At least six different Russia-aligned actors launched no less than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.
“Collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions,” the company’s Digital Security Unit (DSU) said in a special report.
The major malware families that have been leveraged for destructive activity as part of Russia’s relentless digital assaults include WhisperGate, HermeticWiper (FoxBlade aka KillDisk), HermeticRansom (SonicVote), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.
WhisperGate, HermeticWiper, IssacWiper, and CaddyWiper are all data wipers designed to overwrite data and render machines unbootable, while DoubleZero is a .NET malware capable of data deletion. DesertBlade, also a data wiper, is said to have been launched against an unnamed broadcasting company in Ukraine on March 1.
SonicVote, on the other hand, is a file encryptor detected in conjunction with HermeticWiper to disguise the intrusions as a ransomware attack, whereas Industroyer2 is specifically engineered to strike operational technology networks to sabotage critical industrial production and processes.
Microsoft attributed HermeticWiper, CaddyWiper, and Industroyer2 with moderate confidence to a Russian state-sponsored actor named Sandworm (aka Iridium). The WhisperGate attacks have been tied to a previously unknown cluster dubbed DEV-0586, which is believed to be affiliated with Russia’s GRU military intelligence.
32% of the total 38 destructive attacks are estimated to have singled out Ukrainian government organizations at the national, regional, and city levels, with over 40% of the attacks aimed at organizations in critical infrastructure sectors in the nations.
Other malicious cyberattacks involve phishing campaigns targeting military entities (Fancy Bear aka Strontium) and government officials (Primitive Bear aka Actinium) as well as data theft (Energetic Bear aka Bromine) and reconnaissance (Venomous Bear aka Krypton) operations.
“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Tom Burt, corporate vice president of customer security and trust, said.
“Given that Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. It’s likely the attacks we’ve observed are only a fraction of activity targeting Ukraine.” Read more: https://bit.ly/3OOjogZ
You can also read this:Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers