Russian invasion: ongoing updates of cyber actions to track

Updated  April 18, 2022

Editor's Note: This blog will be updated as new information comes out from IronNet threat research team. 

As the Russia-Ukraine war shifts toward eastern Ukraine, we are also tracking several developments on the European and NATO fronts — all of which may have a significant impact on the long-term characterization and outcome of this protracted war.

The latest on the Russian-Ukraine war:

Political
  • Last week, the Biden Administration authorized the transfer of long-range artillery to Ukraine, intended for the looming battle in eastern Ukraine given their suitability for the Donbas region’s more open areas. This authorization prompted Russia to warn the U.S. of “unpredictable consequences.”

  • While Russians fared poorly in forested northern Ukraine and in the urban warfare center of Kyiv, they now face different terrain in eastern Ukraine, which is the country’s steppe region of wide-open spaces. This change in terrain could work in Russia’s favor — part of the reason the U.S. is providing more equipment.

  • There are reports that the U.S. is also willing to share more intelligence with Ukraine to help them take advantage of Russian vulnerabilities in this ongoing battle.

  • Despite a long history of neutrality, Finland and Sweden have expressed possible intent to join NATO.

    • If Finland joins NATO, the NATO-country border with Russia would more than double. Finland would add 832 miles to create a 1,586 mile NATO-country border that includes Poland, Norway, Estonia, Latvia, and Lithuania.

    • Dmitry Medvedev, deputy chairman of Russia’s Security Council, threatened on Thursday that if Finland and Sweden joined NATO, Russia would reassess deployment of nuclear weapons to the Baltic region.

    • Sweden’s lengthy status of neutrality also is changing, as it, too, has expressed interest in joining NATO.

    • It’s worth noting that, at the beginning of the conflict on March 2, Russia flew two fighters and two attack aircraft equipped with nuclear weapons into Swedish airspace in a presumed attempt to send an intimidating message to Sweden.

Cyber actions the IronNet threat analyst team is currently tracking

Cyber Warfare
  • On April 12, the Ukrainian CERT (CERT-UA) reported that the Russian Sandworm Team targeted high-voltage electrical substations in Ukraine using a new variant of a malware known as Industroyer (aka Crash Override). Sandworm previously used the original Industroyer variant to compromise Ukrainian power grids in 2015 and 2016, causing hundreds of thousands to lose power across Ukraine.

  • This new variant, dubbed Industroyer2, was planted on systems within a regional Ukrainian energy firm; however, the attack was detected and mitigated before a blackout occurred, which would have impacted roughly two million people. In addition to deploying Industroyer2, Sandworm also dropped several wipers, including the CaddyWiper malware. Researchers believe the use of wipers was likely an effort to slow down the recovery process and cover up their tracks.

  • Destructive data wiper malware:
    • ESET observes a new destructive wiper, which it has dubbed CaddyWiper, deployed in Ukraine. This is the third reported wiper to hit Ukraine since Russia invaded Ukraine late February.
    • This wiper was first detected March 14th, and it was spotted on several dozen systems in a limited number of organizations. It shares no code overlaps with HermeticWiper or IsaacWiper.
    • CaddyWiper destroys user data and partition information from attached drives, but avoids destroying data on domain controllers so it can maintain access to the systems and continue to spread malware across the network.
    • Talos has uncovered a malware campaign targeting Ukraine's IT Army, in which threat actors are spreading an infostealer malware that is disguised as a DDoS tool called the “Liberator,” which used widely among pro-Ukrainian sympathizers to target Russian propaganda websites.
    • Though appearing to be Liberator, the malware is actually an infostealer that infects victims with malware that steals credentials and cryptocurrency-related information.
  • On Monday March 7, 2022, Google released a report where it observed activity from a range of well-known APTs from Russia, Belarus, and China targeting Ukrainian entities.

    • APTs include:

      • APT28: This group is linked to the Russian GRU and has carried out a number of large credential phishing campaigns against ukr[.]net users.

      • GhostWriter/UNC1151: Ghostwriter is linked to the Belarusian government and has conducted several credential phishing campaigns over the past week targeting Polish and Ukrainian government and military entities.

      • Mustang Panda: This group is linked to the Chinese government and has targeted European entities using lures pertaining to the Ukrainian invasion.

        • Additional details about Mustang Panda (aka TA416) campaigns were released by Proofpoint on March 7, 2022, in which the group has been targeting European diplomatic entities since November 2021. During the attacks, Mustang Panda used web bugs for reconnaissance to profile users, and then selected victims who open the web bugs to further infect with an updated variant of PlugX malware.

  • Additionally on Monday March 7, 2022, Bloomberg released an exclusive report on a cyber campaign in February that targeted over 100 computers belonging to 21 major energy companies, including Chevron and Kinder Morgan. In mid-February, for two weeks, unknown hackers used current and former employees corporate and personal computers to move laterally into protected corporate networks.

  • CERT-UA released an alert on GhostWriter (UNC1151) targeting Ukrainian state organizations with phishing to deliver MicroBackdoor malware. 

  • Viasat KA-SAT outage is ongoing. The outage started on the morning of February 24, 2022 and roughly coincided with the start of the invasion. Although details are scarce, it is believed that the source of the outage is a malicious firmware update that bricks the modem (i.e., a supply chain attack). 

  • The Russian Ministry of Culture has ordered that all state-owned websites and services must be switched to the Russian DNS by March 11, 2022. Analysts believe that Russia may be preparing to disconnect the country from the global internet.

  • Proofpoint identified a phishing campaign leveraging a potentially compromised Ukrainian armed service member’s email to target European government personnel involved in managing the logistics of refugees fleeing Ukraine. 

    • Acknowledging possible links to GhostWriter (TA445 / UNC1151), Proofpoint determined the phishing emails, which used a lure related to the Emergency Meeting of the NATO Security Council, aimed to infect target systems with Lua malware named SunSeed. 

    • Proofpoint observed the campaign on February 24th, and the possible objective behind the campaign is to acquire intelligence about the movement of supplies, people, and funds within NATO countries.

  • ESET research discovered that the destructive attacks leveraged three malware components, including a worm component of HermeticWiper called HermeticWizard. 

    • HermeticWiper is a data-wiping malware that renders a system inoperable by corrupting its data and was observed on the networks of at least five Ukrainian organizations.

    • HermeticWizard is the worm mentioned above, that uses WMI and SMB to spread HermeticWiper across a local network. 

    • HermeticRansom is a ransomware component written in Go deployed at the same time as a HermeticWiper, likely to obscure the wiper’s activity. 

  • Additionally, ESET observed a second wiper malware, which they call IsaacWiper, on a different Ukrainian governmental network on February 24th. It is not yet determined if IsaacWiper is connected to HermeticWiper, but IsaacWiper is less sophisticated and the two were deployed against separate victims.

Collective Defense for Cyber

At the core of the National Atlantic Treaty Organization (NATO) is the notion of collective defense

“The principle of collective defense is at the very heart of NATO’s founding treaty. It remains a unique and enduring principle that binds its members together, committing them to protect each other and setting a spirit of solidarity within the Alliance.”

In warfare that knows no boundaries—cyber warfare—we feel strongly at IronNet that this concept must extend to cyber defense. For all its promise and prosperity, digital transformation has opened an attack surface akin to a digital infinity pool. Today there is no Atlantic theater or Pacific theater, however. In cyberspace, we are one theater. We must secure it together.

Our hearts go out to the citizens of Ukraine as the once-imminent Russian attack became a reality last night. As Putin demonstrated in the 2015 cyber attack on the Ukrainian power grid, there is a potential concomitant war brewing in cyberspace. While critical infrastructure is comparatively well protected, Russia is a nation-state with unlimited resources, a pool of moonlighting cyber criminals, and highly-organized threat groups that have been engaging in cyber target practice for years.

Long gone are the martial elements of fortresses, foxholes, and field battles. Just as aerial combat changed the very fabric of war during WWII, cyber has forever transformed war as we know (knew) it. In the face of announced and imminently expected sanctions, Putin could turn his eye toward U.S. and European power grids, pipelines, and the financial infrastructure as retribution.

It is in this context that the IronNet threat analyst team is currently tracking the cyber actions noted above.

Updates on Russian attack implications on cyber

In the spirit of IronNet’s mission, Collective Defense for cybersecurity, we will update this blog with any real-time information we learn about and related threat intelligence. Our goal is to bring together companies and organizations across the private and public sectors to defend as a unified force. 

About Ironnet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet, Inc. (NYSE: IRNT) is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.