and two are of unknown alignment. Most of them are involved in organizing DDoS attacks and targeted hacks. [1]
In the first four months of the war, the State Service of Special Communications and Information Protection of Ukraine recorded 796 cyber attacks. Government and local authorities and the defense, financial and energy sectors were attacked the most, compared with the previous period. Transport infrastructure and the telecom industry also remain in the field of view of cybercriminals. [2]
Ukraine is opposed mostly by russian hackers. According to the report «Defending Ukraine: Early Lessons from Cyberwarfare», the activities of russian state hackers are overseen by three government bodies: the Federal Security Service (FSB), the Main Intelligence Directorate (GRU) and the Foreign Intelligence Service (SVR). [3]
The most famous groups opposing russia are Anonymous and the IT ARMY of Ukraine.
As of June 5, Anonymous had hacked and released more than 12 million russian files and emails (not counting databases) since declaring cyber war on the Kremlin's criminal regime. [4] This volume is constantly increasing: over the past month, several more data sets, including from russian TV companies, have appeared online.
The IT ARMY of Ukraine began its work on the third day of the full-scale russian invasion. More than 250,000 volunteer hackers from around the world have joined it to launch massive daily attacks on russian online resources. From February 26 to June 26, the IT ARMY attacked more than 4,200 russian online resources.
At the St. Petersburg International Economic Forum, Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, said that since the beginning of the war hackers have been attacking russian resources far more actively: the number of attacks has increased about 15 times. As a result, the data of 65 million russians have been stolen and 13 million payment cards have been compromised; reissuing those cards will cost at least 4.5 billion rubles. [6]
In March alone, russia recorded an eightfold increase in DDoS attacks. Banks were attacked most (35%), followed by government agencies (about a third of attacks), educational institutions (almost every tenth attack, 9%) and the media (3%). [7]
Ukraine in Cyberspace
Ukraine keeps growing in the digital field. During the world's first cyber war, attackers have never managed to find a weak point in the defenses and reach Ukrainian state registries or critical infrastructure. We stand because the state has been building its cyber resilience for a long time: through international cooperation, changes in legislation, and strengthening of staff and equipment. [8] This month, measures were taken to ensure the stability of the cyber front and minimize the risks of cyber threats, new partnership agreements were signed, and other steps were initiated to strengthen international cooperation in modern technologies, including cybersecurity and cyber defense.
Level of Cyber Resilience and Cybersecurity
The State Service for Maritime and Inland Water Transport and Shipping of Ukraine, in cooperation with the Ministry of Infrastructure, has developed a service for downloading electronic copies of seafarers' qualification documents. The copies will be used to create backup databases on a local server, so that the records remain available even if the primary system is disrupted. [9]
Ukraine received a score of 75.32 in the National Cyber Security Index and ranked 24th, well above the average. [10]
Partnership
Minister of Digital Transformation Mykhailo Fedorov and the new US Ambassador to Ukraine, Bridget Brink, agreed on further cooperation: the United States will continue to support and develop Ukraine's digitalization and cyber defense, as well as the important work of protecting Ukraine, its people and its democratic future.
The United States was one of the first countries to offer assistance during the cyber attack of January 14, which the State Special Communications Service considers the beginning of the active phase of russia's war against Ukraine in cyberspace. Leading American IT companies are currently helping Ukraine resist the aggressor. [11]
Palantir is ready to become a partner of Ukraine in defense, security and digital technologies. Palantir is a world leader in data-analysis software; its products are used by the US Department of Defense, large investment banks and hedge funds. The company is ready to open an office in Ukraine and start joint development with Ukrainian specialists. [12]
International cooperation
For the first time, a Ukrainian delegation took part in a meeting of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Ukraine's accession to the CCDCOE is an important step toward strengthening international cooperation in cybersecurity and cyber defense, and on the path to Ukraine's accession to NATO. [13]
This year, for the first time, the Ukrainian IT community will join Collision, one of the largest technology conferences in the world, to present the capabilities of Ukrainian IT on the international stage. [14]
Ukraine has approved a delegation for negotiations with the EU on participation in the «Digital Europe» programme for the development of modern technologies. It is a large-scale project worth 7.5 billion euros that funds research and programs in artificial intelligence, cybersecurity, digital skills and other areas. [15]
russia in Cyberspace
It is no longer a secret that russia's capabilities on the digital front have been largely overestimated: problems are observed both in conducting attacks and in defense. Because of a shortage of qualified IT specialists, many attempts have been made to involve ordinary citizens in hacker attacks, but the inexperience of such personnel is quite noticeable. russia also cannot concentrate on attacks because it spends more and more resources on protecting its own networks. Despite numerous attempts to hide its vulnerabilities, successful attacks on russian Internet resources are observed day after day, carried out by hacker groups from all over the world, official bodies of Ukraine and its foreign partners. The creation of various cybersecurity coalitions has been initiated repeatedly, but such alliances have brought no practical benefit.
Weakening of the Cyber Sphere
The US Department of Justice, together with law enforcement partners from Germany, the Netherlands and the United Kingdom, dismantled the infrastructure of the russian RSOCKS botnet, which had compromised millions of devices around the world. [16]
Stabilization Attempts
Against the background of the increased hacker attacks on russian IT infrastructure at the end of February, after the start of the war in Ukraine, russia showed its inability to counter these attacks and its weakness in cybersecurity. Therefore, the largest russian information-security companies (Kaspersky Lab, R-Vision, specialized units of OJSC russian Railways, rosatom and others) want to try to join forces in developing joint solutions within a new consortium. [17]
The self-described russian «cyber special forces», the Killnet group, are forming new divisions for attacks on NATO. The group has created a new division, Sparta, whose responsibilities include cyber sabotage, disruption of Internet resources, data theft and financial intelligence targeting NATO, its members and allies. The unit is an official part of the Killnet Collective. [18]
The Level of «Experts» on Hacking
A popular IT blogger with the nickname eTorus claims that he managed to log in to Facebook and VKontakte pages using email addresses and passwords belonging to Killnet members. He concluded that most members of the Killnet cyber group are practically teenagers, mostly Internet fraudsters and cybercriminals of a fairly average level. This coincides with the opinion of specialized experts. [19]
DETECTED ATTACKS
Cyber Attacks on Ukraine
Deface and DeepFake
Attackers used a deepfake of the mayor of Kyiv, Vitaliy Klitschko, in video calls with the mayors of Berlin and Madrid. [21]
Cyber Attacks on russia
DDoS
– web resources of russian Internet providers; [28]
– information systems of the russian Ministry of Labor and Social Protection, and russian resources for housing construction, land and real estate, and seed production; [29, 30]
– resources of state institutions of the russian federation; [35, 36]
– the online part of the «My Documents» service; [37]
– construction-supply stores of the occupiers in Crimea; [38]
– judicial information systems; [39, 40]
– the economic forum at which putin spoke; [41]
– websites of terrorist organizations in the temporarily occupied territories of Ukraine; [42]
– online resources of russian universities; [43]
– state services of the russian federation. [44]
Deface and Replacement of Information
Data leak from
Malware
Cyber Attacks in the World
THE NEW POLICY
The U.S. Department of Justice announced a new policy for charging cases under the Computer Fraud and Abuse Act. For the first time, the policy directs that good-faith security research should not be charged: prosecutors should avoid charging security researchers who act in «good faith» when finding and reporting vulnerabilities. However, it acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. [68]
FBI SEIZES DOMAINS
On May 31, 2022, the FBI and the U.S. Department of Justice said they had seized the domain of a search-engine service that claimed to offer its users the ability to search billions of records of personal data from more than 10,000 data breaches, effectively shutting down the criminal operation. The site, weleakinfo.to, offered a subscription service through which customers could access personal information leaked in data breaches, including names, email addresses, usernames, phone numbers and passwords for online accounts. Such information is valuable to cybercriminals looking to commit identity fraud and financial crimes. Agents also seized two domains, ipstress.in and ovh-booter.com, that offered «Distributed Denial of Service» attacks for hire. [69]
FLUBOT
An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware families to date. Known as FluBot, this Android malware spread aggressively through SMS and stole passwords, online banking details and other sensitive information from infected smartphones across the world. This technical achievement follows a complex investigation by the participating countries' law enforcement authorities, with international coordination carried out by Europol's European Cybercrime Centre (EC3). [70]
DARKNET
Two new dump shops have appeared on the Darknet.
Both marketplaces promote themselves as platforms for selling cards «from hackers, for hackers». However, they are new to the market and have not yet gained any positive reputation.
GC3 monitors more than 50 services specializing in the distribution of compromised payment card details.
SHIELDS HEALTH CARE GROUP
Two million patients of nearly 60 healthcare providers were recently informed that their data had been stolen in the hack of a third-party vendor, Shields Health Care Group. This is the largest healthcare breach of 2022 so far. An attacker had access to certain Shields systems for two weeks, between March 7 and March 21, and during that dwell time stole «certain data» from the network. [71]
RANSOMWARE
According to the latest report from the Cybereason team, ransomware continues to dominate the threat landscape in 2022. Organizations are under siege from a wide variety of threats, but ransomware offers threat actors a unique combination of very low risk and very high reward, which is why the volume of ransomware attacks nearly doubled from the previous year and the total cost of ransomware was estimated to exceed $20 billion. The finance sector made it into the top five targeted sectors, with LockBit carrying out the largest number of attacks against financial companies. It is extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold and escalating privileges. [72]
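As an added example (not code from the Cybereason report or from GC3), the following Python script shows what detecting those three early stages can look like in practice. It parses constructed process-creation log lines (the log format, host names, user names and command lines are all assumptions made for this illustration), tags each event as discovery, foothold or privilege escalation using command-line heuristics, and flags a host only when several distinct reconnaissance commands and a persistence or escalation signal fall within a short window. The patterns cover common tradecraft and are not a complete detection rule set.

```python
"""Heuristic detection of the first three ransomware stages in process logs.

Added example for this report; not code from Cybereason or GC3. The log
format and every host, user and command line in SAMPLE_LOG are constructed
for illustration. The patterns cover common tradecraft, not a full rule set.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1 - discovery: host and domain reconnaissance commands.
DISCOVERY = [
    re.compile(r"^whoami(\.exe)?\b", re.I),
    re.compile(r"^net1?(\.exe)?\s+(group|user|view|localgroup)\b", re.I),
    re.compile(r"^nltest(\.exe)?\s+/(dclist|domain_trusts)", re.I),
    re.compile(r"^(ipconfig|systeminfo|tasklist|qwinsta|quser)(\.exe)?\b", re.I),
    re.compile(r"^adfind(\.exe)?\b", re.I),
]
# Stage 2 - foothold: persistence, or an Office process spawning a shell.
FOOTHOLD = [
    re.compile(r"^schtasks(\.exe)?\s+/create\b", re.I),
    re.compile(r"^sc(\.exe)?\s+create\b", re.I),
    re.compile(r"^reg(\.exe)?\s+add\b.*\\CurrentVersion\\Run", re.I),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
# Stage 3 - privilege escalation: adding accounts to admin groups or
# launching tooling as SYSTEM.
ESCALATION = [
    re.compile(r"^net1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I),
    re.compile(r'^net1?(\.exe)?\s+group\s+"?domain admins"?.*\s/add\b', re.I),
    re.compile(r"^psexec(64)?(\.exe)?\b.*\s-s\b", re.I),
]


def parse_event(line):
    """Parse '<ISO timestamp> key=value ...' into a dict; cmdline may be quoted."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):  # shlex keeps a quoted cmdline as one token
        key, _, value = token.partition("=")
        event[key] = value
    return event


def classify(event):
    """Return the set of stages ('discovery', 'foothold', 'escalation') an event matches."""
    cmd = event.get("cmdline", "")
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    stages = set()
    if any(p.search(cmd) for p in ESCALATION):
        stages.add("escalation")  # an escalation command is not also counted as recon
    elif any(p.search(cmd) for p in DISCOVERY):
        stages.add("discovery")
    if any(p.search(cmd) for p in FOOTHOLD) or (parent in OFFICE_PARENTS and image in SHELLS):
        stages.add("foothold")
    return stages


def analyze(lines, window=timedelta(hours=1), min_recon=3):
    """Correlate stage hits per host.

    A host is flagged when at least `min_recon` distinct reconnaissance
    commands and a foothold or escalation signal all fall within `window`.
    """
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line.strip())
        for stage in classify(event):
            hits[event["host"]].append((event["ts"], stage, event.get("cmdline", "")))

    report = {}
    for host, events in hits.items():
        events.sort()
        stages = {stage for _, stage, _ in events}
        recon = {cmd.split()[0].lower() for _, stage, cmd in events if stage == "discovery"}
        in_window = events[-1][0] - events[0][0] <= window
        flagged = in_window and len(recon) >= min_recon and bool(stages & {"foothold", "escalation"})
        report[host] = {"stages": stages, "recon_commands": len(recon), "flagged": flagged}
    return report


# Constructed sample: WS01 shows the full chain, WS07 only ordinary admin activity.
SAMPLE_LOG = r"""
2022-06-14T08:01:02Z host=WS01 user=jdoe parent=OUTLOOK.EXE image=WINWORD.EXE cmdline='WINWORD.EXE /n invoice.docm'
2022-06-14T08:01:20Z host=WS01 user=jdoe parent=WINWORD.EXE image=powershell.exe cmdline='powershell.exe -w hidden -enc AAAA'
2022-06-14T08:02:05Z host=WS01 user=jdoe parent=powershell.exe image=whoami.exe cmdline='whoami /all'
2022-06-14T08:02:07Z host=WS01 user=jdoe parent=powershell.exe image=net.exe cmdline='net group "domain admins" /domain'
2022-06-14T08:02:09Z host=WS01 user=jdoe parent=powershell.exe image=nltest.exe cmdline='nltest /dclist:corp'
2022-06-14T08:02:15Z host=WS01 user=jdoe parent=powershell.exe image=systeminfo.exe cmdline='systeminfo'
2022-06-14T08:05:40Z host=WS01 user=jdoe parent=powershell.exe image=schtasks.exe cmdline='schtasks /create /tn Updater /tr C:\Users\Public\upd.exe /sc onlogon /ru SYSTEM'
2022-06-14T08:06:10Z host=WS01 user=jdoe parent=cmd.exe image=net.exe cmdline='net localgroup administrators svc_backup /add'
2022-06-14T09:15:00Z host=WS07 user=admin parent=cmd.exe image=ipconfig.exe cmdline='ipconfig /all'
2022-06-14T09:15:30Z host=WS07 user=admin parent=explorer.exe image=powershell.exe cmdline='powershell.exe Get-Process'
"""

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_LOG.splitlines()).items():
        print(host, result)
```

Running the script flags WS01 (four distinct recon commands, an Office-spawned shell, a scheduled task and a local-admin group change inside five minutes) and leaves WS07 alone, because a single ipconfig from an administrator's console is not a chain. In a real deployment the same three-stage correlation would be expressed as rules over EDR or Sysmon process-creation events rather than over a flat text log.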
The Global Cyber Cooperative Center (GC3) continues working with companies, law enforcement and research organizations to neutralize cyber crime.
Senator business center, 32/2, Dukes of Ostrozhsky, Kyiv
+38 (050) 428 44 68 (Ukraine), +1 (786) 755 8398 (USA)
© 2023 GLOBAL CYBER COOPERATIVE CENTER (GC3). All rights reserved