Full Report
The Curated Intelligence community is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine.

Curated Intel has prepared a Repository on GitHub to assist cybersecurity teams still working tirelessly in Ukraine to defend their networks from Russian cyber operations. Curated Intelligence analysts worldwide are continuously monitoring the situation and updating the Repository (see above) with attacks on Ukraine as close to real-time as possible for a group of volunteers.

Equinix Threat Analysis Center (ETAC)™ Vetted IOCs (see here)

KPMG-Egyde IOC Threat Hunt Feeds (see here):
- Added loosely-vetted IOC Threat Hunt Feeds by KPMG-Egyde CTI (h/t @0xDISREL)
- IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE; we strongly recommend NOT adding them to a blocklist
- These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
- IOCs are generated in MISP COMPATIBLE CSV format

Overview of Russian-aligned campaigns against Ukraine (up to 2 March 2022):

The Russian state is currently launching cyberattacks to degrade and disrupt computer networks in Ukraine. The key types of attacks Curated Intelligence has observed so far are as follows:
- Two types of destructive malware designed to wipe the Master Boot Record (MBR) of systems at Ukrainian government institutions, known as WhisperGate and HermeticWiper
- Distributed Denial of Service (DDoS) attacks to overwhelm and incapacitate the websites of Ukrainian government institutions and Ukrainian banks; false SMS messages and emails were pushed at the same time to create panic
- Website defacements against Ukrainian government institutions to spread disinformation
- Threatening SMS messages sent to Ukrainian troops by Russian psychological operations
- Phishing emails with malicious attachments containing malware, sent by the Crimea-based Russian FSB group known as Gamaredon (aka Shuckworm or PrimitiveBear)
- Phishing emails with malicious attachments or URLs leading to credential-harvesting pages, sent by the Belarusian Ministry of Defense group (supported by the Russian GRU) known as GhostWriter (aka UNC1151)
- The Sandworm group (aka VoodooBear) has been attributed by the UK NCSC with a new Internet-of-Things (IoT) malware dubbed CyclopsBlink; the malware is a replacement for its VPNfilter botnet, which has targeted Ukrainian ICS/OT devices since 2017

Russian cybercriminals, some pledging allegiance to the Russian state, have also targeted Ukraine. The key types of attacks Curated Intelligence has observed so far from cybercriminals are as follows:
- Data brokers offering stolen databases from Ukrainian government institutions, private businesses, and critical infrastructure organisations
- "Patriotic" Russian threat actors launching DDoS attacks against Ukrainian government institutions; DDoS botnets involved include Mirai, Gafgyt, IRCbot, Ripprbot, and Moobot according to China's 360 NetLab
- Access brokers offering an initial foothold into Ukrainian government institutions and private sector organisations
- The Conti ransomware group (aka WizardSpider) has pledged its allegiance to the Russian state and has claimed it will "strike back at the critical infrastructures" if Russia is targeted by cyberwarfare; Conti did, however, release a secondary statement walking back some of its claims
- Following Conti, the CoomingProject data hostage group (which steals data and does not deploy ransomware) also pledged allegiance to the Russian state
- Scammers have created numerous websites looking to steal donations from those wanting to support Ukraine; one cryptocurrency address used to collect donations via these scam sites has been tied to a known ransomware variant according to TRMLabs
Analysis Summary
# Incident Report: Russian Cyber Operations Against Ukraine (Early 2022 Focus)
## Executive Summary
This report summarizes observed Russian-aligned cyber campaigns against Ukraine up to early March 2022, characterized by destructive malware, extensive disruption tactics, and disinformation efforts targeting government institutions and critical infrastructure. Attacks utilized vectors including destructive wiper malware, DDoS, phishing, and the deployment of specialized malware like CyclopsBlink against ICS/OT assets. The collective intent appeared to be degradation, disruption, and psychological impact, with response efforts focused on intelligence sharing and threat hunting.
## Incident Details
- **Discovery Date:** Ongoing monitoring, summary current as of March 2, 2022.
- **Incident Date:** Ongoing, concurrent with the start of the kinetic conflict.
- **Affected Organization:** Ukrainian government institutions, banks, and critical infrastructure organizations.
- **Sector:** Government, Financial Services, Critical Infrastructure (ICS/OT).
- **Geography:** Ukraine (Primary Target)
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly defined for every campaign; activity was noted in the lead-up to, and during, the start of the kinetic conflict.
- **Vector:** Phishing emails (malicious attachments and URLs), plus implants on Internet-facing network/IoT devices (Sandworm's CyclopsBlink, the successor to the VPNfilter botnet). The source does not describe exploitation of VPN services specifically.
- **Details:**
* **Gamaredon (Shuckworm):** Phishing emails with malware attachments.
* **GhostWriter (UNC1151):** Phishing for credential harvesting.
### Lateral Movement
- **Details:** Lateral movement is not described in the source. Deploying WhisperGate and HermeticWiper across multiple institutions does imply prior network-wide access, and access brokers were observed selling initial footholds into Ukrainian organisations.
### Data Exfiltration/Impact
- **Details:**
* Deployment of **destructive malware** (WhisperGate, HermeticWiper) targeting MBRs of government systems.
* **DDoS attacks** targeting government and bank websites.
* **Website defacements** for disinformation.
* **Data brokering** of allegedly stolen databases from Ukrainian entities.
### Detection & Response
- **How it was discovered:** Continuous monitoring by global security researchers and CTI communities (Curated Intelligence, ETAC).
- **Response actions taken:**
* Creation and continuous updating of a public GitHub repository containing threat intelligence to assist Ukrainian defenders.
* Sharing of vetted IOCs (ETAC, KPMG-Egyde).
* Threat hunting recommendations based on low/medium confidence feeds.
## Attack Methodology
- **Initial Access:** Phishing (Gamaredon, GhostWriter); compromise of Internet-facing network/IoT devices (Sandworm's CyclopsBlink, successor to the VPNfilter botnet); purchased access from initial access brokers.
- **Persistence:** Not explicitly detailed; CyclopsBlink functions as a persistent implant on network/IoT devices.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed in the source. The MBR wipers' destructive payload is an Impact technique, not evasion, and should not be read as one.
- **Credential Access:** Phishing campaigns specifically aimed at credential harvesting (GhostWriter).
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied through wiper deployment; Access brokers offering initial presence.
- **Collection:** Data brokers indicated the exfiltration/collection of databases from government and private entities.
- **Exfiltration:** Data brokering of stolen databases.
- **Impact:** Destructive malware (MBR wiping), service disruption (DDoS), psychological impact (SMS/email panic).
## Impact Assessment
- **Financial:** Not quantified, but implied costs due to infrastructure disruption and data theft.
- **Data Breach:** Stolen databases from government institutions, private businesses, and critical infrastructure organizations were observed being offered for sale.
- **Operational:** Degradation and incapacitation of Ukrainian government and banking websites via DDoS, and destruction of government systems by MBR wipers. IoT and ICS/OT devices targeted via CyclopsBlink, the successor to VPNfilter.
- **Reputational:** Disinformation spread via website defacements and psychological warfare via SMS messages.
## Indicators of Compromise
*Note: IOCs are curated by third parties. The ETAC set is vetted; the KPMG-Egyde feeds are low-to-medium confidence and, per KPMG-Egyde's own guidance, belong on a watchlist for threat hunting, not on an automatic blocklist.*
- **Network indicators:** Provided via the GitHub repository as MISP-compatible CSV feeds (ETAC, KPMG-Egyde).
- **File indicators:** Associated with WhisperGate, HermeticWiper, and malware delivered via phishing.
- **Behavioral indicators:** Raw writes to the boot sector/MBR (the wipers' destructive step); high-volume traffic surges indicative of DDoS campaigns; credential-harvesting pages mimicking legitimate logins.
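The feed guidance above (vetted ETAC IOCs versus low-to-medium confidence KPMG-Egyde hunt feeds in MISP-compatible CSV, the latter for a watchlist rather than a blocklist) is the kind of rule that gets mis-applied when feeds are simply concatenated. The following is an added example, not code from the Curated Intelligence repository or either feed provider, showing one way to enforce it: each feed is parsed as a MISP-style CSV, indicators are routed to a blocklist only when they come from a vetted feed and carry the producer's `to_ids=1` flag, everything else goes to a watchlist, and a handful of proxy/DNS log lines are hunted against both sets. The feed rows, the log format and every indicator value are constructed for illustration (documentation IP ranges and `example.*` domains); only the column names `type`, `value`, `to_ids` and `comment` are assumed from MISP's CSV export, and any other MISP columns are ignored.

```python
"""Route MISP-style CSV IOC feeds into a blocklist or watchlist by feed
confidence, then hunt sample log lines against them.

Added example; not the Curated Intelligence repository's own code.
Assumed: feeds expose at least the MISP export columns type, value,
to_ids, comment. All indicators and log lines below are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass

HIGH = "high"  # vetted feed (e.g. ETAC): eligible for blocking
LOW = "low"    # loosely vetted feed (e.g. KPMG-Egyde): hunt/watch only

# Constructed feed content (not real IOCs).
VETTED_FEED = """\
type,value,to_ids,comment
domain,update-service.example.net,1,constructed: staging host
ip-dst,203.0.113.45,1,constructed: C2 address
ip-dst,203.0.113.99,0,constructed: sinkhole - producer says do not block
"""

LOOSE_FEED = """\
type,value,to_ids,comment
domain,mail-login.example.org,0,constructed: credential harvesting page
ip-dst,198.51.100.7,1,constructed: scanner seen once
domain,update-service.example.net,0,constructed: duplicate of vetted entry
"""

SAMPLE_LOGS = [  # constructed proxy/DNS lines
    "2022-03-01T10:15:00Z proxy src=10.0.0.5 dst=203.0.113.45 host=update-service.example.net",
    "2022-03-01T10:15:03Z proxy src=10.0.0.9 dst=192.0.2.10 host=www.example.com",
    "2022-03-01T10:16:11Z proxy src=10.0.0.7 dst=192.0.2.77 host=mail-login.example.org",
    "2022-03-01T10:17:40Z dns src=10.0.0.7 dst=198.51.100.7",
]


@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str
    to_ids: bool
    confidence: str
    comment: str


def parse_misp_csv(text, confidence):
    """Parse a MISP-style CSV export; extra MISP columns are ignored."""
    iocs = []
    for row in csv.DictReader(io.StringIO(text)):
        iocs.append(Ioc(
            ioc_type=row["type"].strip(),
            value=row["value"].strip().lower(),
            to_ids=row.get("to_ids", "0").strip() == "1",
            confidence=confidence,
            comment=row.get("comment", "").strip(),
        ))
    return iocs


def route_iocs(iocs):
    """Blocklist only IOCs that are high-confidence AND flagged to_ids=1
    by the producer. Everything else is watchlist (hunt) only. A value
    present in both feeds ends up on the blocklist."""
    blocklist, watchlist = {}, {}
    for ioc in iocs:
        key = (ioc.ioc_type, ioc.value)
        if ioc.confidence == HIGH and ioc.to_ids:
            blocklist[key] = ioc
            watchlist.pop(key, None)
        elif key not in blocklist:
            watchlist[key] = ioc
    return blocklist, watchlist


LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+)(?:\s+host=(?P<host>\S+))?")


def _domain_candidates(host):
    """Host plus each parent domain with at least two labels, so an
    indicator on example.org also matches mail-login.example.org."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def hunt(log_lines, blocklist, watchlist):
    """Return (action, matched_indicator, line) for each hit.
    Blocklist matches take precedence over watchlist matches."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        keys = [("ip-dst", m.group("ip"))]
        if m.group("host"):
            keys += [("domain", d) for d in _domain_candidates(m.group("host"))]
        for key in keys:
            if key in blocklist:
                hits.append(("BLOCK", key[1], line))
                break
            if key in watchlist:
                hits.append(("HUNT", key[1], line))
                break
    return hits


def run_example():
    iocs = parse_misp_csv(VETTED_FEED, HIGH) + parse_misp_csv(LOOSE_FEED, LOW)
    blocklist, watchlist = route_iocs(iocs)
    return blocklist, watchlist, hunt(SAMPLE_LOGS, blocklist, watchlist)


if __name__ == "__main__":
    bl, wl, hits = run_example()
    print(f"{len(bl)} blocklist entries, {len(wl)} watchlist entries")
    for action, indicator, line in hits:
        print(action, indicator, "<-", line)
```

Two details matter in practice: the producer's `to_ids` flag is honoured even on the vetted feed (the constructed sinkhole address stays hunt-only), and a low-confidence feed cannot promote an indicator to the blocklist no matter what flag it carries, which is exactly the separation the KPMG-Egyde note asks for.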
## Response Actions
- **Containment measures:** Not detailed for the targeted entities, but the global response focused on intelligence sharing.
- **Eradication steps:** Not detailed, dependent on the recovery capabilities of affected Ukrainian entities.
- **Recovery actions:** Focus on utilizing shared threat intelligence to proactively hunt for threats and rebuild/harden systems.
## Lessons Learned
- **Key takeaways:** Russian-aligned actors run a multi-faceted campaign that combines espionage and credential theft (Gamaredon, GhostWriter), destructive operations (the WhisperGate and HermeticWiper MBR wipers), and implants on network/IoT devices with ICS/OT reach (Sandworm's CyclopsBlink). Criminal actors are exploiting the conflict for financial gain (data and access brokers, donation scams).
- **What could have been done better:** In a high-stakes threat environment, inbound email and SMS deserve heightened scrutiny, and defensive decisions (especially blocking) should rest on vetted CTI rather than on unverified feeds.
## Recommendations
- Implement stringent security controls against phishing (especially attachments and malicious URLs).
- Actively monitor Internet-facing network and IoT devices for new malware families with ICS/OT reach (CyclopsBlink replacing Sandworm's VPNfilter botnet shows the tooling is being refreshed, not abandoned).
- Maintain robust off-network backups to counter MBR-wiping/destructive malware.
- Leverage vetted threat intelligence feeds (like those shared by Curated Intel partners) for proactive threat hunting rather than solely relying on blocking lists.
- Heighten scrutiny around donation portals related to international conflicts to avoid funding malicious operations via scamming.