Ukraine at D+236: Buzzbombs and hacktivists-for-hire.
N2K, Oct 18, 2022

Russia continues its strikes against Ukrainian cities and infrastructure. Hacktivists-for-hire are contributing to Russian DDoS attacks against targets perceived as "anti-Russian."


Russia continues to strike Ukrainian cities with loitering weapons.

Russia continues to employ drones against Ukrainian infrastructure and civilian targets. "Since 10 October, Russia has maintained a heightened tempo of long-range strikes against targets across Ukraine," the UK's Ministry of Defence writes in this morning's situation report. "These have been conducted by cruise missiles, air defence missiles in a surface-to-surface role, and Iranian-provided Shahed-136 one way attack uncrewed aerial vehicles. It is highly likely that a key objective of this strike campaign is to cause wide-spread damage to Ukraine’s energy distribution network. As Russia has suffered battlefield setbacks since August, it has highly likely gained a greater willingness to strike civilian infrastructure in addition to Ukrainian military targets."

Electrical power plants have been heavily attacked. The Telegraph reports that Ukraine's President Zelenskyy estimates that about a third of the country's plants have been disabled by the strikes. Journalists are referring to the Russian weapons as "kamikaze drones," and the Washington Post has published an explainer for those unfamiliar with such weapons. There's nothing particularly exotic about a weapon like the Iranian Shahed-136 (which the Russians are calling "Geran-2"). It's a loitering munition, essentially a small, slow, inexpensive cruise missile. Some loitering munitions are flown by a remote operator onto a target chosen while the weapon is in flight; the Shahed-136 is navigated to preprogrammed coordinates by satellite and inertial guidance, which is what makes it cheap enough to launch in numbers. In addition to employing them against power stations, Russia has been using them to strike residences, public spaces, and other civilian targets.

Russia apparently hopes that the drones will reverse its battlefield fortunes as its stocks of the other long-range weapons the British MoD mentions run low, but terror strikes directed at civilian populations have historically not achieved the results their planners sought.

Update on Russian cyberattacks against Bulgarian government targets.

Bulgarian authorities say the cyberattack that government websites sustained over the weekend has been contained, and, according to the Sofia Globe, they're sticking with their attribution of the attack to Russia. Sally Vincent, Senior Threat Research Engineer at LogRhythm, commented on the implications of the attack within the context of Russia's hybrid war:

"Since February 2022, Russian threat actors have been launching cyberattacks on Ukraine. Since that time, Russian hackers have expanded the scope of their attacks to the Western states aiding Ukraine. Just last week, a pro-Russian hacking group claimed responsibility for cyberattacks hitting more than a dozen U.S. airports. Now, Russian threat actor Killnet is claiming responsibility for a distributed denial of service (DDoS) attack that disabled Bulgarian government websites for the president’s office, the Defense Ministry, the Interior Ministry, the Justice Ministry and the Constitutional Court. Killnet most likely attacked the Bulgarian government for its role in absorbing Ukrainian refugees and providing humanitarian aid to the areas of the state most affected by Russian shelling.

"In wartime, the focus on cyber destruction by threat actors is another aspect of asymmetric warfare. Disruption to your enemy’s allies is another way to gain advantage. The program that Killnet is working on in the US is called USA Offline. They are trying to find any toehold on American assets that will help deflect from the activities that they have going on the ground in-country. Their attempt to shut down our airlines was just one of a multi-pronged attack on US infrastructure.

"DDoS attacks can potentially be a smokescreen for more malicious attacks, making it imperative for organizations to keep their prevention and detection technologies top of mind. This includes developing robust regulations around their security protocols and adhering to them, ensuring the appropriate protective controls are in place and verifying that they have visibility into their IT environment. This is essential for organizations targeted by Killnet in particular, since Killnet publishes a list of targets and asks for others to join in attacking them."

Mobilizing DDoS-as-a-service.

A Russian hacktivist group with the ungainly nom-de-hack "NoName057(16)" has been organizing distributed denial-of-service (DDoS) attacks and website defacements against Ukraine and its Western supporters. It pays its most productive participants between $315 and $1,255 for their contributions. Radware described the operation late last week: "In July, threat group NoName057(16) quietly launched a crowdsourced botnet project named 'DDOSIA.' The project, similar to the pro-Ukrainian Liberator by disBalancer and the fully automated DDoS bot project by the IT ARMY of Ukraine, leverages politically-driven hacktivists willing to download and install a bot on their computers to launch denial-of-service attacks. Project DDOSIA, however, raises the stakes by providing financial incentives for the top contributors to successful denial-of-service attacks."

Researchers at Avast had earlier described the group's use of Bobik malware in its campaigns. They divided a typical NoName057(16) attack into reconnaissance and execution phases:

"The first step is looking for a target that supports Ukraine or a target with anti-Russian views. The attackers analyze the structure of the target’s website and identify pages that can cause server overloading, especially requests requiring higher computing time, such as searching, password resetting, login, etc.

"The second step is filling in the XML template, encrypting it, and deploying it to the C&C servers. The attackers monitor the condition of the target server and modify the XML configuration based on needs (modification of URL parameters, bodies, etc.) to be more effective. The configuration is changed approximately three times per day."

So: find a target with anti-Russian views, work out which of its pages are most expensive to serve, hit those, and retune the configuration as the server's behavior changes.
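The Avast description above is also a detection recipe: the bots aim for expensive endpoints (search, login, password reset), the traffic comes from many volunteer machines rather than one address, and the query strings are varied to defeat caching. The following is an added example, not code from Avast, Radware or N2K, that flags exactly that pattern in web-server logs. The log format (nginx "combined" with the request time appended), the window size and the thresholds are assumptions chosen for the example, and the sample log lines are constructed, not captured traffic.

```python
"""Flag application-layer floods against expensive endpoints.

Added example (not from Avast, Radware or N2K). For each endpoint and
60-second window it counts requests, distinct client addresses and mean
service time; a window that is busy, widely sourced and slow is the
signature of a crowdsourced bot hitting search/login/reset pages.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed log format: nginx "combined" plus $request_time appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "epoch": int(ts.timestamp()),
        "method": m["method"],
        # Keep only the path: the bots randomise the query string so that
        # every request misses the cache, but the endpoint is what matters.
        "path": urlsplit(m["target"]).path,
        "status": int(m["status"]),
        "rt": float(m["rt"]),
    }


def detect_l7_flood(lines, window_s=60, min_requests=20, min_distinct_ips=10, min_mean_rt=0.5):
    """Return one alert per (endpoint, window) that is busy, widely sourced and slow.

    Thresholds are example values; tune them against your own baseline.
    """
    buckets = defaultdict(lambda: {"n": 0, "ips": set(), "rt_sum": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        window_start = rec["epoch"] - rec["epoch"] % window_s
        b = buckets[(rec["path"], window_start)]
        b["n"] += 1
        b["ips"].add(rec["ip"])
        b["rt_sum"] += rec["rt"]

    alerts = []
    for (path, start), b in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        mean_rt = b["rt_sum"] / b["n"]
        # All three conditions together: volume alone is a busy site, many
        # sources alone is a popular page, slowness alone is a slow backend.
        if b["n"] >= min_requests and len(b["ips"]) >= min_distinct_ips and mean_rt >= min_mean_rt:
            alerts.append({
                "path": path,
                "window_start": start,
                "requests": b["n"],
                "distinct_ips": len(b["ips"]),
                "mean_rt": round(mean_rt, 3),
            })
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real logs): a quiet minute, then a flood."""
    fmt = '{ip} - - [{ts}] "{m} {t} HTTP/1.1" {st} 512 "-" "Mozilla/5.0" {rt:.3f}'
    lines = []
    # 12:00 UTC: three users browsing the front page, fast responses.
    for i in range(15):
        lines.append(fmt.format(ip=f"203.0.113.{i % 3 + 1}", ts=f"18/Oct/2022:12:00:{i:02d} +0000",
                                m="GET", t="/", st=200, rt=0.02))
    # 12:01 UTC: 45 POSTs to the password-reset page from 30 addresses, each
    # with a unique query string, and the backend taking over a second each.
    for i in range(45):
        lines.append(fmt.format(ip=f"198.51.100.{i % 30 + 1}", ts=f"18/Oct/2022:12:01:{i % 60:02d} +0000",
                                m="POST", t=f"/password-reset?nonce={i}", st=200, rt=1.1 + (i % 5) * 0.1))
    return lines


if __name__ == "__main__":
    for alert in detect_l7_flood(build_sample_log()):
        print(alert)
```

Run against a real log by replacing `build_sample_log()` with the file's lines. The quiet minute never fires because it fails two of the three tests (three sources, 20 ms responses); the flood minute fires on all three. Splitting the path from the query string is the part worth keeping even if you change everything else, since per-URL counters are exactly what a randomised query string is designed to defeat, and a rising mean service time on one path is the earliest sign that the bot operators found the expensive endpoint Avast describes them looking for.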