Cyberwar From Conflict in Ukraine?

The emergence of WhisperGate as the first worrying sign

By Felipe Ruiz | February 8, 2022 | Category: Attacks

Region? Europe and Eurasia. Type of conflict? Territorial dispute. Estimated number of casualties? More than 13,000. Estimated number of internally displaced people? 1.5 million. Conflict status? Worsening. This is the riveting preamble we find in the Global Conflict Tracker of the U.S. organization Council on Foreign Relations when we try to get information about the current conflict in Ukraine.

In 2014, this conflict broke out after protests began over the Ukrainian president's refusal to integrate further into the European Union. Soon after, he had to flee the country. Apparently, Russia has not wanted such integration to occur because it would reduce its influence over Ukraine. Moreover, if this nation joins NATO (the North Atlantic Treaty Organization), the Russians might even see it as a threat.

What's very worrying now is that thousands of Russian troops are occupying the borders with Ukraine. Although they are not in an invasion process at the moment, this situation has caused the U.S. government and its allies in Europe to move their groups of soldiers as well. Nevertheless, it's in cyberspace, which concerns us most here, where things are moving at a different pace.

Renewed attacks on the Ukrainian government!

As Professor of Criminology Robert M. Dover said a few days ago, between Ukraine and Russia, "the first shots have already been fired —in cyberspace." Of course, he's referring to the most recent stage of the conflict. After all, these two neighbors in Eastern Europe have been fighting for quite some time, and cyberattacks have been part of the confrontation for years. For example, in 2015, Russian hackers took control of a Ukrainian power grid, disconnecting more than two thousand people from their heating for six hours in the middle of winter. Additionally, in this blog, I once mentioned that a Russian intelligence agency was credited with attacking several systems and networks in the Ukrainian government, financial and energy sectors in 2017. They used the renowned NotPetya malware. This terrible attack spread to organizations around the world, causing losses of several billion dollars. Both incidents have been linked to the same hacking group: Sandworm. However, the "first shots" that Dover mentions correspond to assaults carried out this new year.

Between January 13 and 14, according to the Security Service of Ukraine (SSU), in a joint investigation with other state organizations, more than 70 government websites were attacked. These included, for instance, the Ministry of Education and Science and the Ministry of Foreign Affairs websites. There was interference as well as the publication of provocative messages on some of the websites threatening to upload sensitive data to public networks and inviting people to expect the worst. However, it appears there was no leakage of data. Regardless, it was decided to temporarily suspend other web resources to prevent the spread of the attack. It was referred to as a supply chain attack, which allegedly began by exploiting a security vulnerability in a commercial company's content management system with privileged access to the affected websites. From that moment on, the SSU was already saying that there were "certain signs indicating [the] involvement of hacker groups associated with Russian special services in the incident."

The seemingly low magnitude of the impact of this incident made some people consider it exaggerated to speak of a Russian "attack." Even so, ministers from different European nations, such as Belgium, Denmark, Poland and Romania, condemned what happened and offered their support to the Ukrainians. The next day, Microsoft itself brought to light the fact that it was not a petty assault. The multinational corporation reported that it had observed "destructive malware" in some systems of the Ukrainian government and other organizations. As Serhii Demediuk, the Deputy Secretary of Ukraine's National Security and Defense Council, later commented to The Record in an interview, the defacing of those websites "was a red herring to cover up for more destructive actions, which, in my opinion, we will feel in the near future."

From NotPetya's to WhisperGate's damages

According to Microsoft's report, this malware, now called WhisperGate, was designed to look like ransomware, but it had no ransom recovery mechanism. So, once activated, its mission was to render the infected systems non-functional. Since then, Microsoft has been sharing information to help organizations guide their investigations and implement defenses. But how does WhisperGate work?

WhisperGate acts as a Master Boot Record (MBR) and content wiper. (The MBR is a sector on the disk that contains the information necessary for the operating system to boot.) In the first stage, WhisperGate overwrites the MBR with a ransom note and eradicates any recovery options. In the second stage, a malicious file corrupter is downloaded; it locates specific files on the system, overwrites their content "with a fixed number of 0xCC bytes (total file size of 1 MB)" and renames them "with a seemingly random four-byte extension." (For a detailed, four-stage exposition, follow this link.)
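The second-stage behavior described above leaves a recognizable footprint on disk: files whose entire content is a run of 0xCC bytes, about 1 MB in size, carrying a short random extension. The following triage script, added here as an illustration and not taken from Microsoft's report or from any Fluid Attacks tool, walks a directory tree and flags files that match that footprint, so a responder can quickly see how much of a file share a wiper of this kind touched. It assumes "1 MB" means 1 MiB (1,048,576 bytes) and that the random extension is four alphanumeric characters; both are treated as secondary indicators, and only the all-0xCC content is required for a hit. The sample files it checks are constructed inside a temporary directory.

```python
"""Triage heuristic for files overwritten with 0xCC filler, as the page
describes WhisperGate's second-stage corrupter doing. Added example; the
size and extension expectations below are assumptions, not verified IoCs."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

FILLER = 0xCC
CHUNK = 64 * 1024
# Assumption: "1 MB" read as 1 MiB. Reported as an indicator, not required.
EXPECTED_SIZE = 1024 * 1024
# Assumption: the "seemingly random four-byte extension" is alphanumeric.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")


def is_filler_only(path: Path) -> bool:
    """True when the file is non-empty and every byte equals FILLER.

    Reads in chunks so large files do not have to be loaded into memory."""
    if path.stat().st_size == 0:
        return False
    reference = bytes([FILLER]) * CHUNK
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk != reference[: len(chunk)]:
                return False


def triage(root: Path) -> List[Dict]:
    """Return one finding per filler-only file under root, with the
    secondary indicators (expected size, random-looking extension)."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not is_filler_only(path):
            continue
        size = path.stat().st_size
        findings.append({
            "path": str(path),
            "name": path.name,
            "size": size,
            "size_matches": size == EXPECTED_SIZE,
            "random_ext": bool(RANDOM_EXT.match(path.suffix)),
        })
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one file matching every indicator, one
    filler-only file that matches none of the secondary ones, and three
    benign files that must not be flagged."""
    (root / "report.docx.a1b2").write_bytes(bytes([FILLER]) * EXPECTED_SIZE)
    (root / "blob.dat").write_bytes(bytes([FILLER]) * 2048)
    (root / "notes.txt").write_text("quarterly figures, nothing unusual\n")
    (root / "empty.log").write_bytes(b"")
    (root / "partial.bin").write_bytes(bytes([FILLER]) * 100 + b"x")


def demo() -> List[Dict]:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit with all three indicators set is a strong candidate for the behavior described above; a filler-only file with an ordinary extension or a different size still deserves a look, since the heuristic is meant to surface candidates for analysis, not to replace verified indicators from the vendor report.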

Now, there is a worldwide concern that something like what NotPetya perpetrated could happen again with WhisperGate. NotPetya was also a destructive malware masquerading as ransomware, although it was more sophisticated than WhisperGate appears to be. In any case, Russia may again seek to halt the functioning of infrastructure and entities essential to the economy, communication and welfare inside (and outside) Ukraine. They might even do so simultaneously with an invasion. And while some are still discussing whether the spread of NotPetya was just a circumstantial matter or an intentional attack also targeting international businesses connected to Ukraine, countries such as the U.S. have already decided to be prepared.

Are we prepared to deal with a cyberwar?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already warned critical infrastructure operators to be alert to these new cyber threats. Joe Biden's administration is contemplating the possibility of using U.S. cyber power to respond to the cyberattacks that the Russians will be launching against Ukraine. Who knows, we could soon be talking about cyberwar even before an invasion and a military confrontation take place. As O'Neill says in the MIT Technology Review, "Unlike old-fashioned war, cyberwar is not confined by borders and can more easily spiral out of control."

Meanwhile, let's keep in mind Demediuk's words:

I believe that wherever modern electronic computing technologies are used, a high level of threat exists, regardless of the country and its economic well-being. If you do not pay due attention to cyber defense issues, then the vulnerability of such structures will be very high.

It also helps to remember that recommendations such as keeping software up to date with all available patches, enabling multi-factor authentication, reviewing backups and having cybersecurity crisis response plans should remain high on your priority list. Moreover, never forget to stay aware of currently active threats.

At Fluid Attacks, we recognize that you don't want your systems to look weak and insecure in cyberspace, where attacks can hit unimaginable spots at unexpected times. Contact us if you intend to prevent your systems from becoming victims at all costs.
