Recent Developments in Russian-Ukrainian Cyber Warfare, March 15, 2022

The war between Russia and Ukraine is taking place on all fronts – geopolitical, physical, social, and digital. As the fighting continues, cyber attacks are growing as well, with threat actors of all sorts - including state-sponsored actors - participating in this cyber war. Here's some of what CyberProof's CTI team reported: 

”Help Ukraine” Crypto Scams Emerge as Ukraine Raises Over $37 Million 

Following the current situation, many fundraising campaigns have been initiated to support Ukrainian citizens, and users across the globe are willing to contribute and donate. Attackers are leveraging this delicate situation, targeting users via phishing websites, forum posts, and email links - asking users to help Ukraine by donating crypto currency.

Attackers are using several methods to achieve this, such as sending phishing emails impersonating the United Nations Office for the Coordination of Humanitarian Affairs (OCHA), and publishing forum posts. 

The forum posts refer to the difficult situation citizens have found themselves in due to the war between Ukraine and Russia, and the severe shortage in basic supplies there - calling users to donate to save lives. 

Researchers have also found several .org domains set up by threat actors looking to trick potential donors. 

The fact that the Ukrainian government is actively seeking crypto donations is what likely makes these campaigns appear credible. After Russia's unprovoked attack on Ukraine, the Ukrainian government made a crowdfunding appeal seeking crypto currency donations, and the campaign has already raised over $37 million in crypto currency. Additional donations worth $13 million are expected to arrive as well. 

Phishing Attacks Target Countries Aiding Ukraine Refugees 

Researchers reported a spear phishing campaign targeting European government personnel providing logistic support to Ukrainian refugees, noting that the attackers behind the campaign are likely state-sponsored. The attackers likely used compromised email accounts of Ukrainian armed service members to send out the phishing messages. 

The email included an attachment with malicious macros, which attempted to download a malware dubbed SunSeed – a downloader that can be used to deliver additional payloads to compromised devices. 

Based on the infection chain, the researchers linked the current campaign to phishing attacks launched in July 2021. This was attributed to a Belarusian threat group known as Ghostwriter, TA445, or UNC1151 - which was also linked to the Belarusian government. This group has already been linked to other attacks against Ukraine since Russian invaded Ukraine. The July 2021 campaign targeted senior cyber security practitioners and decisionmakers at private US-based companies, including those in the defense sector. 

Furthermore, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of the group attempting to compromise private email accounts of Ukrainian military personnel to send out phishing emails to their contacts. 

CISA Adds IOCs to Its Conti Ransomware Alert 

Last week, the CISA updated an alert about the Conti ransomware gang, published in September 2021. The update comes a few days after internal details from the Conti ransomware operation leaked, after the gang announced publicly that they side with Russia over the invasion of Ukraine.

CISA says that the Conti threat actor has hit more than 1,000 organizations across the world, with the most prevalent attack vectors being TrickBot malware and Cobalt Strike beacons. 

The agency released a list of 98 domain names that share registration and naming characteristics similar to those used in Conti ransomware attacks from groups distributing the malware. CISA notes that while the domains have been used in malicious operations, some of them could be abandoned or could coincidentally share similar characteristics. 

Understanding Ransomware Threat

Interested in learning more about protecting your organization from cyber attack? Contact us!