
Ukraine’s cyber agency tracks ‘significant increase’ in malware-directed attacks

Soldiers with Ukraine's Territorial Defense stand guard at a defensive outpost on June 29, 2022, in the Kramatorsk Region, Ukraine. The country's cyber defense agency said malware-directed attacks against the government, local authorities and mass media have increased significantly in the past three months. (Photo by Scott Olson/Getty Images)

Five months after Russia’s invasion, Ukraine continues to see significant increases in cyberattacks targeting state systems and infrastructure as a result of the war, according to the country’s top cyber defense agency.

A new report released Tuesday by Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) says that while the months leading up to and immediately following the invasion included a flurry of 40 distinct critical cyberattacks, the frequency and volume have risen substantially over the second quarter of the year. Drawing from its national Vulnerability Detection and Cyber Incidents/Cyber Attacks Response System, the agency observed another 24 registered incidents and 19 billion “events” targeting state and critical infrastructure, with the main targets being the Ukrainian government, local authorities and mass media institutions.

The number of critical events classified as “malicious code” incidents was also up 38% compared with the first three months of the year, something that “indicates [a] significant increase in the level of malicious network activity associated with malware distribution and malware usage attempts for infecting new/ exploitation of previously infected botnet devices.” Those incidents largely leveraged major browsers like Chrome, Firefox, Internet Explorer, Safari and Opera as malware distribution channels, though other software like Outlook and BitTorrent was also used. Remote code execution and authentication bypass were the most common classes of exploit observed.

“The main goal of hackers remains cyberespionage, disruption of the availability of state information services and even destruction of information systems with the help of wipers,” the agency wrote. “In the second quarter of 2022, we saw a significant increase in the activity of hacker groups in the distribution of malware, which includes both data stealing and data destruction programs.”

While the agency believes “the absolute majority” of those attacks have been directed by Russia and hacking groups like Sandworm and Gamaredon, the IP addresses for the most recent wave have largely come from outside Russia, something SSSCIP attributes to internet service providers cutting off service to known Russian government IPs in the aftermath of the invasion. Cybersecurity experts often warn against relying on IP addresses to attribute cyberattacks, as many hacking groups have become adept at using VPNs and command-and-control infrastructure purchased or established in other countries to cover their tracks.

Activity from hacktivists, other actors a defining trait of Russian-Ukrainian conflict

One of the defining traits of the war has been an unprecedented amount of activity from “hacktivists” or non-state actors who have jumped into the fray on one side or another. In addition to Sandworm, Gamaredon, Fancy Bear and other advanced persistent threat groups linked to the Russian government, there’s also evidence criminal hacking groups and botnets have upped their level of activity.

Earlier this month, IBM’s X-Force security team released research indicating that between mid-April and mid-June, the TrickBot group and Conti ransomware gang have “been systematically attacking Ukraine since the Russian invasion,” with at least six distinct hacking campaigns leveraging a variety of malware strains. This is notable because the researchers say TrickBot did not have a meaningful footprint in the country prior to the invasion, and previous versions of its malware were configured to avoid Ukrainian-language systems and devices.

“The observed activities reported in this blog highlight a trend of this group choosing targets that align with Russian state interests against the backdrop of the ongoing conflict,” wrote Ole Villadsen, Charlotte Hammond and Kat Weinberger on July 7.

But the “hacktivism” has also included loosely formed vigilante groups from around the world that have been targeting Russia and its war effort. Ukrainian Vice Prime Minister Mykhailo Fedorov sanctioned a volunteer “IT Army” made up of international volunteers who could conduct offensive operations against Russian government and infrastructure. Fedorov coordinated the project via Telegram and translated targeting directives into English for international audiences, as SC Media’s Joe Uchill reported in March. Last month, Bloomberg reported that Belarusian hackers who oppose their government and its support for the war have been launching cyberattacks to disrupt the rail systems Russia used to mobilize troops.

The encouragement of such campaigns by the Ukrainian government has in turn caused friction with U.S. counterparts, who have spent years publicly calling on the Russian government to crack down on ransomware attacks and other malicious activity coming from inside its borders. At the RSA Conference in San Francisco last month, NSA cybersecurity director Rob Joyce said that as much as U.S. officials want to see Ukraine succeed, the endorsement of international vigilante hacking groups has complicated those efforts.

“I think all of us wanted to root for those folks. It was a little bit of a challenge that they were out there launching attacks on another country in an era where we’re trying to hold the Russians accountable for the attacks emanating out of their space, right?” said Joyce. “So as much as we wanted to root for those folks and confer a job well done, it really did cause problems in the way we’re trying to set international norms.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
