Posted on March 11, 2022 at 6:45 PM
Cybercriminals are targeting the volunteer hackers who support the IT Army of Ukraine in its campaign against Russia. According to researchers at Cisco Talos, the threat actors pose as genuine representatives of the IT Army and offer the volunteers tools for launching DDoS attacks; the "tools" are in fact carriers for malware.
The IT Army of Ukraine was set up by Ukraine's Minister of Digital Transformation, Mykhailo Fedorov, to recruit supporters of Ukraine for cyberattacks against Russian targets. The war in Ukraine is being fought both on the ground and in cyberspace.
Within two weeks of its formation the group had grown to more than 300,000 members. It posts daily "hit lists" of target URLs for tech-savvy supporters to knock Russian sites offline; recent targets have included importers of technology for the Russian military and Russian electronic-signature services.
These volunteers have now become targets themselves. According to the report, the criminals operate Telegram channels that appear to be affiliated with the genuine IT Army of Ukraine, but the "DDoS tool" distributed there is the Phoenix infostealer, which goes after cryptocurrency wallets and account credentials on the victim's machine.
The Phoenix keylogger first surfaced in 2019 and has since grown into a full-fledged information stealer with anti-analysis and anti-detection modules.
More Hackers Take Advantage Of The War In Ukraine
The stealer harvests saved data from browsers such as Firefox and Chrome, scans other locations on the file system, and then sends what it has collected to an IP address in Russia.
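The behaviour just described (a process that is not a browser reading browser credential stores, then opening a connection to a single outside address) is the pattern a defender can hunt for in endpoint telemetry. The Python below is an added example written for this page, not code from Cisco Talos or from the Phoenix malware: it runs a simple per-process correlation rule over constructed Sysmon-style events. The tool name ddos_tool.exe, the internal network ranges, the file-path markers and the 203.0.113.0/24 destination (the RFC 5737 documentation range) are all placeholder assumptions.

```python
"""Detection rule for the steal-then-exfiltrate pattern of an infostealer.

Correlates, per process, reads of browser credential stores (and a local
wallet file) with a subsequent outbound connection to an address outside
the organisation's internal ranges. The event schema and every sample
event below are constructed for this example (Sysmon-like fields reduced
to what the rule needs); map them onto your own EDR/Sysmon telemetry.
"""
import ipaddress
from datetime import datetime, timedelta

# Path fragments identifying on-disk secrets a stealer goes after.
SENSITIVE_FILE_MARKERS = (
    "Login Data",   # Chrome/Chromium saved passwords (SQLite)
    "Web Data",     # Chrome autofill, including saved cards
    "logins.json",  # Firefox saved passwords
    "key4.db",      # Firefox key database that decrypts logins.json
    "wallet.dat",   # Bitcoin Core wallet file
)

# Browsers legitimately read their own stores; anything else doing so is suspect.
BROWSER_IMAGES = frozenset({"chrome.exe", "chromium.exe", "msedge.exe", "firefox.exe"})

# Ranges treated as internal in this example; replace with your own allocations.
INTERNAL_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
))


def is_sensitive_file(path: str) -> bool:
    return any(marker in path for marker in SENSITIVE_FILE_MARKERS)


def is_external(host: str) -> bool:
    """True if host is an IP outside INTERNAL_NETWORKS, or a DNS name (not resolved here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: treat as external unless allowlisted
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_credential_exfil(events, window=timedelta(minutes=5), allowlist=frozenset()):
    """Return one alert per process that read a sensitive file and then, within
    `window`, opened a connection to an external destination not in `allowlist`."""
    reads = {}    # pid -> [(timestamp, path), ...] of sensitive reads not yet alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        pid, image = ev["pid"], ev["image"].lower()
        if ev["event"] == "file_read":
            if image in BROWSER_IMAGES or not is_sensitive_file(ev["target"]):
                continue
            reads.setdefault(pid, []).append((ts, ev["target"]))
        elif ev["event"] == "net_connect":
            host = ev["target"].rsplit(":", 1)[0]   # "host:port" (IPv4 or hostname only)
            if host in allowlist or not is_external(host):
                continue
            recent = [path for t, path in reads.get(pid, []) if ts - t <= window]
            if recent:
                alerts.append({"pid": pid, "image": ev["image"],
                               "stores": recent, "dest": ev["target"]})
                reads.pop(pid)  # one alert per process, not one per connection
    return alerts


# Constructed sample telemetry. ddos_tool.exe is a placeholder name for the
# fake tool; 203.0.113.0/24 is the RFC 5737 documentation range standing in
# for the real exfiltration address, which this example does not reproduce.
_HOME = r"C:\Users\alice"
SAMPLE_EVENTS = [
    {"ts": "2022-03-09T10:00:01", "pid": 4120, "image": "chrome.exe", "event": "file_read",
     "target": _HOME + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2022-03-09T10:00:05", "pid": 5288, "image": "ddos_tool.exe", "event": "file_read",
     "target": _HOME + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2022-03-09T10:00:06", "pid": 5288, "image": "ddos_tool.exe", "event": "file_read",
     "target": _HOME + r"\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"},
    {"ts": "2022-03-09T10:00:07", "pid": 5288, "image": "ddos_tool.exe", "event": "file_read",
     "target": _HOME + r"\AppData\Roaming\Bitcoin\wallet.dat"},
    {"ts": "2022-03-09T10:00:09", "pid": 5288, "image": "ddos_tool.exe", "event": "net_connect",
     "target": "203.0.113.7:80"},
    # A process that talks out but never touched a store: no alert.
    {"ts": "2022-03-09T10:00:12", "pid": 6004, "image": "updater.exe", "event": "net_connect",
     "target": "203.0.113.50:443"},
    # Backup agent copying a store to an internal file server: no alert.
    {"ts": "2022-03-09T10:00:20", "pid": 7010, "image": "backup.exe", "event": "file_read",
     "target": _HOME + r"\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key4.db"},
    {"ts": "2022-03-09T10:00:25", "pid": 7010, "image": "backup.exe", "event": "net_connect",
     "target": "10.0.0.5:445"},
    # Read and connection too far apart to correlate within the window: no alert.
    {"ts": "2022-03-09T09:50:00", "pid": 8100, "image": "sync.exe", "event": "file_read",
     "target": _HOME + r"\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"ts": "2022-03-09T10:00:30", "pid": 8100, "image": "sync.exe", "event": "net_connect",
     "target": "203.0.113.9:443"},
]

if __name__ == "__main__":
    for alert in detect_credential_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['image']} -> {alert['dest']} "
              f"after reading {len(alert['stores'])} sensitive file(s)")
```

Run as a script it prints a single alert, for the process that read the Chrome, Firefox and wallet files and then connected out; the browser reading its own store, the backup agent talking to an internal host, and the read-then-connect pair more than five minutes apart are all ignored. In production you would additionally suppress known-good software by hash or signer, check destinations against threat intelligence, and tune the window to the latency of your telemetry pipeline.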
Cybercriminals constantly look for opportunities to attack, and times of turmoil, crisis and major global events are especially attractive to them. The war between Russia and Ukraine is one such opportunity, with victims who may be too preoccupied to suspect danger.
The researchers said the opportunistic criminals are taking advantage of the ongoing conflict to exploit sympathizers on both sides.
The attacks take several forms, including malware masquerading as offensive or defensive security tools, malicious links claiming to host relief funds or refugee-support sites, fraudulent donation solicitations, and email lures built around news topics.
The researchers accordingly warn users to inspect suspicious emails carefully before opening them, since some are laced with malware. The same caution applies to software: obtain tools only from a publisher's official distribution channel and check them before running them; a "DDoS tool" handed out in an unverified Telegram channel should be treated as untrusted.
The Threat Actors Have Been Around Since November Last Year
Cisco Talos said evidence suggests the threat actors behind the campaign have been distributing infostealers since "at least November 2021", roughly four months before the invasion, and pivoted to targeting pro-Ukraine hacktivists once the opportunity presented itself.
The researchers expect the information-stealing activity to continue and diversify, because global interest in the conflict gives threat actors a potentially massive pool of targets to prey on.
Their Actions Could Increase If War Continues
The conflict has brought both old threats and new ones as criminals shift their focus to it. Threat actors of varying skill have joined the cyberwar, some on the Ukrainian side and some backing Russia, while a third group is interested only in profiting from either side. The researchers warn that malicious activity has risen sharply since the war began, with more criminals exploiting the situation to steal money and data.
Established groups such as the Conti ransomware gang, which declared its support for Russia, and the Anonymous collective, which declared cyberwar on Russia, have also joined in. Ukrainian government and military websites have already been hit by DDoS attacks, and Ukraine and its sympathizers have retaliated against Russian sites, with Anonymous claiming to have hijacked Russian surveillance cameras. Volunteers on the cyber front face a risk of their own: while soldiers at the front are shot at, participants in DDoS attacks risk arrest, since such attacks are a crime in most jurisdictions regardless of the target.
A further worry is the criminals exploiting the whole affair to steal cryptocurrency and financial information from people on both sides.
Cisco Talos's assessment is that this kind of activity is likely to persist, and to intensify, for as long as the war in Ukraine continues.