A hybrid war is being waged in Ukraine involving conventional military operations and non-military methods such as cyberattacks on critical infrastructure and private companies. While Moscow continues to deny conducting cyberattacks as part of the war efforts, governments in the United States and Europe have attributed the escalating number of cyberattacks on the Ukrainian government and private companies in Ukraine to Russian state-backed hackers. Microsoft has recently issued a warning that these cyberattacks may spread beyond Ukraine’s borders and target countries that are helping Ukraine with its war efforts over the winter months and beyond.
Microsoft tracks the threat activity of the Russian government-backed hacking group Iridium (aka Sandworm), which was behind the Prestige ransomware attacks on organizations in the logistics and transportation sectors in Poland and Ukraine in October. Poland is a critical logistics hub through which military and humanitarian aid are transported to Ukraine. According to Clint Watts, Microsoft’s General Manager, Digital Threat Analysis Center, Iridium has continued to conduct attacks within Ukraine, likely aimed at disrupting the flow of humanitarian and military aid as well as at intelligence gathering.
In a recent blog post, Watts warns that these attacks may be escalated and extended outside of Ukraine to disrupt supply chains and said any organization directly involved in the supply of military and humanitarian aid to Ukraine is likely a target for destructive cyberattacks.
“Russian propaganda seeks to amplify the intensity of popular dissent over energy and inflation across Europe by boosting select narratives online through state-affiliated media outlets and social media accounts to undermine elected officials and democratic institutions,” said Watts. “We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter.” Watts suggests all organizations supporting Ukraine should practice strong cyber hygiene and deploy the latest detection and response technology to reduce vulnerabilities to and recover from cyberattacks.
While destructive cyberattacks are occurring in Ukraine, Russian organizations are similarly coming under attack. Russian courts and mayors’ offices have been targeted using a new wiper malware dubbed CryWiper. These “pinpoint attacks” on Russian targets have been conducted since October. CryWiper masquerades as ransomware, giving targeted files the .CRY extension. Like many ransomware variants, CryWiper stops critical processes and deletes shadow copies to prevent recovery of the targeted files; however, rather than encrypting the files, it corrupts them so that recovery is impossible. CryWiper also modifies the Windows Registry to block RDP connections, most likely to hamper incident response efforts. A ransom note is generated demanding 0.5 BTC (approximately $8,000) for a decryptor; however, no decryptor exists, and files corrupted by CryWiper cannot be recovered.
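From the defender's side, the three behaviours listed above (shadow-copy deletion, RDP blocking and mass renaming to .CRY) are far more telling together than alone. The script below, an added example that is not from the article or from Kaspersky's report, correlates them across constructed endpoint telemetry; the event format and the fDenyTSConnections registry value are assumptions, not details the article gives.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the article or any real incident).
# Each event is (host, event_type, details); the field layout is an assumption
# loosely modelled on EDR/Sysmon output.
EVENTS = [
    ("court-ws01", "process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("court-ws01", "registry", r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 1"),
    ("court-ws01", "file_rename", r"C:\Users\clerk\Documents\case_1042.docx -> case_1042.docx.CRY"),
    ("court-ws01", "file_rename", r"C:\Users\clerk\Documents\budget.xlsx -> budget.xlsx.CRY"),
    ("court-ws01", "file_rename", r"C:\Users\clerk\Desktop\notes.txt -> notes.txt.CRY"),
    ("mayor-fs02", "process", r"C:\Windows\System32\notepad.exe report.txt"),
    ("mayor-fs02", "file_rename", r"D:\share\old.log -> old.log.bak"),
]

# Shadow-copy deletion via either of the two common built-in tools.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Assumption: the registry value used to refuse Remote Desktop connections.
RDP_DENY = re.compile(r"fDenyTSConnections\s*=\s*1", re.I)
# The extension the article says CryWiper gives corrupted files.
WIPED_FILE = re.compile(r"\.CRY$", re.I)
RENAME_THRESHOLD = 3  # constructed: how many .CRY renames count as mass corruption


def triage(events, threshold=RENAME_THRESHOLD):
    """Return {host: sorted list of matched behaviours} for every host that
    shows at least two of the wiper traits described in the article."""
    hits = {}
    renames = Counter()
    for host, kind, detail in events:
        found = hits.setdefault(host, set())
        if kind == "process" and SHADOW_DELETE.search(detail):
            found.add("shadow_copies_deleted")
        elif kind == "registry" and RDP_DENY.search(detail):
            found.add("rdp_disabled")
        elif kind == "file_rename" and WIPED_FILE.search(detail):
            renames[host] += 1
            if renames[host] >= threshold:
                found.add("mass_rename_to_cry")
    # Requiring two independent traits keeps a lone admin running vssadmin from alerting.
    return {h: sorted(t) for h, t in hits.items() if len(t) >= 2}


if __name__ == "__main__":
    for host, traits in triage(EVENTS).items():
        print(f"{host}: wiper behaviour suspected ({', '.join(traits)})")
```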
Kaspersky researchers say the new wiper does not appear to be linked to the other wiper families that have emerged in 2022, but it does resemble IsaacWiper, which has been used in attacks on Ukrainian targets. Both corrupt files using the same, rarely used algorithm (the Mersenne Twister PRNG). The researchers also note that the same contact email address has appeared in attacks using the Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent ransomware families. The attacks have not been attributed to any specific group. Kaspersky says the use of wiper malware is unlikely to slow in the coming months and will most likely increase as a result of the war between Russia and Ukraine and other geopolitical conflicts currently under way.