Russia vs Ukraine: War that Teaches New Cyber Warfare & Cyber – Suraj Shrivastava

Reflectionist Suraj Kumar Shrivastava (ITBM 2020-2022)

“One Russian missile distorts Ukraine’s geography, and the whole economy of the world gets cracked in a nutshell.”

– an observer

Russia’s invasion of Ukraine has brought agitation across the globe; everything from financial markets to raw-materials markets has been hit as if by a nuclear warhead. Now, let us gallop to the cyber world of this war. We all know that “The age of nuclear testing may be over, but the age of cyber warfare is just getting started – 100%!” In addition, Russia’s war with Ukraine has likely served as a natural testbed for its next generation of cyber weapons, which are difficult to detect during real battles on land, sea, and air.

Cyberattacks during war fall under two categories. The first is the state-sponsored attack, where the user is targeted by an enemy state, or very often by the victim’s own nation-state, because they are seen as a threat. The second is espionage: spying, or the use of spies, to gain information about the plans and operations of a foreign government or a rival company.

Cyberattacks, unlike traditional attacks, can be challenging to pinpoint. When a whole nation is at war with another, it is conceivable that cannonballs will be fired over the internet, disrupting the lives of civilians and the government. Only hours before Russian forces entered, Ukraine was targeted by never-before-seen malware designed to delete data, an attack the Ukrainian government described as “on a fundamentally different level” than prior attacks.

Firefighters extinguish fire in an apartment building damaged by recent shelling in Kyiv, Ukraine February 26. (Reuters photo)

Growing tensions have “increased the risk,” according to Goldman economists led by Jan Hatzius in a Monday research note, and nearly 60% of state-sponsored cyberattacks in Ukraine were attributed to Russia last year. Looking at the worst case, the energy, financial services, and transportation sectors are the most exposed to Russian strikes because of their economic importance. According to Goldman, government-led cyberattacks have historically aimed to steal sensitive intellectual property such as financial plans and strategic communications, but there have also been attacks on critical infrastructure. Last month, Russia hacked Ukraine’s largest financial institutions in the country’s biggest-ever cyberattack.

So, how would a true global cyberwar play out?

Because key infrastructure sectors such as energy and communications depend on one another, an aggressive attack would undoubtedly bring down many sectors at once, amplifying the impact.

Here we need to understand the kinds of attacks/cyberattacks:

By indirect attacks, I do not mean that you or your machine are specifically targeted. The target can be the services provided to civilians: the electricity grid, supply chains, banking institutions, water treatment, communications, and transportation. There isn’t much you can do to defend these systems on your own.

By direct attacks, I mean attacks aimed directly at you. In a battle, civilians can be targeted intentionally or unintentionally to diminish the desire to keep fighting. The technical methods used in cyberwarfare are similar, but the repercussions might be more personal.

What if your entire computer’s data is stolen or wiped, especially if those are the only copies of images or papers you have? So what can you do to protect yourself?

Now let’s understand another term related to it: CYBERATTACK!

You might not be able to secure the nation’s critical infrastructure on your own. However, by working together to influence the government, the private sector can be encouraged to strengthen its security, preparedness, and, perhaps most importantly, resilience in the face of such breaches. When it comes to infrastructure resilience, we frequently don’t recognize how ill-prepared we are until it’s too late. A significant cyberattack can have the same effect as a natural disaster, knocking out critical infrastructure and causing a chain reaction.

The essential steps you can take to prevent, or at least reduce, direct cyberattacks on you and your computer are listed below. Simple precautions, such as using a strong password, using multi-factor authentication, and not clicking on questionable links, are things that many of us, sadly, ignore. However, we now know that there are techniques to get onto your computer without you doing anything and without requiring your passwords, as SolarWinds, Log4j, and Pegasus have shown. These are termed “zero-click vulnerabilities.”

The Conti ransomware operators are the most well-known cybercriminal outfit to support Russia overtly. They have a history of actively targeting US healthcare organizations. They have been linked to MSP compromise, big game hunting (targeting major enterprises), multi-stage attacks (using other malware strains as part of the attack), and double and treble extortion (data theft combined with the ransomware attack).

Belarus’ government, a Russian ally, possesses cyber capabilities. UNC1151 is suspected of being affiliated with the Belarusian military. Using a phishing campaign, UNC1151 is allegedly attempting to breach the email accounts of the Ukrainian army.

Let’s check out different malware during this conflict:

Wipers: In the previous two months, two malware variants, both wipers, have been seen in widespread use against Ukraine: HermeticWiper and WhisperGate.

  • HermeticWiper: This is a new type of disk-wiping malware [at least one version carries the name Trojan.Killdisk] that was used to attack Ukrainian institutions just before the Russian invasion on February 24, 2022. HermeticWiper runs from a file signed by a certificate issued by Hermetica Digital Ltd. It carries 32-bit and 64-bit driver files in its resource section, compressed using the Lempel-Ziv method; these driver files are signed with a certificate given to EaseUS Partition Master. The malware drops whichever driver matches the operating system (OS) version of the infected system, and derives the driver file names from the wiper’s process ID. Once run, the wiper damages the Master Boot Record (MBR), rendering the system inoperable. Aside from its destructive capability, the wiper does not appear to have any other features. It modifies the first 512 bytes of each physical drive (the MBR), then enumerates the partitions of all available drives, distinguishing FAT (File Allocation Table) partitions from NTFS (New Technology File System) partitions. The financial, defense, aviation, and IT services sectors have all been targeted by HermeticWiper.
  • WhisperGate: This new type of disk-wiping malware is thought to have three stages/parts: a bootloader that corrupts recognized local disks, a Discord-based downloader, and a file wiper. The WhisperGate bootloader is a companion to the WhisperGate file wiper; both permanently destroy the victim’s data and try to pass themselves off as ransomware. WhisperGate was seen attacking Ukrainian organizations just before the Russian invasion on February 24, 2022. The bootloader’s first step overwrites the master boot record to display the fake ransom note. The bootloader accesses the target disk through BIOS interrupt 13h, which provides sector-based disk read/write capabilities using cylinder-head-sector addressing. The overwriting is done in logical block addressing mode, with every 199th sector being overwritten until the disk is full; the bootloader then advances to the next disk on its list. The downloader is Stage2.exe. When stage2.exe runs, it downloads the file-wiper malware from a Discord channel using a hardcoded download link. Once executed in memory, the corrupter locates files in specific folders on the system using a set of hardcoded file extensions.
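Both wipers above begin by overwriting the first 512 bytes of the disk, so a responder’s first triage question is whether the MBR on a recovered image is still valid. The following Python helper is an added example written for this article, not code from the original post or from any malware sample; it parses sector 0 of a disk image, checks the 0x55AA boot signature, classifies the partition entries as FAT or NTFS by their type byte, and reports an overwrite. The sample images are constructed in memory.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow
ENTRY_SIZE = 16
# Well-known MBR partition type codes for the families the article mentions.
FAT_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16",
             0x0B: "FAT32", 0x0C: "FAT32", 0x0E: "FAT16"}
NTFS_TYPE = 0x07

def parse_mbr(sector0: bytes) -> dict:
    """Inspect the first 512 bytes of a disk image (the MBR) and report
    whether it still looks valid plus the partition entries it describes."""
    if len(sector0) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    sector0 = sector0[:MBR_SIZE]
    info = {"signature_ok": sector0[510:512] == BOOT_SIGNATURE,
            "partitions": []}
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, size
        status, ptype, lba, size = struct.unpack_from(
            "<B3xB3xII", sector0, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and size == 0:
            continue                       # unused entry
        fs = FAT_TYPES.get(ptype, "NTFS" if ptype == NTFS_TYPE else "other")
        info["partitions"].append({"index": i, "bootable": status == 0x80,
                                   "type": ptype, "fs": fs,
                                   "lba_start": lba, "sectors": size})
    # A missing 0x55AA signature, or no recognizable partition entries, on a
    # disk that used to boot is the hallmark of an MBR overwrite.
    info["intact"] = info["signature_ok"] and any(
        p["fs"] != "other" for p in info["partitions"])
    return info

def build_mbr(entries) -> bytes:
    """Constructed helper: build a sector-0 image from (status, type, lba, size)."""
    buf = bytearray(MBR_SIZE)
    for i, entry in enumerate(entries):
        struct.pack_into("<B3xB3xII", buf,
                         PARTITION_TABLE_OFFSET + i * ENTRY_SIZE, *entry)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)

# Constructed samples: a healthy disk with a bootable NTFS partition and a
# FAT32 data partition, and the same disk after sector 0 was overwritten.
HEALTHY = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0B, 206848, 65536)])
WIPED = bytes([0x41]) * MBR_SIZE
```

Run `parse_mbr` on the first 512 bytes of a forensic image (for example `open(path, "rb").read(512)`); a result with `intact` set to False on a drive that should boot is the point at which to pull the full image for deeper recovery rather than attempting a repair in place.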

Mitigations

CISA, the FBI, and the NSA encourage all enterprises to follow the recommendations below to improve their cyber resilience in the face of this threat.

Confirm reporting procedures and close any gaps in coverage:

  • Make a list of internal contacts. Assign main points of contact, as well as SODs, for a suspected incident, and make sure everyone knows how and when to report it.
  • Identify surge support for responding to an incident to minimize gaps in IT/OT security personnel availability. Critical infrastructure firms should proactively protect themselves by limiting coverage gaps.
  • Ensure that IT/OT security staff are monitoring key internal security capabilities and can detect unusual behavior. Flag any detected IOCs and TTPs for prompt action. Create, maintain, and test a cyber incident response plan, as well as a resilience and continuity of operations plan.

Create, update, and test a cyber event response and business continuity strategy:

  • Ensure that workers are aware of the critical steps they must follow during an incident and are prepared to act calmly and cooperatively.
  • For OT assets/networks:
    • Determine a plan for continuing to operate if you lose access to—or control of—your IT and OT environments.
    • Test manual controls on a regular basis to ensure that essential functions can continue to operate if ICS or OT networks are taken offline.
  • On both the IT and OT networks, implement data backup mechanisms. Test backup methods regularly and ensure that backups are separated from network connections that could allow malware to proliferate.

Sources: Various legitimate articles, blogs, and whitepapers were referred to in producing this article.