A new report shows that Ukraine is fighting a battle with Russia in cyber space, as well as a physical war.
Russia has been using ‘cyber warfare’ on Ukraine since the physical invasion started in late February, says Chicago-based security firm Trustwave.
Malware has been used against organisations in Ukraine either to destroy or gain control over their online systems and ‘damage targets far behind the frontlines’.
Malware – a catch-all term for any type of malicious software – has been used to steal data, spy on citizens and attack national infrastructure.
Trustwave listed the array of malware types used as part of its cyber warfare efforts, many of which go by colourful names such as ‘AcidRain’ and ‘Industroyer2’
Russia has been using ‘cyber warfare’ on Ukraine since the physical invasion started in late February, says SpiderLabs, Trustwave’s investigative branch. Pictured, Ukrainian servicemen sit on infantry fighting vehicles on a road in Ukraine’s Donetsk region on August 18, 2022
‘Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy,’ said Pawel Knapczyk, security research manager at SpiderLabs, Trustwave’s investigative branch.
‘While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyber space, offering the chance to infiltrate and damage targets far behind the frontlines.’
Perpetrators of the attacks include the Russian Foreign Intelligence Service, the Russian Federal Security Service and the General Staff of the Armed Forces of the Russian Federation, according to SpiderLabs.
The team has listed the array of malware types used as part of its cyber warfare efforts, many of which go by colourful names such as ‘AcidRain’ and ‘Industroyer2’.
HermeticWiper
This particular malware is referred to as a ‘wiper’ because it’s intended to erase or ‘wipe’ the hard drive of the computer it infects.
It was discovered on hundreds of Ukrainian computers, as well as computers in Lithuania and Latvia, on the evening of February 23, just hours before Russian troops rolled into Ukraine.
It was given the name ‘HermeticWiper’ based on a digital certificate from a company based in Cyprus called Hermetica Digital Ltd.
Perpetrators of the attacks include the Russian Foreign Intelligence Service, the Russian Federal Security Service and the General Staff of the Armed Forces of the Russian Federation
The company is run by Polis Trachonitis, a 24-year-old video game designer who operates the business from his home in a suburb of capital city Nicosia.
The malware had been signed using a digital certificate with Hermetica Digital’s name on it, but Trachonitis said he had nothing to do with the attack.
‘I don’t even write the code – I write stories,’ he told Reuters at the time. ‘I’m just a Cypriot guy … I have no link to Russia.’
Trustwave SpiderLabs said the digital certificate – a type of electronic password needed to perform the attack – had been stolen.
AcidRain
Another wiper malware called AcidRain was used to wipe US company Viasat’s modems in Ukraine on February 24.
It impacted several thousand customers located in Ukraine and tens of thousands of others across Europe.
AcidRain’s functionality is ‘relatively straightforward’, as it performs a wipe of a computer’s file system and all storage device files.
‘After the wiping is done a device reboot is triggered,’ SpiderLabs explains.
February’s attack also led to an outage of 5,800 Enercon wind turbines in Germany. Remote monitoring and control of the turbines became unavailable, although the turbines themselves kept working.
Viasat had to ship nearly 30,000 modems to distributors to bring customers back online.
Another cybersecurity group, SentinelLabs, claims to have named this malware ‘AcidRain’. It says the malware is designed to wipe routers as well as modems.
AcidRain’s functionality is ‘relatively straightforward’, as it performs a recursive wipe of a computer’s file system and all storage device files.
Industroyer2
Industroyer2 is a ‘sophisticated piece of malware’ that was able to manipulate equipment in electrical utilities to control the flow of power.
According to SpiderLabs, it specifically abuses a set of standards that are used in electric power control systems, with the aim of causing a power blackout.
In April, at one targeted high-voltage Ukrainian power station, Industroyer2 was used to penetrate and disrupt part of its industrial control system.
Fortunately, people defending the station were able to prevent electrical outages, Ukraine said.
CredoMap
CredoMap is described as a ‘credential stealer’ or ‘information stealer’ because it takes user credentials stored on browsers.
It was used by the threat actor APT28, which has ties to the Russian Foreign Intelligence Service (SVR).
CredoMap steals cookies and stored passwords from Chrome, Edge and Firefox browsers.
Depending on the version, stolen data is then exfiltrated or extracted via email or POST – a request method supported by HTTP used by the World Wide Web.
To conclude, SpiderLabs points out that sophisticated cyber weapons are ‘key tools in the arsenal of a modern military’.
‘We can clearly see that government assets, critical infrastructure, media and private sector organisations are highly lucrative targets for attackers, and even legitimate penetration tools can be hijacked and used as weapons,’ it says.
SpiderLabs has provided a full list of perpetrators and attack types in its report, available to download on the Trustwave website.