Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures

Russian government-affiliated actors launched coordinated cyber-attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced recently. 

The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.

Russia has a long history of timing cyber-attacks to offensive operations, going back to Georgia in 2008. Russian cyber-attacks have featured heavily in the Ukraine conflict, most significantly knocking out power on Christmas Eve 2015 for thousands of Ukrainians.

This autumn, Stealthcare first observed a Russian state-backed entity known as the Carbanak group develop a new phishing campaign, using deceptive emails to convince targets to click links and download malware, around Oct. 25.

The targets were government agencies in Ukraine and across Eastern Europe, according to CEO Jeremy Samide. Attached to the emails were PDFs with links and other pieces of code that, when executed, would allow the attacker to steal or exfiltrate data and gain control over important computer functions. 

While Samide said he couldn’t say which government entities were targeted, because of sensitivities surrounding the target, he said they would have had information related to Ukrainian foreign and naval affairs, information that would have been very useful if you wanted to engineer a maritime crisis. 

Samide says there is “no doubt” that this was a Kremlin-led reconnaissance effort to prepare for the Kerch Strait crisis.

A separate Russian actor tied to the Russian FSB, called the Gamaredon Group, targeted Ukrainian government agencies with a backdoor attack called Pterodo, tailored to Windows, a few days before Nov. 20, when Stealthcare first reported seeing it.

On Nov. 26, just after Russia seized Ukrainian vessels and imprisoned Ukrainian sailors, Stealthcare observed a second, coordinated attack by the Carbanak group aimed at key Ukrainian government and military targets. The malware linked to the phishing attack would have allowed for the theft of data or emails.

The spyware war has since heated up on both sides. Earlier this December, Stealthcare observed a new phishing scam aimed at Russian entities involving fake PDF documents loaded with malware. 

“It’s not clear as to what targets it actually hit,” said Samide, who couldn’t yet name the source, but some of the documents “appear to be masquerading as health documents from Moscow based hospitals,” he said.

“We now know that the latest attack retaliating against Russia is a highly targeted attack against their FSBI ‘Polyclinic No.2,’ which is affiliated to the Presidential Administration of Russia. Most notably, the lure document used in the attack exploits the latest Flash zero-day vulnerability,” he told Defense One in an email.

“The threat actor exhibits the tactics, techniques and procedures (TTPs) of an Advanced Persistent Threat (APT) actor. The document that is being delivered shows a questionnaire for staff of the Moscow-based hospital, but it secretly executes malicious code in the background.”

Russian cyber offensive operations are a growing concern for US policymakers, particularly Democratic Sen. Mark Warner from Virginia, ranking member of the Senate intelligence committee. 

“Countries like Russia are increasingly merging cyber-attacks with traditional information operations,” he said at the Center for New American Security, in Washington on Friday 7th December. 

“This emerging brand of hybrid cyber warfare exploits our greatest strengths: our openness and the free flow of ideas. Unfortunately, we just aren’t waking up to that fact.”

Defense One:
