Russian Cyber Attacks on Ukraine: All smoke no fire
Although two months have passed since Russia invaded Ukraine, there has been a distinct lack of publicly successful Russian cyber attacks on Ukrainian entities. This has surprised many members of the security community; the common assumption prior to the invasion was that any physical incursion would be accompanied by significant offensive cyber activity. Analysts anticipated Russian attacks aimed at disrupting or destroying core Ukrainian infrastructure, in turn hindering Ukrainian retaliation.
There have been some notable Russian cyber-threat operations, mostly involved data wiping malware intended to destroy and delete files in targeted systems: “CaddyWiper”, “Industroyer”, “IsaacWiper”, and the “Hermetic Wizard” wormable malware, which spread the “HermeticWiper” malware, have all been observed targeting systems in Ukraine. Additionally, researchers reported that US intelligence attributed a cyber-attack on Ukrainian satellite systems to Russian military operators. However, these operations do not seem to have been the force multiplier Russia likely would have desired.
Three key hypotheses can be drawn from Russia’s apparent lack of significant cyber-victories in Ukraine:
1. Russia did not sufficiently prepare or organise its cyber resources
2. Ukraine adequately prepared itself for the attacks
3. The cyber-security community misjudged the utility and value of offensive cyber operations
However, it is likely that a combination of all three hypotheses explains the lack of Russian success: Russian cyber capabilities have been underused, Ukrainian defences were well prepared, and the security community overvalued cyber warfare in a modern battlespace.
Alongside the absence of successful government-led cyber-attacks, there has also been a distinct lack of cybercrime targeting Ukraine. Although some Russian-language cybercrime groups―such as “Conti” and “CoomingProject” ― have declared support for Russia, no significant increase in high-level cybercrime has been detected affecting Ukrainian entities.
Security updates released to fix critical Spring4Shell flaw
On 04 Apr 2022, VMware released security updates for several products susceptible to the Spring4Shell RCE vulnerability affecting its cloud computing and virtualization products. Since then, the flaw has reportedly been actively exploited. For product versions that lack an official patch, VMware has offered workarounds as temporary solutions. Spring4Shell has a severity rating of 9.8 and can be exploited without authentication, meaning that threat actors with access to vulnerable applications can execute arbitrary commands and gain control of a system.
Sandworm attempts to disrupt Ukrainian energy provider
On 12 Apr 2022, security researchers identified an attempt by the Russian “Sandworm” advanced persistent threat (APT) group to disrupt a Ukrainian energy provider with the “Industroyer” (aka CrashOverride) malware. The recently used version of Industroyer was customized to target high-voltage electrical substations. Destructive malware was used thereafter, such as “CaddyWiper”, “Orcshred”, “Soloshred”, and “Awfulshred”, to erase traces of the attack. Additional tools included the PowerGap PowerShell script and the Impacket Python tool for downloading payloads and remotely execute code.
Conti chat-log analysis reveals group structure and TTPs
At the end of February 2022, a Ukrainian security researcher leaked more than 60,000 internal messages sent by members of the prolific, Russian-speaking ransomware group “Conti”. The messages provided invaluable insight into the group’s structure and TTPs, although making sense of such a large data set presented challenges.
