This post is also available in:
Cyber threat activity against Ukraine, and around the world, has long been a central focus of our work. We continue to monitor the Ukraine-Russia situation by enacting a comprehensive, Talos-wide effort to provide support to our partners and customers. These actions include issuing new Cisco protections based on research findings and malware analysis, enacting an internal crisis management system to formalize components of our investigation, and sharing information with domestic and international intelligence partners.
Our current guidance continues to echo the recommendations from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that global organizations with ties to Ukraine should carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage.
CISA released additional steps organizations could take to protect themselves. We recommend organizations, especially those in critical infrastructure and government, review CISA's advisory, enable and carefully examine their logs, patch, develop a crisis plan, and implement multi-factor authentication where possible. We also recommend following CISA guidance for safeguarding against foreign influence operations, which Russia previously used against U.S. entities to disrupt critical infrastructure functions.
The important thing to understand is, regardless of the current situation, our fundamental guidance remains the same. Tech debt, poor cybersecurity hygiene, and out-of-date systems and software will have catastrophic impacts on your organization. On the flip side, network segmentation, visibility, asset inventories, prioritized patching and intelligence programs that actively drive changes in your defenses are key to successfully weathering attacks.
What We're Seeing Now
Talos is observing a variety of threats targeting Ukraine, including disinformation, defacements, DDoS, wiper malware, and potential BGP manipulation. For the previous information on WhisperGate see here.
Additionally, there has been increased participation from cyber vigilantes and other actors launching attacks on both sides of the conflict. This has raised serious concerns about both the risks associated with this behavior, as unsophisticated attackers may unintentionally disable key pieces of Ukrainian infrastructure, unintended targets -- both within Ukraine and elsewhere -- may become collateral damage, and as the possibility arises for these activities to further escalate the threat environment. There have also been serious implications in the crimeware landscape, with the well-known ransomware cartel Conti suffering significant fallout after publicly declaring their support for Russia.
Additional DDoS, BGP Hijacking and Malware
We continue to observe distributed denial-of-service (DDoS) attacks against Ukrainian entities amid heightened tensions. This activity represents a continued effort to disrupt services in Ukraine and sow discord among the population.
On Feb. 15, several high-level Ukrainian targets, including their Ministry of Defense and two large national banks, were targeted with DDoS attacks. The banks' services were disrupted for several hours. Although the attacks did not affect the targets critically, it was still successful in alarming Ukrainian citizens as tensions increased. These attacks were attributed to Russia by Ukraine, the U.K. and the U.S. They appeared to leverage a variant of the Mirai botnet, which has been previously associated with orchestrating disruptive DDoS attacks.
As recently as Feb. 23, DDoS attacks were confirmed causing network disruptions and affecting high-profile government entities in Ukraine, such as Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, and national banks, among others, illustrating that Russia will likely continue to rely on these types of attacks.
Around the same time of the DDoS attacks, Ukrainian CERT (CERT-UA) asserted that there was a BGP hijacking attack against a Ukrainian bank. This potentially allowed traffic that was intended to reach the bank to reroute temporarily to another destination. BGP, or Border Gateway Protocol, is the primary traffic-routing mechanism on the internet.
CISA released a report on Feb. 23 outlining a malware dubbed "Cyclops Blink," which appears to be a replacement framework for the VPNFilter malware Talos discovered several years ago. While we have not seen additional information tying Cyclops Blink to activity in Ukraine, we will be providing our analysis of that as well in the near future.
As the conflict has continued, we've seen actors of varying skill levels deploying a wide range of threats inside Ukraine that hint at potential future implications. For example, we have observed malware samples designed to avoid executing against Ukrainian targets, suggesting that they may be intended for deployment elsewhere in the region or globally. This underscores the unpredictable nature of the current threat environment and the difficulty in predicting what entities or geographic areas may be targeted next. For more details on what we've seen, refer to our blog available here.
The analysis provided below is based on our long-term work in Ukraine and Eastern Europe. This analysis represents our best-effort factual statements at the time of publication with the goal of preparing defenders to protect their networks and users. Keep in mind that organizations being targeted may not be directly tied to critical infrastructure or government but could be a partner/trusted organization used as a foothold or staging ground for malicious content to be used in further attacks.
Based on different objectives in each arena and the way adversaries perceive the capabilities of both targets, it is important to highlight that there will be differences in how Western nations and allies may be targeted and the level of conflict currently occurring in Ukraine.
Cyber operations in the West intended to erode popular support for sanctions against Russia and impose or highlight costs associated with those sanctions, are possible. These operations would likely come in forms that target critical infrastructure that are high-impact, but relatively easy to recover from. For example, looking at the lessons learned in the Colonial Pipeline ransomware incident, if an adversary disables key enterprise systems while leaving the operational technology (OT) systems fully intact, they can still cause an outage, though one that will not be overly destabilizing.
Cyber operations against Ukraine, by contrast, have escalated to include destructive malware attacks, DDoS attacks, BGP manipulation and other operations designed to disrupt public order and everyday life for Ukrainian citizens.
We can expect to see adversaries use techniques consistent with past behavior, but technical indicators will be new and difficult to attribute. We assess that these actors would likely abuse elements of complex systems to achieve their objectives on targeted environments. Past examples of this include the use of Ukrainian tax software to distribute NotPetya malware in 2017 and, more recently, the abuse of SolarWinds to gain access to high-priority targets.
It is also important to understand that any attacks will likely have elements that interfere with attribution and may have parallel disinformation campaigns to amplify the effect. For example, it may be that a bank website experiences an outage from a DDoS attack, while false rumors of ATM outages are amplified on social media to maximize discomfort in the target country.
Organizations should understand that when looking at this particular set of concerns, they are not the target, they are the tool. The adversary in question will make choices to maximize the public impact of any outage — not to embarrass the affected organization — but to apply pressure to the government.
At this time, to protect yourself and your customers, prioritize cybersecurity hygiene and patching. Educate your organization and employees to be aware of phishing attacks and business email compromise. Network segmentation, zero-trust frameworks, and multi-factor authentication can be tools to limit the effects of any attacks.