From Anonymous attacks to the proliferation of malware: maximum alert for governments, which are strengthening protection measures with dedicated task forces. And Kiev appeals to ICANN: it has requested the disconnection of all Russian Internet sites. Here's what's going on

02 Mar 2022, Patrizia Licata, Journalist
From the beginning, the war between Russia and Ukraine has also been fought on the digital front. Indeed, according to what Eset researchers have discovered, the cyber war conducted by hackers began long before armies entered the field. The cybersecurity company is reconstructing the offensive campaigns carried out against Ukrainian organizations in recent times and has discovered two new families of wiper malware attacking Ukrainian organizations. The repercussions are far-reaching: the Italian government has already created a "Cybersecurity Nucleus to share the information collected and set up a permanent table on the ongoing crisis", as announced by Prime Minister Mario Draghi, while the CSIRT has urged businesses and administrations to raise their level of attention in view of possible cyberattacks. "The evolution of the scenario is particularly rapid and a further escalation will inevitably consist of effective actions in lightning-fast times. It is important that the reaction to possible attacks is timely and coordinated", says Claudio Telmon, member of the Steering Committee of Clusit, the Italian Association for Information Security, which has just published a handbook for businesses.

Meanwhile, Ukraine is trying a new card: according to Rolling Stone, Kiev has asked ICANN, the body that manages the addresses of Internet providers and is responsible for the management and coordination of the DNS (Domain Name System), to disconnect all Russian sites from the Internet. This is an unprecedented request that will probably be rejected, but for the Ukrainian government in particular, closing DNS servers located in Russia and suspending domains such as ".ru" would help counter Russian cyber attacks that "hinder the ability of Ukrainian citizens and the government to communicate", helping users to "seek reliable information by preventing propaganda and disinformation".
Index of topics
• Eset's analysis: two new families of wiper malware
• Proofpoint: possible cyber front in Belarus
• Clusit's recommendations for Italian companies
• Yarix: hybrid conflict, here's how to defend yourself

Eset's analysis: two new families of wiper malware

The cybersecurity company Eset is reconstructing the offensive campaigns carried out against Ukrainian organizations in the last period. As the Russian invasion got underway, Eset researchers discovered two new families of wiper malware attacking Ukrainian organizations. The first cyberattack began a few hours before the Russian military invasion, following the distributed denial-of-service (DDoS) attacks against major Ukrainian websites earlier that day, 23 February. These destructive attacks exploited at least three components: HermeticWiper for data wiping, HermeticWizard for spreading across the local network, and HermeticRansom acting as decoy ransomware. The malware artifacts suggest that the attacks had been planned for several months. On February 24, a second destructive attack against a Ukrainian government network began, via a wiper that Eset Research has called IsaacWiper and whose connection with HermeticWiper is not yet clear. Eset researchers believe it is highly likely that the affected organizations were compromised well before the wiper was deployed. Eset Research has not yet been able to attribute these attacks to a threat actor, due to the lack of any significant code similarity with other samples in Eset's malware database.

Proofpoint: possible cyber front in Belarus

Proofpoint cybersecurity researchers have released new threat intelligence showing likely Belarus-sponsored cyber activity targeting European government personnel involved in managing the logistics of refugees fleeing the conflict in Ukraine.
The cybersecurity company has detected a targeted phishing campaign, distributing malware known as "SunSeed", which originates from a compromised email account of a member of the Ukrainian military. Proofpoint tentatively attributes this activity to a threat group known as TA445 (Ghostwriter / UNC1151), which appears to operate from Belarus and has a history of engaging in numerous disinformation operations aimed at influencing European attitudes towards the movement of refugees into NATO countries. In light of the ongoing Russia-Ukraine war, the actions of proxy actors such as TA445 will continue to target European governments to gather information on the movement of refugees from Ukraine and on issues relevant to the Russian government. This activity points to a military use of war migrants and refugees through a hybrid model of information warfare and targeted cyber attacks.

Clusit's recommendations for Italian companies

Clusit first of all recommends that Italian companies and institutions carefully follow the communications and indications promptly provided by the national CSIRT, the Italian Computer Security Incident Response Team, which is active in providing information on the scenario and on specific threats and vulnerabilities. Thanks to continuous coordination with actors at European and international level, our CSIRT in fact has timely information to which other sources may not have access. Then there are four fundamental points on which the Italian Association for Information Security urges maximum alert:

1. Raise awareness of possible anomalies that may be indicative of ongoing attacks. "This indication does not only concern companies that have relations with Ukraine or Russia but, without distinction, all organizations; in fact, should the evolution of the scenario lead Italy to be more directly the object of attack, events could develop very quickly", Telmon points out.

2. Take the opportunity to remind your staff of company policies on information security, paying particular attention to the rules of conduct for avoiding becoming the target of phishing attacks or a vehicle for malware attacks.

3. Verify the effectiveness of your security measures, including those that ensure the availability of services and information even in the event of major attacks on your systems; in particular, at least check the availability and correctness of updated, offline backups and, where present, the effectiveness of disaster recovery processes and mechanisms.

4. Ensure that any early warning and threat intelligence services acquired as a service are up and running and, not to be underestimated, that they are actually monitored.

Yarix: hybrid conflict, here's how to defend yourself

This hybrid conflict, which combines military actions and cyber warfare strategies supported by the spread of fake news, "is just a new chapter in a war that began well before: in recent weeks there has been a wave of DDoS attacks and defacements against Ukrainian government and institutional websites. And, going back a few years, we remember the Russian cyber attacks targeting the Ukrainian electricity grid during the winter seasons of 2015 and 2016 (BlackEnergy) and the NotPetya offensive in 2017", highlights Mirko Gatto, CEO of Yarix, the cyber security division of Var Group. "But Ukraine is not the only victim: think of the NotPetya malware, aimed at Ukrainian systems but then spread all over the world, including Italy". Gatto recalls how the use of bot farms, fake accounts able to circulate untrue news to manipulate sentiment, set foot in Ukraine before the troops did: only last February the same country, today also physically affected, declared that it had dismantled an alleged Russian bot farm with 18,000 fake accounts in its assets.
Accelerating the conflict in the fifth domain and bringing it to public attention was the involvement of the largest hacker group in the world, Anonymous, which with a targeted attack using DDoS (Distributed Denial of Service) techniques hit the websites of the Duma and the Kremlin, the Russian Ministry of Energy and dozens of other government and corporate websites. Cyber capability is therefore in all respects a weapon to add to one's arsenal and, on the other hand, it is increasingly necessary to raise attention by preparing a defense on several fronts. "Make sure your systems are properly patched against vulnerabilities by prioritizing exposed systems, including web mail, VPNs and remote access systems," says Gatto. "Prepare yourself against attacks aimed at data destruction by having offline backups and make sure you test recovery plans that cover all business objects. We need to be reactive: it is necessary to identify key figures in all areas of the organization and to define tested communication methods. Also, avoid any services and navigation that are unnecessary for the business".