A brief update on Russia's war against Ukraine.
Russian forces continue to encounter strong resistance and self-inflicted logistical problems. Talks between the two sides continued, but expectations are modest. Situation reports by the UK's Ministry of Defence tell a familiar story of Russian combat failure and indiscriminate attacks against civilians. The brutal reduction of Ukrainian cities, particularly Kharkiv and Mariupol, continues, as does the high rate of casualties among Russian forces.
Cyber operations against Ukraine.
ESET researchers found a new wiper they're calling "CaddyWiper," the third one Russian operators have used to hit Ukrainian targets during Russia's war against Ukraine. "This new malware erases user data and partition information from attached drives," ESET tweeted. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." First observed Monday morning at 0938 UTC (that's 1138 Kyiv time, or 0538 US Eastern Time), the malware seems to have been compiled the same day it was deployed. CaddyWiper has little in common with its two predecessors. As ESET put it, "CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us." It did share one tactic with HermeticWiper: deployment via Group Policy Object (GPO), which suggests to ESET that "the attackers had prior control of the target's network beforehand." The wiper's operators are apparently interested in maintaining persistence in the targets' networks. "Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations." The Verge reports that the effect of the attack seems so far to have been small. One unnamed organization appears to have been affected, but the consequences of that attack remain publicly unknown.
Triolan, a major Ukrainian Internet service provider, has faced periodic disruption since the Russian invasion began. CPO Magazine reports that attackers, presumably Russian, had set Triolan internal devices back to factory defaults, which effectively knocked them offline. Other ISPs, including Ukrtelecom, have experienced similar service disruptions as recently as last week.
Satellite Internet service delivered by Viasat was interrupted on February 24th, around H-hour of Russia's invasion. The US National Security Agency, France's ANSSI, and Ukrainian intelligence services are jointly investigating whether the incident was a Russian cyberattack. The target and the timing, at least, suggest that it was. "The hackers disabled modems that communicate with Viasat Inc's KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine. More than two weeks later some remain offline," Reuters reports.
Reuters says the Viasat incident is presumed to have been a Russian operation. While few technical details on the incident have been shared, senior Ukrainian cybersecurity official Victor Zhora said, "I believe that one of their goals is to destroy providers’ infrastructure and to prevent the Ukrainian armed force to actually communicate with each other."
Zhora also shared his assessment of why Russian cyber operations have been less devastating than was confidently predicted during the run-up to the war. The Washington Post gives Zhora's top three reasons for Russian cyber's failure to show up in overwhelming force:
- "Russian hackers aren’t nimble enough to identify and compromise the most important Ukrainian government and industry targets during fast-moving military operations.
- "Stealthy cyberattacks aren’t that useful in comparison to the damage Russian troops are causing with bombs and missiles.
- "Russian cyber operators are too busy protecting their own digital infrastructure."