Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures

Russian government-affiliated actors launched coordinated cyber-attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced recently. 

The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.

Russia has a long history of timing cyber-attacks to offensive operations, going back to Georgia in 2008. Russian cyber-attacks have featured heavily in the Ukraine conflict, most significantly knocking out power on Christmas Eve 2015 for thousands of Ukrainians.

This autumn, Stealthcare first observed a Russian state-baked entity known as the Carbanak group develop a new phishing campaign, using deceptive emails to convince targets to click links and download malware around Oct. 25. 

The targets were government agencies in Ukraine and across Eastern Europe, according to CEO Jeremy Samide. Attached to the emails were PDFs with links and other pieces of code that, when executed, would allow the attacker to steal or exfiltrate data and gain control over important computer functions. 

While Samide said he couldn’t say which government entities were targeted, because of sensitivities surrounding the target, he said they would have had information related to Ukrainian foreign and naval affairs, information that would have been very useful if you wanted to engineer a maritime crisis. 

Samide says there is “no doubt” that this was a Kremlin-led reconnaissance effort to prepare for the Kerch Strait crisis.

A separate Russian actor tied to the Russian FSB, called the Gamaredon Group, targeted Ukrainian government agencies with a backdoor attack called Pterodo, tailored to Windows, a few days before Nov. 20, when Stealthcare first reported seeing it.

On Nov. 26, just Russia seized Ukrainian vessels and imprisoned Ukrainian sailors, Stealthcare observed a second, coordinated attack by the Carbanak group aimed at key Ukrainian government and military targets. The malware linked to the phishing attack would have allowed for the theft of data or emails.

The spyware war has since heated up on both sides. Earlier this December, Stealthcare observed a new phishing scam aimed at Russian entities involving fake PDF documents loaded with malware. 

“It’s not clear as to what targets it actually hit,” said Samide, who couldn’t yet name the source, but some of the documents “appear to be masquerading as health documents from Moscow based hospitals,” he said.

“We now know that the latest attack retaliating against Russia is a highly targeted attack against their FSBI ‘Polyclinic No.2,’ which is affiliated to the Presidential Administration of Russia.  Most notably, the lure document used in the attack exploits the latest Flash zero-day vulnerability,” he told Defense One in an email. 

“The threat actor exhibits the tactics, techniques and procedures (TTPs) of an Advanced Persistent Threat (APT) actor. The document that is being delivered shows a questionnaire for staff of the Moscow-based hospital, but it secretly executes malicious code in the background.”

Russian cyber offensive operations are a growing concern for US policymakers, particularly Democratic Sen. Mark Warner from Virginia, ranking member of the Senate intelligence committee. 

“Countries like Russia are increasingly merging cyber-attacks with traditional information operations,” he said at the Center for New American Security, in Washington on Friday 7th December. 

“This emerging brand of hybrid, cyber warfare exploits our greatest strengths our openness and the free flow of ideas. Unfortunately, we just aren’t waking up to that fact.” 

Defense One:

You Might Also Read:

Russia And Ukraine’s Crisis Could Escalate Beyond Cyberwar

« Hackers Are Targeting Young Video Gamers
Social Media Outpaces Print Newspapers In The US »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Help Net Security

Help Net Security

Help Net Security has been a prime resource for information security news and insight since 1998.

Hotlava Systems

Hotlava Systems

HotLava network adapters enable today's powerful servers and workstations to deliver more productivity by reducing congestion at the network interface.

Softtek

Softtek

Softtek provides comprehensive software Quality Assurance and Testing that identifies the correctness, completeness, and quality level of software products.

Lloyd's

Lloyd's

As an insurance market, Lloyd’s can provide access to more than 65 expert cyber risk insurers in one place.

Planit Testing

Planit Testing

Planit is a leader in Quality Assurance and a specialist in software testing and training services.

CERT-AM

CERT-AM

CERT-AM is the national Computer Emergency Response Team for Armenia.

KZ-CERT

KZ-CERT

KZ-CERT is the national Computer Emergency Response Team for Kazakhstan.

AVORD

AVORD

AVORD is a cloud-based security testing platform that allows clients to manage security testing requirements in a far more productive and efficient way.

National Initiative for Cybersecurity Education (NICE)

National Initiative for Cybersecurity Education (NICE)

NICE is a partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development.

Trusona

Trusona

Trusona is a pioneer and leader in passwordless two-factor authentication (2FA).

StartupXseed Ventures

StartupXseed Ventures

StartupXseed Ventures is a smart capital provider for Deep Tech, B2B, Early Stage Startups. We support, NextGen Tech Entrepreneurs, who have potential to deliver the outsized growth.

ZARIOT

ZARIOT

ZARIOT's mission is to restore order to what is becoming connected chaos in IoT by bringing unrivalled security, control and quality of service.

Cyber Readiness Institute (CRI)

Cyber Readiness Institute (CRI)

At the Cyber Readiness Institute, our mission is simple: empower small and medium-sized enterprises with free tools and resources to help them become more secure and resilient.

Tarlogic

Tarlogic

Tarlogic works to protect and defend your security with the highest quality technical team with next generation solutions to achieve the best protection.

DataStealth

DataStealth

DataStealth is a data protection platform that allows organizations to discover, classify, and protect their most sensitive data and documents.

True North Solutions

True North Solutions

True North Solutions provides a wide range of fully customized, vendor-neutral industrial engineering and OT automation solutions to companies across North America and around the world.