Over the past eight months, at least five Russian state-sponsored or cybercriminal groups have targeted Ukrainian government agencies and private companies in dozens of operations that aimed to disrupt services or steal sensitive information.
In February, state-sponsored groups such as Gamaredon, Sandworm, and Fancy Bear used wiper programs in an attempt to damage infrastructure and sabotage computer systems, researchers at Trustwave say in a new research note. Those attacks lasted three months, using credential stealers to gain access to systems.
Fancy Bear and Sandworm are under orders from the Main Directorate of the General Staff of the Armed Forces (GRU), with Gamaredon being directed by Russia’s Federal Security Service (FSB), researchers noted.
Other cybercriminal groups with links to Russia are also taking part in the cyberattacks on Ukrainian targets, with regular cyber-espionage operations attempting to steal information and establish footholds in various systems for later use, Trustwave’s report states. This includes two groups in particular, known as Ember Bear (aka UNC2589) and Invisimole, which are known cybercriminal groups that may also collaborate with the Russian government, according to Trustwave’s report.
While citing the maxim that “we don’t know what we don’t know,” Karl Sigler, security research manager at Trustwave SpiderLabs, believes that Russia is being more obvious about its attacks.
“They are not trying to hide their location,” he says. “They want people to know the attribution, and for that reason, I don’t think we are missing as much as we did this time last year. We are really seeing blatant activity.”
Cybersecurity experts have closely analyzed Russia’s cyber strategy during its invasion of Ukraine to gauge the risk posed by cyberattacks and malware, used to augment and support the physical invasion. Attacks preceded the actual invasion on Feb. 24, and have continued as Russia dug into eastern Ukraine and the Crimean peninsula.
“Without a doubt, sophisticated cyber weapons are key tools in the arsenal of a modern military,” Trustwave states in the analysis. “With Ukraine being targeted by a variety of cyberattacks, we can clearly see that government assets, critical infrastructure, media, and private sector organizations are highly lucrative targets for attackers, and even legitimate penetration tools can be hijacked and used as weapons.”
Wipers & More: Shifting Attack Strategies
Russia’s cyber-operations strategy has changed over the initial six months of its invasion into Ukraine.
The destructive attacks mainly happened in the first few months of the war, Trustwave’s Sigler says. Both Gamaredon and Sandworm targeted Ukrainian companies and government agencies with a variety of wiper programs.
Gamaredon, aka Primitive Bear and Armageddon, conducted three attacks in February 2022, including the HemeticWiper data-wiping attack, where the group used a a stolen digital certificate from Hermetica Digital to bypass some security measures and targeted high-profile Ukrainian organizations. Sandworm (aka Black Energy), targeted Ukrainian groups with additional destructive attacks, such as CaddyWiper and Industroyer2.
These destructive attacks appear to have lasted only a few months. Russia likely thought that the war would be quickly won, so used the operations to hamper Ukrainian resistance, Sigler says.
“They focused on a taking lot of things offline, hoping that the disruption would be enough to tilt the scales and really bring about a quick end to the conflict,” he says. “So I think that, as the conflict has stretched out over the months, they are more focused on gathering intel to inform next steps.”
While the three advanced persistent threats (APTs) — Gamaredon, Sandworm, and Fancy Bear — have been linked to the cyberwar attacks, Trustwave’s report notes that two others have also ramped up activity. Cozy Bear is conducting operations for Russia’s Foreign Intelligence Service (SVR), while DragonFly (aka Energetic Bear) is linked to the FSB.
Russia has also used cybercriminal groups as sort of an online militia with a focus on stealing information and gaining access to systems, according to the report. Invisimole and Ember Bear have both cooperated with the Russian government, carrying out out cyber-espionage operations against a variety of targets, including the LoadEdge attack against Ukrainian government agencies and another operation, dubbed GrimPlant, that infiltrated government agencies and installed backdoors.
“Malware used in the attacks usually provide backdoor access with webcam and microphone captures, keylogging, and the possibility to download and install additional components,” the Trustwave report states. “Exfiltrated data includes operating system information, documents, pictures and stored passwords from web browsers and software.”
While the destructive attacks have seemingly paused, according to the report, the espionage attacks are ongoing.