In a recent report, the Computer Emergency Response Team of Ukraine (CERT-UA) has highlighted a significant increase in cyberattacks against the country’s civil infrastructure websites, particularly those of government agencies and local authorities. The report, which covers the period from January to February 2023, notes that these sites have been particularly vulnerable due to a lack of adequate cyber protections.

The Rising Tide of Cyberattacks

CERT-UA processed over 300 cyber incidents and attacks during this period, almost half as many as in the corresponding period last year. On average, Russian hackers are targeting Ukraine with more than ten cyberattacks every day.

Furthermore, CERT-UA has observed an increase in espionage attacks, with the primary focus being on maintaining constant access to organisations. The malware distributed by Russian hackers is primarily focused on data collection and remote access to users’ devices. CERT-UA warns that these attacks are potentially aimed at obtaining information that can give an advantage in a conventional war against Ukraine, including data on mobilisation and Western weapons logistics.

The Storm-0978 Connection

In a related development, Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defence and government entities in Europe and North America. The campaign abused CVE-2023-36884 (NVD), a remote code execution vulnerability delivered through Word documents and exploited before it was disclosed to Microsoft, using lures related to the Ukrainian World Congress.

The Gamaredon Threat

CERT-UA has also recently unveiled the rapid data theft methods of the APT known as UAC-0010 (aka Armageddon, Gamaredon). Gamaredon, comprising former Ukrainian Security Service (SBU) officers in Crimea who defected in 2014 and started serving the Russian FSB, primarily aims for cyber espionage against Ukraine’s security forces, with evidence of destructive actions on information infrastructure targets.

The group mainly infects government computers, particularly within communication systems, often using compromised accounts and various tactics such as emails and Telegram, WhatsApp and Signal messages. They also utilise malware like GammaSteel to rapidly exfiltrate files within 30-50 minutes, primarily focusing on documents with specific extensions.

MITRE ATT&CK TTPs

Based on the information provided in the reports, the following MITRE ATT&CK TTPs are relevant:

  • Phishing (T1566): The threat actors conducted a phishing campaign to target defence and government entities in Europe and North America.
  • Exploitation for Client Execution (T1203): The threat actors exploited the CVE-2023-36884 vulnerability to gain remote code execution capabilities on compromised devices.
  • Command and Control Infrastructure (T1583): The malware relies on a command-and-control (C2) server for communication and control of compromised devices.
  • Data Exfiltration (T1020): The threat actors utilise malware like GammaSteel to rapidly exfiltrate files within 30-50 minutes, primarily focusing on documents with specific extensions.
  • Masquerading (T1036): The threat actors used the guise of legitimate communication platforms like Telegram, WhatsApp, and Signal to disguise the malware’s true identity.
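The rapid, extension-targeted exfiltration described above for GammaSteel (and again under T1020 in the list) is a behaviour a defender can hunt for in egress telemetry: many distinct document files leaving one host inside a short window. The following Python example is added here and is not code from CERT-UA, Microsoft or any cited report; the pipe-delimited record format, the document-extension set, the 50-minute window and the 20-file threshold are all assumptions, since the reports do not publish them, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The reports only say "documents with specific extensions"; this set is an
# assumption for the example, not a list from CERT-UA.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".odt"}

# Assumed thresholds, to be tuned per environment: the window mirrors the
# 30-50 minute exfiltration time reported for GammaSteel.
WINDOW = timedelta(minutes=50)
MAX_DISTINCT_DOCS = 20


def parse_event(line):
    """Parse one pipe-delimited egress record (constructed format):
    ISO timestamp | host | process | file path | bytes sent."""
    ts, host, process, path, nbytes = (f.strip() for f in line.split("|"))
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": process, "path": path, "bytes": int(nbytes)}


def is_document(path):
    """True if the path ends in one of the watched document extensions."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DOCUMENT_EXTENSIONS


def detect_rapid_exfil(lines, window=WINDOW, max_docs=MAX_DISTINCT_DOCS):
    """Sliding-window detector: flag a host the first time more than max_docs
    distinct document files leave it within `window`. Returns {host: details}."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        if is_document(e["path"]):
            by_host[e["host"]].append(e)

    alerts = {}
    for host, evs in by_host.items():
        start = 0          # index of the oldest event still inside the window
        in_window = {}     # path -> number of events for that path in the window
        total_bytes = 0
        for end, e in enumerate(evs):
            in_window[e["path"]] = in_window.get(e["path"], 0) + 1
            total_bytes += e["bytes"]
            # Evict events that have fallen out of the window behind this one.
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]
                in_window[old["path"]] -= 1
                if in_window[old["path"]] == 0:
                    del in_window[old["path"]]
                total_bytes -= old["bytes"]
                start += 1
            if len(in_window) > max_docs:
                alerts[host] = {
                    "window_start": evs[start]["ts"],
                    "window_end": e["ts"],
                    "distinct_docs": len(in_window),
                    "bytes_out": total_bytes,
                    "processes": sorted({x["process"] for x in evs[start:end + 1]}),
                }
                break  # one alert per host is enough for triage
    return alerts


def constructed_sample_log():
    """Constructed sample telemetry for the demo, not data from the reports."""
    base = datetime(2023, 2, 14, 9, 0, 0)
    lines = []
    # Host WS-A: 25 distinct documents sent out within about 34 minutes.
    for i in range(25):
        ts = base + timedelta(seconds=84 * i)
        lines.append(f"{ts.isoformat()} | WS-A | explorer.exe | "
                     f"C:\\Users\\u1\\Documents\\report_{i:02d}.docx | 51200")
    # Host WS-B: three documents spread over a working day plus a non-document.
    for i, name in enumerate(["plan.xlsx", "notes.pdf", "memo.doc"]):
        ts = base + timedelta(hours=2 * i)
        lines.append(f"{ts.isoformat()} | WS-B | outlook.exe | "
                     f"C:\\Users\\u2\\Documents\\{name} | 20480")
    lines.append(f"{base.isoformat()} | WS-B | chrome.exe | "
                 f"C:\\Users\\u2\\Downloads\\setup.exe | 1048576")
    return lines


if __name__ == "__main__":
    for host, details in detect_rapid_exfil(constructed_sample_log()).items():
        print(f"ALERT {host}: {details['distinct_docs']} documents, "
              f"{details['bytes_out']} bytes between "
              f"{details['window_start']} and {details['window_end']} "
              f"via {', '.join(details['processes'])}")
```

On the constructed log only WS-A is flagged, at the 21st distinct document, while WS-B's handful of documents over several hours stays below the threshold. The distinct-path count rather than raw event count matters here: re-sending the same file repeatedly looks different from sweeping a directory, which is the pattern the reports describe.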

Mitigations and Recommendations

CERT-UA urges Ukrainian military personnel to install endpoint detection and threat response (EDTR) software to minimise risks, especially for systems outside the protection perimeter, including those using Starlink terminals for Internet access.

Further Reading

This analysis is based on the reports from CERT-UA, Microsoft Security Blog, and Infosecurity Magazine.