The PolySwarm Blog


2023 Recap - Cyberwar and Hacktivism in the Russia-Ukraine Conflict

Dec 8, 2023 1:17:32 PM / by The Hivemind


Executive Summary

The Russia-Ukraine conflict has continued throughout 2023, with a plethora of both state-sponsored and hacktivist cyber activity taking place alongside kinetic warfare. In this report, PolySwarm provides the highlights of cyber activity associated with the Russia-Ukraine conflict in 2023.

Key Takeaways

  • Both state-sponsored and hacktivist cyber activity continued alongside kinetic warfare throughout 2023.
  • State-sponsored Russian threat actors engaged in cyberwar have included Cozy Bear, Fancy Bear, VooDoo Bear, Primitive Bear, and Cadet Blizzard.
  • Other notable Russia nexus or pro-Russia threat actor groups have included GhostWriter, RedStinger, KillNet, and Nodaria.
  • Ukraine nexus threat actor groups engaged in the cyber conflict include Cyber Regiment, IT Army of Ukraine, KibOrg, and NLB.
  • Samples of LitterDrifter, a USB worm used by Primitive Bear to target Ukraine, are featured in the IOCs section.

2023 Highlights


GhostWriter

In January, Polish officials reported that government services, private companies, media organizations, and other entities in Poland had been under attack, and attributed the activity to the pro-Russia hacktivist group known as GhostWriter. These politically motivated attacks were likely retaliation for Poland's support of Ukraine in the ongoing conflict and for its designation of Russia as a state sponsor of terrorism.

Cozy Bear

Cozy Bear, also known as APT29 and Nobelium, is a Russia nexus threat actor group tied to the SVR. In a campaign earlier this year targeting NATO and EU entities, Cozy Bear used three droppers: SNOWYAMBER, HALFRIG (which carries an embedded Cobalt Strike payload), and QUARTERRIG. The objective of the campaign was espionage, and initial access came via spearphishing with embassy-themed lures.

Fancy Bear

Fancy Bear, also known as APT28, Pawn Storm, SnakeMackerel, Strontium, Sednit, Sofacy, and Tsar Team, is a Russia nexus APT group associated with Unit 26165 of Russia's military intelligence service, the GRU. The group has been active since at least 2007 and targets government, military, and security entities. In September 2023 it was observed attacking a critical energy facility in Ukraine.

VooDoo Bear

VooDoo Bear, also known as Sandworm, Black Energy, Electrum, Iron Viking, Telebots, and Quedagh, is a Russia nexus APT group active since at least 2009. Industry researchers have linked VooDoo Bear to GRU Unit 74455. Earlier this year, the group was observed using Infamous Chisel, Android malware aimed at devices used by the Ukrainian military, against Ukrainian entities.

RedStinger

RedStinger, also known as Bad Magic, is a little-known threat actor group that has targeted entities in Ukraine since at least 2020, apparently for espionage. It has been observed conducting ongoing campaigns against multiple Ukrainian entities, including those in the defense, transportation, and critical infrastructure verticals.

Cadet Blizzard

Cadet Blizzard, previously tracked as DEV-0586, is a Russia nexus state-sponsored threat actor group with potential ties to the Russian General Staff Main Intelligence Directorate (GRU). It has been active since at least 2020; the WhisperGate wiper deployed against Ukrainian targets in January 2022 is its best-known malware. The group was most active between January and June 2022, went quiet, and resumed operations in January 2023. Its activity appears to be, by design, less stealthy than other GRU-directed network operations.

Killnet

Killnet, a hacktivist group thought to align with Russian interests, has been active since at least 2022 and is known for DDoS attacks, data theft, and leaks. It targets transportation, defense, government, financial, and telecommunications entities, and has been observed attacking organizations that express pro-Ukraine sentiment, including those in the US, Europe, and other NATO countries.

Nodaria

Earlier this year, a Russia nexus threat actor group dubbed Nodaria was observed using the Graphiron infostealer against entities in Ukraine. Graphiron is written in Go and steals system information, credentials, and files, can capture screenshots of the victim machine, and exfiltrates the collected data to its C2. Nodaria conducts espionage, but it is unclear whether the group is state sponsored.

Primitive Bear

Check Point Research recently reported on LitterDrifter, a USB worm used by Primitive Bear, also known as Armageddon, Gamaredon, Actinium, and Shuckworm. The group has been one of the most active APT groups targeting Ukrainian assets, and its activity has traditionally involved espionage aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. The SSU report stated the group has been active since at least 2014 and engaged in multiple cyber-espionage campaigns between 2017 and 2021. It also notes that Primitive Bear does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Tools and TTPs used by Primitive Bear include spearphishing, the Pteranodon RAT, PowerShell, FileStealer, and EvilGnome.

LitterDrifter is a USB worm written in VBScript. It copies itself to removable drives as a hidden file alongside LNK shortcuts, so a new host is infected when a user opens one of the shortcuts on an infected drive; the worm then communicates with the threat actor-controlled C2. While entities in Ukraine were the apparent target, industry researchers report that it has spread beyond Ukraine, with possible infections observed in the USA, Vietnam, Chile, Poland, Germany, and Hong Kong.

Cyber Regiment

While most of the threat actor groups featured in this report are Russia nexus, Cyber Regiment is a Ukraine nexus hacktivist group. Cyber Regiment describes itself as a group of Ukrainian volunteers who collaborate to compensate for Ukraine's lack of a traditional cyberwar capability. It is known to conduct both DDoS attacks and espionage campaigns.

IT Army of Ukraine

The IT Army of Ukraine is another Ukraine nexus hacktivist group. It is known for high-profile cyber attacks on Russian entities and also works in a defensive capacity to protect Ukraine's critical networks. The IT Army of Ukraine is officially endorsed by Ukraine's Ministry of Digital Transformation.

KibOrg and NLB

In October, two Ukraine nexus hacktivist groups, KibOrg and NLB, claimed to have hacked Alfa-Bank, Russia's largest private bank. While both are hacktivist groups, reports suggest Ukraine's Security Service (SBU) also played a role in the attack.

IOCs

LitterDrifter is one of the most recently reported malware families used in the Russia-Ukraine conflict, so we feature LitterDrifter samples in this report.

PolySwarm has multiple samples of LitterDrifter. Their SHA-256 hashes are listed below.

81f7360302e4dcc3e315ac51b0ab1945004809cad1e622ad7a7452889dad3bd7

3cfb6514e51f40a4c325e04a35c174af4dab95167019e6aa36a2c422e35d7b72

0afc3ea3b44cd706064b8f16111c7cd9ed26a3037c32d5d4a028e8115022ec62

F4a7d9cdff19143a60cf4799d1b606b0d9ce64baacbd67fb1822e407bd1ea4d4

3847eec2194dff08e78cb53f4f82e21279f2404e75141a6c49587174ed778e0c

04d09ab77533339a066c2e5f3edd52a698d917acc6bd9b6e5427763bbeb5fa05

Dcfa6e2ee9d3abad0db0e3091e547e3e6f14392878ab743f1710fa880ea23385

668ef6c539a86d33a2ffbf8f1e0fa5397afe1d2aabbfa366d518c0f118b0f192

50f5e8f673915508d2add406f1c72de5112a01a1b3fdd41b314029c796a7d754

75af5df8c980b8d72aab973933ed70eccdce1615bddd9529b2c15464eb5a453a

770e54488ef69cd5d02ff481cacbede1dff0fad5a1665f7c5e3dbd550a4489ce

1c4a509e0115d4065be82ea37dfe260bc7a7297c4973cc988d4d9a46438edca1

3e446429af9c953c69f13697d3ab6af47eab1331faa9c4abc32d01f9695199ad

8eeea77585849de67402bbaffc5f7a66f9e027c700ec7d258d1cfbff5d7a2a1a


You can use the following CLI command to search for all LitterDrifter samples in our portal:

$ polyswarm link list -f LitterDrifter
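The hash list above is only useful if it is matched correctly: two of the hashes are printed with an uppercase first hex digit, and a case-sensitive comparison against lowercase telemetry would silently miss those two samples. The following script is an added example (it is not PolySwarm's tooling) that loads the list, rejects anything that is not a well-formed SHA-256, and matches the normalized hashes against files on disk and against hash fields in log lines. The log lines are constructed for illustration and are not real telemetry.

```python
"""Match the LitterDrifter SHA-256 IOCs from this report against file hashes
and against hashes embedded in log lines. Added example, not PolySwarm code."""

import hashlib
import re
from pathlib import Path

# SHA-256 hashes copied from the IOC list above. Two of them (F4a7..., Dcfa...)
# are printed with an uppercase first digit; load_iocs() lowercases everything.
LITTERDRIFTER_SHA256 = """
81f7360302e4dcc3e315ac51b0ab1945004809cad1e622ad7a7452889dad3bd7
3cfb6514e51f40a4c325e04a35c174af4dab95167019e6aa36a2c422e35d7b72
0afc3ea3b44cd706064b8f16111c7cd9ed26a3037c32d5d4a028e8115022ec62
F4a7d9cdff19143a60cf4799d1b606b0d9ce64baacbd67fb1822e407bd1ea4d4
3847eec2194dff08e78cb53f4f82e21279f2404e75141a6c49587174ed778e0c
04d09ab77533339a066c2e5f3edd52a698d917acc6bd9b6e5427763bbeb5fa05
Dcfa6e2ee9d3abad0db0e3091e547e3e6f14392878ab743f1710fa880ea23385
668ef6c539a86d33a2ffbf8f1e0fa5397afe1d2aabbfa366d518c0f118b0f192
50f5e8f673915508d2add406f1c72de5112a01a1b3fdd41b314029c796a7d754
75af5df8c980b8d72aab973933ed70eccdce1615bddd9529b2c15464eb5a453a
770e54488ef69cd5d02ff481cacbede1dff0fad5a1665f7c5e3dbd550a4489ce
1c4a509e0115d4065be82ea37dfe260bc7a7297c4973cc988d4d9a46438edca1
3e446429af9c953c69f13697d3ab6af47eab1331faa9c4abc32d01f9695199ad
8eeea77585849de67402bbaffc5f7a66f9e027c700ec7d258d1cfbff5d7a2a1a
"""

# Whole-line SHA-256 for the IOC list; in-text SHA-256 (not part of a longer
# hex run) for log lines.
SHA256_LINE = re.compile(r"^[0-9a-fA-F]{64}$")
SHA256_ANY = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def load_iocs(text):
    """Parse one hash per line -> (set of lowercased hashes, rejected lines).
    Rejected lines are returned, not dropped, so a truncated or mis-pasted
    hash is noticed instead of silently shrinking the watchlist."""
    iocs, rejected = set(), []
    for raw in text.splitlines():
        token = raw.strip()
        if not token:
            continue
        if SHA256_LINE.match(token):
            iocs.add(token.lower())
        else:
            rejected.append(token)
    return iocs, rejected


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs):
    """Hash every regular file under root; return (path, sha256) for IOC hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((path, digest))
    return hits


def match_log_lines(lines, iocs):
    """Find IOC hashes anywhere in log lines (e.g. an EDR or Sysmon export).
    Returns (1-based line number, lowercased hash) per hit; the comparison is
    case-insensitive because tools disagree on hex casing."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in SHA256_ANY.finditer(line):
            digest = m.group(0).lower()
            if digest in iocs:
                hits.append((lineno, digest))
    return hits


# Constructed sample lines (not real telemetry) in a Sysmon-like key=value style.
# Line 1 carries an IOC in uppercase, line 2 a benign hash, line 3 an IOC as printed.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\wscript.exe Hashes=SHA256="
    "F4A7D9CDFF19143A60CF4799D1B606B0D9CE64BAACBD67FB1822E407BD1EA4D4",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=SHA256=" + "0" * 64,
    "EventID=11 TargetFilename=D:\\script.vbs Hashes=SHA256="
    "Dcfa6e2ee9d3abad0db0e3091e547e3e6f14392878ab743f1710fa880ea23385",
]

if __name__ == "__main__":
    import sys

    iocs, rejected = load_iocs(LITTERDRIFTER_SHA256)
    print(f"loaded {len(iocs)} IOCs, rejected {len(rejected)} malformed lines")
    for lineno, digest in match_log_lines(SAMPLE_LOG, iocs):
        print(f"log line {lineno}: LitterDrifter sample {digest}")
    # Optional: pass a directory to hash and check every file under it.
    if len(sys.argv) > 1:
        for path, digest in scan_directory(sys.argv[1], iocs):
            print(f"{path}: {digest}")
```

Run it with no arguments to see the two constructed log hits, or pass a directory (for example a mounted image of a removable drive) to hash every file beneath it against the list. Hash IOCs only catch the exact samples published here; a recompiled or lightly modified LitterDrifter variant will have a different SHA-256, so treat this as a first pass rather than a complete detection.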


Topics: Ukraine, Russia, Threat Bulletin, Primitive Bear, Cozy Bear, Killnet, Cadet Blizzard, LitterDrifter, Ghost Writer, Fancy Bear, VooDoo Bear, RedStinger, Nodaria, Cyber Regiment, IT Army of Ukraine, KibOrg, NLB
