Get up to speed with some of the main attacks by Russian and pro-Russian threat groups.
As the war between Russia and Ukraine continues to unfold, a cyberattack on the latter country’s power grid came close to succeeding, according to researchers.
In the past six months, three major cyber threats against Ukraine had been carried out in tandem with Russian supporters to destabilize the Ukrainian government and its infrastructure.
As detailed by Trellix researchers, the three threats include:
- Phishing attempts: Threat actors impersonating the Ministry of Defense of Ukraine had attempted to steal login details and critical information from numerous government figures.
- Widespread attacks with Wiper malware: Aggressive deployments of over 18 wipers to disrupt Ukrainian communication systems had been observed, in some cases specifically targeting networks with multiple attacks when one wiper failed to execute.
- Ransomware attacks: Perpetrated by the RaaS group Conti, whose announced allegiance to Russia had created an internal schism, leading some members to leak data revealing the threat group’s structure and operational methods.
Just as physical warfare uses a multitude of military tactics and equipment, Trellix researchers have observed similar activity on the cyberwar front, including but not limited to wipers, spear-phishing, backdoors, vulnerabilities, and many other techniques.
Also of note in the six months of research are:
- Gamaredon, a pro-Russian threat group operating in Ukraine, which used weaponized Word documents in its attacks between February and March 2022
- APT28 (also known as Fancy Bear), which used a .NET infostealer to steal credentials
- DoubleDrop, an evasive attack that deleted its tracks after stealing cookies, form histories, passwords and cached data
- UAC-0056, a Russian threat group that targets government and energy sectors using Google’s Remote Procedure Call framework, Discord servers and Cobalt Strike beacons
- Phishing emails impersonating the Ukrainian Ministry of Defense, the national cybersecurity center and the CSOC, delivered via fake login pages
The firm concludes that the much-speculated ‘full-blown’ global cyberwar has yet to materialize.