Ukraine Observed Nearly 14M Cyber Incidents in Q1 2022
Majority of Incidents Entailed Malware Distribution, Phishing, Intrusion Attempts
Three months after Russia's ongoing invasion of Ukraine began, the country takes a look back at the turbulence the nation has faced in its cyber sphere during Q1 2022 and considers the way ahead.
The Cyber Rapid Response Team of the State Cyber Defense Center, or SCPC, which operates under the State Service of Special Communications and Information Protection of Ukraine, shared a report with Information Security Media Group showing that Ukraine faced nearly 14 million suspicious cybersecurity or information security events in the first three months of the year alone.
Of these, 78,000 were treated as critical, the SCPC says. It adds that 63% of the suspicious events were detected within ministries and organizations and another 35% affected regional government administrations.
The statistics were gathered by the SCPC's security operations center, which monitors and detects malicious activity as well as system and network anomalies at several cyber defense facilities across Ukraine. To identify threats, it analyzes data obtained from network devices such as active sensors, firewalls and vulnerability scanners; from workstations and servers; from authorization systems; and from internal and external cyberthreat data sources, the SCPC says.
Nearly a quarter of the data came from internal (9%) and external (15%) cyberthreat data sources, and the largest single share, 35%, came from vulnerability scanners and intrusion detection systems, the report says.
The SCPC divided these information security or cybersecurity incidents into categories and types to better understand the motives of Ukraine's adversaries. The categorization found that malware distribution, phishing, data collection through intrusion, and intrusion attempts against critical systems are the primary motivations and methods of Ukraine's adversaries.
The majority of the attacks are, unsurprisingly, tracked as coming through Russia, but the SCPC says it has also traced attacks back to other major countries, including China, South Korea, the U.S., India and Bangladesh, among others. The SCPC clarifies, however, that this does not necessarily mean the cyberattacks have been attributed to those countries. "The tracking has been done based on the number of positives targeting Ukrainian regions from other countries' IP addresses, and IP location is only a country's delegation name." Anyone can use a virtual private network or other resources to route traffic via another country's IP address, the SCPC says.
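To make the report's rollup concrete, here is an added Python example (not SCPC code, and not drawn from the report) that summarizes a constructed alert feed the way the SCPC presents its data: counts by category, critical-severity count, counts by Ukrainian region, and counts by the country a source IP is delegated to. The prefix-to-country table and every alert record are constructed for illustration; the prefixes are RFC 5737 documentation ranges labelled with countries purely for the example. The per-country counter is labelled as delegation, not attribution, because, as the SCPC stresses, a registry delegation says who holds the address block, not who was behind the keyboard.

```python
"""Roll a SOC alert feed up into category, severity, region and
source-delegation counters (added example, not SCPC tooling)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed delegation table. RFC 5737 TEST-NET prefixes are used so the
# example never names a real operator; the country labels are hypothetical.
DELEGATIONS = {
    ip_network("203.0.113.0/24"): "RU",   # hypothetical label for the example
    ip_network("198.51.100.0/24"): "CN",  # hypothetical label for the example
    ip_network("192.0.2.0/24"): "US",     # hypothetical label for the example
}


@dataclass(frozen=True)
class Alert:
    ts: str          # ISO-8601 timestamp from the sensor
    region: str      # Ukrainian region where the monitored facility sits
    category: str    # malware, phishing, intrusion_attempt, ddos
    severity: str    # info, warning, critical
    src_ip: str      # source address reported by the sensor


# Constructed sample feed; these are not real telemetry records.
SAMPLE_ALERTS = [
    Alert("2022-03-04T10:01:00Z", "Kharkiv", "malware", "critical", "203.0.113.10"),
    Alert("2022-03-04T10:02:00Z", "Kyiv", "phishing", "warning", "198.51.100.7"),
    Alert("2022-03-04T10:03:00Z", "Kyiv", "intrusion_attempt", "critical", "203.0.113.11"),
    Alert("2022-03-04T10:04:00Z", "Dnipro", "ddos", "warning", "192.0.2.44"),
    Alert("2022-03-04T10:05:00Z", "Lviv", "phishing", "info", "203.0.113.12"),
    Alert("2022-03-04T10:06:00Z", "Kharkiv", "malware", "warning", "10.0.0.5"),
]


def delegated_country(ip: str) -> str:
    """Return the registry country for ip, or 'unknown' if no prefix matches.

    This is the 'delegation name' the SCPC describes: it identifies the
    holder of the address block, not the actor using it (VPN exit nodes,
    proxies and compromised hosts all break that link).
    """
    addr = ip_address(ip)
    for net, country in DELEGATIONS.items():
        if addr in net:
            return country
    return "unknown"


def summarize(alerts) -> dict:
    """Produce the counters a report like the SCPC's presents."""
    return {
        "total": len(alerts),
        "critical": sum(1 for a in alerts if a.severity == "critical"),
        "by_category": dict(Counter(a.category for a in alerts)),
        "by_region": dict(Counter(a.region for a in alerts)),
        # Explicitly named as delegation so nobody reads it as attribution.
        "by_delegated_country": dict(
            Counter(delegated_country(a.src_ip) for a in alerts)
        ),
    }


def share(summary: dict, table: str, key: str) -> float:
    """Percentage of all events that fall under summary[table][key]."""
    if summary["total"] == 0:
        return 0.0
    return round(100.0 * summary[table].get(key, 0) / summary["total"], 1)


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"total={s['total']} critical={s['critical']}")
    for table in ("by_category", "by_region", "by_delegated_country"):
        print(table, s[table])
    print("RU delegation share:", share(s, "by_delegated_country", "RU"), "%")
    print("note: delegation counts positives per source block, not attribution")
```

The `by_delegated_country` table answers the question the SCPC actually asked (how many positives arrived from addresses delegated to each country) and nothing more; any attribution claim needs independent evidence such as tooling, infrastructure overlap or tradecraft.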
When it comes to the regions in Ukraine that have been targeted during these cybersecurity events, the SCPC says, Kharkiv, Kyiv, Dnipro and Lviv top the list.
These cybersecurity events have primarily been initiated via phishing and unpatched vulnerabilities, followed by DoS/DDoS attacks, the SCPC's report shows. This coincides with a recent report that found state-sponsored threat actors not only from Russia but also from China, Iran and North Korea are using Ukraine war-related themes for phishing (see: State-Sponsored Actors Using Russia-Ukraine War for Phishing).
Malware Targeting Ukraine
The SCPC says that its adversaries have drawn on an entire suite of malware families, including remote access Trojans, worms, adware, spyware, stealers, keyloggers, viruses, wipers and other Trojans. Among them are:
- Saint Bot
- Cobalt Strike
- Hermetic Wiper
Active Threat Groups
The most active groups that attacked Ukraine in Q1 2022 were representatives of the Russian Federation, which include some military-backed threat actors, the SCPC claims. Some of the more notable ones are:
- Armageddon/Gamaredon - UAC-0010;
- IcedID/Trickbot - UAC-0098;
- Sandworm - UAC-0082;
- APT28/Strontium - UAC-0028;
- APT29/Nobelium/Cozy Bear - UAC-0029;
- SunSeed/Asylum Ambuscade - UAC-0064;
- InvisiMole - UAC-0035;
- Killnet - UAC-0108.
Beware of Gamaredon and Killnet's DDoS Attacks
Researchers at China-based cyberthreat intelligence company 360 Qihoo reportedly found a series of DDoS attacks launched by the Russia-affiliated group Gamaredon, which it tracks as APT-C-53. The company also reported that the group has released the code of a DDoS Trojan called LOIC, which is open-source software available on GitHub.
This malware copy was found between March 4 and March 5, just a few days after the Russian invasion of Ukraine began, the researchers say.
While monitoring a batch of C2 servers that the Qihoo researchers believe belong to the threat group, they found multiple C2 servers distributing LOIC, which is compiled for .NET.
"The distribution of the LOIC Trojan may be the prelude to a new round of DDoS attacks," the researchers say.
The attacks are not confined to Ukraine: on Monday, Italy's Computer Security Incident Response Team issued an alert to raise awareness of the potential risk of cyberattacks against its national entities.
The Italian CSIRT also referred to DDoS attacks that the country suffered during the Eurovision music competition held in Turin (see: Italian Police Repel Online Attempt to Disrupt Eurovision).
At the time, the Killnet group had vowed reprisals for Russia's exclusion from the annual music competition, and in the past couple of days Killnet's operators have been actively posting messages on the group's Telegram channel about attacks against Italy.
"Following the malicious campaigns perpetrated by Russian-linked actors and the DDoS attacks that occurred between May 11 and 21, against national subjects, as part of the monitoring activities carried out by CSIRT Italy, signals and threats continue to be detected of possible imminent attacks to damage in particular public national subjects, private subjects that provide a public utility service or private subjects whose image is identified with the country of Italy," the Italian CSIRT alert says.