PolySwarm Threat Bulletin
THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS
Background
PolySwarm recently released several publications and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict:
Current Status
From mid-February to the present, Ukrainian entities have suffered multiple DDoS attacks. The earlier wave targeted Ukrainian financial institutions and government sites with a combination of DDoS and BGP hijacking; affected sites included those of Ukraine's Ministry of Defense, PrivatBank, and Oschadbank, and some online transactions and ATMs were temporarily unavailable. The US and UK attributed those attacks to Russia, with the UK stating it has evidence pointing to Russia's Main Intelligence Directorate (GRU). In a blog post, Cado Security traced the attacks to the Katana botnet, a Mirai-derived botnet. PolySwarm has malware samples associated with these attacks.
On February 21, after recognizing the independence of the self-proclaimed Luhansk People's Republic and Donetsk People's Republic, two territories in eastern Ukraine, Russia sent troops into both for what Russian President Putin called "peacekeeping" operations. Western countries expect the situation to escalate; the US and European Union have announced financial sanctions against Russia.
On February 23, DDoS attacks again targeted Ukrainian government websites, including those of Ukraine's Ministry of Defense, Ministry of Foreign Affairs, and Parliament. Later that day, Symantec Threat Intelligence and ESET Research tweeted about a new wiper malware being used against targets in Ukraine. PolySwarm also has samples of this wiper. At present, it is unclear whether Russian threat actors are involved in these attacks.
IOCs
SHA-256 hashes for samples associated with the Katana botnet DDoS attacks on Ukrainian websites:
82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf
978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed
SHA-256 hashes for samples of the newly reported wiper malware targeting Ukrainian assets:
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
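As an added example (not part of the bulletin and not PolySwarm's code), the following Python script sweeps a directory for files whose SHA-256 digest matches the indicators listed above. It validates the IOC strings before use, hashes files in chunks so large binaries are not read into memory at once, and skips symlinks by default. The function and variable names are this example's own; any sample files used to exercise it are constructed.

```python
"""IOC sweep: hash files on disk and match them against the bulletin's SHA-256 indicators."""
import hashlib
import os
import re
from pathlib import Path

# SHA-256 indicators copied from the bulletin above.
KATANA_SHA256 = {
    "82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf",
    "978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed",
}
WIPER_SHA256 = {
    "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591",
    "96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84",
    "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf",
}

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_iocs(hashes):
    """Lower-case and validate SHA-256 strings; reject anything that is not 64 hex characters.

    A typo in an IOC list silently matches nothing, so fail loudly instead.
    """
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if not _SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs, follow_symlinks=False):
    """Walk `root`, hash every regular file, and return {path: sha256} for files whose digest is in `iocs`.

    Symlinks are skipped unless follow_symlinks=True, so a planted link cannot drag the
    sweep out of the target tree. Unreadable or vanished files are skipped, not fatal.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() and not follow_symlinks:
                continue
            if not p.is_file():
                continue
            try:
                h = sha256_file(p)
            except OSError:
                continue
            if h in iocs:
                hits[str(p)] = h
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = sweep(target, normalize_iocs(KATANA_SHA256 | WIPER_SHA256))
    for path, h in sorted(matches.items()):
        print(f"MATCH {h}  {path}")
    print(f"{len(matches)} match(es) under {target}")
```

Run it as `python sweep.py /path/to/tree`. A match is a confirmed copy of a listed sample; a clean sweep is not a clean host, since file-hash indicators are defeated by any recompilation or byte-level change, so treat this as triage alongside network and behavioural detection rather than as the only check.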
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports