- Russia’s aggressive invasion of Ukraine has inspired hacking groups worldwide to increase their activities — in some cases to display support for a cause or maybe to profit from the upheaval.
- Since the invasion of Ukraine earlier this week, the Anonymous hacker collective, the Conti ransomware gang, and a threat actor in Belarus all appear to have boosted their activities – or at least expressed a desire to do so.
- The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning Thursday about an escalating threat presented by an Iranian advanced persistent threat (APT) actor.
Russia’s aggressive invasion of Ukraine has prompted hacking organizations worldwide to ramp up their activity – in some cases to demonstrate support for a cause or maybe to profit from the upheaval.
Since earlier this week’s invasion of Ukraine, the Anonymous hacker group, the Conti ransomware gang, and a threat actor in Belarus all appear to have increased their activity — or at least declared an intention to do so. Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) warned Thursday of a rising threat posed by an Iranian advanced persistent threat (APT) actor.
According to Sam Curry, Cybereason’s chief security officer, the superpowers fought several proxy wars throughout the Cold War, and he said we can expect a cyber proxy war to emerge today.
Anonymous Group’s warning:
Anonymous has pledged its allegiance to “Western friends” and stated that it would attack only Russian operations. The collective has made several claims on Twitter, including a tweet in which it declared cyber war on the Russian government.
Anonymous claimed on Twitter on Thursday that it had taken down several websites affiliated with the Russian government. Among them was the state-run news website RT News, which confirmed that it had been the victim of a distributed denial-of-service (DDoS) attack. Anonymous took responsibility for the DDoS on the news site, saying it was carried out “in protest to the Kremlin’s savage invasion of #Ukraine.”
Then, on Friday, Anonymous claimed to have breached and leaked the database of the Russian Ministry of Defense’s website, saying it had uploaded all of the Russian MOD’s sensitive data. (The tweet was later removed for a “violation of the Twitter Rules,” according to Twitter.)
Earlier this week, the group posted a video featuring its iconic Guy Fawkes-masked figure, stating that if tensions in Ukraine continued to rise, the group would hijack industrial control systems.
Anonymous’ involvement is unsurprising, given the group’s reputation for taking a moral stand on issues and then acting or retaliating via the Internet, according to Casey Ellis, founder and CTO of Bugcrowd. Ghost Security, commonly known as GhostSec, is another hacking group that has reportedly stated its intention to defend Ukraine. Ghost Security is thought to be a spinoff of Anonymous.
Unsurprisingly, Conti – considered a Russia-based, state-sponsored gang responsible for hundreds of ransomware attacks in recent years – backed the Russian side.
According to sources, Conti released a statement on its dark web site proclaiming the Conti Team’s formal endorsement of the Russian government. The statement warned that if anyone decided to organize a cyberattack or other war activities against Russia, the gang would use all available resources to strike back at the adversary’s critical infrastructure.
Chris Morgan, a senior cyber threat intelligence analyst at Digital Shadows, stated that this is the first time a significant cybercriminal outfit has publicly backed the Russian war effort.
Additionally, it follows many warnings from US authorities, which have stressed that “the risk from ransomware activities may rise as sanctions affect Russia,” Morgan added.
Conti was recognized by Digital Shadows as the second most active ransomware organization in 2021, based on victim count, and the gang has been blamed for multiple assaults against crucial national infrastructure, including the severe ransomware attack against Ireland’s health system in May 2021.
Conti’s statement is significant given Russia’s recent crackdown on cybercrime and ransomware, Ellis noted. It suggests that the gang is either operating independently, as other groups do, or with the Kremlin’s consent.
Meanwhile, in Ukraine, the country’s Computer Emergency Response Team (CERT) attributed a wave of phishing assaults on “UNC1151,” a hacker outfit whose “members are officers of the Republic of Belarus’s Ministry of Defense.”
CERT claimed in a Facebook post that the assaults targeted Ukrainian military officers and connected persons. At least two other hacker organizations have declared their support for Russia: The Red Bandits (a self-proclaimed “Russian cybercrime gang” that claimed responsibility for cyberattacks against Ukraine last week) and CoomingProject (a ransomware group characterized as “sporadically active”).
CISA warns against MuddyWater
CISA issued a warning about MuddyWater, an Iranian state-sponsored APT, during Thursday’s Russian strikes on Ukraine. CISA stated in a post that the group has been observed “conducting cyber espionage and other malicious cyber operations against a variety of government and private-sector organizations across sectors — including telecommunications, defense, local government, and oil and natural gas — in Asia, Africa, Europe, and North America.”
The timing of the publication is noteworthy, given that it coincides with the cyberattacks on Ukraine and the war itself, according to Drew Schmitt, chief threat intelligence analyst at GuidePoint Security. The information raises the possibility that Iran is accelerating its operations while the world’s attention is elsewhere, although Schmitt cautioned that this is not conclusive.
According to John Bambenek, chief threat hunter at Netenrich, the development shows that more actors will enter the fray as more governments acquire cyber capabilities. And, as Bambenek pointed out, there is no better training ground for nation-state actors than operating in an active war zone.
Seizing the chance
Without a doubt, some groups – and nation-state actors – will exploit the Ukraine invasion to expand their existing attacks “amidst the global instability,” according to Richard Fleeman, Coalfire’s vice president of penetration testing operations.
Fleeman said he believes we will continue to see an uptick in the coming years. These groups thrive on sentiment and will almost certainly keep growing stronger as they pursue their aims. Curry agreed, adding that as more groups join in, more actors will carry out operations under plausible deniability.
He stated, “Let us all pray for sanity, but let us set our policies and preparations in the knowledge that peace is probably further away than anyone wishes.”
Ellis expressed concern about the growing difficulty of attribution in cyberattacks – as well as the danger of misattribution or “even a deliberate false flag operation escalating the war worldwide.”
While every sector of industry should be mindful of the potential consequences of increased hacker group activity, Morgan said that specific sectors in the Western world may be more likely to be attacked. He warned that the financial services and energy sectors would be particularly exposed if Russia-aligned threat groups targeted firms seen as equivalent to those targeted by Western sanctions.
This is, in many respects, new ground, given that the world has never seen a conflict of this magnitude occur during a period of advanced and pervasive cyber capabilities. The scenario is “unusual,” according to Danny Lopez, CEO of Glasswall – but “not unexpected.”
Lopez said that cyberspace has joined land, sea, and air as the fourth theatre of battle. And, whether it involves state-sponsored groups or their proxies, he believes cyberspace is the new battleground.