The PolySwarm Blog

DDoS Attacks and New Wiper Malware Target Ukraine

Feb 25, 2022 2:37:21 PM / by PolySwarm Tech Team


PolySwarm Threat Bulletin
THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS

Background

PolySwarm recently released several publications and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict:

  • In Russia-Ukraine Conflict and Cyberwar Implications, we discussed political tensions between Russia and Ukraine, past cyber altercations between the two nations, and potential cyber and kinetic implications if the current conflict escalates. 
  • In Armageddon Activity Targeting Ukraine, we provided commentary and IOCs for ongoing cyber activity targeting Ukraine, which industry analysts attributed to the Russian state-sponsored threat actor group Armageddon. 
  • In US and European Banks Fear Russian Cyber Attack, we discussed US and European banks preparing for a potential cyberattack against their financial institutions. Western nations feared Russian threat actors may launch these attacks in retaliation to sanctions.

Current Status

From mid-February to the present, Ukrainian entities have suffered multiple DDoS attacks. Earlier attacks targeted both Ukrainian financial institutions and government sites with a combination of DDoS attacks and BGP hijacking. The sites affected included those of Ukraine's Ministry of Defense, PrivatBank, and Oschadbank. Additionally, some online transactions and ATMs were temporarily unavailable. The US and UK blamed Russia for those attacks, with the UK claiming to have evidence pointing to Russia’s Main Intelligence Directorate (GRU) as responsible. In a blog post, Cado Security noted the attacks were traced to the Katana botnet, an updated version of the Mirai botnet. PolySwarm has malware samples associated with these attacks.

On February 21, Russia recognized the independence of the Luhansk People's Republic and the Donetsk People's Republic, two territories located in eastern Ukraine, and sent troops into them for what Russian President Putin called "peacekeeping" operations. Western countries currently expect the situation to escalate, with the US and European Union announcing financial sanctions against Russia.

On February 23, DDoS attacks targeted Ukrainian government websites. Sites targeted included those belonging to Ukraine's Ministry of Defense, Ministry of Foreign Affairs, and Parliament. Later in the day, Symantec Threat Intelligence and ESET Research tweeted about a new wiper malware being used to attack targets in Ukraine. PolySwarm has samples of this wiper malware as well. At present, it is unclear whether Russian threat actors are involved in the attacks.

IOCs

Hashes for samples associated with the Katana botnet DDoS attack on Ukrainian websites:

82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf

978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed


Hashes for samples of the newly reported wiper malware targeting Ukrainian assets:

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84

2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
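The following is an added example, not code from PolySwarm or from this bulletin: a small Python script that sweeps the SHA-256 hashes listed above against either a directory tree (hashing each file) or a list of digests exported from another tool. The hash values are the ones printed in this bulletin; the labels, function names and the benign sample files the self-check writes are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs quoted from this bulletin (lowercase hex). Labels are ours.
KATANA_DDOS_HASHES = {
    "82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf": "Katana botnet DDoS sample",
    "978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed": "Katana botnet DDoS sample",
}
WIPER_HASHES = {
    "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591": "Ukraine wiper sample",
    "96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84": "Ukraine wiper sample",
    "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf": "Ukraine wiper sample",
}
IOC_HASHES = {**KATANA_DDOS_HASHES, **WIPER_HASHES}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return [(path, sha256, label)] for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the sweep.
                continue
            label = IOC_HASHES.get(digest)
            if label:
                hits.append((path, digest, label))
    return hits


def match_hashes(digests):
    """Match an iterable of hex digests (e.g. an EDR or SIEM export) against the IOC set.

    Case and surrounding whitespace are normalised first, since exports differ
    in both; anything that is not 64 hex characters is ignored as non-SHA-256.
    """
    matches = {}
    for raw in digests:
        d = raw.strip().lower()
        if len(d) == 64 and all(c in "0123456789abcdef" for c in d) and d in IOC_HASHES:
            matches[d] = IOC_HASHES[d]
    return matches


def demo():
    """Self-check on a constructed, benign directory tree (no real samples involved).

    Returns the SHA-256 of an empty file and the scan result, which is expected
    to be an empty list because nothing here matches an IOC.
    """
    with tempfile.TemporaryDirectory() as root:
        Path(root, "empty.bin").write_bytes(b"")
        Path(root, "sub").mkdir()
        Path(root, "sub", "notes.txt").write_text("constructed benign file\n")
        empty_digest = sha256_file(Path(root, "empty.bin"))
        hits = scan_tree(root)
    return empty_digest, hits


if __name__ == "__main__":
    digest, hits = demo()
    print("sha256(empty file) =", digest)
    print("IOC hits in benign tree:", hits)
    print(match_hashes(["1BC44EEF75779E3CA1EEFB8FF5A64807DBC942B1E4A2672D77B9F6928D292591"]))
```

A SHA-256 match only catches byte-identical copies of the samples listed here; a rebuilt or repacked binary will have a different hash, so treat a hit as high-confidence confirmation and a miss as no information, and pair this sweep with behavioural detection rather than relying on it alone.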




Topics: Ukraine, Russia, Threat Bulletin, Financial, Wiper, Malware, DDoS, Katana, Government, Defense
