Historic hacktivism, revenge ransomware, and other cyber attack news related to the Ukraine invasion
A week into the invasion of Ukraine, cyber attacks related to the conflict have continued since the first tanks rolled across the border–and likely even before.
Earlier, we published a quick FAQ to ease organizations’ concerns about being targeted in relation to the invasion. However, the past week has seen several notable developments in cyber threats related to invasion. Here are a few of the most significant:
Ukraine recruits hacktivists
Over the weekend, Mykhailo Fedorov, Vice Prime Minister of Ukraine and Minister of Digital Transformation of Ukraine, opened the door for “cyber specialists” to join Ukraine in the fight against Russia by creating what he called the IT Army of Ukraine.
We are creating an IT army. We need digital talents. All operational tasks will be given here: https://t.co/Ie4ESfxoSn. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.
— Mykhailo Fedorov (@FedorovMykhailo) February 26, 2022
“This is the first time in history where we see a government ask for foreign hackers to help them during an armed conflict,” says F-Secure Chief Researcher Officer Mikko Hypponen.
Since then, media reports (such as this Ars Technica article have pointed out that many of the IT Army of Ukraine’s targets seem to be offline.
And these cyber vigilantes aren’t the only hackers to lend support to Ukraine. Late last week, Hacktivist-collective Anonymous announced they were entering the conflict in support of Ukraine.
The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine
— Anonymous (@YourAnonOne) February 24, 2022
CONTI ransomware group backs Russia
The notorious CONTI ransomware gang, on the other hand, voiced its support for the Russian invasion, according to Reuters and TechCrunch. In a blog post, the group threatened to use its capabilities against anyone that attacks critical infrastructure in Russia.
Apparently, some within the group were unhappy supporting Russia, and decided to leak CONTI’s data in retaliation.
Conti ransomware group previously put out a message siding with the Russian government.
Today a Conti member has begun leaking data with the message "Fuck the Russian government, Glory to Ukraine!"
You can download the leaked Conti data here: https://t.co/BDzHQU5mgw pic.twitter.com/AL7BXnihza
— vx-underground (@vxunderground) February 27, 2022
Wipers, worms, and other malware
Several different types of malware have been deployed in Ukraine, likely in support of Russia’s invasion. Research from ESET has identified the HermeticWiper and IsaacWiper malware families, which destroy data. They’ve also identified HermeticWizard as a network worm used to spread HermeticWiper, and limited use of a ransomware called HermeticRansom.
Guidance for organizations
Based on current information, F-Secure assess the following as the key threats to organizations.
The threat organizations face from ransomware remains ever-present. However, some organizations now face an elevated risk being targeted by groups acting in support of Russia. Affected organizations include businesses, governmental entities and NGOs operating in countries that have enacted sanctions, along with organizations who have offered public support of Ukraine or announced any withdrawal of economic support for Russia.
Denial of service (DDoS) attacks against organizations from both sides of the conflict have been widely reported. Affected organizations include those working with critical national infrastructure (CNI), finance, telecoms, military supply chain, and media organizations. Reports suggest that attackers have gone beyond DDoS attacks intended to delete files or disrupt systems of victims they have gained access to. These attacks are likely to continue. Organizations should consider the attacks observed thus far along with DDoS vectors when planning mitigations.
Data theft hacktivism
Widespread reports have identified attacks conducted against organizations in support of one side of the war or the other. CONTI has declared their support for Russian (see above). Other threat actors may follow suite, escalating nature of these attacks. This would likely lead to the involvement of more threat actors and a wide range of victims suffering the impacts of potentially indiscriminate attacks. These attacks go beyond disruption because data may be stolen and leaked, causing harm to both the targeted organizations and individuals’ whose data may be compromised.
The Russia-Ukraine conflict has provoked strong emotional and political responses. This kind of environment can lead to the circumstances where individuals may act to support their “side” by performing malicious actions against employers. One instance of such activity has already been reported in relation to a Russian superyacht. In addition, foreign agents may be more willing to induce insider actions by individuals against a wider range of organizations due to the increased tensions and backdrop of actively adversarial actions. This risk mainly affects organizations working in CNI or politically linked organizations, though there is a risk to wider organizations as potential collateral targets. Organizations with operations in Russia, Ukraine or service organizations that work in either country should consider their risks from insider threats.
The use of Wiper malware—which F-Secure assesses is likely a state-backed operation—has already played a crucial role this conflict. Similar attacks or other state-backed espionage threats are possible if not likely. Disruption and intelligence gathering of information that may give one side an advantage in the ongoing conflict are likely objectives for state-backed threat actors. F-Secure assesses that these types of operations are most likely against CNI organizations in Ukraine and NATO, but that tertiary targets from organizations in those countries are plausible. However, for the majority of organizations state-backed threats are a less likely risk than the others mentioned in this report and so should not be overly focused on unless an organization clearly fits within relevant targeting criteria for these operations. Beyond traditional CNI, media organizations may be targeted as part of disinformation campaigns conducted by state-backed actors.
While the number of threats associated with the invasion have grown, the overall guidance has changed very little. Most organizations in the world are unlikely to end up targeted by any of these threats. However, organizations need to determine their exposure and risks on a case-by-case basis.
F-Secure Security Consultant Antti Laatikainen has provided some suggestions on LinkedIn how organizations can assess their exposure to these threats. Organizations currently affected, or those that feel the threats are relevant, can find useful mitigation advice (particularly for attacks involving destructive malware) at https://www.cisa.gov/uscert/ncas/alerts/aa22-057a.