As we reported last week, cyberattacks are being used on both sides of the Russia-Ukraine conflict. Two new reports out today take a deeper look at how the cyber aspect of the conflict is developing.
Accenture’s Cyber Threat Intelligence team has been looking at how threat actors have been dividing along ideological lines. Meanwhile, Aqua Security’s Team Nautilus has been analyzing the cloud technologies used in the conflict.
“The ongoing conflict between Russia and Ukraine is raging not only in the physical realm but also on the cyber front, where different actors — government, hacktivist groups, and individuals — are trying to contribute their part,” writes Nitzan Yaakov, security data analyst at Aqua Security on the company’s blog.
Aqua’s research finds that a wiper malware attack was launched by Russia before the commencement of the military campaign. This was followed by a wave of DDoS attacks. As things have developed, however, hacktivist groups like Anonymous have focused their efforts on attacking government and organizations in Russia.
Aqua has analyzed container images in Docker Hub and popular code libraries looking for indicators of specific action on either side. It has uncovered published instructions and source code on GitHub, including a list of targets with Russian website addresses.
Data collected from honeypots confirms last week’s report that the majority of attacks are currently against Russian targets — with 84 percent of the targets affiliated with IP addresses in Russia and only 16 percent in Ukraine.
You can read more on these findings on the Aqua blog along with advice on how western organizations should prepare for potential attacks.
Accenture’s report looks at how the criminal underground is increasingly dividing itself, sympathizing with either Russia or Ukraine. Threat actors who previously acted opportunistically, with financial motivations and a global outlook, are now following a highly targeted attack pattern.
Pro-Ukrainian actors on the dark web are refusing to sell, buy, or collaborate with Russian-aligned actors and are increasingly attempting to target Russian entities in support of Ukraine. Meanwhile, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting ‘enemies of Russia.’
The pro-Russia camp is also looking to target Western organizations, in particular financial and insurance entities due to the perception that they are the working arms of financial sanctions. Utilities and resources are also a target due to those organizations’ importance as critical national infrastructure.
Accenture identifies evidence of hacker-on-hacker activity too. After the Conti Team, LockBit and CoomingProject ransomware collectives publicly stated their support for the Russian government, they were hit by a breach by a Ukrainian security researcher, resulting in the disclosure of Conti Team’s source code, tactics, techniques and procedures, and internal group communications. On the other side, the RaidForums domain was taken offline by an attack after that forum’s statement of pro-Ukrainian support.
Ransomware groups have also shifted their focus, choosing targets based on political motives rather than financial gain. This has led to targeting of Western critical national infrastructure after the near complete absence of such targeting by ransomware groups, access sellers and their associated actors following the ban of ransomware groups from some dark web forums in 2021 in the wake of the Colonial Pipeline attack.
You can find more detail and protection advice on the Accenture blog.
Image credit: PantherMediaSeller/depositphotos.com