2022-08-18

A new report shows Ukraine is waging a battle with Russia in cyberspace, as well as a physical war.

Russia has been using “cyber warfare” against Ukraine since the physical invasion began in late February, Chicago-based security firm Trustwave says.

Malware has been used against organizations in Ukraine to either destroy their online systems or take control of their online systems and ‘damage targets far behind the front lines’.

Malware – a collective term for any type of malicious software – has been used to steal data, spy on citizens and attack national infrastructure.

Trustwave listed the range of malware types used as part of Russia’s cyber warfare efforts, many of which go by colorful names such as “AcidRain” and “Industroyer2”.

Pictured: Ukrainian soldiers sit on infantry fighting vehicles on a road in Ukraine’s Donetsk region on August 18, 2022.

MALWARE AND SPYWARE

Malware is a collective term for any type of malicious software, regardless of how it works, its purpose or how it is distributed. The term includes adware, spyware, viruses, trojans and more.

Spyware is a specific type of malware that steals information from a computer and sends it to a third party without the person’s knowledge. Spyware collects your personal information and passes it on to advertisers, data firms, or third-party users.

Source: Norton Security

“Looking at the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks using malware are an important part of the modern hybrid war strategy,” said Pawel Knapczyk, security research manager at SpiderLabs, Trustwave’s research division.

“While conventional warfare is waged on the battlefield and constrained by several factors, cyber warfare continues in cyberspace, providing the opportunity to infiltrate targets far behind the front lines and inflict damage.”

The perpetrators of the attacks include the Russian Foreign Intelligence Service, the Russian Federal Security Service and the General Staff of the Armed Forces of the Russian Federation, SpiderLabs said.

The team has listed the types of malware being used as part of Russia’s cyber warfare efforts, many under colorful names such as “AcidRain” and “Industroyer2.”

HermeticWiper

This particular malware is called a “wiper” because it aims to erase, or “wipe,” the hard drive of the infected computer.

It was discovered on hundreds of Ukrainian computers, as well as computers in Lithuania and Latvia, on the evening of February 23, just hours before Russian forces invaded Ukraine.

It was named ‘HermeticWiper’ after the digital certificate it carried, issued to a Cyprus-based company called Hermetica Digital Ltd.


RUSSIAN THREAT ACTORS

Trustwave SpiderLabs says notorious threat groups and Russian special services are involved in cyberattacks on Ukraine:

– APT28, also known as Cozy Bear or The Dukes, has ties to the Russian Foreign Intelligence Service (SVR).

– APT29, also known as Fancy Bear or Sofacy, was traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (former GRU), Unit 26165.

– SANDWORM, also known as Black Energy, was attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (former GRU), Unit 74455.

– DRAGONFLY, also known as Energetic Bear or Crouching Yeti, was identified as Russian Federal Security Service (FSB) Unit 71330.

– GAMAREDON, also known as Primitive Bear or Armageddon, was traced to the Russian Federal Security Service (FSB) in November 2021.

Hermetica Digital is led by Polis Trachonitis, a 24-year-old video game designer who runs the company from his home in a suburb of the capital, Nicosia.

The malware was signed with a digital certificate with Hermetica Digital’s name on it, but Trachonitis said it had nothing to do with the attack.

“I don’t even write the code — I write stories,” he told Reuters at the time. “I’m just a Cypriot man…I have no affiliation with Russia.”

Trustwave SpiderLabs said the digital certificate – a type of electronic password needed to carry out the attack – had been stolen.

AcidRain

Another wiper malware called AcidRain was used on February 24 to wipe the modems of the US company Viasat in Ukraine.

It affected several thousand customers in Ukraine and tens of thousands of others across Europe.

The functionality of AcidRain is “relatively straightforward”: it recursively erases a computer’s file system and all files on the storage device.

“After the wipe is complete, the device will reboot,” explains SpiderLabs.

The February attack also led to the failure of 5,800 Enercon wind turbines in Germany. Remote monitoring and control of the turbines was no longer possible, although the turbines themselves continued to operate.

Viasat had to send nearly 30,000 modems to distributors to get customers back online.

Another cybersecurity group, SentinelLabs, claims to have named this malware ‘AcidRain’. It states that the malware is designed to wipe out both routers and modems.


Industroyer2

Industroyer2 is an “advanced piece of malware” that was able to manipulate equipment in electric utilities to regulate the power supply.

According to SpiderLabs, it specifically abuses a set of standards used in electrical power control systems, with the aim of causing a power outage.

In April, Industroyer2 was used at a targeted Ukrainian high-voltage power plant to penetrate and disrupt part of its industrial control system.

Fortunately, people defending the station were able to avoid power outages, Ukraine said.

CredoMap

CredoMap is described as a ‘credential stealer’ or ‘information stealer’ because it harvests user credentials stored in browsers.

It was used by the threat actor APT28, which has ties to the Russian Foreign Intelligence Service (SVR).

CredoMap steals cookies and saved passwords from Chrome, Edge and Firefox browsers.

Depending on the version, the stolen data is then exfiltrated via email or via an HTTP POST request, the standard method web clients use to send data to a server.

Finally, SpiderLabs points out that advanced cyberweapons are “key tools in the arsenal of a modern military.”

“We can clearly see that government assets, critical infrastructure, media and private sector organizations are very lucrative targets for attackers, and even legitimate penetration tools can be hijacked and used as weapons,” it says.

SpiderLabs has provided a full list of perpetrators and attack types in its report, available for download on the Trustwave website.