Cyberwar — Ukraine

Ukraine

December 2015 – 2017 — A blackout across the Ivano-Frankivsk region in western Ukraine killed power for 700,000 people on December 23. The blackout was attributed to a cyberattack on Ukrainian electrical power company Prykarpattya Oblenergo. Ukraine's state security service SBU officially blamed Russian-linked hackers.

ESET analyzed the attacks, reporting January 3 that a cybercriminal group had used the BlackEnergy malware family to attack the Ukrainian electrical power industry and news media companies. They used both denial-of-service attacks, overwriting document files with random data and making the operating system non-bootable, plus an SSH back door they labeled. SSHBearDoor. It listens for an SSH client providing the hard-coded password passDs5Bu9Te7.

ESET issued another report on January 4. Other energy companies in Ukraine were targeted at the same time. The infections came in through Microsoft Office files with malicious macros. The malware also had some additional functions targeting industrial control systems.

Kaspersky provided more details in their report on January 28. Cyc Centrum has a report on BlackEnergy attacks in Ukraine through 2014 and 2015.

SentinalOne released a nice detailed analysis of BlackEnergy 3 in late January, see the announcement and the detailed report.

SANS published a detailed analysis in mid-March 2016, summarizing the incident itself, the reporting in the media, and then analyzing the attack techniques. They concluded that it started with a phishing email with Word and Excel documents with macro-based malware. That dropped BlackEnergy3 malware into place, which stole legitimate user credentials. The stolen VPN credentials allowed attackers to access the industrial control systems network.

This was widely reported, including by Dark Reading on January 5 2016, January 14, and January 27; Foreign Policy on January 8; Reuters on January 27; The Register on January 28, and Wired with more detail on March 3.

The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported "CyberBerkut is a front organization for Russian state-sponsored cyber activity, supporting Russia's military operations and strategic objectives in Ukraine", citing "Russia's Use of Disinformation in the Ukraine Conflict. Russian strategy analysis", 18 Feb 2015, in Eurasia Review. They say that CyberBerkut "has been implicated in multiple incidents of cyber espionage and attack, including distributed denial of service attacks against NATO, Ukraine, and German government websites." More recently, CyberBerkut has been stealing and publishing documents from Ukrainian government and political figures in order to discredit, demoralize, embarrass, and create distrust of those figures.

Russia's "Troll Army", also known as the Internet Research Agency, is described in the DIA report as "a state-funded organization that blogs and tweets on behalf of the Kremlin. The New York Times reported on the Troll Army in June 2015.

December 2016 – 2017 — On December 17, 2016, malicious software tripped circuit breakers and shut off electrical power to part of western Kiev, cutting off about 20% of the city's electrical supply. About 700,000 people in the Ivano-Frankivsk region, half the homes there, were left without electricity for several hours. That seems to have been just a test of sophisticated malware, since labeled Crash Override and Industroyer by investigators.

The malware has a modular design, with support for various SCADA protocols commonly used in Europe. Unlike earlier attacks against infrastructure which required interactive control by several operators, this malware seems to be largely automated. It can map the network where it is inserted, observing and logging traffic patterns.

It exploits a known vulnerability in a Siemens digital relay. There is speculation that it is intended to do more than just cut off power, but to damage equipment in the process, overloading lines and transformers.

Honeywell and the Kiev-based Information System Security Partners have said that the 2016 blackout was likely caused by the same attackers as the 2015 attack, which has been widely attributed to a hacker group called Sandworm, and that it likely originated in Russia.

The Dragos report says, "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team."

Technical reports and analysis:

Media coverage:

June 2017 — Malicious software targeted Ukraine on 27 June 2017. It spread quickly in Ukraine through government ministries, energy companies, the power grid, banks, and transportation. 80% of the infections happened in Ukraine, with 9% in Germany and others in France, Italy, Poland, the U.K. and the U.S.

The malware claimed to be ransomware, but it was actually a "wiper", overwriting data. It was a variant of Petya, which propagates via the NSA's EternalBlue exploit. This variant is being called Petya, NotPetya, Pnyetya, ExPetr, GoldenEye, and more.

Initial spread was through an update to M.E. Doc, a Ukrainian tax accounting package. All tax accounts in Ukraine are required by law to use M.E. Doc, and it is the de facto standard accounting package for businesses there. A similar attack had happened on 18 May 2017 when ransomware called XData was carried out via M.E. Doc. [see the report in Russian]

The site with M.E. Doc software updates was served on one host at the WNet hosting company. On 1 June 2017 the Ukrainian security agency SBU raided the WNet offices. The SBU said that WNet had turned over control to the FSB, Russia's intelligence service. [see the reports at ain.ua and politolog.net] On July 1 "the head of Ukraine's CyberPolice suggested" in an Associated Press report that M.E. Doc knew of the intrusion and malware planting and "For this neglect, the people in this case will face criminal responsibility."

In January 2018, the CIA concluded that the Russian military's GTsST or Main Center for Special Technology was behind NotPetya.

A.P. Møller-Maersk, the world's largest container shipping company, reported that it recovered by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications in late June and early July 2017. For 10 days they had no computers, but meanwhile another ship with 20,000 containers would enter a port every 15 minutes.

Media coverage:
Reuters New York Times Washington Post (June 2017) BBC Ars Technica Wired Bloomberg ain.ua politolog.net Associated Press Washington Post (January 2018)
Technical reports and analysis:
Matt Suiche Kaspersky Labs, #1 Kaspersky Labs, #2 the grugq Brian Krebs Lesley Carhart On the Wire Talos and Cisco detailed analysis ESET detailed analysis Wired US-CERT Alert TA17-181A

July 2018 — Ukraine's SBU federal security service detected and shut down a cyberattack that used VPNFilter malware against equipment in the LLC Aulska chlorine station that supplies water and sewage treatment plants. The Russian military hacker team called Fancy Bear and APT28 is believed to be behind the attack.

Interfax Ukraine News Agency

2022 Russian Invasion of Ukraine

Russia had been attacking Ukrainian infrastructure at least since 2015. Largely electrical power generation and distribution, but also transportation, banks, and other targets.

When Russia invaded Ukraine in late February 2022, the biggest surprise for many was the lack of overt cyberattacks. There was some, like the attack on the Viasat KA-SAT network used by Ukrainian armed forces, police, and intelligence service. As a side-effect, the Viasat attack took out control of a large number of German wind generators.

Then multiple destructive attacks from Russia hit Ukrainian targets on February 23 and 24, just before the invasion started, including: WhisperGate, HermeticWizard, IsaacWiper, and CaddyWiper.

It seems that the U.S. had been quietly disabling enormous Russian botnets before the invasion.

U.S. F.B.I accouncement U.S. Department of Justice announcement

The New York Times reported on the story, and Brian Krebs provided links to more technical details.

The New York Times published a long interactive article on 16 December 2022. It says, "Russia not only botched the attack by land and air, but also put too much faith in another wing of its vaunted arsenal: hacking."

States including Russia had been using hacking for espionage, financial crimes, subversion, and sabotage for years. Sandworm, also known as Unit 74455, is a cybermilitary unit of the GRU, Russia's military intelligence organization.

Sandworm is believed to have been behind the December 2015 attacks on Ukrainian electrical infrastructure, the 2017 attacks with the NotPetya malware, and others. "But nobody really knew how it would play out in a full-scale military conflict." Approaching the first anniversary of Russia's invasion, hacking had not yet been an effective Russian weapon.

How Putin's War in Ukraine Became a Catastrophe for Russia

In May 2021, the Kaspersky security firm released a new report about a hacking group "Red Stinger" using the "CloudWizard" APT to carry out espionage attacks against both sides in the conflict — against pro-Russia targets in eastearn Ukraine and against pro-Ukraine targets in central Ukraine. Security firms ESET and CyberX had discovered similar infrastructure and malware in 2016 and 2017.

Kasperkey's 19 May 2023 report ESET 2016 "Groundbait" report CyberX 2017 "Operation BugDrop" report Wired story