Posted on May 11, 2022 at 8:40 PM

Russia Hit By Waves Of Cyber Attacks By Pro-Ukrainian Threat Actors

For a long time, Russia has been considered a force to reckon with when it comes to cybersecurity threats and cyber espionage. But since the country invaded Ukraine, it has been on the receiving end of waves of cyberattacks. In the past, most threat actors dread launching attacks on Russian soil because of a risk of a more severe reparatory attack. However, such fears are no more.

The country keeps facing a series of online attacks from different threat groups, with most of them showing solidarity with Ukraine in the ongoing war. Cases of cyber-attacks on Russian companies and institutions have been reported almost daily.

Although the physical war in Ukraine is still fiercely fought, it appears Russia is losing heavily when it comes to cyber-warfare. Pro-Ukrainian threat actors are launching a series of online attacks on Russia’s critical infrastructure, including their communications channels, energy, and other important facilities.

Russia Hit By Waves Of Cyber Attacks

In the latest development, CrowdStrike revealed that Pro-Russian actors have attacked Russian and Belarusian websites with DDoS attacks. According to the report, the attacks have kept some of the websites offline.  The hackers hit the Docker Engine pots with a DDoS attack through an exposed Docker Engine API.

The Docker Engine honeypots were allegedly compromised between February 27 and March 1, 2022. The honeypots were infiltrated by the hackers who were looking to use the tool to execute different Docker images to target both Belarusian and Russian websites.

The Docker image’s lists are used side by side with some domains shared by the Ukrainian government-backed Ukraine IT army (UIA).

The group initially rallied some of its members to intensify their hacking efforts against Russian-based companies and institutions. However, the Ukrainian government warned that there may be a risk of retaliatory attacks from those supporting Russia in the ongoing crisis. In another development, cyber security firm Mandiant has uncovered another threat actor dubbed UMC3524. The hackers rely on the methods used by the two Russian-based groups – APTT28 and APT29. However, it is not certain that the action was committed by any known group.

The Hackers Are Using Sophisticated Tools

In most cases, nation-state actors usually target the critical infrastructure of government organizations. But the targeting of individuals involved in corporate transactions shows that their motivation can be financial. However, looking from another perspective in terms of how long they successfully stayed in the victim’s system.

Their ability to remain in the victim’s system undetected is longer than the average dwell time of 2 days in 2021, according to a report by M-Trends 2022.

One of the reasons the group is notorious for achieving such a long dwell in the hackers’ choice of backdoors on appliances in the victims’ environment that don’t have adequate security tools. Some of the appliances do not have an endpoint or anti-virus protection.

The group sets itself apart due to the low malware footprint, high level of operational security, and high evasive skills. Whenever a victim’s environment detects and deletes their access, it takes them little time to re-establish themselves in the environment without any strong resistance. Once they re-compromise the environment with different mechanisms, they proceed with their data theft campaign.

Chinese-Sponsored Hackers Also Active

In another development, cybersecurity firm Cybereason announced that it has been tracking a nation-state hacking campaign targeting technology and manufacturing firms around the world.

According to the researchers at the security firm, the activity of the hackers can be classified as “a moderate-to-high degree of confidence” and attributed to the Chinese state-backed threat group known as Winnti or APT41.

Last year, the security researchers investigated several intrusions that target manufacturing and technology companies in Europe, Asia, and North America. However, the attacks can be traced to 2019 when the sophisticated cyber espionage campaign against these companies started operating.

The researcher also noted that the group has spent years identifying valuable data. As a result, it is believed that they have succeeded in exfiltrating hundreds of gigabytes of information. The threat actors launched attacks on intellectual property developed by victims, including formulas, diagrams, blueprints, manufacturing-related proprietary data, and other sensitive documents.

Additionally, apart from stealing information needed at the moment, they also stole sensitive information they could use for future attacks. These include details like employee emails, user accounts and credentials, customer data, network architecture, and information about the target company’s business units.