
Wednesday, 23 March 2022 11:48

Aqua Security reveals native technologies used in Russia-Ukraine cyber attacks

By Aqua Security

GUEST OPINION: The conflict between Russia and Ukraine is raging not only in the physical realm but also on the cyber front, where governments, hacktivist groups, and individuals are trying to play their part. Here we analyse some examples of the cyberattacks that have taken place as part of the current conflict and review their methods and impact.

Russian cyber warfare: Wiper malware

The military campaign was preceded by a sophisticated cyberattack launched by Russia against multiple Ukrainian organisations. It included highly destructive malware called IsaacWiper and HermeticWizard, which are new variants of wiper malware. The malware attack, alongside the military campaign, aimed to make an impact on the conflict.

The malware was installed on hundreds of machines in Ukraine and was followed by a wave of distributed denial-of-service (DDoS) attacks. The new wipers can corrupt the data on a machine and make it inaccessible. In addition to their worm-like ability to spread across a local network and infect more machines, they can also launch a ransomware attack and encrypt files on the compromised machine.

To our knowledge, this new wiper attack is targeting only Windows systems. According to internal Team Nautilus research, most cloud native environments (96%) are based on Linux. Thus, we assess that the risk to cloud native environments from this type of wiper malware is low. However, Russia's cyber arsenal might include similar tools that are designed to attack Linux environments.

Hacktivists step in

As the Russia-Ukraine conflict unfolded, it attracted the attention of global threat actors such as the hacktivist group Anonymous. Anonymous regularly launches cyberattacks in support of its social and political ideals as well as against governments and their resources. In this case, Anonymous has declared cyberwar on Russia and called for hackers around the world to target Russian organisations and government.

Cloud native technologies used in cyber campaigns

The attacks got our attention, and we at Team Nautilus tracked recent events to get an overview of the cyberattacks that have taken place. We gathered data from public repositories that contain code and tools aimed at targeting either side.

Among the repositories, we analysed container images in Docker Hub as well as popular code libraries and software packages, including PyPI, NPM, and Ruby. We searched for specific names and text labels that called for action against either side.

We investigated types of activities on these public sources. About 40% of the packages we observed were related to denial-of-service (DoS) activity aimed at disrupting the network traffic of online services. Other public repositories provided information to Ukrainian and Russian citizens or tools to block user networks from the conflict area.

We also saw activity with a banner that can be added to a website in support of Ukraine. Moreover, there were sources that suggested doxing, i.e. publicly revealing the personal information of high-ranking individuals. Finally, one resource collected donations for Ukrainian citizens.

Analysis of container images in Docker Hub

Next, we analysed the container images "abagayev/stop-russia:latest" and "erikmnkl/stoppropaganda:latest", which were uploaded to Docker Hub. The main reason for studying them was that together they gained more than 150K pulls.

These container images have published instructions and source code on GitHub, including a list of targets with Russian website addresses. Among other things, the guidelines explained how to initiate an attack and what tools to download, allowing non-professionals to launch an attack on their own.

As we see, the repositories have played a major role in the ongoing virtual conflict, making cloud native tools widely available to a less technical audience. This once again shows that today you don't have to be a skilled hacker to take part in cyber war.

To analyse the container images above, we scanned them with Aqua's Dynamic Threat Analysis (DTA) scanner. It executed the container images in a secure sandbox, which allowed us to gain more insights into these tools and their impact.

The container image "abagayev/stop-russia:latest" contains a DoS attack tool that targets financial data and service providers in Russia.

The container image "erikmnkl/stoppropaganda:latest" contains a DDoS attack tool that floods its targets over TCP with a large number of connection requests. It's used to initiate the attack and targets multiple service providers in Russia.

Both container images also included attack tools that initiate a DNS flood over UDP, sending a large number of DNS requests to UDP port 53, aimed at Russian banks.
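As an added illustration, not code from Aqua Security or the article, here is the defender-side counterpart of the UDP/53 DNS flood described above: a small Python detector that parses constructed flow log lines and flags any source whose peak number of DNS queries to UDP port 53 inside a sliding window reaches a threshold. The log format, the addresses and the threshold are assumptions, not something the article specifies.

```python
from collections import defaultdict

# Constructed log lines, "<epoch_ms> <src> -> <dst> <proto>/<dport>" (not a real
# product format); addresses come from the RFC 5737 documentation ranges.
def build_sample_log():
    """One source bursting 300 UDP/53 queries in 1.5 s, one benign client
    sending 6 queries over a minute, HTTPS noise, and a malformed line."""
    base_ms = 1648000000000
    lines = [f"{base_ms + i * 5} 203.0.113.7 -> 192.0.2.10 UDP/53" for i in range(300)]
    lines += [f"{base_ms + i * 10000} 198.51.100.4 -> 192.0.2.10 UDP/53" for i in range(6)]
    lines += [f"{base_ms + i * 1000} 198.51.100.4 -> 192.0.2.20 TCP/443" for i in range(20)]
    lines.append("garbage line that should be skipped")
    return lines

def parse_flow(line):
    """Parse one line into (ts_ms, src, dst, proto, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or "/" not in parts[4]:
        return None
    proto, _, port = parts[4].partition("/")
    if not (parts[0].isdigit() and port.isdigit()):
        return None
    return int(parts[0]), parts[1], parts[3], proto.upper(), int(port)

def peak_rate(timestamps, window_ms):
    """Largest number of events falling inside any window_ms-wide interval."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window_ms:   # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best

def detect_dns_flood(lines, window_ms=1000, threshold=100):
    """Return {src: peak UDP/53 queries per window} for every source whose
    peak reaches the threshold; other protocols and ports are ignored."""
    # A per-source rate catches single-client flood tooling like that described
    # above; a distributed flood would also need per-destination aggregation.
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                      # skip lines the parser cannot read
        ts, src, _dst, proto, dport = rec
        if proto == "UDP" and dport == 53:
            per_src[src].append(ts)
    return {src: peak for src, times in per_src.items()
            if (peak := peak_rate(times, window_ms)) >= threshold}
```

Running `detect_dns_flood(build_sample_log())` flags only the bursting source, since the benign client never exceeds one query per second and the TCP/443 traffic is never counted.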

Attacks in the wild

As part of our research efforts, we regularly deploy honeypots, i.e. misconfigured cloud native applications, based on Docker and Kubernetes or other widely used applications such as databases. We analysed the data recorded by our honeypots with a focus on DDoS attacks launched in the wild, and collected only IP addresses that belonged to Russia and Ukraine.

Based on the data accumulated in our honeypots, we found that 84% of the targets were affiliated with IP addresses in Russia and only 16% in Ukraine. Further sector segmentation of the organisation metadata linked to the IP addresses shows that network and media organisations were the prime targets and were attacked most often.

Conclusion

Our findings highlight the significant role that the cyber domain can play in a modern geopolitical conflict. As technology advances, experienced threat actors can create and distribute simple automated tools that allow less skilled individuals to participate in cyber war.

These advances also allow individuals and organised hacking groups to influence the conflict, using their knowledge and resources. We can see how emerging technologies are relevant in these efforts and can have an impact.

To learn how to protect against these cyberattacks, check out the blog The Russia-Ukraine Cyber Attacks: A CISO's Advice.
