Timeline of the New Cyberwar

It has been a month since I made a particular reference to the conflict in Ukraine on this blog. A conflict that erupted back in 2014, and that at this time is increasingly worrisome. Although we had seen reports of new cyberattacks on Ukrainians attributed to the Russians this year, the invasion of troops was merely a contingency. However, it was on February 24 that, to the surprise of many, such an invasion, from different fronts and on a large scale, became a reality.

As I write these words, it is said that about 2 million people have already fled Ukraine and that at least 549 civilians have been killed. Nonetheless, it appears that this figure may be considerably higher. Such events might constitute war crimes and human rights violations. Unfortunately, the bombardments continue, and the militaries of both sides are engaged in firefights. The Russian forces are indeed advancing at a slow pace. But it seems that they will do everything in their power to push into the capital, Kyiv, and take control of it.

Shortly before the invasion of Russian troops began, there was a series of DDoS (distributed denial-of-service) attacks against websites of some Ukrainian government and banking institutions. Hours later, ESET's research team reported the discovery of a new data wiper malware. This one, dubbed HermeticWiper, hit hundreds of computers of organizations in that country. (It seems that this malware behaves just like WhisperGate does. It damages both local data and the master boot record of the hard drive.) Then, Reuters said that the infections had already reached nations such as Latvia and Lithuania and that Russia denied the allegations of such attacks. As if that weren't enough, Microsoft's Threat Intelligence Center ended up detecting another malware package in operation against Ukraine called FoxBlade.

Russia officially declared war on Ukraine. Mysteriously, hours after the invasion commenced, some of the Russian government websites became inaccessible to the public. This was associated with both possible attacks and preventive measures. As for the Ukrainian government, it reportedly began calling for volunteer hackers and cybersecurity experts on forums. These would have the missions to help defend critical infrastructure (e.g., water systems and power plants) and conduct cyber espionage operations against Russian forces. All at once, the doubt arose that people supporting the Russian purpose would start to apply, seeing a new chance for an onslaught. Additionally, hacking groups began to make it known whether they were on the side of Ukraine or Russia.

Members of the hacktivist group Anonymous (pro-Ukrainian in this war) defaced government websites in Russia, posting messages from the Ukrainian president. Apparently, they claimed to be responsible for disabling other sites, including that of the Russian news outlet RT. On the other hand, the fact that the Conti gang, responsible for quite hostile ransomware operations, offered its support to the Russian government stood out. In addition, a warning that phishing attacks have already occurred appeared on the Twitter account of the State Service of Special Communications and Information of Ukraine. Another attack of this type, especially against military personnel of this country, was reported in another media.

Internal chats of the Conti gang from January 29, 2021, to this day were leaked, apparently by a member of the group. Allegedly, the stance and messages of the gang's leader on the present war upset its Ukrainian members. Hence, one of them hacked Conti's internal Jabber/XMPP server. (See a detailed analysis of these chats here). Curiously, these days also in favor of Ukraine, a website appeared with the sliding tile puzzle 2048. According to its developers, simply by playing, users can contribute to overload and knock websites serving the Russian army offline. Meanwhile, warnings about phishing campaigns continued. In this case, these were fake messages about evacuations for Ukrainians. Besides, another Russian news outlet, TASS, suffered a cyberattack that temporarily interrupted the activity of its website.

By this time, there were already about 200,000 users in the newly created space of the IT ARMY of Ukraine. In a continuous search for volunteers, this site was intended for the coordination of defense and attack operations. On this day, phishing attacks associated with a previous campaign (see February 25 on this post) were mentioned. These attacks targeted European government personnel assisting refugees from this war. It seems that these attacks were carried out using a compromised Ukrainian military email account and may have been sponsored by the Belarusian government. For its part, the New York Post reported that Russia appeared to have officially declared cyberwar on the U.S. after the latter began to see a significant increase in cyberattacks against its banking sector.

Microsoft, the giant corporation that in late February decided to enter the war to help protect Ukraine's cybersecurity, announced the suspension of sales of its products and services in Russia. (Apple previously suspended sales too.) Meanwhile, the Russian communications agency Roskomnadzor informed blocking access to Facebook. This would partly isolate Russian citizens and limit their opinion. The same agency then banned the U.S. walkie-talkie communication app Zello. This decision was due to the alleged dissemination of false information about the invasion of Ukraine. On the other hand, the cryptocurrency firm Coinbase announced the blocking of more than 25,000 accounts linked to Russia. Coinbase considered that these were carrying out illicit actions.

Google's Threat Analysis Group published "An update on the threat landscape," in which they highlighted the criminal activities of several gangs. For example, they attributed phishing campaigns against a Ukrainian media firm to the apparently Russian group FancyBear. They said the Ghostwriter group attacked the government and armed forces of Poland and Ukraine. They also reported the Chinese group Mustang Panda partially shifted its focus to European targets. Finally, Google noted that Ukrainian government websites were still receiving DDoS attacks. They will continue providing their free protection service, with their Project Shield, against this type of threat.

At Fluid Attacks, we recognize that this cyberwar can lead to adverse outcomes in multiple corners of the globe. That's why we recommend you pay close attention to your organization's cybersecurity so that you are adequately prepared for any blow. Do not hesitate to contact us to discover our preventive solutions.