
Russian invasion: ongoing updates of cyber actions to track

Editor’s Note: This blog will be updated regularly by the IronNet threat research team.

Since November 2021, Russian troops have been building up at the Ukrainian border, raising fears of an imminent invasion as the conflict escalated. Last night, those fears became reality.

In a national address, which coincided with a UN Security Council meeting last night, Russian President Putin announced that Russia will carry out “a special military operation” in Ukraine in order to “demilitarize and de-Nazify” the country. Shortly after the announcement, Russian forces began to move into Ukrainian territory in a move not seen in Europe since WWII. Russia is now launching a full-scale invasion of Ukraine by land, air, and sea.

What we know about the Russian invasion:

Political
  • Russia states that it is ready to negotiate with Ukraine if Ukraine surrenders.
  • EU is considering a third round of sanctions targeting Russia’s energy and financial sectors (link), including freezing Putin’s and PM Lavrov’s assets (link).
  • Russian tank in Kherson flies a USSR flag (link).
  • During the national address last night where Putin announced the military operation in Ukraine, he called on Ukrainian soldiers to put down their weapons. He also warned against outside interference, saying: “A couple of words for those who would be tempted to intervene. Russia will respond immediately and you will have consequences that you never have had before in your history.”
    • Access a full English transcript of the speech here.
  • NATO Secretary-General Jens Stoltenberg states NATO has no troops inside Ukraine, and there are no plans to send troops into the country.
  • Western countries including the U.S. and U.K. are expected to announce additional sanctions against Russia and those involved in the invasion later today (02/24).
Economic
  • Russian gas exports through Ukraine rose 38% on Thursday (2/24) and are expected to increase another 24% on Friday (2/25) (link).
  • Russia’s billionaires have lost $39 billion in the last 24 hours (2/24) (link).
  • Oil prices have surged over $100 a barrel for the first time since 2014.
  • Russian stocks fall the most on record, losing more than $250 billion (~45%).
  • The market cap of Russia’s largest bank was cut almost in half.
  • The Russian central bank has purchased billions of roubles to prevent Moscow stock exchange collapse and to prop up the currency after it plunged to an all-time low of 89.60 against the dollar.
Kinetic
  • Kyiv has entered a defensive phase (link).
  • Russian military claims it has taken the Hostomel airport just outside Kyiv and that Kyiv is blocked from the West.
  • Unconfirmed reports that Russian forces are massing at the Ukrainian-Polish border (link, link).
  • The initial wave of strikes appears to involve cruise missiles, artillery, and airstrikes targeting border guards and military infrastructure, including airbases.
  • There are various reports of bombings and explosions in multiple Ukrainian cities, including Mariupol, Kramatorsk, Kharkiv, Kyiv, and more.
  • Russia launched an air assault against Antonov International Airport (~15 minutes west of Kyiv). Some reports state that they have seized control.
  • Russian troops are moving on three main axes: Crimea toward Kherson, Belarus toward Kyiv, and from the northeast toward Kharkiv.
  • Ukrainian President Zelenskyy states Russian forces are trying to seize the Chernobyl nuclear plant.

Cyber actions the IronNet threat analyst team is currently tracking

Cyber Warfare
  • Threat actor leaks International Monetary Fund (IMF) emails and hashed passwords (link).
  • Ukrainian Military reports Belarusian hackers (UNC1151 / Ghostwriter) are targeting email accounts of military members and using them to send further malicious messages.
    • Once UNC1151 hackers gained access to an account, they would use the IMAP protocol to download email messages and then use the account’s address book to send out new phishing messages to other targets (link).
  • Greynoise has published a list of all IPs that are scanning/attacking Ukrainian IP space (link).
  • The hacker group Anonymous announced it is officially “in cyber war against the Russian government,” stating it has already launched a campaign against Russia and that private organizations will be impacted (link).
    • Anonymous launched a massive DDoS attack against Russia Today (RT), a Russian state-owned media outlet, which was taken offline by the attack (link).
    • Anonymous posts Ukrainian president’s appeal to Russian people for peace to Russian sites (link).
  • The Conti ransomware group announced “full support of the Russian government” and that if any entity attacks the Russian government, Conti will retaliate and use all possible resources to strike back at critical infrastructure (link).
  • On February 23rd, DDoS attacks began targeting the websites of multiple Ukrainian government agencies, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, and the Secret Service of Ukraine, causing outages and making critical government webpages inaccessible.
  • Also on February 23rd and coinciding with the DDoS attacks, new wiper malware was observed targeting Ukrainian organizations.
  • ESET first detected the HermeticWiper malware, which is believed to have been pre-positioned for months.
    • Compilation timestamp is 2021-12-28.
    • Attackers gained network access on Dec. 23, 2021.
    • There has been spillover into neighboring countries, reportedly impacting organizations in Latvia and Lithuania.
    • Delivered in one victim organization using a previously compromised AD server.
  • U.S. and U.K. government cybersecurity agencies released an alert on February 23rd detailing the use of a new malware called Cyclops Blink by Russian state-sponsored APT Sandworm.
  • Avast Threat Labs reported on Twitter that a new golang-based ransomware is targeting Ukrainian entities.
  • Kharkiv is suffering significant internet disruption (at least 30% drop in network connectivity).
  • There are scattered reports that ATMs are not working in Kyiv.

Collective Defense for Cyber

At the core of the North Atlantic Treaty Organization (NATO) is the notion of collective defense:

“The principle of collective defense is at the very heart of NATO’s founding treaty. It remains a unique and enduring principle that binds its members together, committing them to protect each other and setting a spirit of solidarity within the Alliance.”

In warfare that knows no boundaries—cyber warfare—we feel strongly at IronNet that this concept must extend to cyber defense. For all its promise and prosperity, digital transformation has opened an attack surface akin to a digital infinity pool. Today there is no Atlantic theater or Pacific theater, however. In cyberspace, we are one theater. We must secure it together.

Our hearts go out to the citizens of Ukraine as the once-imminent Russian attack became a reality last night. As Putin demonstrated in the 2015 cyber attack on the Ukrainian power grid, there is a potential concomitant war brewing in cyberspace. While critical infrastructure is comparatively well protected, Russia is a nation-state with unlimited resources, a pool of moonlighting cyber criminals, and highly organized threat groups that have been engaging in cyber target practice for years.

Long gone are the martial elements of fortresses, foxholes, and field battles. Just as aerial combat changed the very fabric of war during WWII, cyber has forever transformed war as we know (knew) it. In the face of announced and imminently expected sanctions, Putin could turn his eye toward U.S. and European power grids, pipelines, and the financial infrastructure as retribution.

It is in this context that the IronNet threat analyst team is currently tracking the cyber actions noted above.

Updates on Russian attack implications on cyber

In the spirit of IronNet’s mission, Collective Defense for cybersecurity, we will update this blog with any real-time information we learn about and related threat intelligence. Our goal is to bring together companies and organizations across the private and public sectors to defend as a unified force.

*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by IronNet. Read the original post at: https://www.ironnet.com/blog/russian-invasion-current-cyber-actions-to-track