The Cybersecurity Express – Issue #6
You hear the Cybersecurity Express approaching as you near the platform. Everything seems to be in order and on schedule, but you notice one key difference: the colors of the train, blue and yellow. Reality soon settles in as you face an undeniable truth: There is no denying this, we are all impacted and sooner or later we will have to face the music. The train will take you through the cybernetic battlefront as we need to see firsthand the implications and take the necessary approach in order to properly defend your organization. From the comfort of your seat, you will see history being written and how the stance between cyber-criminals and cybersecurity specialists is changing from here onward.
It was inevitable not to talk about the grotesque Russian invasion of Ukraine, the implications of it all and how real-life conflict is bleeding into the digital realm. It’s chaos: Russia is attacking on all fronts, the world is united by circumstance against a common foe, bad actors are now switching to fight for the good cause and other groups are just taking advantage of the mess, playing their cards on both sides to maximize personal gains.
Revelations of the Past
This whole mess started back in 2014 when Pro-Russian Hacktivist Group – CyberBerkut was hired to disrupt/manipulate the 2014 Ukrainian presidential elections, where they employed a combination of malware, file deletion and DDoS tactics, but were ultimately not successful, resulting in a pro-western party being elected. This was followed with the first known successful cyber-attack against a power grid compromising systems of three energy distribution companies. On the eve of Ukraine Constitution Day in 2017, we were presented with one of the “most devastating cyber-attacks in history”: NotPetya wiper malware. Targeting both public and private sector entities, the attack was highly disruptive in nature as it disabled computers by wiping hard drives and spread independently to companies that used a popular tax-filing software (M.E.Doc). The malware was not designed to be decrypted; money was not what the perpetrators were after.
A New Face of War
In the beginning of 2022, we started seeing wiper attacks, that we are all familiar with now, the first of which being “WhisperGate”, discovered by Microsoft, that disrupted government, non-profit, and information technology organizations, followed by the more recent “HermeticWiper” that affected hundreds of computers, this time including Latvia and Lithuania as targets, with “IsaacWiper” being the latest of this kind. In the meantime, defacement of government and public institution websites took place with political imagery, presenting the message “Prepare for the worst” and the biggest DDoS attack Ukraine has ever witnessed, brought down websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, Ministry of Defense and Ministry of Internal Affairs among others. All of these coupled with misinformation/ disinformation being spread to the masses with unprecedented ease due to the online nature of today’s world, where the real war is fought on social media platforms like YouTube, Facebook, Instagram WhatsApp, Telegram and TikTok between the lies and the truth. These media networks have turned out to be a double-edged sword for the oppressors as not only being used by them to spread misinformation to the Russian people and to the world, but also against them, being the only way for the truth to get in.
On the other flank, we see the world uniting and collaborating like never before, fighting back, doubling down on the oppressor, giving them a taste of their own medicine. Even some malicious cyber-groups have joined the just cause, for now, fighting for freedom and righteousness, united against a common foe.
The Future is Being Decided
As we saw in the tactics used so far, wipers masked as ransomware, DDoS disruptions and misinformation seem to be the weapon of choice, and they are being done in sneaky ways, at scales never seen before. This was something that the Cybersecurity and Infrastructure Security Agency (CISA) has foreseen and together with the FBI and the NSA released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures, and have been posting recommendations regularly.
Cloudflare announced they will keep providing its services to Ukraine, Belarus and Russia, however with certain security measures in place. They side with Ukraine and are willing to comply with all the requirements from the imposed sanctions against Russia, also taking drastic measures as bricking the servers, should they go online. The firm argued that services should be kept operational within Russia as the internet is the only source that the people can get reliable information from.
DDoS attacks are becoming more common and more potent than ever before through new and clever ways. Researchers uncovered new reflection/ amplification DDoS methods that provide a record-breaking amplification ratio of almost 4.3 billion to 1. Reflection attacks start with a small packet reflected inside a closed network while its size gets amplified with each loop. When reaching the possible upper limit, the resulting volume of traffic is channeled to the target. For this DDoS method, threat actors are abusing vulnerable Mitel devices, such as MiVoice Business Express and MiCollab or by leveraging the functionality of Middleboxes. One notable difference of these vectors against most UDP reflection methodologies is that they can sustain lengthy DDoS attacks, lasting for up to 14 hours. “The single largest observed attack of this type to date was approximately 53 million pps and 23 gb/sec.
The threat actors need a way in, and most of the time the weakest link for compromising a network remains human. Google has issued a warning of an increase in phishing campaign conducted by government-backed groups. The purpose of this will be to sweep the nations, especially eastern EU countries, for vulnerable spots in order to compromise networks for future attacks. Threat actor groups such as Belarusian Ghostwriter and Russian FancyBear launched, in the past several days, credential phishing campaigns using compromised email accounts targeting Polish and Ukrainian military and government organizations.
An Awakening
Out of all the unknowns, one thing is certain: We are seeing an increase in digital oppression and new, cunning ways to abuse the system, in a manner from which we may never go back. The good in all of this it that the world is starting to notice how vulnerable the digital medium is and how easily the harm reflected into the physical world is real. The masses are having an awakening to the importance of the service that cybersecurity companies provide. Among them CyBourn, standing with the oppressed, against the oppressors! An awakening to the ever-increasing need for the protection they provide against evolving actors, that have proven time and time again that we are as vulnerable in the here as we are out there.
