What are the most likely cyber attacks on Ukraine in the future?
CrowdStrike has evaluated the major destructive events that have affected Ukrainian agencies so far and has released a predictive report on the forms and consequences of future attacks in the region.
Since at least 2014, Ukrainian agencies have been targeted by cyberattacks from groups that are, or are likely to be, controlled by the Kremlin.
These operations appear aimed at manipulating the country’s political processes and damaging domestic business by disrupting Ukrainian institutions in sectors such as energy, transportation and national finance.
The operations are conducted with only partial deniability: the origin of the activity is obscured, but enough evidence is left to point suspicion at the likely attacker, so that the intended message reaches the targeted organization.
CrowdStrike attributes most of the known attack operations against Ukraine to VOODOO BEAR, an adversary assessed as most likely operating under the control of the Main Intelligence Directorate (GRU) of the General Staff of the Russian Armed Forces.
The impact of attack operations is rarely limited to the organization first targeted. There is direct secondary damage caused by the collapse of computer networks, and indirect secondary damage caused by interruptions to critical business services that other organizations rely on for their day-to-day operations.
Analysis of activity to date has identified several cases in which attacks on seemingly local targets had unintended effects on organizations outside Ukraine.
2022: Hybrid operation using multiple campaign stages
A January 2022 report indicates that the attackers behind the website defacements and WhisperGate wiper operations against Ukrainian government networks, tracked by CrowdStrike as the WhisperedDebate activity cluster, continue to disrupt state agencies.
CrowdStrike’s intelligence team does not currently associate WhisperedDebate with any already-named adversary (such as VOODOO BEAR).
However, its strong similarity to past operations, its targeting of Ukraine, and the timing of its activity strongly suggest an attacker connected with Russia, or a group with similar interests.
An official statement from the Ukrainian government indicates that the scope of this operation was limited compared with VOODOO BEAR’s 2017 campaign, but it is unknown whether this was intended by the attackers or was the result of operational difficulties.
However, because the malware delivery vector appears to have been manual and aimed at government networks, and because a further destructive attack was carried out against an IT service provider, possibly to hide evidence of the initial intrusion vector, the limited scope appears to have been intentional.
Shortly after government organizations were targeted by the WhisperedDebate campaign, CrowdStrike observed several attempts to distribute data purporting to come from those organizations.
This supports the claims made in the website defacement message. The link between these events remains unclear at the time of writing, but hacktivist and criminally motivated personas have offered evidence of data breaches.
This suggests an attempt to run an information operations (IO) campaign that continually publishes personally identifiable information (PII), contradicting repeated statements by the Ukrainian government denying that data was taken in the network breach.
These attempts may be aimed at undermining public confidence in the government’s ability to respond effectively to intrusions.
This use of IO mirrors earlier VOODOO BEAR TTPs, in which the CyberBerkut and Sprut personas published personal data from Ukrainian organizations at the same time as the attacks.
WhisperedDebate’s operation adds publicly visible website defacement, a new dimension that is easily picked up and amplified by the media.
VOODOO BEAR’s long-running destructive operations against Ukrainian organizations show a willingness to conduct psychological operations against the local population.
This represents the Kremlin’s ongoing effort to influence Ukraine against a backdrop of national-security and populist policy.
These operations, and their intended effects, ultimately complement the Russian government’s overall strategy for Ukraine.
They do not appear to be closely tied to overt diplomatic efforts or military action; instead they may be intended as a separate tool to selectively raise tensions within Ukraine and undermine public confidence in Ukrainian government agencies.
The exact intended outcome is unknown, but possibilities include pushing the public to reject close ties with Western nations, establishing new leadership favorable to Russia, or preparing for military action similar to the 2014 Crimea crisis.
CrowdStrike predicts that future attack operations against Ukraine are likely to take the form of destructive wiper attacks disguised as ransomware.
This assessment is made with medium confidence, based on the continued development of the technical TTPs involved and on the recognition that this type of operation can achieve the desired destructive effect, clearly communicate intent, and avoid direct responsibility for the attack.
Future hybrid operations may also make simultaneous use of IO campaigns that launder and publish sensitive information such as PII stolen in network breaches, and that attract media attention through website defacement.
Future campaigns are unlikely to feature DoS attacks, which have not been used in recent years and are unlikely to have lasting effects on targeted organizations.
DoS is more likely to be used in combination with other actions such as wiper attacks, or to build credibility within the hacktivist community.
Based on previous events such as the spread of NotPetya, the impact of a destructive attack on Ukraine is likely to be widespread and could affect organizations based outside Ukraine.
In particular, companies that operate subsidiaries in Ukraine, and companies whose network assets are interconnected with Ukrainian organizations, may suffer secondary damage.
CrowdStrike assesses with moderate confidence that subsequent operations have attempted to limit the scope of uncontrolled malware propagation, probably because of NotPetya’s unintended and severe fallout.
Beyond the direct impact of destructive attacks, organizations that rely on Ukraine’s logistics network may also be affected by future destructive attacks targeting parts of Ukraine’s transportation sector.
The possibility of a destructive attack deliberately targeting organizations outside Ukraine, such as those based in countries that support Ukraine’s position against Russia, including the United States and European countries, cannot be ruled out.
This is considered unlikely because of the risk of significantly escalating international tensions and the risk of sanctions, including direct retaliation by other governments. However, if an international company operating in Ukraine were caught up in an attack, Russia-linked attackers could exploit the incident to prompt suspensions of business operations and investment and to destabilize the local economy.