28 January 2023

Bear CyberWarfare Dominance



#GermanyRIP. Kremlin-loyal hacktivists wage DDoSes to retaliate for tank aid

Killnet hacktivist group appears to have indirect ties to the Russian government.

An iteration of what happens when your site gets shut down by a DDoS attack.

"Threat actors loyal to the Kremlin have stepped up attacks in support of its invasion of Ukraine, with denial-of-service attacks hitting German banks and other organizations and the unleashing of a new destructive data wiper on Ukraine.

Germany's BSI agency, which monitors cybersecurity in that country, said the attacks caused small outages but ultimately did little damage.

“Currently, some websites are not accessible,” the BSI said in a statement to news agencies. “There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if the usual protective measures are taken.”

The distributed denial-of-service attacks, typically called DDoSes, appeared to come as retaliation for the German government’s decision to allow its advanced Leopard 2 tanks to be supplied to Ukraine. Researchers at security firm Cado Labs said on Wednesday that Russian-language hacktivist groups—including one calling itself Killnet—issued calls for its members to wage DDoSes against targets in Germany. The campaign, which began on Tuesday as the Leopard 2 tank decision appeared imminent, used the hashtag #ГерманияRIP, which translates to “#GermanyRIP.”

Messages soon followed from other Russian-speaking groups claiming attacks against the websites of major German airports, including Hamburg, Dortmund, Dresden, and Dusseldorf; German development agency GIZ; Germany’s national police site; Deutsche Bank; and online payment system Giropay. It wasn’t clear if any of the attacks successfully shut down the sites.

Another group calling itself “Anonymous Sudan,” meanwhile, also claimed responsibility for DDoS attacks against the websites of the German foreign intelligence service and the Cabinet of Germany, in support of Killnet.

“As we’ve seen throughout the Russia-Ukraine war, cyber threat actors are quick to respond to geopolitical events, and are successful in uniting and mobilizing groups with similar motives,” Cado Labs researchers wrote. “The involvement of a group purporting to be the Sudanese version of Anonymous is interesting to note, as it demonstrates the ability for Russian-language hacktivist groups to conduct this mobilisation and collaboration on an international level.”

Killnet emerged shortly after Russia’s invasion of Ukraine. Last June, it took credit for what the Lithuanian government called “intense” DDoSes on the country’s critical infrastructure, including parts of the Secure National Data Transfer Network, which helps execute Lithuania's strategy for ensuring national security in cyberspace. Discussions on a Killnet Telegram channel at the time indicated the attacks were in retaliation for the Baltic government closing transit routes to Russia earlier that month.

In September, security firm Mandiant said it uncovered evidence that Killnet had indirect links to the Kremlin. Specifically, Mandiant researchers said Killnet coordinated some of its activities with a group called Xaknet and that Xaknet, in turn, had coordinated some activities with threat actors from the Russian Main Intelligence Directorate, or GRU.

In related news, on Friday, researchers from security firm Eset reported that another Kremlin-backed threat actor, known as Sandworm, unleashed a never-before-seen data wiper on Ukrainian targets. The destructive malware, dubbed SwiftSlicer, is written in the Go programming language and uses randomly generated 4096-byte blocks to overwrite data."

Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Find him on Mastodon at: https://infosec.exchange/@dangoodin 

www.bleepingcomputer.com

Ukraine: Sandworm hackers hit news agency with 5 data wipers

Sergiu Gatlan


"The Ukrainian Computer Emergency Response Team (CERT-UA) found a cocktail of five different data-wiping malware strains deployed on the network of the country's national news agency (Ukrinform) on January 17th.

"As of January 27, 2023, 5 samples of malicious programs (scripts) were detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion)," CERT-UA said (automated translation from Ukrainian).

The list of destructive malware deployed in the attack against Ukrinform includes CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD).

Two of the five strains, ZeroWipe and BidSwipe, are either new malware or are tracked by the Ukrainians under different names than those used by anti-malware vendors.

The attackers launched the CaddyWiper malware using a Windows group policy (GPO), showing that they had breached the target's network beforehand.

As CERT-UA found during the investigation, the threat actors gained remote access to Ukrinform's network around December 7th and waited more than a month to unleash the malware cocktail.

However, their attempt to wipe out all the data on the news agency's systems failed. The wipers only managed to destroy files on "several data storage systems," which didn't impact Ukrinform's operations.

"The CERT-UA emphasizes that the cyberattack was only a partial success, specifically with regard to a limited number of data storage systems," the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine added.


Cyberattack linked to Russian Sandworm military hackers

CERT-UA linked the attack to the Sandworm threat group last week, a hacking outfit that is part of Russian Military Unit 74455 of the Main Intelligence Directorate (GRU).

Sandworm has also used the CaddyWiper data wiper in another failed attack from April targeting a large Ukrainian energy provider.

In that attack, the Russian hackers used a similar tactic, deploying CaddyWiper to erase traces left by Industroyer ICS malware, together with three other wipers designed for Linux and Solaris systems, and tracked as Orcshred, Soloshred, and Awfulshred.

Since Russia invaded Ukraine in February 2022, multiple strains of data-wiping malware have been deployed on the networks of Ukrainian targets besides CaddyWiper.

This list also includes the likes of DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.

Microsoft and Slovak software company ESET have also linked recent ransomware attacks targeting Ukraine to the Sandworm hacking group."
