The cyber activities related to the ongoing war in Ukraine have run the gamut from wiper malware hitting organizations and the border control in Ukraine, DDoS attacks aimed at government and media websites, and cyber disruption of satellite-based internet service, to preparations for watering hole attacks, next-level disinformation campaigns, and phishing campaigns.
Support organizations are also active targets. “We have seen several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption. In these particularly egregious cases, malware has been targeted at disrupting medical supplies, food, and clothing relief,” Amazon noted last week.
Many analysts expected more disruption and retaliatory attacks orchestrated by Russian-backed hackers, aimed both at Ukrainian targets and at targets in countries sympathetic to and supporting Ukraine.
Part of the reason they haven’t materialized so far may be the preparatory work done by Ukrainian cyber defenders and US experts over the last seven years. But there’s also the possibility that Russia has yet to employ all of its cyber attack capabilities and trigger more attacks.
Aside from cyber espionage, the current most pressing worry is that ransomware gangs that have sided or might side with Russia could, in short order, deploy their malicious payloads to cripple organizations in the critical infrastructure sector, inflicting damage and chaos on “enemy” countries.
The risks for end users
Individuals looking to help the defensive or aid efforts are also walking through a minefield, courtesy of scammers and cyber crooks looking to capitalize on the terrible state of affairs.
Infoblox researchers have documented (with IoCs) a number of Ukrainian support/relief fraud campaigns, mounted by crooks to steal money, as well as malicious email campaigns using messages related to Russia’s invasion of Ukraine to trick recipients into downloading the Agent Tesla keylogger/RAT.
Individuals that are looking to do more than just support relief efforts are also in the crosshairs of criminals: Cisco Talos researchers have warned that cybercriminals are attempting to exploit unwitting users “seeking tools to carry out their own cyber attacks against Russian entities.”
The criminals are using Telegram channels to target these people – they purportedly offer a DDoS tool for download, but their real goal is to infect the targets with information-stealing malware that goes after credentials, cryptocurrency-related information (including wallets and MetaMask data), etc.