Ukraine's Critical Sectors Targeted in Phishing Attack Surge
Spike in Late 2022 Occurred as Experts Were Tracking 'Reduced Tempo' in Conflict
Attempts to disrupt Ukrainian cyberspace appear to have spiked in late 2022, say independent observers of the country's networks as Russia continues to press its invasion.
Phishing attacks and malware campaigns targeting Ukraine increased sharply in November before falling at year's end, says security firm Trellix. So too did endpoint security alerts in the region tied to "potentially unwanted programs."
The surge in attacks parallels findings from other cyberattack watchers. Geneva-based nonprofit group CyberPeace Institute says there have been 918 cyberattacks and operations tied to the conflict since January 2022 (see: Ukraine: Russian Hackers' Focus Is Civilian Infrastructure).
The institute in November recorded a sudden increase in online attacks connected to Russia's war when compared to the prior month's volume. The only exception was the Russian Federation, which saw the volume of attacks against it decrease.
Throughout the war, experts say, Ukraine's government, energy, transportation, financial services and other critical-infrastructure sectors remain among the top targets of online attacks. "From malicious email and URLs to nation-state-backed use of malware, cyberactivity continues to accompany kinetic military activity and social discontent," the Trellix researchers say.
What might account for either the increase or decrease in the last months of 2022 isn't clear, especially at a time when the head of U.S. intelligence said the cadence of attacks had slowed.
"We're seeing a kind of a reduced tempo already of the conflict," Director of National Intelligence Avril Haines told attendees of the Reagan National Defense Forum on Dec. 3, "and we expect that's likely to be what we see in the coming months."
Trellix reports that last November and December, the observed volume of phishing attacks hitting Ukraine surged twentyfold, and the majority of attacks targeted email addresses registered in the top-level .ua domain, which is used by government and military agencies. While the sender was often spoofed, "the large majority" of these attacks appear to trace to Russia's state-sponsored Gamaredon group, so named because the group's early attacks included messages that misspelled the word "armageddon."
The rise in potentially unwanted programs is connected to attempts to infect systems with malware designed to look like software for pirating Adobe products. Trellix says all of these attacks trace "to a single software activation program aimed at activating Adobe" and says that while the use of "pirated license activators" remains widespread, a vast number of them are fakes, designed solely to infect a system with malware.
Tactically speaking, the phishing attempts also didn't look advanced. Many of them relied on widely seen tactics such as using macro-enabled Microsoft Excel spreadsheets, Microsoft Word documents and LNK Windows shortcut files.
Phishing email examples recovered by Trellix include ones that purport to come from the Ministry of Foreign Affairs of Estonia, sharing contact details, but that redirect to a malicious file hosted on Google Drive; an HTML "shipment notification" that redirects to a phishing page; and a request from the Ukrainian military to verify a mailbox that contains a link to a malicious website.
Beyond the Gamaredon group phishing campaigns, Trellix reports that in recent months it has also seen a number of attacks using the H-Worm (aka Houdini RAT) remote access Trojan, including in "targeted attacks against the international energy industry"; Formbook information-stealing malware; Remcos remote-control software; and Andromeda malware.
The Andromeda attacks have been unusual. First seen in 2011, Andromeda is commercially available, off-the-shelf malware that continues to be updated. But Google's incident response group Mandiant reported Jan. 5 that it has seen a 2013-era version of Andromeda being used by what it suspects is Russian nation-state hacking group Turla, also tracked as Venomous Bear and Krypton.
In September, Mandiant discovered a suspected Turla Team operation distributing the KopiLuwak reconnaissance utility and QuietCanary backdoor to Andromeda malware victims in Ukraine, it reported. Malware operators re-registered at least three expired Andromeda command-and-control domains and began profiling victims to selectively deploy KopiLuwak and QuietCanary.
Mandiant says the infection appeared to begin in December 2021, when the victim plugged an infected USB device into a Windows system and then clicked on a malicious file link disguised as a folder.
It's not clear why attackers in 2022 wanted to wield 2013-era malware tied to domains that they were forced to re-register first. Then again, "older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts," the Mandiant researchers say.
This belatedly observed attack did succeed, resulting in attackers exfiltrating data.