A cyber intelligence company has found that a series of large scale cyber attacks were launched against the banks and government websites of Ukraine, as a part of the ongoing geopolitical crisis that has emerged between Ukraine and Russia, which has resulted in a military conflict between the countries. The United States institutions have also witnessed cyber attacks against multiple government bodies after the Biden administration said that it will take corresponding and measurable actions against the Russian military actions.
On the 23rd of February 2022, the State Special Communications Service of Ukraine reported a huge DDoS (Distributed Denial-of-Service) attack on multiple government and banking institutions.
Sources have said that the computer network was attacked across Ukraine, by a new type of malware named ‘HermeticaWiper’ that aims to corrupt the Master Boot Records (MBR) of the drives and wipe out the entire data of the infected systems.
Security researchers are predicting that the data wiper malware has malicious behaviour similar to the ‘WhisperGate’ data wiper malware, which had targeted the Ukrainian establishments in January this year, disguised as ransomware. Although it is very likely that the attack was backed by the Russian Government, any detection or discovery that could potentially identify the involved Threat Actors have not been established till now.
Russian Government Involvement
Right now it remains undetermined so as to suggest that a single group is behind the dispersed attacks targeting Ukraine and the US. At the same time, multiple sources have established that the attacks are backed by the Russian government, for certain.
A report published on the UK government’s website based on the technical examination conducted by their National Cyber Security Centre stated the involvement of Russia’s Main Intelligence Directorate (GRU) behind the cyber security attacks.
Another detailed investigative report produced after the combined research undertaken by “The Insider” and “Bellingcat” also suggests that Russia’s GRU utilized multiple fake government websites to spread malicious malware to target the Ukrainian networks.
As per the published report, the APT28 group (aka Fancy Bear) operated by the GRU puts to use multiple websites, impersonated as websites belonging to the President of Ukraine and operated as their Command-and-Control (C&C) center to infect a significant number of Ukrainian citizens.
The researchers believe that the other similar attacks could have potentially originated from the same C&C center.
Threat Activities Observed In The Underground Forums
Also, a large scale increase in the cyber threat activities in underground forums has been observed, all targeting the Ukrainian and US establishments. At this moment, the various actor’s inclinations towards Russia can’t be established. But all signs so far indicate that NetSec is a potential database broker attempting to monetize their access amidst the ongoing crisis.
Right now, it is believable to presume that the attacks could be linked to the Russian state or non-state actors with the intent to impact Ukraine’s ability to respond to the ongoing Russian military action. However, the Russian government has denied any involvement in the attacks, maintaining plausible deniability.
