Ukraine at D+342: Lessons for cyberwar.
N2K logoFeb 1, 2023

Attentive observers will notice a suggestive similarity between the Wagner Group's recruiting of convicts and Russia's intelligence services' mobilization of cybercriminals as hacktivist auxiliaries.

Ukraine at D+342: Lessons for cyberwar.

According to the AP, Russia's six-month-long battle for Bakhmut has turned the city into a ghost town. Before the war, the town had a population of 80,000, living in nineteenth-century dwellings. Few of the people or buildings remain, but heavy fighting continues.

Shelling in Kherson, but no change in the lines.

This morning's situation report from the UK's Ministry of Defence describes recent action around Kherson. "In recent days, some of the most intense shelling in the conflict has likely taken place along the Dnipro River in southern Ukraine. This has included continued Russian shelling of Kherson city with artillery firing from the east of the river. On 29 January 2023, local authorities reported another three civilians killed in Kherson, while two foreign-owned ships moored on the river were damaged, causing an oil spill." The goal of the shelling is unclear. Perhaps it's intended as a spoiling attack. "Kherson remains the most consistently shelled large Ukrainian city outside of the Donbas. Russia’s precise rationale for expending its strained ammunition stocks here is unclear. However, commanders are likely partially aiming to degrade civilian morale and to deter any Ukrainian counter-attacks across the Dnipro River."

Sandworm's NikoWiper and Ukraine's energy sector.

ESET's APT Activity Report for T3 2022, released yesterday, describes a hitherto unknown wiper, "NikoWiper," which was "used against a company in the energy sector in Ukraine in October 2022." The report goes on to give particulars of the malware. "TheNikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files." It's been difficult to see coordination between Russian kinetic and cyber operations, but the NikoWiper deployment at least coincided with Russian missile strikes against Ukraine's energy sector. "This attack happened around the same period that the Russian armed forces targeted Ukrainian energy infrastructure with missile strikes. Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives." Coincidence isn't necessarily coordination, but of course it might be. Sandworm represents threat activity directed by Russia's GRU military intelligence service.

Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, wrote to offer perspective on NikoWiper. 

"The NikoWiper relies on a clean and legitimate binary belonging to Microsoft. That technique might be compared to 'flying under the radar.' In other words, it relies on a trusted application to perform data destruction operations. That technique can be effective when the defensive strategy focuses on clean or malicious files. Such executions might be considered a part of the LOLBAS techniques. In the case of the SwiftSlicer wiper, it's different. The whole implant is written in the GoLang programming language, and the data destruction is performed on an internal function by rewriting a few bytes in the file, leading to file corruption. Meaning the attacked system stops booting up because of bad files.  

"In terms of how concerned organizations should be about these attacks, it depends on geolocation. Wipers have been very popular in Ukraine and the Middle East. If your company is not located in those regions and does not have business there, then it's highly unlikely you would be a target. Remember, the objective behind a wiper is to destroy data to make many systems unusable. These operations usually take place inside a war to disable the adversary and garner time for further operations.  

"However, there are other targeted attack implants with different capabilities that the threat actor uses on a daily basis. For example, spy modules, backdoors, and RATs -- where the objective is to collect and steal sensitive or secret information from the victims.  

"Protection against APTs is critical. There’s a number of exercises to perform, technologies to use, and practices to adopt. A good start would be to identify your threat actors and threat model. Then emulate it in your network to test your current detection capabilities. Cyber Threat Intelligence is your friend." 

Life in wartime: cyber criminal edition.

Killnet's hacktivists continued their distributed denial-of-service attacks against US medical centers, with some of the targets reporting brief interruptions of important IT services. Delaware's Christiana Care, the University of Iowa Hospitals and Clinics, and a third-party vendor used by University of Michigan Health are among those who reported disruptions yesterday.

Killnet, as we've often observed, is effectively an auxiliary of Russian security and intelligence services, conducting harassment of unfriendly nations during Russia's war. Nominally hacktivist and staffed by hackers who cut their teeth on pre-war cybercrime, Killnet represents one large and noisy instance of Russia's mobilization of gangs in support of the cyber phases of its hybrid war.

Russian cyber gangs have for years operated at the sufferance of the government, which gave them broad immunity from interference as long as they restricted their attacks to foreign targets whose disruption served Moscow's interests. The Record, citing research by its sister organization in Recorded Future, the Insikt Group, notes that a brief, sharp, and unexpected crackdown on (some) cyber gangs by Russian law enforcement in January of 2022 served as both misdirection--signaling Russia's intention of becoming a good international citizen of cyberspace--and as a means of clarifying relationships and bringing the gangs to heel before the February invasion of Ukraine.

The Insikt Group summarizes the Kremlin's mobilization of cyber criminals: "Throughout these changes, one thing remained largely constant: cybercriminal threat groups continue to occupy important roles — in direct, indirect, and tacit capacities — with the Russian government. For cybercrime groups who have pledged their allegiance to the Kremlin, the unspoken connections have deepened. Russian cybercriminals and self-described hacktivists are actively involved in operations targeting Ukrainian entities and infrastructure, as well as entities located in states that have declared their support for Ukraine. Recorded Future has observed Russian and Russian-speaking threat actors targeting the United States, United Kingdom, the North Atlantic Treaty Organization (NATO), Japan, and others for financial gain and ego-driven publicity in support of Russia."

The relationship between the state and the gangs is longstanding. The gangs provide ready talent and a measure of deniability.

Ukraine shares lessons learned from the business end of Russian cyber warfare.

In an article published by the Atlantic Council, Yurii Shchyhol, head of Ukraine’s State Service of Special Communications and Information Protection, summarized some of the lessons his country has learned from its experience of Russian cyber warfare:

  1. The effects of cyberattacks can be difficult to contain. They often extend well beyond the intended target. Targeteers might think of them as an area weapon as opposed to a precision weapon.
  2. Cyberattacks continue to occupy a "grey zone." They can be used with fewer inhibitions than kinetic strikes. They're more deniable, and they're more difficult to deter.
  3. Cyber operations are economical of manpower.
  4. Auxiliaries make an important contribution to offensive cyber operations.
  5. Finally, cyber operations are difficult to mount--they require both time and skill to prepare and pull off.