Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures

Russian government-affiliated actors launched coordinated cyber-attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced recently. 

The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.

Russia has a long history of timing cyber-attacks to offensive operations, going back to Georgia in 2008. Russian cyber-attacks have featured heavily in the Ukraine conflict, most significantly knocking out power on Christmas Eve 2015 for thousands of Ukrainians.

This autumn, Stealthcare first observed a Russian state-baked entity known as the Carbanak group develop a new phishing campaign, using deceptive emails to convince targets to click links and download malware around Oct. 25. 

The targets were government agencies in Ukraine and across Eastern Europe, according to CEO Jeremy Samide. Attached to the emails were PDFs with links and other pieces of code that, when executed, would allow the attacker to steal or exfiltrate data and gain control over important computer functions. 

While Samide said he couldn’t say which government entities were targeted, because of sensitivities surrounding the target, he said they would have had information related to Ukrainian foreign and naval affairs, information that would have been very useful if you wanted to engineer a maritime crisis. 

Samide says there is “no doubt” that this was a Kremlin-led reconnaissance effort to prepare for the Kerch Strait crisis.

A separate Russian actor tied to the Russian FSB, called the Gamaredon Group, targeted Ukrainian government agencies with a backdoor attack called Pterodo, tailored to Windows, a few days before Nov. 20, when Stealthcare first reported seeing it.

On Nov. 26, just Russia seized Ukrainian vessels and imprisoned Ukrainian sailors, Stealthcare observed a second, coordinated attack by the Carbanak group aimed at key Ukrainian government and military targets. The malware linked to the phishing attack would have allowed for the theft of data or emails.

The spyware war has since heated up on both sides. Earlier this December, Stealthcare observed a new phishing scam aimed at Russian entities involving fake PDF documents loaded with malware. 

“It’s not clear as to what targets it actually hit,” said Samide, who couldn’t yet name the source, but some of the documents “appear to be masquerading as health documents from Moscow based hospitals,” he said.

“We now know that the latest attack retaliating against Russia is a highly targeted attack against their FSBI ‘Polyclinic No.2,’ which is affiliated to the Presidential Administration of Russia.  Most notably, the lure document used in the attack exploits the latest Flash zero-day vulnerability,” he told Defense One in an email. 

“The threat actor exhibits the tactics, techniques and procedures (TTPs) of an Advanced Persistent Threat (APT) actor. The document that is being delivered shows a questionnaire for staff of the Moscow-based hospital, but it secretly executes malicious code in the background.”

Russian cyber offensive operations are a growing concern for US policymakers, particularly Democratic Sen. Mark Warner from Virginia, ranking member of the Senate intelligence committee. 

“Countries like Russia are increasingly merging cyber-attacks with traditional information operations,” he said at the Center for New American Security, in Washington on Friday 7th December. 

“This emerging brand of hybrid, cyber warfare exploits our greatest strengths our openness and the free flow of ideas. Unfortunately, we just aren’t waking up to that fact.” 

Defense One:

You Might Also Read:

Russia And Ukraine’s Crisis Could Escalate Beyond Cyberwar

« Hackers Are Targeting Young Video Gamers
Social Media Outpaces Print Newspapers In The US »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Identity Theft Resource Center (ITRC)

Identity Theft Resource Center (ITRC)

ITRC is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.

Center for a New American Security (CNAS)

Center for a New American Security (CNAS)

CNAS is the nation's leading research institution focused on defense and national security policy. Cyber security issues are an intrinsic element of the national security debate.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

Aporeto

Aporeto

The Aporeto platform protects cloud applications from attack by authenticating and authorizing all communications with a cryptographically signed identity assigned to every workload.

Zymbit

Zymbit

Zymbit provides hardware security modules (HSM) for IoT devices, including Raspberry Pi and other single board computers.

QI ANXIN Technology Group

QI ANXIN Technology Group

QI ANXIN specializes in serving the cybersecurity market by offering next generation enterprise-class cybersecurity products and services to government and businesses.

Corellium

Corellium

Corellium are dedicated to supporting our peers in the ARM community who seek to build more secure, performant, and accessible software and devices.

GTT Communications

GTT Communications

GTT are a global network provider that serves thousands of multinational and national enterprise, government and carrier customers with a portfolio of advanced connectivity and security services.

Lab 1

Lab 1

Lab 1 turns criminal data breaches and attacks into insights. Get alerts of data breaches or ransomware attack incidents as they happen.

VENZA

VENZA

VENZA is a data protection company that can help organisations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches.

Superna

Superna

Superna is the global leader in data security and cyberstorage solutions for unstructured data, both on-prem and in the hybrid multi-cloud.

Argenta Talent Acquisition

Argenta Talent Acquisition

Argenta Talent Acquisition is a recruitment partner specializing in Space and Defense, Intelligence Community, all things Technical, Cyber, and Logistics.

CloudBees

CloudBees

CloudBees is building the world’s first end-to-end automated software delivery system, enabling companies to balance governance and developer freedom.

NetDescribe

NetDescribe

NetDescribe, part of Xantaro Group, advises and supports companies in building secure and stable IT environments.

Nova Microsystems

Nova Microsystems

Nova's mission is to revolutionize cybersecurity through continuous data analysis and dynamic AI-driven encryption.

NetSentries Technologies

NetSentries Technologies

NetSentries provide smart cybersecurity solutions and services to protect Governments, Enterprise and Individuals from threats through a comprehensive range of protocols, products and services.