Cyber attacks on Ukraine: DDoS, new data wiper, cloned websites, and Cyclops Blink

(…) Russia started its invasion of Ukraine and, as predicted, the attacks in the physical world have been preceded and accompanied by cyber attacks.

(…) The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have released details about a new malware, Cyclops Blink, targeting network devices, which they attributed to Sandworm (aka BlackEnergy), a threat actor that those agencies have previously attributed to the Russian GRU’s Main Centre for Special Technologies (GTsST).


Cloned copies of Ukrainian government websites
Independent threat researcher Snorre Fagerland, Bellingcat and The Insider have unearthed a web service that “has played a role in past cyber-attacks linked to Russian state interests,” and found hosted on it cloned copies of a number of Ukrainian government websites.

“These cloned websites were created no earlier than November 2021, around the time when Russia’s latest round of escalations against Ukraine began,” Bellingcat said.

“Notably the cloned version of the site of the Ukrainian president is modified to contain a clickable ‘Support the President’ campaign that, once clicked, downloads a package of malware to the user’s computer.”

How these cloned websites would have been used is, of course, impossible to know, though the researchers found copied login pages that point toward phishing.

They also speculated about the malware’s ultimate goals, such as compromising the machines of tens or hundreds of thousands of Ukrainians and using them for DDoS attacks, and stealing credentials for social media accounts, for future use in online disinformation campaigns.

“There is no evidence that the infrastructure and malware behind [this web service] was used or linked to today’s cyber attacks experienced by Ukrainian government institutions,” Bellingcat researchers noted.

They also added that during the last two months, “the same threat actors were sending malware in over 35 different zip files via Discord links,” aimed at high-value Ukrainian targets in the various ministries and the country’s nuclear agency.
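The cloned sites described above combine two tell-tale traits: copied login pages whose forms post credentials somewhere other than the real site, and a lure link (“Support the President”) that hands the visitor an archive. The script below is an added example (not code from the article, Bellingcat or the researchers) of how an analyst might triage a suspected clone offline from its saved HTML. It uses only the standard library; the hostnames, URLs and the HTML sample are constructed for illustration and are not the domains or content the researchers found.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Archive/executable extensions that a "Support the President" button on a
# government site has no business serving; a link to one is a download-lure indicator.
LURE_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".iso", ".js")


class _PageCollector(HTMLParser):
    """Collect anchors, forms (noting password fields) and loaded resources."""

    def __init__(self):
        super().__init__()
        self.links = []       # (href, anchor text)
        self.forms = []       # {"action": str, "method": str, "has_password": bool}
        self.resources = []   # src/href of script, img, iframe, link
        self._in_a = False
        self._form_open = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # boolean attributes arrive as None
        if tag == "a" and "href" in a:
            self._in_a, self._href, self._text = True, a["href"], []
        elif tag == "form":
            self._form_open = True
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(),
                               "has_password": False})
        elif tag == "input" and self._form_open and a.get("type", "").lower() == "password":
            self.forms[-1]["has_password"] = True
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._in_a = False
        elif tag == "form":
            self._form_open = False


def triage_clone(html, page_url, legit_host):
    """Return clone/phishing indicators for `html` as served from `page_url`,
    judged against the legitimate site's hostname `legit_host`."""
    c = _PageCollector()
    c.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()

    def absolute(u):
        return urljoin(page_url, u)

    def host_of(u):
        return (urlparse(absolute(u)).hostname or "").lower()

    # 1. Login forms whose action does not land on the legitimate host: credential harvesting.
    offsite_cred_forms = [absolute(f["action"]) for f in c.forms
                          if f["has_password"] and host_of(f["action"]) != legit_host]
    # 2. Clicks that deliver an archive or executable: the "Support the President" pattern.
    download_lures = [(absolute(h), t) for h, t in c.links
                      if urlparse(absolute(h)).path.lower().endswith(LURE_EXTENSIONS)]
    # 3. A page on a lookalike host that still hot-links the real site's assets (lazy cloning).
    hotlinked = ([absolute(r) for r in c.resources if host_of(r) == legit_host]
                 if page_host != legit_host else [])
    return {
        "page_host": page_host,
        "lookalike_host": page_host != legit_host,
        "offsite_credential_forms": offsite_cred_forms,
        "download_lures": download_lures,
        "hotlinked_from_legit": hotlinked,
        "suspect": bool(offsite_cred_forms or download_lures or hotlinked),
    }


# Constructed sample, not a real capture: a lookalike host serving a copy of a
# hypothetical government site, with a download lure and a login form that posts
# credentials to the clone operator's own backend. All domains are placeholders.
LEGIT_HOST = "www.gov-site.example"
CLONE_URL = "https://gov-site-support.example/index.html"
CLONE_HTML = """
<html><head><link rel="stylesheet" href="https://www.gov-site.example/css/main.css"></head>
<body>
<img src="/img/coat-of-arms.png">
<a href="/files/support_the_president.zip">Support the President</a>
<form action="https://gov-site-support.example/auth/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="https://www.gov-site.example/news">News</a>
</body></html>
"""
# The same kind of page as the real site would serve it: login posts to itself, no lure.
LEGIT_HTML = """<html><body>
<form action="/auth/login" method="post"><input type="password" name="pass"></form>
<a href="/news">News</a></body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_clone(CLONE_HTML, CLONE_URL, LEGIT_HOST), indent=2))
    print(json.dumps(triage_clone(LEGIT_HTML, "https://www.gov-site.example/", LEGIT_HOST), indent=2))
```

Run against a saved copy of a suspect page with the real site's hostname as `legit_host`; the three indicator lists are what you would put in a takedown or blocklist request, and the hot-linked assets double as a useful referrer-based signal for the legitimate site's own web logs.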


What to expect next?
Chester Wisniewski, Principal Research Scientist at Sophos, has pointed out that information warfare is how the Kremlin can try to control the rest of the world’s response to actions in Ukraine or any other target of attack.

“False flags, misattribution, disrupted communications, and social media manipulation are all key components of Russia’s information warfare playbook. They don’t need to create a permanent cover for activities on the ground and elsewhere, they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives,” he told Help Net Security.

“Interestingly, the United States and United Kingdom are trying to preempt some of the misinformation campaigns, and this could limit their effectiveness. However, we shouldn’t assume the attackers will stop trying, so we need to remain prepared and vigilant.”

“While defense-in-depth security should be the normal thing to strive for at the best of times, it is especially important if we can expect an increase in the frequency and severity of attacks. The misinformation and propaganda will soon reach a fever pitch, but we must keep our nose to the ground, batten down the hatches and monitor for anything unusual on our networks as the conflict cycles ebb and flow and even when/if they end soon. Because as we all know, it could take months for evidence of digital intrusions due to this Russian-Ukrainian conflict to surface.”


Zorz, Zeljka (2022). Cyber attacks on Ukraine: DDoS, new data wiper, cloned websites, and Cyclops Blink. Help Net Security. Retrieved 8 March 2022.