15.08.2022

Main Highlights of the Week: August 8-15

Main cyber events of the week, August 8-15
Executive summary

During a briefing at the Ukraine Media Center, Deputy Head of the National Police and Chief of the Criminal Police Mykhailo Kuznetsov said that since the beginning of the full-scale invasion by the russian federation, the Ukrainian cyber police, together with other law enforcement agencies, have repelled and eliminated the consequences of 83 hostile cyber attacks and prevented more than 300 cyber attacks that were still at the preparation stage.

In addition, according to the official, since the beginning of martial law, the cyber police have conducted more than 950 searches.

Cyber police officers have also identified more than 1,700 servicemen of the russian federation involved in war crimes on the territory of Ukraine, and more than 850 propagandists of the "russian world". Since the start of the full-scale invasion, the cyber police have identified 50 collaborators, 44 of whom have already been notified of suspicion, Kuznetsov added.1

Specialists of the Government Computer Emergency Response Team of Ukraine, CERT-UA, which operates under the State Service of Special Communication, registered 203 cyber attacks in July. Compared with the previous period, the number of attacks on state administration bodies and financial institutions, on which the lives of Ukrainian citizens depend, has increased.2


CERT-UA also monitors the activity of the UAC-0010 (Armageddon) group.

During the first half of 2022, the group's main way of carrying out its malicious plan has been the distribution of HTM droppers (including UTF-16 encoded ones) via e-mail, sent from compromised accounts and to private e-mail addresses, which start the chain that delivers GammaLoad.PS1 to the victim's computer.

Among other things, the attackers aim to steal files with a specified list of extensions and the authentication data of web browsers, using GammaSteel.PS1 and GammaSteel.NET respectively. GammaSteel.PS1 is probably a PowerShell implementation of the previously used HarvesterX.

In addition, one of the attackers' tactics is to tamper with the template file C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Templates\Normal.dotm using a macro whose code generates a URL and adds it to each newly created document as a link (so-called "remote template injection"). This leads to the infection of all documents created on that computer and to their further unintentional distribution by the user.

Scheduled tasks, the Run registry key, and environment variables are typically used to ensure persistence and to launch payloads. The group actively uses PowerShell (powershell.exe), as well as wscript.exe and mshta.exe.3
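Two of the techniques above lend themselves to simple triage checks, shown here as an added example written for this digest (it is not code from CERT-UA, and the file names, URL and sample documents in it are constructed for illustration). The first check opens an Office document (a .docx or .dotm is an OOXML zip) and lists attachedTemplate relationships marked as External, which is how the link planted by a tampered Normal.dotm shows up in every new document. The second check decodes an HTM file that carries a UTF-16 byte order mark before looking for script and LOLBin keywords, because byte-level signatures such as "<script" never match UTF-16 text.

```python
"""Added triage checks for the UAC-0010 tradecraft described above.

Illustrative example written for this digest, not code from CERT-UA or any
tool it names. Sample inputs are constructed in memory; none is a real sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_templates(doc_bytes: bytes) -> list:
    """Return Target values of external attachedTemplate relationships.

    A benign document has no attachedTemplate relationship or points at a
    local template such as Normal.dotm without TargetMode="External".
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                found.append(rel.get("Target"))
    return found


def build_sample_doc(target: str, external: bool) -> bytes:
    """Constructed minimal OOXML package carrying one attachedTemplate rel."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}"{mode}/></Relationships>')
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main" xmlns:r="http://schemas.openxml'
                'formats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Keywords tied to the tradecraft in the text: script tags and the LOLBins.
KEYWORDS = re.compile(r"<script\b|mshta|wscript|powershell", re.IGNORECASE)


def htm_suspicious_tokens(data: bytes) -> list:
    """Decode an HTM file (UTF-16 if it carries a BOM) and list keyword hits."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")        # the codec consumes the BOM
    else:
        text = data.decode("utf-8", errors="replace")
    return sorted({m.lower() for m in KEYWORDS.findall(text)})


# Constructed dropper-like HTM, UTF-16 encoded with a BOM (no real payload).
SAMPLE_HTM = '<html><script>var x = "mshta";</script></html>'.encode("utf-16")

if __name__ == "__main__":
    # The URL below is a placeholder, not an indicator from the report.
    bad = build_sample_doc("http://template.example.invalid/t.dotm", True)
    ok = build_sample_doc("Normal.dotm", False)
    print("external templates:", external_templates(bad), external_templates(ok))
    print("raw byte signature matches:", b"<script" in SAMPLE_HTM)
    print("keyword hits after decoding:", htm_suspicious_tokens(SAMPLE_HTM))
```

On a real host the same check can be pointed at Normal.dotm itself and at recently created documents; a hit on an External attachedTemplate target is worth treating as an infected template regardless of whether a macro is still present.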


Cyber attacks on russia

Deface

  • Ukrainian hackers hacked Pager TV, a russian service for watching TV channels, and replaced the broadcasts of user-selected channels with videos saying that the war will soon come to russia.4
  • Anonymous hacked streaming services and propaganda TV news channels in russia to broadcast footage of the destruction of russian military assets.5


DDoS

  • The IT army of Ukraine successfully attacked TrueConf, a video-communication and remote-work platform used by both private companies and state institutions of the russian federation.6, 7
  • The IT army of Ukraine attacked the central bank of the so-called DNR. Following the example of russian banks, it also blamed the outage on "technical works".8
  • The russian-language platform DUMPS offers DDoS attacks for $80 an hour, but only against russia and belarus.9
  • Anonymous reported the hacking of two large russian video conferencing services, Videomost and Webinar.10
  • Over the weekend, the IT army of Ukraine attacked russian video conferencing products11 and propaganda resources.12

Data Leakage

  • Unknown actors leaked 70,000 files (749 GB) from Elvees, a russian producer of integrated circuits and security solutions, including anti-drone technology.13

Link to all daily news…