Cyberwarfare enters uncharted territory
Vigilante hackers insert themselves in the ongoing Russia-Ukraine conflict
We are now well into the second week of the war in Ukraine, after Russian forces launched an unprovoked, long-anticipated attack on the democratic sovereign nation on February 24. It’s also the first major war to break out in today’s information age, and as the events continue to unfold, the conflict on the physical battlefield has also provoked combat in the cyber realm.
Ukraine has been hit by a blitzkrieg of data wiper and distributed denial-of-service (DDoS) attacks, prompting hacktivists fighting on its side to stage retaliatory assaults on Russian government, media, and financial entities.
Involved in these incursions are “swarms” of civilian volunteer hacker groups, who have been enlisted to fight Russia in cyberspace to take down or deface the official websites with antiwar messaging, leak data belonging to rivals, and report Russian troop locations.
The legal ramifications notwithstanding, the hostile hacking efforts mark a drastic and unpredictable expansion of cyberwarfare and are likely to have a longstanding impact on the threat landscape, not to mention make attribution difficult and have escalatory consequences on the ground.
“The online battles have blurred the lines between state-backed hackers and patriotic amateurs, making it difficult for governments to understand who is attacking them and how to retaliate,” The New York Times reported. “But both Ukraine and Russia appear to have embraced tech-savvy volunteers, creating channels on the chat app Telegram to direct them to target specific websites.”
While Ukraine has been successful at mobilizing a 290,000-member-strong IT Army, a pro-Russian Telegram channel called Russian Cyber Front has been busy waging counterattacks aimed at Ukrainian government websites, potentially raising the risk of ‘tit-for-tat’ offensives directed toward the U.S. and other countries.
Hacktivism may seem like the harbinger of future wars, but ultimately, it all depends on how the cyber operations supporting the Ukrainian cause are perceived and whether they end up being considered a criminal offense or not.
“Anyone not working on behalf of a government having serious conversations about ‘hacking back’ or launching cyber attacks against Russia please understand — respectfully — you’re an idiot and only going to make matters worse,” Robert M. Lee, co-founder and CEO of Dragos, tweeted.
What’s trending in security?
🔻 As the cyber attacks against Ukrainian government entities continue, a second, unrelated wiper called IsaacWiper has been detected on systems hours after Russia’s kinetic invasion of the country on February 24. ESET, which found the new strain, said it was discovered on a network not affected by HermeticWiper. It’s unclear if there is any link between the two malware families, but what is known is that IsaacWiper is much less sophisticated than HermeticWiper and exhibits no code similarities, raising the possibility that the attacks could have been the work of a different threat actor.
What’s more, threat actors are distributing malware using phishing themes related to Russia’s ongoing invasion of Ukraine, aiming to infect their targets with remote access trojans (RATs) such as Agent Tesla and Remcos. “We have seen several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption,” Amazon said. “In these particularly egregious cases, malware has been targeted at disrupting medical supplies, food, and clothing relief.”
Meanwhile, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of new phishing attempts directed at Ukrainian individuals, which use hijacked email accounts belonging to three separate Indian businesses to infiltrate their inboxes and steal sensitive data. The emails ostensibly alert recipients of an illegal attempt to log in to their accounts from an IP address situated in Donetsk, and urge them to change their passwords by clicking on a link, only to siphon the credentials and take control of the email inboxes.
The fact that the messages are sent from email addresses belonging to three different Indian entities suggests that the phishing emails were distributed through already hacked email accounts. Email addresses from an Indian academic institution based in the city of Bengaluru are also featured in the list.
In a related development, Ukraine said that hackers have broken into local government websites to spread false reports that Kyiv had capitulated and signed a peace treaty with Moscow. [Bitdefender / Amazon]
⚠️ A stealthy backdoor program discovered in tools used by China-linked threat actors has targeted government computers at multiple foreign agencies, allowing attackers to retain a presence on sensitive networks and exfiltrate data — while remaining undetected as part of long-term strategic attack campaigns. Daxin is a backdoor, which means that it allows the attacker to control systems infected with the program.
The tool allows the attackers to read and write files and start and interact with processes, a small menu of features, but ones that allow full control of the system. What’s more, similarities between the code bases of Daxin and previously known malware called Zala suggest the group has been active since 2009, with Daxin improving on Zala’s pre-existing networking features. [The Hacker News]
🔥 The Russia-based Conti extortionist gang suffered a breach of its own after it chose to side with Russia in the ongoing conflict, prompting an anonymous Ukrainian researcher (or a Conti affiliate?) to leak the gang’s internal conversations as well as the source code for their ransomware, and administrative panels, fueling concerns that the move could incite other cyber criminals to replicate the code to spawn new variants. [The Hacker News]
🏦 The insidious TeaBot (aka Anatsa or Toddler) banking malware has once again been observed infiltrating the official Android Play Store through malicious dropper apps that masquerade as QR code readers.
It’s not just TeaBot. New SharkBot droppers have been detected on the Play Store too. The malicious apps come with a three-layer attack chain, with one layer masquerading as the antivirus, followed by a second layer that acts as a scaled-down version of SharkBot, which then updates by downloading the fully-fanged version of the malware. [The Hacker News]
⚡ Threat actors are leveraging a new technique called TCP Middlebox Reflection to carry out DDoS attacks for the first time in the wild. The attack leverages middleboxes, which are packet inspection systems used for content filtering (such as pornography) and enforcing censorship, by taking advantage of the fact that these devices don’t take Transmission Control Protocol (TCP) stream states into account when attempting to block access to a resource.
For attackers, this TCP non-compliance in network middleboxes sets the stage for creating “highly effective” TCP-based reflective amplification attacks, where they spoof source IP addresses of the intended victim, resulting in the middleboxes directing voluminous response traffic at the victim. [The Hacker News / Ars Technica]
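A defender-side illustration of the mechanism described above, added here and not taken from the newsletter or the cited articles: because the middleboxes answer spoofed packets, the victim receives TCP responses for connections it never opened, and that asymmetry is what a receiving network can look for. The protected host address, the flow records and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One flow record per observed segment: (src_ip, dst_ip, tcp_flags, payload_bytes)
Flow = Tuple[str, str, str, int]

# Constructed sample records. 10.0.0.5 is the protected host; the 198.51.100.x
# addresses stand in for middleboxes that reflected traffic toward it.
FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", "S", 0),       # host opens a legitimate connection
    ("203.0.113.10", "10.0.0.5", "SA", 0),      # expected SYN/ACK
    ("203.0.113.10", "10.0.0.5", "PA", 1400),   # expected data
    ("198.51.100.7", "10.0.0.5", "PA", 52000),  # unsolicited: injected block page
    ("198.51.100.8", "10.0.0.5", "PA", 48000),  # unsolicited: injected block page
    ("198.51.100.9", "10.0.0.5", "SA", 0),      # unsolicited SYN/ACK, no local SYN
]


def unsolicited_inbound(flows: List[Flow], host: str) -> Dict[str, int]:
    """Payload bytes per remote source that reached `host` although `host`
    never sent a SYN to that source, i.e. no local handshake explains them.
    Records must be in chronological order."""
    initiated = set()                 # peers the host itself connected to
    unsolicited = defaultdict(int)
    for src, dst, flags, nbytes in flows:
        if src == host and "S" in flags and "A" not in flags:
            initiated.add(dst)        # pure SYN from the host: peer is expected
        elif dst == host and src not in initiated:
            # SYN/ACK, RST or data for a connection the host never opened;
            # counted even at 0 bytes so SYN/ACK floods still register a source
            unsolicited[src] += nbytes
    return dict(unsolicited)


def reflection_suspected(flows: List[Flow], host: str,
                         min_sources: int = 3, min_bytes: int = 50_000) -> bool:
    """Alert when unsolicited responses come from many distinct sources or
    carry a large volume, the signature of reflected/amplified TCP traffic."""
    stats = unsolicited_inbound(flows, host)
    return len(stats) >= min_sources or sum(stats.values()) >= min_bytes
```

The check only works at the receiving edge; the upstream fix is source-address validation on the networks the spoofed packets leave from, so middleboxes never get to answer on the victim's behalf.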
🗄️ The past week in data breaches, leaks, and ransomware: Aon, Axis Communications, Bridgestone, Monongalia Health System, The State Bar of California, and Toyota.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!