PolySwarm Threat Bulletin
THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS
PolySwarm recently released several publications and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict:
- In Russia-Ukraine Conflict and Cyberwar Implications, we discussed political tensions between Russia and Ukraine, past cyber altercations between the two nations, and potential cyber and kinetic implications if the current conflict escalates.
- In Armageddon Activity Targeting Ukraine, we provided commentary and IOCs for ongoing cyber activity targeting Ukraine, which industry analysts attributed to the Russian state-sponsored threat actor group Armageddon.
- In US and European Banks Fear Russian Cyber Attack, we discussed US and European banks preparing for a potential cyberattack against their financial institutions. Western nations feared Russian threat actors might launch such attacks in retaliation for sanctions.
From mid-February to the present, Ukrainian entities have suffered multiple DDoS attacks. Earlier attacks targeted both Ukrainian financial institutions and government sites with a combination of DDoS attacks and BGP hijacking. The sites affected included those of Ukraine's Ministry of Defense, PrivatBank, and Oschadbank. Additionally, some online transactions and ATMs were temporarily unavailable. The US and UK blamed Russia for those attacks, with the UK claiming to have evidence pointing to Russia’s Main Intelligence Directorate (GRU) as responsible. In a blog post, Cado Security noted the attacks were traced to the Katana botnet, an updated version of the Mirai botnet. PolySwarm has malware samples associated with these attacks.
On February 21, after recognizing the independence of the Luhansk People's Republic and the Donetsk People's Republic, two territories located in eastern Ukraine, Russia sent troops into both for what Russian President Putin called "peacekeeping" operations. Western countries currently expect the situation to escalate, and the US and European Union have announced financial sanctions against Russia.
On February 23, DDoS attacks targeted Ukrainian government websites. Sites targeted included those belonging to Ukraine's Ministry of Defense, Ministry of Foreign Affairs, and Parliament. Later in the day, Symantec Threat Intelligence and ESET Research tweeted about a new wiper malware being used against targets in Ukraine. PolySwarm has samples of this wiper malware as well. At present, it is unclear whether Russian threat actors are involved in these attacks.
Hashes for samples associated with the Katana botnet DDoS attack on Ukrainian websites:
Hashes for samples of the newly reported wiper malware targeting Ukrainian assets: