Timeline of the New Cyberwar
It has been a month since I made a particular reference to the conflict in Ukraine on this blog, a conflict that erupted back in 2014 and that is now increasingly worrisome. Although we had seen reports this year of new cyberattacks on Ukrainians attributed to the Russians, an invasion by troops was merely a contingency. However, on February 24, to the surprise of many, such an invasion, on a large scale and from different fronts, became a reality.

As I write these words, it is said that about 2 million people have already fled Ukraine and that at least 549 civilians have been killed, though it appears that this figure may be considerably higher. Such events might constitute war crimes and human rights violations. Unfortunately, the bombardments continue, and the militaries of both sides are engaged in firefights. The Russian forces are advancing at a slow pace, but it seems they will do everything in their power to push into the capital, Kyiv, and take control of it.

As you may know, our purpose here is not to delve into this type of issue but into those that have to do with cybersecurity. In fact, in that previously mentioned post, I pointed out cyberattacks the Ukrainians had received a few years ago, apparently from the Russians. I then emphasized one of the most recent attacks, which occurred in mid-January: a destructive malware called WhisperGate came to light, present in systems of Ukrainian organizations and governmental entities. Now, the question is, what has happened in terms of cybersecurity since late last month, when the horror of the invasion began to materialize?
February 23
Shortly before the invasion of Russian troops began, there was a series of DDoS (distributed denial-of-service) attacks against websites of some Ukrainian government and banking institutions. Hours later, ESET’s research team reported the discovery of a new data wiper malware. This one, dubbed HermeticWiper, hit hundreds of computers of organizations in that country. (It seems that this malware behaves much like WhisperGate: it damages both local data and the master boot record of the hard drive.) Reuters then reported that the infections had already reached nations such as Latvia and Lithuania and that Russia denied the allegations of such attacks. As if that weren’t enough, Microsoft’s Threat Intelligence Center ended up detecting another malware package in operation against Ukraine, called FoxBlade.
February 24
Russia officially declared war on Ukraine. Mysteriously, hours after the invasion commenced, some Russian government websites became inaccessible to the public. This was attributed both to possible attacks and to preventive measures. As for the Ukrainian government, it reportedly began calling on forums for volunteer hackers and cybersecurity experts. Their missions would be to help defend critical infrastructure (e.g., water systems and power plants) and to conduct cyber espionage operations against Russian forces. At the same time, concern arose that people supporting the Russian cause would also apply, seeing a new chance for an onslaught. Additionally, hacking groups began to make known whether they were on the side of Ukraine or Russia.
February 25
Members of the hacktivist group Anonymous (pro-Ukrainian in this war) defaced government websites in Russia, posting messages from the Ukrainian president. They also apparently claimed responsibility for disabling other sites, including that of the Russian news outlet RT. On the other hand, it stood out that the Conti gang, responsible for quite hostile ransomware operations, offered its support to the Russian government. In addition, a warning that phishing attacks had already occurred appeared on the Twitter account of the State Service of Special Communications and Information of Ukraine. Another attack of this type, aimed especially at military personnel of this country, was reported by another media outlet.
February 27-28
Internal chats of the Conti gang from January 29, 2021, to this day were leaked, apparently by a member of the group. Allegedly, the stance and messages of the gang’s leader on the present war upset its Ukrainian members; hence, one of them hacked Conti’s internal Jabber/XMPP server. (See a detailed analysis of these chats here.) Curiously, in these days a website also appeared in favor of Ukraine, featuring the sliding tile puzzle 2048. According to its developers, simply by playing, users contribute to overloading and knocking offline websites serving the Russian army. Meanwhile, warnings about phishing campaigns continued, in this case fake messages about evacuations for Ukrainians. Besides, another Russian news outlet, TASS, suffered a cyberattack that temporarily interrupted the activity of its website.
March 1
By this time, there were already about 200,000 users in the newly created space of the IT ARMY of Ukraine. In a continuous search for volunteers, this site was intended for the coordination of defense and attack operations. On this day, phishing attacks associated with a previous campaign (see February 25 in this post) were mentioned. These attacks targeted European government personnel assisting refugees from this war. It seems they were carried out using a compromised Ukrainian military email account and may have been sponsored by the Belarusian government. For its part, the New York Post reported that Russia appeared to have officially declared cyberwar on the U.S. after the latter began to see a significant increase in cyberattacks against its banking sector.
March 4-6
Microsoft, the giant corporation that in late February decided to enter the war to help protect Ukraine’s cybersecurity, announced the suspension of sales of its products and services in Russia. (Apple had previously suspended sales too.) Meanwhile, the Russian communications agency Roskomnadzor announced that it was blocking access to Facebook, which would partly isolate Russian citizens and limit their ability to express their opinions. The same agency then banned the U.S. walkie-talkie communication app Zello, a decision attributed to the alleged dissemination of false information about the invasion of Ukraine. On the other hand, the cryptocurrency firm Coinbase announced the blocking of more than 25,000 accounts linked to Russia, which it considered to be carrying out illicit actions.
March 7
Google’s Threat Analysis Group published “An update on the threat landscape,” in which it highlighted the criminal activities of several gangs. For example, it attributed phishing campaigns against a Ukrainian media firm to the apparently Russian group FancyBear. It said the Ghostwriter group attacked the government and armed forces of Poland and Ukraine. It also reported that the Chinese group Mustang Panda had partially shifted its focus to European targets. Finally, Google noted that Ukrainian government websites were still receiving DDoS attacks and that it will continue providing its free protection service, Project Shield, against this type of threat.
At Fluid Attacks, we recognize that this cyberwar can lead to adverse outcomes in multiple corners of the globe. That’s why we recommend you pay close attention to your organization’s cybersecurity so that you are adequately prepared for any blow. Do not hesitate to contact us to discover our preventive solutions.
This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/timeline-new-cyberwar/