dark reading threat intel and cybersecurity news

Most cyberattacks in Ukraine continue to be planned and highly targeted, but there are some signs that this soon may change.

One indication is a new Trojan dubbed FoxBlade, which Microsoft researchers recently discovered on Ukrainian government systems; it would allow attackers to use infected PCs in distributed denial-of-service (DDoS) attacks. There is some concern that the operators of the malware will try to infect as many systems as possible with it, both inside and outside Ukraine, to make their DDoS attacks more powerful.

Another indication is a sharp increase in phishing attacks out of Russia over the past 24 hours that already have affected some organizations in the US and Europe.

Microsoft president and vice chair Brad Smith mentioned FoxBlade briefly in a broader blog post on the use and abuse of digital technology in Ukraine on Monday. He described the malware as being used as part of a broader set of “precisely targeted” attacks, unlike in 2017 when NotPetya attacks spread from Ukraine to other countries. Smith offered no description of FoxBlade or potential infection vectors but noted that Microsoft had developed a signature for the threat in three hours and added it to the company’s Defender anti-malware service.

A Microsoft threat intelligence brief on the malware, however, described FoxBlade as a Trojan that can use an infected system in DDoS attacks without the user’s knowledge.

Nathan Einwechter, director of security research at Vectra, says he expects systems outside Ukraine will be the predominant targets of FoxBlade infections. “Being able to infect many systems outside of Ukraine allows the attackers to have a greater impact on important targets,” he says. “Infected systems within Ukraine are much more likely to be the victim of a ransomware or wiper attack following infection as opposed to the FoxBlade DDoS Trojan.”

Also important to consider is who exactly the threat actor might target with its DDoS capabilities. These are likely to be much more carefully selected entities that the attackers are interested in actively disrupting. Potential targets could include organizations in Ukraine as well as those in countries that have thrown their support behind Ukraine.

“Both of these target types, even outside Ukraine, represent important opportunities to impact the conflict in various ways,” Einwechter says. FoxBlade is self-contained and comes with a dropper; it is loaded onto systems after some other exploit has already been used to gain access, so it is not tied to any specific exploit or vulnerability, he adds.

Big Surge in Email Attacks Out of Russia
Meanwhile, Avanan reported observing an eightfold increase in email-borne attacks out of Russia in just the past 24 hours, at least some of them targeting manufacturing firms and international shipping and transportation companies in the US and Europe.

Most of the attacks appear designed to induce recipients to hand over account credentials, giving the attackers access to the victims’ email accounts, Avanan said Tuesday.

“There does appear to be a larger volume of attacks going after sea shipping companies and auto manufacturers,” says Gil Friedrich, CEO of Avanan, a Check Point Security Company. “Some have operations in Ukraine; some don’t,” he adds.

As one example, he points to an international shipping company that was targeted and whose executives have Ukrainian ties. The actors behind the latest round of attacks appear to be a combination of Russia-based groups engaged in opportunistic attacks and those targeting specific victims, according to Friedrich.

In another development, ESET on Tuesday said its researchers had observed a second destructive disk-wiper, this one dubbed IsaacWiper, being used in targeted fashion on systems belonging to a Ukrainian government organization. The security vendor last week had reported finding another disk-wiper, called HermeticWiper, on systems belonging to several Ukrainian organizations. Both malware tools are designed to overwrite the Master Boot Record (MBR) on Windows systems, leaving them inoperable.

In an update Tuesday, ESET described attacks involving HermeticWiper as starting on Feb. 23, shortly before Russia’s invasion of Ukraine. ESET said it had observed HermeticWiper on hundreds of systems belonging to at least five organizations in Ukraine. The attackers appear to have used a malware tool dubbed HermeticWizard to spread the disk-wiping malware across local networks via SMB shares and Windows Management Instrumentation (WMI), ESET said. The company said its researchers had not been able to attribute the malware to any specific actor or country.
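The SMB-plus-WMI spreading pattern ESET describes leaves a recognisable trail in host telemetry: a payload written to an administrative share (Windows Security Event ID 5145) followed by WmiPrvSE.exe spawning that payload on the peer (Sysmon Event ID 1). The script below is an added example, not code from the page or from ESET, that runs three detection rules over a handful of constructed events. The field names are normalised assumptions (real 5145 events carry access masks rather than a "WriteData" label), the allowlist of benign WmiPrvSE children is an assumption to tune per environment, and the spreader threshold of three hosts in five minutes is illustrative.

```python
"""Detect SMB-share drops followed by WMI-spawned execution (constructed sample).

Assumptions (not from the page): events are dicts with normalised field names
modelled on Sysmon Event ID 1 and Windows Security Event ID 5145.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of legitimate WmiPrvSE.exe children; tune per environment.
WMI_CHILD_ALLOWLIST = {"wmiprvse.exe", "werfault.exe", "msiexec.exe"}
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$"}
PAYLOAD_SUFFIXES = (".exe", ".dll")

# Constructed sample telemetry: 10.0.0.5 drops payload.exe on three peers via
# ADMIN$/C$, and WMI launches it on two of them. Two benign events are mixed in.
SAMPLE_EVENTS = [
    {"ts": "2022-02-23T14:52:01", "id": 5145, "host": "WS-07", "src_ip": "10.0.0.5",
     "share": "\\\\*\\ADMIN$", "target": "payload.exe", "access": "WriteData"},
    {"ts": "2022-02-23T14:52:09", "id": 5145, "host": "WS-12", "src_ip": "10.0.0.5",
     "share": "\\\\*\\ADMIN$", "target": "payload.exe", "access": "WriteData"},
    {"ts": "2022-02-23T14:52:40", "id": 5145, "host": "FS-01", "src_ip": "10.0.0.5",
     "share": "\\\\*\\C$", "target": "Windows\\payload.exe", "access": "WriteData"},
    {"ts": "2022-02-23T14:53:00", "id": 5145, "host": "FS-01", "src_ip": "10.0.0.22",
     "share": "\\\\*\\Public", "target": "report.docx", "access": "ReadData"},
    {"ts": "2022-02-23T14:52:05", "id": 1, "host": "WS-07",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\payload.exe"},
    {"ts": "2022-02-23T14:52:13", "id": 1, "host": "WS-12",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\payload.exe"},
    {"ts": "2022-02-23T14:55:00", "id": 1, "host": "WS-03",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WerFault.exe"},
]


def _basename(path):
    """Last path component, lower-cased, for case-insensitive Windows names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmi_spawned_children(events):
    """Rule 1: Sysmon ID 1 where WmiPrvSE.exe is the parent of a non-allowlisted child."""
    return [e for e in events
            if e["id"] == 1
            and _basename(e["parent_image"]) == "wmiprvse.exe"
            and _basename(e["image"]) not in WMI_CHILD_ALLOWLIST]


def admin_share_payload_writes(events):
    """Rule 2: Security ID 5145 write of an executable into an administrative share."""
    return [e for e in events
            if e["id"] == 5145
            and e["share"] in ADMIN_SHARES
            and "WriteData" in e["access"]
            and _basename(e["target"]).endswith(PAYLOAD_SUFFIXES)]


def spreaders(write_events, min_hosts=3, window=timedelta(minutes=5)):
    """Rule 3: source IPs that wrote payloads to >= min_hosts distinct hosts inside one window.

    Returns {src_ip: sorted list of target hosts} for each source that qualifies.
    """
    by_src = defaultdict(list)
    for e in write_events:
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    result = {}
    for src, items in by_src.items():
        items.sort()
        for i in range(len(items)):  # sliding window anchored at each write
            start = items[i][0]
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                result[src] = sorted(hosts)
                break
    return result


def detect(events):
    """Run all three rules; the spreader rule consumes the share-write hits."""
    writes = admin_share_payload_writes(events)
    return {
        "wmi_children": wmi_spawned_children(events),
        "share_writes": writes,
        "spreaders": spreaders(writes),
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the sample data the first rule flags the two payload launches under WmiPrvSE.exe and ignores the WerFault child, the second flags the three administrative-share writes and not the read of a document from a regular share, and the third singles out 10.0.0.5 as having seeded three hosts within a minute. Any one hit alone is noisy in a large estate; the combination of a fan-out writer and WMI launches of the same file name on the written hosts is the signal worth paging on.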

“The two wipers differ quite a bit in their implementation,” says Jean-Ian Boutin, head of ESET threat research. “HermeticWiper is more sophisticated than IsaacWiper, but both have the same purpose: They try to corrupt the disk’s content and make the system inoperable.”

Boutin shared Smith’s assessment of the attacks on Ukraine so far being targeted. “This is [a] fair assessment,” Boutin says. “Based on the capability, appearance, and the selection of targets, the wiper attacks reported by ESET Research were very targeted.”